Snort mailing list archives
RE: Running snort on a firewall
From: Saad Kadhi <bsdguy () docisland org>
Date: 20 Dec 2001 22:21:30 +0100
On Thu, 2001-12-20 at 20:02, Fraser Hugh wrote:
> I prefer to run an IDS on a second box, either outside or inside the firewall (or better still both) depending upon what you want to see. Philosophically speaking, I like to keep firewalls as simple as possible, stripping them down to the bare necessities. Practically speaking, the firewall is likely to be the target of attacks, and may not be able to notify me when necessary if, for instance, it's suffering under the load of a DOS attack. The IDS, ideally, uses an un-configured NIC to monitor the network, and is for all intents and purposes invisible, generating no traffic on the network being monitored, and not likely to be profiled using the anti-sniffer tools.
I agree with that completely. I consider running the IDS on the firewall as the El Cheapo(tm) solution. Agreed, I have this setup on my home network and it works fine but my firewall is kind of "boosted" with lots of RAM & a fast HD & some kernel tweaks.
> What you're asking to do is technically possible, but the small additional cost of a second machine for an IDS gives a more manageable, secure solution.
IMHO, if one is really serious about IDS stuff one would have two boxes listening on both the inside & the outside of the firewall plus a separate "logging" fast network with a db server to which the Snorts will send the logs. But I don't want to start a flame-war(tm) here ;) HTH
> -----Original Message-----
> From: Linux Boy [mailto:cslinuxboy () hotmail com]
> Sent: Thursday, December 20, 2001 1:12 PM
> To: snort-users () lists sourceforge net
> Subject: [Snort-users] Running snort on a firewall
>
> Hello Everyone,
>
> I am new to snort. I tried some examples on a LAN workstation, now I want to see and monitor it all. We have a linux firewall running netfilter/iptables. Can I run snort on the firewall without impacting the firewall's performance/security? Any advice would be good.
>
> Thanks in advance.
> Mike
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
--
/Saad Kadhi
---------------------------------------------------------------
bsdguy () docisland org
pgp keyid: 35592A6D
fingerprint: BF7D D73E 1FCF 4B4F AF63 65EB 34F1 DBBF 3559 2A6D
---------------------------------------------------------------
.sig made with the six^Hvi editor
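Added example, not part of the original message or of the Snort project: a check that a sensor NIC really is "un-configured" in the sense described in the quoted text above, run here over constructed `ip -o addr show` output. The interface names (eth0 for management, eth1 for the sensor) and the sample addresses are assumptions; the point it shows is that Linux gives any interface that is brought up an IPv6 link-local address, so the absence of an IPv4 address alone does not make the NIC silent.

```sh
#!/bin/sh
# Audit whether a sniffing NIC carries any layer-3 address.
# Input format: the one-line-per-address output of `ip -o addr show`.

# Constructed sample (not captured from a real host):
#   eth0 = management interface with an IPv4 address
#   eth1 = sensor interface, no IPv4, but the auto-assigned IPv6 link-local
SAMPLE_ADDRS='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: eth0    inet 192.0.2.10/24 brd 192.0.2.255 scope global eth0\       valid_lft forever preferred_lft forever
3: eth1    inet6 fe80::a00:27ff:fe4e:66a1/64 scope link \       valid_lft forever preferred_lft forever'

# sensor_addrs IFACE: read `ip -o addr show` text on stdin and print
# "family address" for every address bound to IFACE.
sensor_addrs() {
    awk -v ifc="$1" \
        '$2 == ifc && ($3 == "inet" || $3 == "inet6") { print $3, $4 }'
}

# is_stealth IFACE: succeed (0) only if IFACE has no address at all.
# An interface that does not exist also yields no lines, so confirm the
# interface is present separately before trusting a "passive" result.
is_stealth() {
    [ -z "$(sensor_addrs "$1")" ]
}

# Report on the constructed sample. On a live sensor, replace the printf
# with:  ip -o addr show
for ifc in eth0 eth1; do
    if printf '%s\n' "$SAMPLE_ADDRS" | is_stealth "$ifc"; then
        echo "$ifc: no addresses bound, passive"
    else
        echo "$ifc: NOT passive, addresses bound:"
        printf '%s\n' "$SAMPLE_ADDRS" | sensor_addrs "$ifc" | sed 's/^/    /'
    fi
done
# If the sensor interface is flagged only for an fe80:: address, setting
# net.ipv6.conf.<iface>.disable_ipv6=1 before bringing it up removes it.
```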