Snort mailing list archives
Re: Wanting to run Snort on DMZ
From: "Josh Berry" <josh.berry () netschematics com>
Date: Wed, 24 Dec 2003 16:50:07 -0600 (CST)
You could just make sure that eth1 does not start up with an IP (doesn't initialize the TCP/IP stack). I do this by configuring /etc/sysconfig/network-scripts/ifcfg-eth1 with something like this:

    DEVICE=eth1
    ONBOOT=yes
    USERCTL=no
Hello everyone. I am a Snort newbie, and have a few questions, if you could help I would be grateful...

I have a hardware firewall that sits on my Network, now what I want to do is use the DMZ and pass it to Snort running on Redhat 9 to see exactly what is hitting the router. I have snort installed and working in NIDS mode. Is this the correct way to have snort set to monitor port scans, DoS attacks etc?

The problem is this, the linux box that runs snort also hosts several other services. It has two network cards (eth0 and eth1): eth0 is the safe protected side of the network linked to the firewall, and eth1 is the snort interface. Now when I connect eth1 to the DMZ, as you would expect that machine bypasses the firewall and is completely open.

I asked in a newsgroup about separating the two interfaces, so that any traffic and services are not used on eth1. To all intents and purposes they are separate machines, and no services are exposed outside of the LAN. I thought about using IPTables to protect eth1, but would that block snort from listening? Or is it working at a level below the iptables?

quote "I would think snort is checking the network stack at the kernel level before the firewall is able to block it. If that is the case then you should be able to safely see all activity on snort without opening the box to the world."

If I could use iptables is there any chance anyone out there could give me a pointer on how to set up iptables to protect eth1? I apologise if I appear thick, learning curve is steep!

Many thanks for any help you can offer......

--
Best regards,
Michael (mike () thompsonmike co uk)
http://www.thompsonmike.co.uk/
PGP KeyID := 0xA9547E32

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Thanks,
Josh Berry, CTO
LinkNet-Solutions
469-831-8543
josh.berry () linknet-solutions com
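An added example, not part of the original thread: a shell check that an ifcfg file like the one in the reply brings the interface up at boot without assigning or requesting an address. The function name check_sniff_ifcfg and the sample files are constructed for illustration, and the check looks only at ONBOOT, IPADDR and BOOTPROTO.

```shell
#!/bin/sh
# Audit a Red Hat style ifcfg file for a sniffing-only interface:
# up at boot, but with no static address and no DHCP/BOOTP request.
# check_sniff_ifcfg is a hypothetical helper written for this example.

check_sniff_ifcfg() {
    file=$1
    [ -r "$file" ] || { echo "cannot read $file"; return 2; }
    awk -F= '
        /^[ \t]*#/ || NF < 2 { next }       # skip comments and blank lines
        {
            key = $1; val = $2
            gsub(/[ \t"]/, "", key); gsub(/[ \t"]/, "", val)
            conf[toupper(key)] = tolower(val)
        }
        END {
            bad = 0
            if (conf["ONBOOT"] != "yes") {
                print "ONBOOT is not yes: link will not come up at boot"; bad = 1
            }
            if (("IPADDR" in conf) && conf["IPADDR"] != "") {
                print "IPADDR is set: " conf["IPADDR"]; bad = 1
            }
            if (conf["BOOTPROTO"] == "dhcp" || conf["BOOTPROTO"] == "bootp") {
                print "BOOTPROTO requests an address: " conf["BOOTPROTO"]; bad = 1
            }
            if (!bad) print "ok: interface comes up without an address"
            exit bad
        }' "$file"
}

# Constructed samples: an address-less file and a DHCP variant.
demo_dir=$(mktemp -d)
printf 'DEVICE=eth1\nONBOOT=yes\nUSERCTL=no\n' > "$demo_dir/ifcfg-eth1"
printf 'DEVICE=eth1\nONBOOT=yes\nBOOTPROTO=dhcp\n' > "$demo_dir/ifcfg-dhcp"
for f in "$demo_dir/ifcfg-eth1" "$demo_dir/ifcfg-dhcp"; do
    echo "$f:"
    check_sniff_ifcfg "$f" || true
done
rm -rf "$demo_dir"
```

The check reads only the file, so the running interface still needs a separate look for addresses assigned by hand after boot.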
Current thread:
- Wanting to run Snort on DMZ Michael Thompson (Dec 24)
- Re: Wanting to run Snort on DMZ Josh Berry (Dec 24)