From: Gregor Binder (gbindersysfive.com)
Date: Fri Mar 16 2001 - 12:40:50 CST

    Burleson, Lee (IA) on Fri, Mar 16, 2001 at 09:51:07AM -0600:

    Lee,

    > I will be bringing up a firewall soon at one of my network borders, and will
    > likely put my existing Snort box behind it. I have had thoughts about
    > putting up a separate box outside the firewall as well. I can see being
    > able to compare logs and so forth to provide more meaningful information by
    > way of differential analysis. I suppose the external IDS logs will be of
    > less use if the firewall provides useful-enough reporting (Gauntlet) though.
    >
    > Any thoughts on this?

    Yep, good idea :) .. allows you to have a record of both very likely
    successful attacks and probably unsuccessful attacks (which you might
    want to keep as well, since they might have penetrated your firewall due
    to something unexpected (a bug, packetfilters/proxies not being up ..)).

    Correlation of those logs will be especially easy if you don't do any
    NAT/masquerading. You will still have to deal with varying timestamps
    and things like that.

    In addition to that, depending on what this network is actually doing,
    you can eliminate more false positives as opposed to just running a
    sensor on the inside. Say if this is a server farm for example (penetration
    originating from the inside less likely), there could be some things
    like DNS queries triggering alerts, and since you would expect to see
    successful penetrations from the outside on both sensors, there you go.
    (This example assumes internal DNS servers).

    Note that the inside sensor will much more likely drop packets, unless
    you have a really fat pipe coming into your net (or you are running a
    10baseT net on the inside :)).

    regards,

    -- 
    Gregor Binder       <gregor.bindersysfive.com>      http://sysfive.com/
    sysfive.com GmbH               UNIX. Networking. Security. Applications.
    PGP id: 0x20C6DA55 fp: 18AB 2DD0 F8FA D710 1EDC A97A B128 01C0 20C6 DA55
    
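The differential analysis Gregor describes, as an added example that is not part of the original post or of Snort itself: two sensors' alert logs in Snort "fast" format are parsed, the inside sensor's timestamps are corrected for an assumed clock skew, and alerts are matched on signature plus 5-tuple (which only works without NAT between the sensors, as he notes). An alert seen on both sensors crossed the firewall; one seen only outside was blocked; one seen only inside originated internally or was never seen outside. The log lines, signature IDs (local 1000000+ range), addresses and the 3-second skew are all constructed for the example.

```python
"""
Correlate alerts from an outside (pre-firewall) and an inside (post-firewall)
Snort sensor. Added example, not code from the original post or from Snort.
All alert lines, addresses and signature IDs below are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Snort "fast" alert layout as assumed here: month/day only, so a year is
# supplied at parse time. Ports are optional so ICMP alerts parse too.
FAST_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

# Constructed sample logs. The inside sensor's clock runs 3 s ahead.
OUTSIDE_ALERTS = [
    "03/16-09:51:07.104231  [**] [1:1000001:1] LOCAL WEB attack attempt [**] "
    "[Classification: Web Application Attack] [Priority: 1] {TCP} 198.51.100.7:33451 -> 203.0.113.10:80",
    "03/16-09:51:09.550000  [**] [1:1000002:1] LOCAL SCAN NetBIOS probe [**] "
    "[Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.7:33460 -> 203.0.113.10:139",
    "03/16-09:51:12.000000  [**] [1:1000003:1] LOCAL ICMP large echo [**] "
    "[Classification: Misc activity] [Priority: 3] {ICMP} 198.51.100.9 -> 203.0.113.10",
]
INSIDE_ALERTS = [
    "03/16-09:51:10.120000  [**] [1:1000001:1] LOCAL WEB attack attempt [**] "
    "[Classification: Web Application Attack] [Priority: 1] {TCP} 198.51.100.7:33451 -> 203.0.113.10:80",
    "03/16-09:51:15.000000  [**] [1:1000004:1] LOCAL DNS oversized query [**] "
    "[Classification: Misc activity] [Priority: 3] {UDP} 203.0.113.10:4021 -> 203.0.113.2:53",
]


def parse_fast_alert(line, year=2001):
    """Parse one fast-format alert line; return None for anything else."""
    m = FAST_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year}/{m['ts']}", "%Y/%m/%d-%H:%M:%S.%f")
    return {"ts": ts, "sid": int(m["sid"]), "msg": m["msg"], "proto": m["proto"],
            "src": m["src"], "sport": m["sport"], "dst": m["dst"], "dport": m["dport"]}


def flow_key(alert):
    """Same signature on the same 5-tuple. Only meaningful when no NAT sits
    between the two sensors, otherwise src/dst differ per side."""
    return (alert["sid"], alert["proto"], alert["src"], alert["sport"],
            alert["dst"], alert["dport"])


def correlate(outside_lines, inside_lines, inside_skew_s=0.0, window_s=2.0):
    """Classify alerts into both / outside_only / inside_only.

    inside_skew_s: seconds the inside sensor's clock is ahead of the outside
    sensor's; subtracted before matching. window_s: max gap for a match.
    """
    outside = [a for a in map(parse_fast_alert, outside_lines) if a]
    inside = [a for a in map(parse_fast_alert, inside_lines) if a]
    for a in inside:
        a["ts"] -= timedelta(seconds=inside_skew_s)

    by_key = defaultdict(list)
    for a in inside:
        by_key[flow_key(a)].append(a)

    both, outside_only = [], []
    window = timedelta(seconds=window_s)
    for a in outside:
        match = next((c for c in by_key.get(flow_key(a), [])
                      if not c.get("matched") and abs(c["ts"] - a["ts"]) <= window), None)
        if match:
            match["matched"] = True          # each inside alert pairs at most once
            both.append((a, match))
        else:
            outside_only.append(a)           # stopped at the firewall (or dropped inside)
    inside_only = [a for a in inside if not a.get("matched")]  # internal origin
    return {"both": both, "outside_only": outside_only, "inside_only": inside_only}


def summarize(result):
    """Counts per class, 'both' first since those crossed the firewall."""
    return {k: len(v) for k, v in result.items()}


if __name__ == "__main__":
    res = correlate(OUTSIDE_ALERTS, INSIDE_ALERTS, inside_skew_s=3.0)
    for out_alert, in_alert in res["both"]:
        print("CROSSED FIREWALL:", out_alert["msg"], out_alert["src"], "->", out_alert["dst"])
    for a in res["outside_only"]:
        print("blocked outside :", a["msg"])
    for a in res["inside_only"]:
        print("inside only     :", a["msg"])
    print(summarize(res))
```

In the constructed data the web alert appears on both sensors once the skew is removed (a hit to chase first), the NetBIOS probe and ICMP echo stay outside only, and the DNS alert is inside only, which in a server farm with internal DNS is the false-positive case the post mentions. A real deployment would get the skew from NTP rather than a hand-entered constant, and the window would need to grow if the inside sensor is dropping packets under load.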

    _______________________________________________
    Snort-users mailing list
    Snort-userslists.sourceforge.net
    Go to this URL to change user options or unsubscribe:
    http://lists.sourceforge.net/lists/listinfo/snort-users