I'm not quite clear on the placement of snort. I would think that external interface/internet side would be the best placement because it would see possible attempts as apposed to an IDS on the internal network that sees what could have been blocked ...? Or would the optimal/paranoid solution be to have both?

Thanks

both would be ideal. people get carried away with external IDS when really the majority of threats originate internally.

The best method (according to the Snort 2.0 book) is to add one at the entry of your network, and then one on each network after for a single level network. Otherwise one on the gateway/firewall, and then one on each network.

I've getting used to both interfaces now.. kinda nice actually.. getta see what kinda gargadge my roomates pc spits out..

Having a sensor on both is ideal. But, you definately want to tune your signatures to cut down on the 1000's of false positives you will get from the external interface. ie, there is no need to log the millions of IIS sploits that hit daily if your not running it on your network.

oh you mean things like this:

[code:1:eb9c6917e5]
[**] [1:483:2] ICMP PING CyberKit 2.2 Windows [**]
[Classification: Misc activity] [Priority: 3]
09/16-09:25:34.146106 XX.X.X.XXX -> XX.X.X.XXX.XXX
ICMP TTL:125 TOS:0x0 ID:25911 IpLen:20 DgmLen:92
Type:8 Code:0 ID:1024 Seq:27752 ECHO
[Xref => http://www.whitehats.com/info/IDS154]
[/code:1:eb9c6917e5]

I used to run Mandrake on my webserver for quite a while and I decided to load up Snort on it to see what I could see on an internal host. I think it was mdk8.0 release but it was setup to automatically block windows worms and a couple other fairly obvious attacks. I'm sure they got some feedback on that setup because the next release didn't have all that setup automatically when you installed Snort. http/https was the only thing coming through from the outside but I liked having the added info to see what was going on internally as well as externally on the firewall. I would get one hit in the weblogs from a bad IP and then it was blocked on the firewall on the webserver even though the external firewall was still letting it through. At least it made the weblogs usable instead of how it was before with more attacks than legit traffic.

I was hooked on having an internal IDS to go with my external one. Use whatever is most feasible for you whether it's watching an internal interface on the firewall or actually installing IDS on an internal machine too. It's all layers upon layers. One failure shouldn't leave you wide open.