Snort mailing list archives
Re: Snort with IPTables
From: Mark Rowlands <fuc952d () tninet se>
Date: Sat, 12 Jan 2002 21:06:09 +0100
On Thursday 10 January 2002 5:50 pm, jaalexan () rockwellcollins com wrote:
Hello all, I have done some reading of the archived messages but I still have a few questions about Snort with IP Tables. First some info about our environment. I have a small SOHO setup where I have a cable modem providing the internet connection. We have one Linux server that has IP Tables on it with an IP Masq subnet behind it. The server also runs various services (Web, Mail, SSH) and has those ports open on the firewall. The external interface is eth1 and the internal interface is eth0. I would like to be able to put Snort on this box to determine how much abuse we are getting. From the archive it seems like this is possible but I am not sure. Ideally I would like to bind Snort to eth1 so I can see all the traffic that is coming at the firewall and then somehow bind it also to eth0 to determine what is making it past the rule set of the firewall. But if I am forced to, I would be happy to have it sitting on the external interface.
Nobody seems to have offered any answer, so here is my .02.

The various discussions I have seen on this list seem to indicate that this will not make a difference: Snort will only see those packets that are not blocked. My experience, albeit with ipfilter / ipnat, seems to reflect this opinion.

A real hub (make sure it is not one of those hub/switch type things) ahead of your firewall, with the connection from the cable modem plugged into the (uplink?) port, and a second box with two interfaces, one with no address configured attached to the hub, the second attached to your NAT'ed net, may allow you to see what is coming to your firewall.

OTOH ... I could be talking absolute nonsense.