If you only want to see the intrusion successes and not the intrusion
attempts, then you want your IDS inside your network. But that isn't
going to work properly.

You're right that an IDS probably shouldn't run on the firewall, but
they are *supposed* to be inline outside your router. You can't detect
intrusions on the inside the same as the outside. Take port scanning for
instance. You want the IDS to detect the port scan and then create a rule
on the fly to block that IP address from the system. Or alert you so
that you can do so if necessary.

The best way to do this is get a system built as an IDS, hook it up to a
hub, or managed switch so you can do some port mirroring, on the WAN
side. Use some cat5 with the Tx pairs clipped so that the box is only
capable of receiving traffic.

Now you have an undetectable IDS that will alert you properly of attacks
on your system. It will do so via another network card that is jacked
internally to a machine, or the network. It's obviously not going to be
able to do anything with the connection outside the WAN with no IP.

I personally wouldn't mind having my firewall running Snort, or an IDS,
as it saves me all that work. Also it would facilitate automatic
blocking of IP addresses on the m0n0wall, which you couldn't really have
without it built in.

To have an IDS is to get alerts, so if you don't like getting alerts,
don't run an IDS.
> Personally I wouldn't run Snort on the firewall. I believe the best
> thing to do if you have the extra hardware is to run Snort
> inline/network based (after the m0n0wall - LAN side) if you run Snort
> before (WAN side) or on the m0n0wall you will probably have too many
> alerts to deal with...eventually leading to frustration and a lack of
> maintenance and tuning of your rules. Having the IDS after the m0n0wall
> will detect any malicious traffic passing through your m0n0wall, as long
> as your rules are up to date - just like virus definitions.
> Remember the IDS is just that, a detection system, NOT a prevention
> -----Original Message-----
> From: Lew Maggio [mailto:lew at lsfc dot org]
> Sent: Monday, October 25, 2004 12:41 AM
> To: m0n0wall at lists dot m0n0 dot ch
> Subject: [m0n0wall] snort or IDS
> I need to implement an IDS system soon, and I would prefer to use snort
> because it seems to be the most respected and most common. Has someone
> built monowall with snort integrated?
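As an added illustration of the WAN-side versus LAN-side argument above (example code, not from this thread, m0n0wall or Snort): a small port-scan detector run over constructed connection records, once as a sensor on the WAN side would see them and once after a hypothetical firewall policy has dropped everything but a few permitted ports. The threshold, window, addresses and allowed-port set are all assumptions chosen for the demonstration.

```python
# Added example: minimal port-scan detection over constructed connection
# records, to show why the same scan is visible outside the firewall and
# invisible to a sensor placed on the LAN side.
from collections import defaultdict

SCAN_THRESHOLD = 10   # distinct destination ports from one source (assumption)
WINDOW_SECONDS = 60   # within this many seconds (assumption)

# Constructed sample records: (timestamp, source IP, destination port).
# A source in the documentation range probes ports 20..39, one per second,
# while a legitimate client touches 443 and 80.
WAN_SIDE = [(1000 + i, "203.0.113.5", 20 + i) for i in range(20)]
WAN_SIDE += [(1005, "198.51.100.7", 443), (1006, "198.51.100.7", 80)]

# Hypothetical firewall policy: only these ports are forwarded to the LAN.
ALLOWED_PORTS = {22, 25, 80}


def apply_firewall(records, allowed=ALLOWED_PORTS):
    """Model the firewall drop: a LAN-side sensor only sees permitted ports."""
    return [r for r in records if r[2] in allowed]


def detect_scans(records, threshold=SCAN_THRESHOLD, window=WINDOW_SECONDS):
    """Return {source_ip: sorted ports} for every source that touched at
    least `threshold` distinct ports inside a `window`-second sliding window.
    This is the detection step; blocking or alerting would act on the result."""
    per_source = defaultdict(list)
    for ts, src, port in sorted(records):
        per_source[src].append((ts, port))

    alerts = {}
    for src, events in per_source.items():
        for i, (start, _) in enumerate(events):
            # ports seen from this event forward, while still inside the window
            ports = {p for ts, p in events[i:] if ts - start <= window}
            if len(ports) >= threshold:
                alerts[src] = sorted(ports)
                break
    return alerts


def compare_vantage_points(records=WAN_SIDE):
    """Run the detector at both placements discussed in the thread."""
    return {"wan": detect_scans(records),
            "lan": detect_scans(apply_firewall(records))}


if __name__ == "__main__":
    for side, found in compare_vantage_points().items():
        print(f"{side}: {found or 'no scan detected'}")
```

The WAN-side sensor flags the probing source after seeing all twenty ports; the LAN-side sensor sees only the two permitted ports from it and raises nothing, which is the difference the reply above is pointing at.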