Snort mailing list archives
(no subject)
From: "Nanabhay Mohamed * Group (GP)" <MohamedN () Transnet co za>
Date: Thu, 17 Oct 2002 08:24:26 +0200
Hi,
I'm trying to set up snort behind and in front of a firewall. The results of
my endeavours are mysterious indeed... any help would be appreciated. (Excuse
the drawings)
=====switch======O<--- Snort box on a mirrored port (Outside network)
        |
        |
*******Firewall*********
        |
        |
=Cisco Local Redirector=
        |
        |
=====switch======O<--- Snort box on a mirrored port (Inside network)
        |
----lan-----------------------
Now, the box on the outside is picking up all sorts of interesting traffic
including a stack of IIS and WEB CGI attacks on port 80. The funny thing is,
the snort sensor on the inside isn't picking up any of them. The firewall is
set to allow all HTTP traffic. The snort sensor is working and if I dump the
traffic I can see HTTP traffic as well.
I'm not sure if it's the local redirector doing something (but the network
admin has assured me it's just directing all the traffic so it shouldn't be
a problem).
Another thing is they are using virtual IPs. So the external snort sensor
picks up attacks for say XXX.XXX.151.30. The real address of the machine is
XXX.XXX.151.40. Would this make any difference?
Thanks in advance,
Mohamed Nanabhay
Information Systems Security Services (IS3)
Transnet Group Audit Services
Tel : 011 308 4298
