Snort mailing list archives

RE: inside or outside


From: "McCammon, Keith" <Keith.McCammon () eadvancemed com>
Date: Fri, 19 Jul 2002 11:45:34 -0400

Standard example: 

One computer connected to the net through eth0. Computer runs ipchains which is configured to block port 80. snort -dv -i eth0 -l /var/log/snort port 80

OK.  So when ipchains sees src port 80, it drops.  And you're telling Snort to inspect port 80.  This doesn't make 
sense.  If you're dropping it, then why waste your IDS's time watching that port?
 
According to the docs snort is on the "outside" of your firewall because it sees the traffic on the iface before ipchains/iptables. Since ipchains/iptables is configured to block port 80 then snort will only capture the SYN packet because the full connection couldn't go through.

Right.  Because that's what firewalls do.  

That SYN packet capture is practically useless.

I guess??? 

Now if you tell ipchains/iptables to open up port 80, then technically snort will be on the "inside" of your firewall and will be able to capture the entire packet's payload. But assuming you were running apache on that port and it was vuln to whatever, then you're screwed anyway.  

First, I would take issue with the use of the word "inside" here.  Snort is still looking at the external interface; 
you just punched a hole in your firewall, that's all.  Inside would typically indicate looking at traffic to and from 
the internal interface.  But I digress...

And yes, now Snort can see the entire session.  Although it now sounds as though you're talking about punching a hole 
in the firewall to benefit the IDS, which is a** backwards, to be blunt.  I'd be more concerned with blocking the 
traffic and protecting my hosts, than I would with seeing the traffic and putting the network at risk.  I wouldn't open 
up RPC on my firewall just to see what I've been missing!  

So unless you have a bunch of boxes to play around with I don't see how you can use snort in any effective way in a standalone box on traffic that you block.

I think you're missing the point of an IDS.  I would define using Snort in an "effective way" as inspecting the traffic 
that I *allow* to try and identify nasties.  If you're dropping the traffic anyway, then you shouldn't waste resources 
by having your IDS (try to) inspect it.  

I can see what you're saying for like DMZs and people who use layers of dedicated router and firewalls, just not for standalone boxes. 

The architecture is irrelevant.
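The two points argued above (a sniffer ahead of a host firewall sees only the SYN for a dropped port, and the IDS is better spent on traffic the firewall allows) as an added example; this is illustrative code, not from the thread or from Snort, and the packets and blocked-port set are constructed.

```python
"""Added example (not from the thread): why an IDS on the external interface
only sees SYNs for firewall-dropped ports, and how to scope the sniffer to
traffic the firewall actually allows. All packet records are constructed."""
from collections import defaultdict

# Constructed: inbound TCP ports the host firewall (ipchains/iptables) drops.
BLOCKED_PORTS = {80}

# Constructed packets as seen on eth0 *before* the firewall:
# (src, dst_port, tcp_flags, payload)
PACKETS = [
    ("10.0.0.5", 80, "S", b""),            # SYN to blocked port: dropped, no SYN/ACK back
    ("10.0.0.5", 80, "S", b""),            # client retransmits the SYN, still nothing
    ("10.0.0.7", 22, "S", b""),            # SYN to allowed port
    ("10.0.0.7", 22, "A", b""),            # handshake completes
    ("10.0.0.7", 22, "PA", b"SSH-2.0-x"),  # payload the IDS can actually inspect
]


def summarize_sessions(packets, blocked_ports):
    """Group packets by (src, dst_port) and record how many SYNs were seen and
    how many payload bytes the sniffer could inspect. A session to a blocked
    port never gets past the SYN, so its payload_bytes stays at 0."""
    sessions = defaultdict(lambda: {"syn": 0, "payload_bytes": 0, "blocked": False})
    for src, dport, flags, payload in packets:
        s = sessions[(src, dport)]
        s["blocked"] = dport in blocked_ports
        if "S" in flags and "A" not in flags:   # bare SYN, not a SYN/ACK
            s["syn"] += 1
        s["payload_bytes"] += len(payload)
    return dict(sessions)


def allowed_only_bpf(blocked_ports):
    """BPF expression that excludes the ports the firewall drops anyway, so the
    IDS inspects only traffic that can reach a service. Assumption: it is used
    as the trailing filter on the snort command line, like 'port 80' above."""
    if not blocked_ports:
        return "tcp"
    ports = " or ".join(f"dst port {p}" for p in sorted(blocked_ports))
    return f"tcp and not ({ports})"


if __name__ == "__main__":
    for key, s in summarize_sessions(PACKETS, BLOCKED_PORTS).items():
        print(key, s)
    print(allowed_only_bpf(BLOCKED_PORTS))
```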

