Clicky

For a SNORT installaion, what is the correct topology, should this reside right behind the outbound interface only?  Or should it have an interface on each subnet?

asked 11/06/2011 10:15

Jack_son_'s gravatar image

Jack_son_ ♦♦


5 Answers:
If it’s for educational reasons, would you consider putting Snort on the outside of the firewall,however if otherwise on the inside will be better as you’ll only see stuff that your firewall lets through.
link

answered

wiz1order's gravatar image

wiz1order

no, its not for educational;   so right behind the firewall?
link

answered 2011-11-07 at 12:49:17

Jack_son_'s gravatar image

Jack_son_

yes..if it was helpful please indicate by clicking yes
link

answered 2011-11-07 at 14:37:07

wiz1order's gravatar image

wiz1order

hmmm, do you have a network diagram?
link

answered 2011-11-07 at 16:42:16

Jack_son_'s gravatar image

Jack_son_

Internet <-->Firewall<-->Switch<--Snort
or
Internet <-->Firewall<--Router-->Switch<--Snort (router/firewall can be transposed)

Typically Snort is serves you better on the inside watching the traffic going in/out. If you can get two NIC's to sniff with, you can split the IN and OUT between the snort "sensors"
-rich
link

answered 2011-11-08 at 05:06:46

richrumble's gravatar image

richrumble

Your answer
[hide preview]

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Tags:

Asked: 11/06/2011 10:15

Seen: 205 times

Last updated: 12/11/2011 05:50