Snort mailing list archives
(no subject)
From: "Nanabhay Mohamed * Group (GP)" <MohamedN () Transnet co za>
Date: Thu, 17 Oct 2002 08:24:26 +0200
Hi,

I'm trying to set up snort behind and in front of a firewall. The results of my endeavours are mysterious indeed... any help would be appreciated. (Excuse the drawings)

=====switch======O<--- Snort box on a mirrored port (Outside network)
        |
        |
*******Firewall*********
        |
        |
=Cisco Local Redirector=
        |
        |
=====switch======O<--- Snort box on a mirrored port (Inside network)
        |
----lan-----------------------

Now, the box on the outside is picking up all sorts of interesting traffic including a stack of IIS and WEB CGI attacks on port 80. The funny thing is, the snort sensor on the inside isn't picking up any of them. The firewall is set to allow all HTTP traffic. The snort sensor is working and if I dump the traffic I can see HTTP traffic as well.

I'm not sure if it's the local redirector doing something (but the network admin has assured me it's just directing all the traffic so it shouldn't be a problem).

Another thing is they are using virtual IPs. So the external snort sensor picks up attacks for say XXX.XXX.151.30. The real address of the machine is XXX.XXX.151.40. Would this make any difference?

Thanks in advance,

Mohamed Nanabhay
Information Systems Security Services (IS3)
Transnet Group Audit Services
Tel : 011 308 4298