 From:  Ziekke <ziekke at ziekke dot net>
 To:  forums <forums at deleos dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] snort or IDS
 Date:  Mon, 25 Oct 2004 09:03:00 -0400
If you only want to see the intrusion successes and not the intrusion 
attempts, then you want your IDS inside your network. But that isn't 
going to work properly.

You're right that an IDS probably shouldn't run on the firewall, but 
they are *supposed* to be inline outside your router. You can't detect 
intrusions on the inside the same as the outside. Take port scanning for 
instance. You want the IDS to detect the port scan and then create a rule 
on the fly to block that IP address from the system. Or alert you so 
that you can do so if necessary.

The best way to do this is get a system built as an IDS, hook it up to a 
hub, or managed switch so you can do some port mirroring, on the WAN 
side. Use some cat5 with the Tx pairs clipped so that the box is only 
capable of receiving traffic.

Now you have an undetectable IDS that will alert you properly of attacks 
on your system. It will do so via another network card that is jacked 
internally to a machine, or the network. It's obviously not going to be 
able to do anything with the connection outside the WAN with no IP 
address :)

I personally wouldn't mind having my firewall running Snort, or an IDS 
as it saves me all that work. Also it would facilitate automatic 
blocking of IP addresses on the m0n0wall, which you couldn't really have 
without it built-in.

To have an IDS is to get alerts, so if you don't like getting alerts, 
don't run an IDS.

forums wrote:
> Personally I wouldn't run Snort on the firewall.  I believe the best
> thing to do if you have the extra hardware is to run Snort
> inline/network based (after the m0n0wall - LAN side) if you run Snort
> before (WAN side) or on the m0n0wall you will probably have too many
> alerts to deal with...eventually leading to frustration and a lack of
> maintenance and tuning of your rules.  Having the IDS after the m0n0wall
> will detect any malicious traffic passing through your m0n0wall, as long
> as your rules are up to date - just like virus definitions.
> Remember the IDS is just that a detection system NOT a prevention
> system.
> -Puma
> -----Original Message-----
> From: Lew Maggio [mailto:lew at lsfc dot org] 
> Sent: Monday, October 25, 2004 12:41 AM
> To: m0n0wall at lists dot m0n0 dot ch
> Subject: [m0n0wall] snort or IDS
> I need to implement an IDS system soon, and I would prefer to use snort
> because it seems to be the most respected and most common.  Has someone
> built monowall with snort integrated?
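The port-scan case Ziekke describes (a receive-only sensor on the WAN mirror port that can only alert, since it has no IP address to act with) is illustrated below. This is an added example and not code from the thread or from m0n0wall or Snort; the packet list is constructed to resemble what the sensor would see, and the threshold and window values are assumptions.

```python
from collections import defaultdict, deque

# Constructed sample of what a receive-only sensor on the WAN mirror port sees:
# (timestamp_seconds, src_ip, dst_ip, dst_port, tcp_flags). Addresses are
# documentation ranges, not real hosts.
PACKETS = (
    # one source probing 20 different ports on the firewall in one second
    [(i * 0.05, "203.0.113.7", "192.0.2.10", port, "S")
     for i, port in enumerate(range(20, 40))]
    # a legitimate client opening three services over several seconds
    + [(10.0 + k, "198.51.100.4", "192.0.2.10", p, "S")
       for k, p in enumerate((80, 443, 8080))]
    # an ACK on an established connection: not a new connection attempt
    + [(10.5, "198.51.100.4", "192.0.2.10", 80, "A")]
)


def detect_scans(packets, threshold=10, window=2.0):
    """Return one alert per source that opens connections to at least
    `threshold` distinct destination ports within `window` seconds.

    Only SYN-only packets count: they start new connections, so a burst of
    them to many ports is the signature of a scan. The sensor never blocks
    anything itself; the alert is what the operator (or the firewall, if the
    IDS is integrated there) acts on.
    """
    recent = defaultdict(deque)   # src -> deque of (ts, dport) inside window
    alerted = set()
    alerts = []
    for ts, src, dst, dport, flags in sorted(packets):
        if flags != "S":
            continue
        q = recent[src]
        q.append((ts, dport))
        while q and ts - q[0][0] > window:   # drop entries older than window
            q.popleft()
        ports = {p for _, p in q}
        if len(ports) >= threshold and src not in alerted:
            alerted.add(src)   # alert once per source, not once per packet
            alerts.append({"src": src, "dst": dst, "ports": len(ports),
                           "first": q[0][0], "last": ts})
    return alerts


if __name__ == "__main__":
    for a in detect_scans(PACKETS):
        print(f"ALERT port scan from {a['src']} -> {a['dst']}: "
              f"{a['ports']} ports in {a['last'] - a['first']:.2f}s")
```

The legitimate client never trips the threshold because its three connections are spread over more than the window, which is the tuning Puma's reply warns is needed to keep alert volume manageable.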