Snort mailing list archives

Re: Snort with IPTables


From: Mark Rowlands <fuc952d () tninet se>
Date: Sat, 12 Jan 2002 21:06:09 +0100

On Thursday 10 January 2002 5:50 pm, jaalexan () rockwellcollins com wrote:
Hello all,

I have done some reading of the archived message but I still have a few questions about Snort with IP Tables.

First some info about our environment. I have a small SOHO setup where I have a cable modem providing the internet connection. We have one Linux server that has IP Tables on it with an IP Masq subnet behind it. The server also runs various services (Web, Mail, SSH) and has those ports open on the firewall. The external interface is eth1 and the internal interface is eth0.

I would like to be able to put Snort on this box to determine how much abuse we are getting. From the archive it seems like this is possible but I am not sure. Ideally I would like to bind snort to eth1 so I can see all the traffic that is coming at the firewall and then somehow bind it also to eth0 to determine what is making it past the rule set of the firewall. But if I am forced to I would be happy to have it sitting on external interface.

Nobody seems to have offered any answer so here is my .02

The various discussions I have seen on this list seem to indicate that this will not make a difference, snort will only see those packets that are not blocked.

My experience, albeit with ipfilter / ipnat, seems to reflect this opinion.

A real hub (make sure it is not one of those hub/switch type things) ahead of your firewall with the connection from the cable modem plugged into the (uplink ?) port, a second box with two interfaces, one with no address configured attached to the hub, the second attached to your nat'ed net may allow you to see what is coming to your firewall.

otoh ... I could be talking absolute nonsense. 
