<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns="http://www.w3.org/TR/REC-html40">

<head>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">


<meta name=ProgId content=Word.Document>
<meta name=Generator content="Microsoft Word 10">
<meta name=Originator content="Microsoft Word 10">
<link rel=File-List href="cid:filelist.xml@...8771...">
<title>Message</title>
<!--[if gte mso 9]><xml>
 <o:OfficeDocumentSettings>
  <o:DoNotRelyOnCSS/>
 </o:OfficeDocumentSettings>
</xml><![endif]--><!--[if gte mso 9]><xml>
 <w:WordDocument>
  <w:Zoom>110</w:Zoom>
  <w:SpellingState>Clean</w:SpellingState>
  <w:GrammarState>Clean</w:GrammarState>
  <w:DocumentKind>DocumentEmail</w:DocumentKind>
  <w:EnvelopeVis/>
  <w:BrowserLevel>MicrosoftInternetExplorer4</w:BrowserLevel>
 </w:WordDocument>
</xml><![endif]-->
<style>
<!--
 /* Font Definitions */
 @font-face
        {font-family:Tahoma;
        panose-1:2 11 6 4 3 5 4 4 2 4;
        mso-font-charset:0;
        mso-generic-font-family:swiss;
        mso-font-pitch:variable;
        mso-font-signature:553679495 -2147483648 8 0 66047 0;}
 /* Style Definitions */
 p.MsoNormal, li.MsoNormal, div.MsoNormal
        {mso-style-parent:"";
        margin:0in;
        margin-bottom:.0001pt;
        mso-pagination:widow-orphan;
        font-size:12.0pt;
        font-family:"Times New Roman";
        mso-fareast-font-family:"Times New Roman";}
a:link, span.MsoHyperlink
        {color:blue;
        text-decoration:underline;
        text-underline:single;}
a:visited, span.MsoHyperlinkFollowed
        {color:purple;
        text-decoration:underline;
        text-underline:single;}
p
        {mso-margin-top-alt:auto;
        margin-right:0in;
        mso-margin-bottom-alt:auto;
        margin-left:0in;
        mso-pagination:widow-orphan;
        font-size:12.0pt;
        font-family:"Times New Roman";
        mso-fareast-font-family:"Times New Roman";}
span.emailstyle17
        {mso-style-name:emailstyle17;
        font-family:Arial;
        mso-ascii-font-family:Arial;
        mso-hansi-font-family:Arial;
        mso-bidi-font-family:Arial;
        color:windowtext;}
span.emailstyle18
        {mso-style-name:emailstyle18;
        font-family:Arial;
        mso-ascii-font-family:Arial;
        mso-hansi-font-family:Arial;
        mso-bidi-font-family:Arial;
        color:navy;}
span.emailstyle20
        {mso-style-name:emailstyle20;
        font-family:Arial;
        mso-ascii-font-family:Arial;
        mso-hansi-font-family:Arial;
        mso-bidi-font-family:Arial;
        color:navy;}
span.emailstyle21
        {mso-style-name:emailstyle21;
        font-family:Arial;
        mso-ascii-font-family:Arial;
        mso-hansi-font-family:Arial;
        mso-bidi-font-family:Arial;
        color:navy;}
span.emailstyle22
        {mso-style-name:emailstyle22;
        font-family:Arial;
        mso-ascii-font-family:Arial;
        mso-hansi-font-family:Arial;
        mso-bidi-font-family:Arial;
        color:navy;}
span.EmailStyle23
        {mso-style-type:personal-reply;
        mso-style-noshow:yes;
        mso-ansi-font-size:10.0pt;
        mso-bidi-font-size:10.0pt;
        font-family:Arial;
        mso-ascii-font-family:Arial;
        mso-hansi-font-family:Arial;
        mso-bidi-font-family:Arial;
        color:navy;}
span.SpellE
        {mso-style-name:"";
        mso-spl-e:yes;}
span.GramE
        {mso-style-name:"";
        mso-gram-e:yes;}
@page Section1
        {size:8.5in 11.0in;
        margin:1.0in 1.25in 1.0in 1.25in;
        mso-header-margin:.5in;
        mso-footer-margin:.5in;
        mso-paper-source:0;}
div.Section1
        {page:Section1;}
-->
</style>
<!--[if gte mso 10]>
<style>
 /* Style Definitions */ 
 table.MsoNormalTable
        {mso-style-name:"Table Normal";
        mso-tstyle-rowband-size:0;
        mso-tstyle-colband-size:0;
        mso-style-noshow:yes;
        mso-style-parent:"";
        mso-padding-alt:0in 5.4pt 0in 5.4pt;
        mso-para-margin:0in;
        mso-para-margin-bottom:.0001pt;
        mso-pagination:widow-orphan;
        font-size:10.0pt;
        font-family:"Times New Roman";}
</style>
<![endif]--><!--[if gte mso 9]><xml>
 <o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
 <o:shapelayout v:ext="edit">
  <o:idmap v:ext="edit" data="1" />
 </o:shapelayout></xml><![endif]-->
</head>

<body bgcolor=white lang=EN-US link=blue vlink=purple style='tab-interval:.5in'>

<div class=Section1>

<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>It can help, but I would not rely on it
for prosecution; the fact is the data is too easy to spoof and is not collected
in a forensically sound manner either at the sensor or the management
console.<span style='mso-spacerun:yes'>  </span>By forensically sound I
mean certified to be free from tampering.<span style='mso-spacerun:yes'> 
</span>Not that this data won't help your case, but it's better to rely on it to
see where and into what else the attacker may have gotten into.<o:p></o:p></span></font></p>

<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'><o:p> </o:p></span></font></p>

<div>

<p style='margin-bottom:12.0pt'><font size=2 color=navy face="Times New Roman"><span
style='font-size:10.0pt;color:navy;mso-no-proof:yes'>-------------------------------------------------------------------<br>
Brian Laing<br>
CTO<br>
Blade Software<br>
Cellphone: +1 650.280.2389<br>
Telephone: +1 650 367.9376<br>
eFax: +1 208.575.1374<br>
Blade Software - Because Real Attacks Hurt<br>
<a href="http://www.Blade-Software.com">http://www.Blade-Software.com</a><br>
-------------------------------------------------------------------</span></font><o:p></o:p></p>

</div>

<p class=MsoNormal style='margin-left:.5in'><font size=2 face=Tahoma><span
style='font-size:10.0pt;font-family:Tahoma'>-----Original Message-----<br>
<b><span style='font-weight:bold'>From:</span></b> Brei, Matt
[mailto:mbrei@...8727...<span class=GramE>] <br>
<b><span style='font-weight:bold'>Sent</span></b></span><b><span
style='font-weight:bold'>:</span></b> Thursday, April 03, 2003 2:18 PM<br>
<b><span style='font-weight:bold'>To:</span></b>
brian.laing@...8607...; David Glosser; FWAdmin;
snort-users@lists.sourceforge.net<br>
<b><span style='font-weight:bold'>Subject:</span></b> RE: [Snort-users] IDS
Placement ideas for inside and outside a firewall.</span></font></p>

<p class=MsoNormal style='margin-left:.5in'><font size=3 face="Times New Roman"><span
style='font-size:12.0pt'><o:p> </o:p></span></font></p>

<p class=MsoNormal style='margin-left:.5in'><font size=2 color=navy face=Arial><span
style='font-size:10.0pt;font-family:Arial;color:navy'>That's exactly why
I would want one outside of the firewall.  If I were to find a successful
break in, I could then review logs from the external IDS and find that the same
IP had done several scans or whatever that were eventually blocked by the
firewall and not picked up by the internal IDS.  I would think that this
would help build a better case if any type of legal action were to be taken. </span></font><o:p></o:p></p>

<p class=MsoNormal style='margin-left:.5in'><font size=2 color=navy face=Arial><span
style='font-size:10.0pt;font-family:Arial;color:navy'> </span></font><o:p></o:p></p>

<p class=MsoNormal style='margin-left:.5in'><font size=2 color=navy face=Arial><span
style='font-size:10.0pt;font-family:Arial;color:navy'>Matt</span></font><o:p></o:p></p>

<p class=MsoNormal style='margin-left:.5in'><font size=2 color=navy face=Arial><span
style='font-size:10.0pt;font-family:Arial;color:navy'> </span></font><o:p></o:p></p>

<p class=MsoNormal style='margin-left:1.0in'><font size=2 face=Tahoma><span
style='font-size:10.0pt;font-family:Tahoma'>-----Original Message-----<br>
<b><span style='font-weight:bold'>From:</span></b> Brian Laing
[mailto:Brian.Laing@...8609...] <br>
<b><span style='font-weight:bold'>Sent:</span></b> Thursday, April 03, 2003
11:28 AM<br>
<b><span style='font-weight:bold'>To:</span></b> 'David Glosser'; Brei, Matt;
'FWAdmin'; snort-users@lists.sourceforge.net<br>
<b><span style='font-weight:bold'>Subject:</span></b> RE: [Snort-users] IDS
Placement ideas for inside and outside a firewall.</span></font><o:p></o:p></p>

<p class=MsoNormal style='margin-left:1.0in'><font size=3 face="Times New Roman"><span
style='font-size:12.0pt'> <o:p></o:p></span></font></p>

<p class=MsoNormal style='margin-left:1.0in'><font size=2 color=navy
face=Arial><span style='font-size:10.0pt;font-family:Arial;color:navy'>I would
agree with this sort of implementation. In many of the installs I have done I
will set up the external sensors to do nothing but logging and ignore the data
till I see something worth looking at on one of the internal servers.  I
use this data to see what else that IP has been doing or what other things have
been attempted against a specific host.</span></font><o:p></o:p></p>

<p class=MsoNormal style='margin-left:1.0in'><font size=2 color=navy
face=Arial><span style='font-size:10.0pt;font-family:Arial;color:navy'> </span></font><o:p></o:p></p>


<p class=MsoNormal style='margin-left:1.5in'><font size=2 face=Tahoma><span
style='font-size:10.0pt;font-family:Tahoma'>-----Original Message-----<br>
<b><span style='font-weight:bold'>From:</span></b>
snort-users-admin@lists.sourceforge.net
[mailto:snort-users-admin@lists.sourceforge.net] <b><span style='font-weight:
bold'>On Behalf Of </span></b>David Glosser<br>
<b><span style='font-weight:bold'>Sent:</span></b> Wednesday, April 02, 2003
11:10 PM<br>
<b><span style='font-weight:bold'>To:</span></b> Brei, Matt; FWAdmin;
snort-users@lists.sourceforge.net<br>
<b><span style='font-weight:bold'>Subject:</span></b> Re: [Snort-users] IDS
Placement ideas for inside and outside a firewall.</span></font><o:p></o:p></p>

<p class=MsoNormal style='margin-left:1.5in'><font size=3 face="Times New Roman"><span
style='font-size:12.0pt'> <o:p></o:p></span></font></p>

<div>

<p class=MsoNormal style='margin-left:1.5in'><font size=2 face="Times New Roman"><span
style='font-size:10.0pt'>If you've never set up any IDS before, I'm not sure
you would want to place it outside your firewall immediately. You'll get
overwhelmed with probes, scans, script kiddies, etc. </span></font><o:p></o:p></p>

</div>

<div>

<p class=MsoNormal style='margin-left:1.5in'><font size=2 face="Times New Roman"><span
style='font-size:10.0pt'>First place the box (with the "snorting" NIC
unnumbered) on the port monitoring the *internal* interface of your firewall.
Let it work on all of the stuff your firewall lets through. Once you have that
under control, then place another box (or another NIC on the same box) to
monitor your internal servers (since break-ins can come from internal users). </span></font><o:p></o:p></p>

</div>

<div>

<p class=MsoNormal style='margin-left:1.5in'><font size=2 face="Times New Roman"><span
style='font-size:10.0pt'>Once you have these two under control, then you can
worry about monitoring stuff outside the firewall, which I believe is called
*attack detection*. But do you care that much about the stuff your firewall is
successfully blocking?</span></font><o:p></o:p></p>

</div>

<div>

<p class=MsoNormal style='margin-left:1.5in'><font size=3 face="Times New Roman"><span
style='font-size:12.0pt'> <o:p></o:p></span></font></p>

</div>

<div>

<p class=MsoNormal style='margin-left:1.5in'><font size=2 face="Times New Roman"><span
style='font-size:10.0pt'>--snip-</span></font><o:p></o:p></p>

</div>

<blockquote style='border:none;border-left:solid black 1.5pt;padding:0in 0in 0in 3.0pt;
margin-left:3.4pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt'>

<div>

<p class=MsoNormal style='margin-left:1.5in'><font size=2 face=Arial><span
style='font-size:10.0pt;font-family:Arial'> I am trying to convince my
company to implement IDS on our network but I have a few questions. I know
I would want one on both sides of the firewall, </span></font><o:p></o:p></p>

</div>

</blockquote>

</div>
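<p class=MsoNormal>The workflow described in the thread (external sensor in log-only mode, consulted only after an internal alert) can be sketched as follows. This is an added example, not code from any of the posters; the alert lines are constructed samples in Snort's fast-alert layout, and the function names are hypothetical.</p>

```python
import re
from collections import defaultdict

# Constructed sample alerts in Snort "fast" alert layout (not real traffic).
INTERNAL_ALERTS = """\
04/03-11:02:17.120000  [**] [1:1000001:1] constructed: web server exploit attempt [**] [Priority: 1] {TCP} 203.0.113.7:4312 -> 192.0.2.10:80
"""

EXTERNAL_LOG = """\
04/02-22:15:01.000100  [**] [1:1000002:1] constructed: port scan [**] [Priority: 2] {TCP} 203.0.113.7:4001 -> 192.0.2.10:22
04/02-22:15:02.000200  [**] [1:1000002:1] constructed: port scan [**] [Priority: 2] {TCP} 203.0.113.7:4002 -> 192.0.2.11:23
04/02-23:40:09.000300  [**] [1:1000003:1] constructed: ICMP sweep [**] [Priority: 3] {ICMP} 198.51.100.9 -> 192.0.2.10
04/03-10:58:44.000400  [**] [1:1000004:1] constructed: web probe [**] [Priority: 2] {TCP} 203.0.113.7:4310 -> 192.0.2.10:80
"""

# Groups: timestamp, message, protocol, source IP, destination IP (ports optional)
ALERT_RE = re.compile(
    r"^(\S+)\s+\[\*\*\]\s+\[[\d:]+\]\s+(.*?)\s+\[\*\*\].*?"
    r"\{(\w+)\}\s+([\d.]+)(?::\d+)?\s+->\s+([\d.]+)(?::\d+)?\s*$"
)

def parse_alerts(text):
    """Return one dict per line that matches the fast-alert layout."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if m:
            ts, msg, proto, src, dst = m.groups()
            alerts.append({"ts": ts, "msg": msg, "proto": proto, "src": src, "dst": dst})
    return alerts

def external_history(internal_text, external_text):
    """For each source IP the internal sensor alerted on, collect what the external sensor logged."""
    suspects = {a["src"] for a in parse_alerts(internal_text)}
    history = defaultdict(list)
    for a in parse_alerts(external_text):
        if a["src"] in suspects:
            history[a["src"]].append((a["ts"], a["dst"], a["msg"]))
    return dict(history)

def targeted_hosts(history, ip):
    """Distinct destinations the external sensor saw this IP touch."""
    return sorted({dst for _, dst, _ in history.get(ip, [])})

if __name__ == "__main__":
    hist = external_history(INTERNAL_ALERTS, EXTERNAL_LOG)
    for ip in hist:
        print(ip, "also targeted", targeted_hosts(hist, ip))
```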

</body>

</html>