[Malvern] Use of SNORT.

Andy Smith andy at lug.org.uk
Thu Jul 24 12:48:32 BST 2008


Hi Geoff,

On Thu, Jul 24, 2008 at 11:58:54AM +0100, Geoff Bagley wrote:
> Please can I have the views of "snort" users ?
> 
> On my small ether-network I have from one to four computers at any one
> time - not always the same one(s).
> 
> Where is the best place to run snort,  or should I have a copy on each 
> machine ?

Usually you run it at the boundary between two security zones.  So
for example you might put a snort sensor at the router between your
network of machines and the rest of the world.

Whether to put it in front of your firewall (so it sees all traffic
before it is dropped) as opposed to behind the firewall (so it only
sees what your machines see) is another call you have to make.

Also note that ideally you would have the snort sensor on a port
that is receiving mirrored traffic from the real port(s), and
passively sniffing it, as opposed to running it as an actual router in
the path of your traffic, as this turns snort into a single point of
failure.  Although you can go down the route of having multiple snort
boxes and failover.  Or anyway, if your router/firewall in this
instance are just UNIX boxes then maybe it is acceptable to run snort
on those as well as their routing/firewall functions.

You generally would not run a sensor on every machine as that's a bit
of a heavyweight approach and much harder to manage - can you manage
all the machines, are they all even yours, what happens if someone
plugs their own machine into your network, etc. etc.

> Is there a better approach using one of the several other security progs ?

It depends on what you are trying to achieve.

Cheers,
Andy

-- 
http://bitfolk.com/ -- No-nonsense VPS hosting
Encrypted mail welcome - keyid 0x604DE5DB
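The placement Andy describes above (a sensor reading a mirrored copy of the router's traffic, off the forwarding path, with HOME_NET chosen for the zone it sits in) can be done on a Linux router with tc. The script below is an added example written for this page, not code from the thread or from the Snort project. It assumes Linux with iproute2 4.8 or later (the clsact qdisc and the matchall filter), Snort 2.x, that the router's interface is eth0, and that the mirror target is a dummy interface called snort0; the interface names, HOME_NET and paths are placeholders.

```shell
#!/bin/sh
# Added example, not from the original thread: copy every frame crossing
# IFACE onto a dummy interface and run snort on that interface only, so
# the sensor is a passive tap and not a hop in the path.
# Assumptions: Linux, iproute2 >= 4.8 (clsact + matchall), Snort 2.x.
# IFACE=eth0, TAP=snort0 and the paths below are placeholders.
set -eu

SNORT_CONF="${SNORT_CONF:-/etc/snort/snort.conf}"   # assumed path
SNORT_LOG="${SNORT_LOG:-/var/log/snort}"            # assumed path

# Emit the commands that mirror IFACE's ingress and egress onto TAP.
# The copy is one-way: snort reads TAP, and a stalled or crashed snort
# changes nothing about what IFACE forwards. clsact is used rather than
# replacing the root qdisc, so any existing shaping on IFACE is kept.
mirror_cmds() {
    iface="$1"; tap="$2"
    cat <<EOF
ip link add $tap type dummy
ip link set $tap up
tc qdisc add dev $iface clsact
tc filter add dev $iface ingress matchall action mirred egress mirror dev $tap
tc filter add dev $iface egress matchall action mirred egress mirror dev $tap
EOF
}

# Emit the snort invocation: -i reads the mirror only; -S overrides the
# HOME_NET variable so rules know which side of the sensor is "inside";
# -A fast writes one-line alerts; -D daemonises.
# Mirroring the outside interface of the firewall shows snort traffic
# before it is dropped; mirroring the inside interface shows only what
# the LAN machines actually receive. Same mechanism, different IFACE
# and HOME_NET.
snort_cmd() {
    tap="$1"; home_net="$2"
    printf 'snort -i %s -c %s -S HOME_NET=%s -A fast -l %s -D\n' \
        "$tap" "$SNORT_CONF" "$home_net" "$SNORT_LOG"
}

# Dry run by default; APPLY=1 executes (needs root and the tools above).
main() {
    iface="${1:-eth0}"; tap="${2:-snort0}"; home_net="${3:-192.168.1.0/24}"
    if [ "${APPLY:-0}" = 1 ]; then
        mirror_cmds "$iface" "$tap" | sh -e
        eval "$(snort_cmd "$tap" "$home_net")"
    else
        echo "# dry run: set APPLY=1 to execute"
        mirror_cmds "$iface" "$tap"
        snort_cmd "$tap" "$home_net"
    fi
}

main "$@"
```

Run it as `./snort-tap.sh eth0 snort0 192.168.1.0/24` to see the plan, and with `APPLY=1` to apply it. Because the copies go to a dummy device that the router never forwards from, nothing snort does can affect the real traffic, which is the single-point-of-failure concern above; the cost is that snort sees traffic after any shaping on IFACE and can itself drop packets under load without anyone noticing, so watch its packet-loss counters.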