[Snort-users] New IDS best practise

Michael Maymann michael at ...15437...
Wed Nov 16 14:59:54 EST 2011

Hi List,

We are a global multi-site organisation using a switched network, firewalls
and proxies.
1. Where would be the best place(s) to put IDS(s), if we aim to have a
centralised view - e.g. can this be set up as 1 central master (e.g.
Snorby) and site slaves (e.g. Snort) on each FW LAN?
2. How would it best be implemented - what would be the preferred steps?
3. What could be the typical pitfalls - e.g. would traffic possibly slow
down because everything needs to go to a 100mbit port where IDS is located,

To begin with we would especially like to detect reverse ssh/corkscrew -
any ideas how to do this properly in a set-up like ours, with or without

Thanks in advance :-) !
