Snort mailing list archives
Re: More explanation needed in Snort User Manual for "resp:"?
From: Jason Haar <Jason.Haar () trimble co nz>
Date: Fri, 7 Nov 2003 11:15:44 +1300
On Thu, Nov 06, 2003 at 04:58:59PM -0500, Kristofer T. Karas wrote:
> To deal with the NAT issues, just place your promiscuous feed inbound from your NAT box, e.g. in your DMZ. Snort will only see your inside IP addresses, which is, after all, what you really want anyway; there's no point in reporting issues with a shared IP address, as you can't (in general) track that back to a specific post-NAT machine.

I think you're pointing out one big assumption in my argument. I want Snort to be monitoring within our DMZes for two reasons:

1> it won't catch all the cr*p the Internet throws at our firewall - only that which it deems appropriate gets into the DMZ - and into Snort's view
2> it can see DMZ-to-DMZ traffic

Putting Snort in front of the NAT firewall would remove my issues with flexresp - but it doesn't fix the fact that my alerts would go up - let's guess - 1000%? Oh, and I wouldn't see DMZ-to-DMZ traffic anymore.

More Snort boxes would solve it - but I don't like that as a fix.

I think flexresp2 will fix my problem. Separate configs with separate instances of Snort should mean I'll get to pump RESETs out the correct interface...

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

Current thread:
- More explanation needed in Snort User Manual for "resp:"? Jason Haar (Nov 06)
- Re: More explanation needed in Snort User Manual for "resp:"? Chris Green (Nov 06)
- Re: More explanation needed in Snort User Manual for "resp:"? Jason Haar (Nov 06)
- Re: More explanation needed in Snort User Manual for "resp:"? Kristofer T. Karas (Nov 06)
- Re: More explanation needed in Snort User Manual for "resp:"? Jason Haar (Nov 06)
- Re: More explanation needed in Snort User Manual for "resp:"? Jeff Nathan (Nov 20)
- Re: More explanation needed in Snort User Manual for "resp:"? Matt Kettler (Nov 06)
- Re: More explanation needed in Snort User Manual for "resp:"? Chris Green (Nov 06)