On Friday 17 May 2002 02:03 pm, Adam Shephard wrote:
> I suffer from a logic deficiency and I've been tossing an idea around in my
> head. I thought it might be a good idea to run the logic past the people
> here. I have a firewall between my network and the world and Snort behind
> my firewall. That Snort station reports to ARIS. I'm toying with the idea
> of putting another Snort station on the outside between my firewall and the
> world and having it also report to ARIS.
>
> If I do that, can I reasonably assume that any incidents that show up in
> the outside Snort ARIS logs AND NOT in the firewall logs got through the
> firewall? Can I also reasonably assume that, should something show up in
> the outside Snort ARIS logs AND NOT in the firewall logs AND NOT in the
> inside Snort ARIS logs, that the inside Snort station is not functioning
> properly? By not functioning properly I mean anything from "bad NIC" to
> "improper configuration" to "Snort sucks".
>
> It makes sense to me that this would work but, you know, the logic thing.

not what you asked, but i'll go on anyway

it's possible (depending on what your firewall is) to mirror all external 
traffic to your internal ids sensor. in that situation, it might be best to 
put the snort sensor with a direct link only to the firewall, and configure 
it so it can only talk out to the ARIS stuff. that should eliminate an extra 
machine to deal with.
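The correlation logic from the original question, written out as an added example that is not part of this thread and not Snort or ARIS code. It assumes three simplified record formats (constructed here, not real Snort or firewall output), a flow key of source, destination and destination port shared by all three sources, and a small clock-skew window. It also makes the caveat explicit: an outside alert with no firewall drop counts as "passed" only if the firewall actually logs every drop, and an inside-sensor problem is better judged from the ratio of missed flows than from any single event.

```python
"""
Three-way correlation of outside-IDS alerts, firewall drop logs and inside-IDS
alerts, following the reasoning in the thread. All records below are
constructed sample data in a simplified format, not real Snort or firewall logs.
"""
from datetime import datetime, timedelta

# Constructed outside-sensor alerts: (timestamp, src, dst, dport, signature).
OUTSIDE_ALERTS = [
    ("2002-05-17 14:03:01", "203.0.113.5", "192.0.2.10", 80, "WEB-IIS cmd.exe access"),
    ("2002-05-17 14:03:05", "203.0.113.7", "192.0.2.10", 25, "SMTP VRFY root"),
    ("2002-05-17 14:03:09", "203.0.113.9", "192.0.2.10", 21, "FTP SITE EXEC"),
    ("2002-05-17 14:03:12", "203.0.113.11", "192.0.2.10", 80, "WEB-MISC /etc/passwd"),
]
# Constructed firewall drop records: (timestamp, src, dst, dport).
# Assumption: the firewall logs every drop; an unlogged drop would look like "passed".
FIREWALL_DROPS = [
    ("2002-05-17 14:03:05", "203.0.113.7", "192.0.2.10", 25),
    ("2002-05-17 14:03:09", "203.0.113.9", "192.0.2.10", 21),
]
# Constructed inside-sensor alerts: only one of the two passed flows was seen.
INSIDE_ALERTS = [
    ("2002-05-17 14:03:01", "203.0.113.5", "192.0.2.10", 80, "WEB-IIS cmd.exe access"),
]

WINDOW = timedelta(seconds=30)  # assumed clock-skew tolerance between the sources


def _key(rec):
    """Flow key shared by all three record types: (src, dst, dport)."""
    return (rec[1], rec[2], rec[3])


def _ts(rec):
    return datetime.strptime(rec[0], "%Y-%m-%d %H:%M:%S")


def _seen(rec, others):
    """True if some record in `others` has the same flow key within WINDOW."""
    return any(_key(o) == _key(rec) and abs(_ts(o) - _ts(rec)) <= WINDOW
               for o in others)


def classify(outside, drops, inside):
    """Label every outside alert, keyed by (timestamp, src, dst, dport):
      blocked          - the firewall logged a drop for this flow
      passed_detected  - no drop logged, and the inside sensor alerted too
      passed_missed    - no drop logged, and the inside sensor stayed silent
    """
    result = {}
    for rec in outside:
        if _seen(rec, drops):
            label = "blocked"
        elif _seen(rec, inside):
            label = "passed_detected"
        else:
            label = "passed_missed"
        result[(rec[0],) + _key(rec)] = label
    return result


def sensor_health(labels):
    """Fraction of passed flows the inside sensor never reported.

    One missed flow can be a dropped packet or a rule difference; a ratio near
    1.0 across many flows points at the inside sensor itself (NIC, SPAN port,
    configuration, rule set)."""
    passed = [v for v in labels.values() if v.startswith("passed")]
    if not passed:
        return 0.0
    return sum(1 for v in passed if v == "passed_missed") / len(passed)


if __name__ == "__main__":
    labels = classify(OUTSIDE_ALERTS, FIREWALL_DROPS, INSIDE_ALERTS)
    for key, label in labels.items():
        print(key, "->", label)
    print("inside sensor miss ratio:", sensor_health(labels))
```

Matching on a flow key rather than on signature names keeps the firewall (which has no signatures) comparable with the two sensors; if the inside sensor runs a different rule set from the outside one, a flow can still be "passed_missed" for a benign reason, which is why the health check is a ratio over many flows rather than a verdict on one.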
