Snort mailing list archives

RE: Snort sensor on a Firewall


From: Matt Kettler <mkettler () evi-inc com>
Date: Mon, 05 May 2003 15:53:08 -0400

At 07:19 PM 5/5/2003 +0100, sireesha gaddipati wrote:
Hi,

I actually want to place a snort sensor on the same machine as the firewall. My firewall has two interfaces, one of which is connected to the internet and the other to the internal network. If I place two snort sensors, one on each of those interfaces, will that work the same as snort sensors before and after the firewall (before and after in the sense of on separate linux boxes)?

For snort it does not matter if it is on the same box or not. Snort will see whatever is on the wire of the interface it is listening to, no matter what is blocked by ipchains, iptables, ipf, etc. My snort box is configured with "block quick all" type rules on the interface it listens to and it works just fine.

However, the "far" and "near" side arguments that Michael made are still valid, to the extent that if you listen on the inside interface, obviously only traffic that got through the firewall will be present there. So you do still need to weigh which interface you configure snort to listen on.




