Snort mailing list archives

inside or outside


From: "Seth L. Thomas" <s.thomas4 () comcast net>
Date: Fri, 19 Jul 2002 06:47:52 -0400

Sorry if this was covered before but..

Where should snort go, inside or outside of a firewall? Let's say you have a
standalone box so when you run snort against the interface to the net like
snort -dv -i eth0 then you're actually running snort on the outside of the
firewall because it binds to the raw socket so it gets the traffic before
your kernel (ipchains/iptables) has time to react to it.

But if the traffic you're sniffing is being blocked by ipchains/iptables then
snort won't give you much info because the blocked traffic won't be able to
establish a connection so at most you'll capture a SYN.

But if you run snort against traffic that you allow through the firewall
then I mean, it's too late cause you're already letting it in. I always
wanted to know a little bit more info about the traffic I'm blocking (more
info than what ipchains/iptables gives you) but how can one do that without
allowing it in?

 


-- 
Join the Navy; sail to far-off exotic lands, meet 
exciting interesting people, and kill them.

