Personally I wouldn't run Snort on the firewall. I believe the best
thing to do if you have the extra hardware is to run Snort
inline/network based (after the m0n0wall - LAN side). If you run Snort
before (WAN side) or on the m0n0wall, you will probably have too many
alerts to deal with... eventually leading to frustration and a lack of
maintenance and tuning of your rules. Having the IDS after the m0n0wall
will detect any malicious traffic passing through your m0n0wall, as long
as your rules are up to date - just like virus definitions.
Remember the IDS is just that, a detection system, NOT a prevention
From: Lew Maggio [mailto:lew at lsfc dot org]
Sent: Monday, October 25, 2004 12:41 AM
To: m0n0wall at lists dot m0n0 dot ch
Subject: [m0n0wall] snort or IDS
I need to implement an IDS system soon, and I would prefer to use snort
because it seems to be the most respected and most common. Has someone
built monowall with snort integrated?