[Snort-users] Snort in front of WAF or behind?

Joel Esler jesler at ...1935...
Tue Feb 2 19:03:25 EST 2010

My opinion is, if you can let another tool do some work, let it. Let  
snort concentrate on what gets through.

Joel Esler
Sent from my iPhone

On Feb 2, 2010, at 5:24 PM, "Jefferson, Shawn" <Shawn.Jefferson at ...14448... 
 > wrote:

> I’m putting in a WAF in the next two weeks, and I’m deciding on  
> where to put it, in front of my network tap with Snort, or behind th 
> e network tap with Snort.  I’m thinking it’s better to put it in  
> front of the network tap with Snort, and let the WAF do the inspecti 
> on, filtering and alerting of HTTP(S) traffic.  A couple of benefits 
>  of doing it this way that I see:
> 1. WAF will know more about how the HTTP applications are configured  
> and what is good and what is bad input.
> 2. It will decrease the load (marginally) on the Snort box, since it  
> won’t have to inspect the traffic that is already going to be filter 
> ed at the WAF.
> Anybody have input on this scenario?  It seems just like the “Snort  
> in front of the firewall or behind the firewall” debate… but I  
> might be missing something.
> --
> Shawn
> --- 
> --- 
> --- 
> ---------------------------------------------------------------------
> The Planet: dedicated and managed hosting, cloud storage, colocation
> Stay online with enterprise data centers and the best network in the  
> business
> Choose flexible plans and management services without long-term  
> contracts
> Personal 24x7 support from experience hosting pros just a phone call  
> away.
> http://p.sf.net/sfu/theplanet-com
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20100202/88923c73/attachment.html>

More information about the Snort-users mailing list