[Snort-users] Snort Deployment Configurations

Jason Wallace jason.r.wallace at ...11827...
Fri Feb 4 09:02:12 EST 2011

A large part of answering the "where to deploy" question will be
related to what are you are planning to look for or protect your
network from. If your goal is to detect malware and client side
attacks you might want to deploy closer to your gateway/firewall. Some
people advocate deploying outside (ie. the Internet side) of the
firewall. I'm not one of them, and if your new to snort (or IDS in
general) I'd recommend staying inside your firewall for now.

If you want to protect critical services, say your externally facing
web farm, then you want to deploy as close to the assets you're
protecting as you can get. If the devices you want to protect are
behind a NAT device you probably want to deploy at a point where you
can see the real external and the real internal addresses involved.

Also, are you planning to deploy inline as an IPS or passively as an
IDS? If your new to snort I'd recommend starting off with a passive
IDS deployment until you are comfortable with tuning and rule
management. Even devices I plan to deploy inline, I typically will
deploy them in a passive mode until they are well tuned and then cut
them over to inline mode.

Hope that helps,

On Thu, Feb 3, 2011 at 7:31 PM, Michael Lubinski
<michael.lubinski at ...11827...> wrote:
> I find myself thinking more and more in the realm of NSM and Snort. I have
> been running different theoretical deployment situations in my head on how /
> where I would deploy a snort sensor. I thought "Why don't I just ask the
> people that work with it everyday." I would imagine running Snort on the
> outside of your network would net a different set of rules being active as
> would a Snort sensor running internally.
> Does anyone run Snort in multiple locations with varied purposes like this
> example?
> Before I started to really dig into snort I always thought of it as a inline
> gateway monitor / filter between you and the world, but the more I learn
> that it can be much more universal depending on the rules included.
> What other considerations might someone new to snort such as myself overlook
> at first thought?
> ------------------------------------------------------------------------------
> The modern datacenter depends on network connectivity to access resources
> and provide services. The best practices for maximizing a physical server's
> connectivity to a physical network are well understood - see how these
> rules translate into the virtual world?
> http://p.sf.net/sfu/oracle-sfdevnlfb
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

More information about the Snort-users mailing list