I suffer from a logic deficiency and I've been tossing an idea around in my
head. I thought it might be a good idea to run the logic past the people
here. I have a firewall between my network and the world and Snort behind my
firewall. That Snort station reports to ARIS. I'm toying with the idea of
putting another Snort station on the outside between my firewall and the
world and having it also report to ARIS.

If I do that, can I reasonably assume that any incidents that show up in the
outside Snort ARIS logs AND NOT in the firewall logs got through the
firewall? Can I also reasonably assume that, should something show up in
the outside Snort ARIS logs AND NOT in the firewall logs AND NOT in the
inside Snort ARIS logs, that the inside Snort station is not functioning
properly? By not functioning properly I mean anything from "bad NIC" to
"improper configuration" to "Snort sucks".

It makes sense to me that this would work but, you know, the logic thing.

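The two AND NOT tests asked about above, written out as an added example (not part of the original post) over constructed records. It assumes the firewall logs every packet it denies, both sensors run the same rules, clocks agree within a few seconds, and no NAT rewrites addresses between the sensors; `rec`, `matches`, `correlate` and the verdict labels are hypothetical names.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=5)  # assumed clock-skew tolerance between devices

def rec(ts, src, dst, dport, sid=None):
    """Build one normalised record; sid is the Snort signature id (None for firewall)."""
    return {"ts": datetime.fromisoformat(ts), "flow": (src, dst, dport), "sid": sid}

def matches(alert, log, need_sid):
    """True if `log` holds the same flow (and signature, if need_sid) within WINDOW."""
    return any(
        r["flow"] == alert["flow"]
        and abs(r["ts"] - alert["ts"]) <= WINDOW
        and (not need_sid or r["sid"] == alert["sid"])
        for r in log
    )

def correlate(outside, fw_denies, inside):
    """Label each outside-sensor alert using the two AND NOT tests from the post."""
    verdicts = []
    for a in outside:
        denied = matches(a, fw_denies, need_sid=False)
        seen_inside = matches(a, inside, need_sid=True)
        if denied and seen_inside:
            v = "conflict"         # denied yet seen inside: check rules and clocks
        elif denied:
            v = "blocked"          # outside AND firewall deny
        elif seen_inside:
            v = "passed_detected"  # outside AND NOT firewall, inside sensor alerted
        else:
            v = "passed_missed"    # outside AND NOT firewall AND NOT inside
        verdicts.append((a["flow"], a["sid"], v))
    return verdicts

# Constructed sample data (documentation addresses, made-up signature ids).
OUTSIDE = [
    rec("2024-01-01T10:00:00", "198.51.100.7", "203.0.113.10", 80, sid=1001),
    rec("2024-01-01T10:00:10", "198.51.100.7", "203.0.113.10", 23, sid=1002),
    rec("2024-01-01T10:00:20", "198.51.100.9", "203.0.113.10", 25, sid=1003),
]
FW_DENIES = [rec("2024-01-01T10:00:11", "198.51.100.7", "203.0.113.10", 23)]
INSIDE = [rec("2024-01-01T10:00:01", "198.51.100.7", "203.0.113.10", 80, sid=1001)]

if __name__ == "__main__":
    for flow, sid, verdict in correlate(OUTSIDE, FW_DENIES, INSIDE):
        print(flow, sid, verdict)
```

A `passed_missed` verdict points at the inside sensor only while the listed assumptions hold; a firewall that drops a packet without logging it produces the same verdict.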