[Snort-users] Snort Deployment Configurations

waldo kitty wkitty42 at ...14940...
Thu Feb 3 20:48:42 EST 2011

On 2/3/2011 19:31, Michael Lubinski wrote:
> I find myself thinking more and more in the realm of NSM and Snort. I have been
> running different theoretical deployment situations in my head on how / where I
> would deploy a snort sensor. I thought "Why don't I just ask the people that
> work with it everyday." I would imagine running Snort on the outside of your
> network would net a different set of rules being active as would a Snort sensor
> running internally.

this is very true... in my world, snort is run against all traffic entering and 
leaving the perimeter of the network being monitored... yes, that means that it 
is, in our case, being run on the perimeter device(s)... internal traffic is not 
monitored unless an internal mechanism is specifically set up but it is possible 
that the perimeter device is also monitoring internal traffic... for this it 
also means that certain vars in the snort config are altered so they fit the 
internal network parameters... however, in my neck of the woods, internal 
monitoring is best done with sniffers on the internal network(s)...

> Does anyone run Snort in multiple locations with varied purposes like this example?

not yet but the principle is the same with the note of the HOME_NET and 
EXTERNAL_NET var changes needed ;)

> Before I started to really dig into snort I always thought of it as a inline
> gateway monitor / filter between you and the world, but the more I learn that it
> can be much more universal depending on the rules included.

absolutely! in my world, snort's alert file is the main feed to an "active 
response" tool which initiates a firewall DROP rule immediately based on the 
alert file and the tools configured watch parameters...

yes, this can, and does, result in some false positives but things are also 
being looked over by a human and as such, until the rules and active response 
tool are tuned to the networks' needs, FPs will happen... in the cases that they 
do happen, i'm firmly on the side of shoot first, ask questions later :P

> What other considerations might someone new to snort such as myself overlook at
> first thought?

this is hard to answer without further knowledge of your networking and security 
related background... i say that with the knowledge that i'm self taught with 
30+ years in the industry and many many many hours of OJT plus the development 
of numerous methods of monitoring and protection as well as having been in the 
position of teaching classes related to networking...

More information about the Snort-users mailing list