[Snort-users] Snort Deployment

JJ Cummings cummingsj at ...11827...
Tue May 4 09:46:55 EDT 2010


Inline--

On Mon, May 3, 2010 at 9:20 PM, Kum Weng Luey <kumwengluey at ...11827...> wrote:

> Thanks for the insights. I guess what I would really want is to monitor
> what actually passes the firewall security and into the internal network.
>
> Having my bosses are skeptical about snort and are doing their best to put
> me down. I am only given a old P4 computer with a small HDD.
>
> Therefore the only logical and economical way is to have spanned a port
> that traverse between the core-switch router and the firewall and having the
> other interface sending the mysql data out.
>
> Questions:
>
> 1. Do I have to put an ip address on the interface connected to the spanned
> port?
>
No

> 2. What might the impact be on the core-switch in terms of load and
> processing power?
>
Depends on the switch make/model (capacity) and the amount of throughput
that you are SPANNING, i.e. it will be in the manual for the switch.

> 3. What might be some of the problems that I could face that might impeed
> the detection of threats?
>
Improper configuration of the SPAN port, High number of false positives
causing you to overlook the real b33f, inability to understand the events
and if / how them impact your environment.. the list goes on and on.... The
short of it is take your time to setup properly, learn how to interpret the
events as they relate to your network and tune as much as you can!

>
> Thank you guys for all the help
>
> Regards,
> KW
>
> On Mon, May 3, 2010 at 11:17 PM, Joel Esler <jesler at ...1935...> wrote:
>
>> Plugplugplug
>>
>> http://blog.joelesler.net/2009/03/why-is-your-ids-outside-your-firewall.html
>>
>> <http://blog.joelesler.net/2009/03/why-is-your-ids-outside-your-firewall.html>Food
>> for thought, I wrote this last year some time.  (Yes, the blog post is meant
>> to provoke a discussion)
>>
>> J
>>
>> On Mon, May 3, 2010 at 9:45 AM, <akos.daniel at ...14798...> wrote:
>>
>>> Hi all,
>>>
>>> In case of this Topic I can understand the answers, but is it
>>> considerable
>>> to use IPS before the firewall as well?
>>> I mean if I put the IPS behind the FW then I loose the monitoring for
>>> attacks against the firewall. Today firewalls terminate many services
>>> like
>>> sslvpn, ravpn, auth services... and for those services they have many
>>> 'shortcomings' (just an example is the Sockstress TCP DoS attacks).
>>> What would be the best practice for an IPS topology?
>>> If the firewall has not just 2 interfaces but many more DMZs then should
>>> we implement as many IPS as many Firewall interfaces we have?
>>> Is there a basic concept for the IPS topo or depends it always on the
>>> business requirements /what the management want to protect.../ ?
>>>
>>>
>>> > I usually recommend that people implement Snort behind a firewall.
>>> >
>>> > As for interfaces, 2 is a good start.  One for management, one for
>>> > sniffing.
>>> >  However, if you have a tap, you might need 3 depending on the model of
>>> > tap.
>>> >
>>> > J
>>> >
>>> > On Mon, May 3, 2010 at 4:30 AM, Kum Weng Luey <kumwengluey at ...11827...>
>>> > wrote:
>>> >
>>> >> Hi guys,
>>> >>
>>> >> I have been trying out snort for quite some time now and it works
>>> great.
>>> >> I
>>> >> do want to try implementing snort in a live environment but am kinda
>>> >> clueless how. I want to sniff for traffic before it hits the firewall
>>> >> and
>>> >> enters the internal network. What would be the most optimal setup for
>>> >> the PC
>>> >> and how many interfaces do I need?
>>> >>
>>> >> Hope to get some advice. Thanks a lot.
>>> >>
>>> >> Regards,
>>> >> KW
>>> >>
>>> >>
>>> >>
>>> ------------------------------------------------------------------------------
>>> >>
>>> >> _______________________________________________
>>> >> Snort-users mailing list
>>> >> Snort-users at lists.sourceforge.net
>>> >> Go to this URL to change user options or unsubscribe:
>>> >> https://lists.sourceforge.net/lists/listinfo/snort-users
>>> >> Snort-users list archive:
>>> >> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>> >>
>>> >
>>> ------------------------------------------------------------------------------
>>> > _______________________________________________
>>> > Snort-users mailing list
>>> > Snort-users at lists.sourceforge.net
>>> > Go to this URL to change user options or unsubscribe:
>>> > https://lists.sourceforge.net/lists/listinfo/snort-users
>>> > Snort-users list archive:
>>> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>>
>>>
>>>
>>>
>>> ------------------------------------------------------------------------------
>>> _______________________________________________
>>> Snort-users mailing list
>>> Snort-users at lists.sourceforge.net
>>> Go to this URL to change user options or unsubscribe:
>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>> Snort-users list archive:
>>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>>
>>
>>
>>
>> ------------------------------------------------------------------------------
>>
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>
>
>
>
> ------------------------------------------------------------------------------
>
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20100504/8572c8a4/attachment.html>


More information about the Snort-users mailing list