[Snort-users] Placing Snort

Jose Maria Lopez jkerouac at ...12346...
Wed Sep 1 12:17:12 EDT 2004

El mié, 01 de 09 de 2004 a las 11:30, Chandana Bandara escribió:
> hi
> I implemented snort in this way .
> Internet ---------------> Router -----------------------> Firewall
> ---------------------> Snort--------------------> switch
> -----------------> LAN
> am i correct ?
> thanx

It all depends in what attacks you want to see. If you use the
configuration you have proposed then you see all attacks that are
knocking at your door, but you could have an insane number of
alarms and false positives. If you place snort after the firewall
you won't see the attacks that the firewall it's blocking but you
will see the attacks that are really affecting your network and
the number of false positives decreases a lot.

The perfect solution for me is having both. One snort in the external
network to see all the traffic that it's knocking your site and another
snort behind the firewall to see the really interesting attacks. You
should treat each of this snorts in a different way, the inner one is
the one you should check all the time to see the attacks your firewall
is letting in, and the outer one should be checked from time to time
to see who's attacking you and you can compare both results to see how
well is acting your firewall.

Jose Maria Lopez Hernandez
Director Tecnico de bgSEC
jkerouac at ...12346...
bgSEC Seguridad y Consultoria de Sistemas Informaticos

The only people for me are the mad ones -- the ones who are mad to live,
mad to talk, mad to be saved, desirous of everything at the same time,
the ones who never yawn or say a commonplace thing, but burn, burn, burn
like fabulous yellow Roman candles.
                -- Jack Kerouac, "On the Road"

More information about the Snort-users mailing list