On 17 May 2002 at 14:03, Adam Shephard wrote:

> I suffer from a logic deficiency and I've been tossing an idea around
> in my head. I thought it might be a good idea to run the logic past
> the people here. I have a firewall between my network and the world
> and Snort behind my firewall. That Snort station reports to ARIS. I'm
> toying with the idea of putting another Snort station on the outside
> between my firewall and the world and having it also report to ARIS.
> 
> If I do that, can I reasonably assume that any incidents that show up
> in the outside Snort ARIS logs AND NOT in the firewall logs got
> through the firewall?

It sounds like you're comparing apples with oranges.  The role of Snort and that of a firewall logging all dropped packets really are quite different.  Snort will log events such as IIS directory traversals which most firewalls will blissfully ignore.  Similarly, a Nimda attempt to an IP address for which the firewall is dropping incoming web connections will not be noticed by Snort, but will generate an entry in the firewall log (if all drops are logged).

> Can I also reasonably  assume that, should
> something show up in the outside Snort ARIS logs AND NOT in the
> firewall logs AND NOT in the inside Snort ARIS logs, that the inside
> Snort station is not functioning properly? By not functioning properly
> I mean anything from "bad NIC" to "improper configuration" to "Snort
> sucks".
> 

Not necessarily.  There may be traffic on the firewall's external network segment which a promiscuously-capturing IDS box would see, but which the firewall's interface would not: traffic to other machines outside the firewall, traffic to the Snort box's own network interface (if it is not transparent), or traffic destined for the firewall itself.

Personally I don't run IDS outside the firewall; I'm only interested in what gets through.

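The correlation the original poster is describing, and the two caveats in the reply (the firewall only logs drops, and an outside sensor sees traffic that never reaches the firewall's ruleset), can be made concrete with a small log-correlation script. The following is an added example and not code from either poster or from the Snort project; the topology (a hypothetical 192.0.2.0/24 protected network, firewall external address 203.0.113.1, outside sensor NIC 203.0.113.2), the five-second clock-skew window, and all log lines are constructed for the example. Snort alerts are taken in the "fast" alert format and firewall drops in iptables/syslog style, which are assumptions about the log formats rather than what the poster actually had.

```python
import re
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed topology for this example (RFC 5737 documentation ranges).
PROTECTED_NET = ip_network("192.0.2.0/24")     # hypothetical network behind the firewall
FIREWALL_EXT_IP = ip_address("203.0.113.1")    # hypothetical firewall external address
OUTSIDE_SENSOR_IP = ip_address("203.0.113.2")  # hypothetical outside Snort box's own NIC
WINDOW = timedelta(seconds=5)                  # clock skew tolerated between the three logs
YEAR = 2002                                    # neither log format carries a year

# Snort "fast" alert line, e.g.
# 05/17-14:03:01.100000  [**] [1:1002:5] WEB-IIS cmd.exe access [**] ... {TCP} a.b.c.d:p -> w.x.y.z:q
SNORT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d)\.\d+\s+\[\*\*\]\s+\[[\d:]+\]\s+(?P<msg>.+?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):\d+\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s*$")
# iptables-style DROP line via syslog, e.g.
# May 17 14:03:01 fw kernel: DROP IN=eth0 OUT= SRC=a.b.c.d DST=w.x.y.z PROTO=TCP SPT=p DPT=q
FW_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+kernel:\s+DROP\s+.*?"
    r"SRC=(?P<src>[\d.]+)\s+DST=(?P<dst>[\d.]+)\s+PROTO=(?P<proto>\w+).*?DPT=(?P<dport>\d+)")

def parse_snort_fast(line):
    """Parse one Snort 'fast' alert line into a flow record (None if it does not match)."""
    m = SNORT_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{YEAR}/{m['ts']}", "%Y/%m/%d-%H:%M:%S")
    return {"ts": ts, "msg": m["msg"], "src": ip_address(m["src"]),
            "dst": ip_address(m["dst"]), "dport": int(m["dport"])}

def parse_fw_drop(line):
    """Parse one iptables-style DROP line into a flow record (None if it does not match)."""
    m = FW_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "src": ip_address(m["src"]), "dst": ip_address(m["dst"]),
            "dport": int(m["dport"])}

def _match(rec, pool, same_msg=False):
    """Find a record in pool with the same src/dst/dport (and msg, if asked) within WINDOW."""
    for other in pool:
        if (other["src"], other["dst"], other["dport"]) != (rec["src"], rec["dst"], rec["dport"]):
            continue
        if same_msg and other["msg"] != rec["msg"]:
            continue
        if abs(other["ts"] - rec["ts"]) <= WINDOW:
            return other
    return None

def classify(outside_alert, fw_drops, inside_alerts):
    """Say what one outside-sensor alert tells us, given the firewall and inside-sensor logs."""
    dst = outside_alert["dst"]
    # The reply's caveat: the outside sensor sees traffic that never crosses the firewall,
    # so its absence from the firewall log says nothing about what got through.
    if dst == FIREWALL_EXT_IP:
        return "to-firewall-itself"
    if dst == OUTSIDE_SENSOR_IP:
        return "to-sensor-itself"
    if dst not in PROTECTED_NET:
        return "outside-segment"
    if _match(outside_alert, fw_drops):
        return "dropped-by-firewall"
    if _match(outside_alert, inside_alerts, same_msg=True):
        return "passed-seen-inside"
    # No drop logged and the inside sensor stayed silent: a sensor fault, a rule-set
    # difference, or an unlogged drop are all possible. This needs a human, not an assumption.
    return "passed-unconfirmed"

def correlate(outside_lines, fw_lines, inside_lines):
    """Return (verdict per outside alert, firewall drops with no outside-sensor alert)."""
    outside = [r for r in map(parse_snort_fast, outside_lines) if r]
    drops = [r for r in map(parse_fw_drop, fw_lines) if r]
    inside = [r for r in map(parse_snort_fast, inside_lines) if r]
    verdicts = {(str(a["src"]), str(a["dst"]), a["msg"]): classify(a, drops, inside) for a in outside}
    # The reply's other point: the firewall logs drops Snort has no signature for.
    fw_only = [d for d in drops if not _match(d, outside)]
    return verdicts, fw_only

# Constructed sample logs (not real traffic).
OUTSIDE_LOG = [
    "05/17-14:03:01.100000  [**] [1:1002:5] WEB-IIS cmd.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 198.51.100.7:1234 -> 192.0.2.10:80",
    "05/17-14:03:05.200000  [**] [1:1113:4] WEB-MISC http directory listing [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.8:1500 -> 192.0.2.10:80",
    "05/17-14:03:09.300000  [**] [1:1002:5] WEB-IIS cmd.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 198.51.100.9:1600 -> 192.0.2.30:80",
    "05/17-14:03:12.400000  [**] [1:1002:5] WEB-IIS cmd.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 198.51.100.9:1700 -> 203.0.113.1:80",
    "05/17-14:03:15.500000  [**] [1:1002:5] WEB-IIS cmd.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 198.51.100.9:1800 -> 203.0.113.50:80",
]
FIREWALL_LOG = [
    "May 17 14:03:01 fw kernel: DROP IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=1234 DPT=80",
    "May 17 14:03:20 fw kernel: DROP IN=eth0 OUT= SRC=198.51.100.11 DST=192.0.2.20 PROTO=TCP SPT=3000 DPT=80",
]
INSIDE_LOG = [
    "05/17-14:03:06.000000  [**] [1:1113:4] WEB-MISC http directory listing [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.8:1500 -> 192.0.2.10:80",
]

if __name__ == "__main__":
    verdicts, fw_only = correlate(OUTSIDE_LOG, FIREWALL_LOG, INSIDE_LOG)
    for key, verdict in verdicts.items():
        print(f"{key[0]} -> {key[1]} [{key[2]}]: {verdict}")
    for d in fw_only:
        print(f"firewall-only drop: {d['src']} -> {d['dst']}:{d['dport']}")
```

Run over the constructed logs, the script separates the one alert the firewall actually stopped from the one confirmed inside, flags the two alerts whose destinations never crossed the firewall (the firewall's own address and another host on the outside segment) rather than counting them as "got through", and leaves the remaining case marked as unconfirmed instead of concluding the inside sensor is broken. The second firewall drop, with no matching Snort alert at all, is the reply's Nimda-to-a-blocked-address case: the firewall saw it, Snort had nothing to say about it.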