[Snort-users] New IDS best practise
michael at ...15437...
Wed Nov 16 14:59:54 EST 2011
We are a global multi-site organisation using switched network, firewalls
1. Where would be the best place(s) to put IDS(s), if we aim to have a
centralised view - e.g. can this be set up as 1 central master (e.g.
Snorby) and site slaves (e.g. Snort) on each FW LAN?
2. How would it best be implemented - what would be the preferred steps?
3. What could be the typical pitfalls - e.g. would traffic possibly slow
down because everything needs to go to a 100 Mbit port where IDS is located,
To begin with we would especially like to detect reverse ssh/corkscrew -
any ideas how to do this properly in a set-up like ours, with or without
Thanks in advance :-) !