<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>

<head>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">


<meta name=Generator content="Microsoft Word 10 (filtered)">
<title>Message</title>

<style>
<!--
 /* Font Definitions */
 @font-face
        {font-family:Tahoma;
        panose-1:2 11 6 4 3 5 4 4 2 4;}
 /* Style Definitions */
 p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman";}
a:link, span.MsoHyperlink
        {color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {color:purple;
        text-decoration:underline;}
p
        {margin-right:0in;
        margin-left:0in;
        font-size:12.0pt;
        font-family:"Times New Roman";}
span.emailstyle17
        {font-family:Arial;
        color:windowtext;}
span.emailstyle18
        {font-family:Arial;
        color:navy;}
span.emailstyle20
        {font-family:Arial;
        color:navy;}
span.EmailStyle21
        {font-family:Arial;
        color:navy;}
span.EmailStyle22
        {font-family:Arial;
        color:navy;}
@page Section1
        {size:8.5in 11.0in;
        margin:1.0in 1.25in 1.0in 1.25in;}
div.Section1
        {page:Section1;}
-->
</style>

</head>

<body bgcolor=white lang=EN-US link=blue vlink=purple>

<div class=Section1>

<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>That's exactly why I would want one
outside of the firewall.  If I were to find a successful break in, I could then
review logs from the external IDS and find that the same IP had done several
scans or whatever that were eventually blocked by the firewall and not picked
up by the internal IDS.  I would think that this would help build a better case
if any type of legal action were to be taken. </span></font></p>

<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>&nbsp;</span></font></p>

<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>Matt</span></font></p>

<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>&nbsp;</span></font></p>

<p class=MsoNormal style='margin-left:.5in'><font size=2 face=Tahoma><span
style='font-size:10.0pt;font-family:Tahoma'>-----Original Message-----<br>
<b><span style='font-weight:bold'>From:</span></b> Brian Laing
[mailto:Brian.Laing@...8609...] <br>
<b><span style='font-weight:bold'>Sent:</span></b> Thursday, April 03, 2003
11:28 AM<br>
<b><span style='font-weight:bold'>To:</span></b> 'David Glosser'; Brei, Matt;
'FWAdmin'; snort-users@lists.sourceforge.net<br>
<b><span style='font-weight:bold'>Subject:</span></b> RE: [Snort-users] IDS
Placement ideas for inside and outside a firewall.</span></font></p>

<p class=MsoNormal style='margin-left:.5in'><font size=3 face="Times New Roman"><span
style='font-size:12.0pt'>&nbsp;</span></font></p>

<p class=MsoNormal style='margin-left:.5in'><font size=2 color=navy face=Arial><span
style='font-size:10.0pt;font-family:Arial;color:navy'>I would agree with this
sort of implementation; in many of the installs I have done I will set up the
external sensors to do nothing but logging and ignore the data till I see
something worth looking at on one of the internal servers. I use this data to see
what else that IP has been doing or what other things have been attempted
against a specific host.</span></font></p>

<p class=MsoNormal style='margin-left:.5in'><font size=2 color=navy face=Arial><span
style='font-size:10.0pt;font-family:Arial;color:navy'>&nbsp;</span></font></p>

<div>

<p style='margin-right:0in;margin-bottom:12.0pt;margin-left:.5in'><font size=2
color=navy face="Times New Roman"><span style='font-size:10.0pt;color:navy'>-------------------------------------------------------------------<br>
Brian Laing<br>
CTO<br>
Blade Software<br>
Cellphone: +1 650.280.2389<br>
Telephone: +1 650 367.9376<br>
eFax: +1 208.575.1374<br>
Blade Software - Because Real Attacks Hurt<br>
<a href="http://www.Blade-Software.com">http://www.Blade-Software.com</a><br>
-------------------------------------------------------------------</span></font></p>

</div>

<p class=MsoNormal style='margin-left:1.0in'><font size=2 face=Tahoma><span
style='font-size:10.0pt;font-family:Tahoma'>-----Original Message-----<br>
<b><span style='font-weight:bold'>From:</span></b> snort-users-admin@...1753...s.sourceforge.net
[mailto:snort-users-admin@lists.sourceforge.net] <b><span style='font-weight:
bold'>On Behalf Of </span></b>David Glosser<br>
<b><span style='font-weight:bold'>Sent:</span></b> Wednesday, April 02, 2003
11:10 PM<br>
<b><span style='font-weight:bold'>To:</span></b> Brei, Matt; FWAdmin;
snort-users@lists.sourceforge.net<br>
<b><span style='font-weight:bold'>Subject:</span></b> Re: [Snort-users] IDS
Placement ideas for inside and outside a firewall.</span></font></p>

<p class=MsoNormal style='margin-left:1.0in'><font size=3 face="Times New Roman"><span
style='font-size:12.0pt'>&nbsp;</span></font></p>

<div>

<p class=MsoNormal style='margin-left:1.0in'><font size=2 face="Times New Roman"><span
style='font-size:10.0pt'>If you've never set up any IDS before, I'm not sure
you would want to place it outside your firewall immediately. You'll get
overwhelmed with probes, scans, script kiddies, etc. </span></font></p>

</div>

<div>

<p class=MsoNormal style='margin-left:1.0in'><font size=2 face="Times New Roman"><span
style='font-size:10.0pt'>First place the box (with the "snorting" NIC
unnumbered) on the port monitoring the *internal* interface of your firewall.
Let it work on all of the stuff your firewall lets through. Once you have that
under control, then place another box (or another NIC on the same box) to
monitor your internal servers (since break-ins can come from internal users). </span></font></p>

</div>

<div>

<p class=MsoNormal style='margin-left:1.0in'><font size=2 face="Times New Roman"><span
style='font-size:10.0pt'>Once you have these two under control, then you can
worry about monitoring stuff outside the firewall, which I believe is called
*attack detection*. But do you care that much about the stuff your firewall is
successfully blocking?</span></font></p>

</div>

<div>

<p class=MsoNormal style='margin-left:1.0in'><font size=3 face="Times New Roman"><span
style='font-size:12.0pt'>&nbsp;</span></font></p>

</div>

<div>

<p class=MsoNormal style='margin-left:1.0in'><font size=2 face="Times New Roman"><span
style='font-size:10.0pt'>--snip-</span></font></p>

</div>

<blockquote style='border:none;border-left:solid black 1.5pt;padding:0in 0in 0in 3.0pt;
margin-left:3.4pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt'>

<div>

<p class=MsoNormal style='margin-left:1.0in'><font size=2 face=Arial><span
style='font-size:10.0pt;font-family:Arial'>I am trying to convince my
company to implement IDS on our network but I have a few questions. I know
I would want one on both sides of the firewall, </span></font></p>

</div>

</blockquote>

</div>
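
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>Added example, not part of any message in this thread: the
workflow the posters describe (a log-only sensor outside the firewall,
consulted once an internal alert names a source IP), sketched in Python. It
assumes the external sensor writes Snort's one-line "fast" alert format; the
log lines, addresses, SIDs and function names are constructed for
illustration.</span></font></p>

<pre>
```python
import re
from collections import Counter

# Snort "fast" alert: ts [**] [gid:sid:rev] msg [**] ... {PROTO} src[:port] -> dst[:port]
FAST = re.compile(
    r"^(\S+)\s+\[\*\*\]\s+\[(\d+:\d+:\d+)\]\s+(.*?)\s+\[\*\*\].*?"
    r"\{(\w+)\}\s+([\d.]+)(?::(\d+))?\s+->\s+([\d.]+)(?::(\d+))?\s*$"
)

# Constructed sample of the external (outside-the-firewall) sensor's log.
EXTERNAL_LOG = """\
04/01-02:14:07.101010  [**] [1:1000001:1] CONSTRUCTED ICMP sweep [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 203.0.113.45 -> 192.0.2.10
04/01-02:14:09.220000  [**] [1:1000002:1] CONSTRUCTED TCP port probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.45:40112 -> 192.0.2.10:22
04/01-02:14:09.940000  [**] [1:1000002:1] CONSTRUCTED TCP port probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.45:40113 -> 192.0.2.11:80
04/02-18:30:00.000001  [**] [1:1000002:1] CONSTRUCTED TCP port probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.7:5555 -> 192.0.2.10:25
04/03-09:02:41.500000  [**] [1:1000003:1] CONSTRUCTED web probe [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.45:40990 -> 192.0.2.11:80
not an alert line
""".splitlines()

def parse_fast(lines):
    """Yield one dict per parsable fast-alert line; silently skip anything else."""
    for line in lines:
        m = FAST.match(line.strip())
        if m:
            ts, sid, msg, proto, src, _sport, dst, dport = m.groups()
            yield {"ts": ts, "sid": sid, "msg": msg, "proto": proto,
                   "src": src, "dst": dst, "dport": dport}

def history_for(ip, external_lines):
    """Summarise what the external sensor logged for the IP named by an internal alert."""
    hits = [a for a in parse_fast(external_lines) if a["src"] == ip]
    if not hits:
        return None
    # Fast-alert timestamps carry no year; string order is valid within one year.
    stamps = sorted(a["ts"] for a in hits)
    return {
        "alerts": len(hits),
        "first_seen": stamps[0],
        "last_seen": stamps[-1],
        "signatures": Counter(a["msg"] for a in hits),
        "targets": sorted({a["dst"] for a in hits}),
        "ports": sorted({int(a["dport"]) for a in hits if a["dport"]}),
    }

if __name__ == "__main__":
    # 203.0.113.45 stands in for the source IP taken from the internal sensor's alert.
    print(history_for("203.0.113.45", EXTERNAL_LOG))
```
</pre>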

</body>

</html>