[Snort-users] Snort Deployment Configurations
wkitty42 at ...14940...
Thu Feb 3 20:48:42 EST 2011
On 2/3/2011 19:31, Michael Lubinski wrote:
> I find myself thinking more and more in the realm of NSM and Snort. I have been
> running different theoretical deployment situations in my head on how / where I
> would deploy a snort sensor. I thought "Why don't I just ask the people that
> work with it everyday." I would imagine running Snort on the outside of your
> network would net a different set of rules being active as would a Snort sensor
> running internally.
this is very true... in my world, snort is run against all traffic entering and
leaving the perimeter of the network being monitored... yes, that means that it
is, in our case, being run on the perimeter device(s)... internal traffic is not
monitored unless an internal mechanism is specifically set up but it is possible
that the perimeter device is also monitoring internal traffic... for this it
also means that certain vars in the snort config are altered so they fit the
internal network parameters... however, in my neck of the woods, internal
monitoring is best done with sniffers on the internal network(s)...
> Does anyone run Snort in multiple locations with varied purposes like this example?
not yet but the principle is the same with the note of the HOME_NET and
EXTERNAL_NET var changes needed ;)
> Before I started to really dig into snort I always thought of it as an inline
> gateway monitor / filter between you and the world, but the more I learn that it
> can be much more universal depending on the rules included.
absolutely! in my world, snort's alert file is the main feed to an "active
response" tool which initiates a firewall DROP rule immediately based on the
alert file and the tool's configured watch parameters...
yes, this can, and does, result in some false positives but things are also
being looked over by a human and as such, until the rules and active response
tool are tuned to the networks' needs, FPs will happen... in the cases that they
do happen, i'm firmly on the side of shoot first, ask questions later :P
> What other considerations might someone new to snort such as myself overlook at
> first thought?
this is hard to answer without further knowledge of your networking and security
related background... i say that with the knowledge that i'm self taught with
30+ years in the industry and many many many hours of OJT plus the development
of numerous methods of monitoring and protection as well as having been in the
position of teaching classes related to networking...
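The reply above describes two things worth seeing in code: the HOME_NET / EXTERNAL_NET distinction that changes between a perimeter and an internal sensor, and an "active response" tool that turns the Snort alert file into firewall DROP rules while accepting some false positives. The script below is an added illustration written for this page; it is not the poster's tool and not part of Snort. It parses lines in Snort's `alert_fast` output format, and the alert lines, SIDs, addresses and networks are constructed sample values. The false-positive guardrails (never auto-block a HOME_NET or allow-listed source, block on priority 1 immediately, require repeated alerts at priority 2, ignore priority 3) and the `iptables -I INPUT -s <ip> -j DROP` command shape are design assumptions for the example, not something the post specifies. The script only prints the rules it would apply; it does not touch the firewall.

```python
import ipaddress
import re
from collections import Counter

# Constructed alert_fast-style lines (sample data for this example, not from the post).
# Format: <timestamp>  [**] [gid:sid:rev] <msg> [**] [Classification: ...] [Priority: N] {PROTO} src:port -> dst:port
SAMPLE_ALERTS = """\
02/03-20:48:42.101010  [**] [1:9000001:1] SAMPLE probe to SSH [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.5:44321 -> 192.168.1.10:22
02/03-20:48:43.202020  [**] [1:9000001:1] SAMPLE probe to SSH [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.5:44322 -> 192.168.1.11:22
02/03-20:48:44.303030  [**] [1:9000002:1] SAMPLE noisy info rule [**] [Classification: Misc activity] [Priority: 3] {UDP} 198.51.100.7:5353 -> 192.168.1.20:5353
02/03-20:48:45.404040  [**] [1:9000003:1] SAMPLE internal host scan [**] [Classification: Attempted Recon] [Priority: 2] {TCP} 192.168.1.50:50000 -> 192.168.1.10:445
02/03-20:48:46.505050  [**] [1:9000004:1] SAMPLE exploit attempt [**] [Classification: Attempted Admin Privilege Gain] [Priority: 1] {TCP} 203.0.113.9:1234 -> 192.168.1.10:80
"""

# Sensor variables, mirroring what HOME_NET / EXTERNAL_NET mean in snort.conf.
# A perimeter sensor would set HOME_NET to the monitored site; an internal sensor
# narrows it to the segment it sits on. Values here are constructed.
HOME_NET = [ipaddress.ip_network("192.168.1.0/24")]
NEVER_BLOCK = [ipaddress.ip_network("198.51.100.0/24")]  # assumed allow-list (e.g. upstream DNS/NTP)
MAX_PRIORITY = 2  # act on priority 1 and 2 only (lower number = more severe in Snort)
MIN_HITS = 2      # priority-2 sources must repeat before being dropped; priority 1 is immediate

# Regex for the alert_fast line layout; IPv4 only to keep the example small.
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?"
    r"\s+\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?::(?P<dport>\d+))?$"
)


def parse_alerts(text):
    """Parse alert_fast lines into dicts; lines that do not match are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["prio"] = int(d["prio"])
        d["sid"] = int(d["sid"])
        alerts.append(d)
    return alerts


def in_any(ip, nets):
    return any(ip in net for net in nets)


def decide_blocks(alerts, home_net=HOME_NET, never_block=NEVER_BLOCK,
                  max_priority=MAX_PRIORITY, min_hits=MIN_HITS):
    """Return the sorted list of source IPs (as strings) that the policy would DROP.

    Guardrails against the false positives the post mentions: HOME_NET sources are
    never auto-blocked (an FP there would firewall your own hosts), allow-listed
    sources are skipped, low-priority alerts are ignored, and priority-2 sources
    must trigger at least min_hits alerts before a rule is generated.
    """
    hits = Counter()
    worst = {}
    for a in alerts:
        src = ipaddress.ip_address(a["src"])
        if in_any(src, home_net) or in_any(src, never_block):
            continue
        if a["prio"] > max_priority:
            continue
        hits[src] += 1
        worst[src] = min(worst.get(src, 99), a["prio"])
    blocked = [ip for ip in hits if worst[ip] == 1 or hits[ip] >= min_hits]
    return [str(ip) for ip in sorted(blocked)]


def iptables_rules(blocked):
    """Render DROP rules; assumed command shape, printed rather than executed."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in blocked]


if __name__ == "__main__":
    for rule in iptables_rules(decide_blocks(parse_alerts(SAMPLE_ALERTS))):
        print(rule)
```

Run against the sample, the script drops 203.0.113.5 (two priority-2 alerts) and 203.0.113.9 (one priority-1 alert), and leaves the internal scanner 192.168.1.50 for a human to look at, which is the "looked over by a human" part of the reply. Moving a sensor inside the network is then mostly a matter of changing `HOME_NET` (and the matching EXTERNAL_NET in snort.conf) rather than rewriting the response logic.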