[Snort-users] Where to place the IDS ?

Jose Maria Lopez jkerouac at ...12346...
Sat Nov 20 04:20:19 EST 2004

On Fri, 19 Nov 2004 at 16:50, andrea wrote:
> Is it convenient to use snort on the same machine as the firewall (iptables)?

It can be. It depends on how you are gonna use snort and the
resources you have. I run snort on the firewall machine and
everything works fine.

> Or is it a waste of resources?

Snort can use a big amount of resources.

> Do you use a whole machine for snort?

I don't need it, but if you have a gigabit ethernet or a lot
of traffic you may need it. It's a good idea to have a machine
just for snort, but it's not absolutely necessary.

> Can snort stop malicious traffic? For example applying firewall rules? Or is 
> it just a logger?

Snort can use guardian to create rules in the firewall, but it's
much more interesting to use snort-inline, which is an IPS and
can stop malicious traffic detected by the snort rules.

Jose Maria Lopez Hernandez
Technical Director of bgSEC
jkerouac at ...12346...
bgSEC Seguridad y Consultoria de Sistemas Informaticos

The only people for me are the mad ones -- the ones who are mad to live,
mad to talk, mad to be saved, desirous of everything at the same time,
the ones who never yawn or say a commonplace thing, but burn, burn, burn
like fabulous yellow Roman candles.
                -- Jack Kerouac, "On the Road"
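
Added example, not part of the original message and not Guardian's own code: a sketch of the reactive approach mentioned above, reading Snort fast-alert lines and emitting one iptables DROP rule per offending source. The sample alerts, the `NEVER_BLOCK` list and the function name are constructed for illustration; a block like this only affects packets that arrive after the alert, whereas an inline IPS drops the matching packet itself.

```python
import ipaddress
import re

# "[**] [gid:sid:rev] msg [**] ... {PROTO} src[:port] -> dst[:port]" (fast-alert layout).
ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[(?P<sid>\d+:\d+:\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?"
)

# Constructed sample alerts (documentation address ranges), not real log data.
SAMPLE_ALERTS = """\
11/19-16:50:01.000001  [**] [1:1000001:1] Constructed test rule A [**] [Priority: 2] {TCP} 203.0.113.7:40112 -> 192.0.2.10:80
11/19-16:50:02.000002  [**] [1:1000001:1] Constructed test rule A [**] [Priority: 2] {TCP} 203.0.113.7:40113 -> 192.0.2.10:80
11/19-16:50:03.000003  [**] [1:1000002:1] Constructed test rule B [**] [Priority: 2] {UDP} 192.0.2.1:53 -> 192.0.2.10:33000
11/19-16:50:04.000004  [**] [1:1000003:1] Constructed test rule C [**] [Priority: 3] {ICMP} 198.51.100.9 -> 192.0.2.10
this line is not an alert
"""

# Assumed allow-list: sources that must never be blocked (gateway, DNS, admin
# hosts). Without it, a spoofed packet that trips a rule could make the
# firewall cut off its own infrastructure.
NEVER_BLOCK = [ipaddress.ip_network("192.0.2.0/24")]


def block_commands(alert_text, never_block=NEVER_BLOCK):
    """Return one iptables DROP command per new offending source address."""
    seen, commands = set(), []
    for line in alert_text.splitlines():
        m = ALERT_RE.search(line)
        if not m:
            continue  # not an alert line
        try:
            src = ipaddress.ip_address(m.group("src"))
        except ValueError:
            continue  # malformed address such as 999.1.1.1
        if src in seen or any(src in net for net in never_block):
            continue  # already handled, or protected by the allow-list
        seen.add(src)
        commands.append(f"iptables -I INPUT -s {src} -j DROP")
    return commands


if __name__ == "__main__":
    print("\n".join(block_commands(SAMPLE_ALERTS)))
```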
