Snort mailing list archives
Architecture Issue: Attack alerts not picked up on internal sensor
From: "Nanabhay Mohamed * Group (GP)" <MohamedN () Transnet co za>
Date: Mon, 21 Oct 2002 08:44:11 +0200
(sorry for posting without a subject earlier, slip of the finger)

Hi,

I'm trying to set up snort behind and in front of a firewall. The results of my endeavours are mysterious indeed... any help would be appreciated.

(Excuse the drawings)

=====switch======O<--- Snort box on a mirrored port (Outside network)
        |
        |
*******Firewall*********
        |
        |
=Cisco Local Redirector=
        |
        |
=====switch======O<--- Snort box on a mirrored port (Inside network)
        |
----lan-----------------------

Now, the box on the outside is picking up all sorts of interesting traffic including a stack of IIS and WEB CGI attacks on port 80. The funny thing is, the snort sensor on the inside isn't picking up any of them. The firewall is set to allow all HTTP traffic. The snort sensor is working and if I dump the traffic I can see HTTP traffic as well.

I'm not sure if it's the local redirector doing something (but the network admin has assured me it's just directing all the traffic so it shouldn't be a problem).

Another thing is they are using virtual IPs. So the external snort sensor picks up attacks for say XXX.XXX.151.30. The real address of the machine is XXX.XXX.151.40. Would this make any difference?

Thanks in advance,

Mohamed Nanabhay
Information Systems Security Services (IS3)
Transnet Group Audit Services
Tel : 011 308 4298