Snort mailing list archives
Re: Snort on an OpenBSD firewall
From: Matt Kettler <mkettler () evi-inc com>
Date: Mon, 28 Jun 2004 20:17:37 -0400
At 03:29 PM 6/28/2004, Sean Brown wrote:
> If I read the documentation right, I should be able to have snort listen on pflog0 and just capture and watch the traffic that's rejected by my firewall, which is handy because snort isn't then logging all the arp traffic that shows up on the line.
You can do that, however, snort won't issue alerts very often this way. Most of the snort rules look for data patterns in established tcp connections. Firewalled packets will never be a part of such a thing, so all rules with "flow: established" will never fire.
Quite frankly, your approach strikes me as defeating 99% of the usefulness of an IDS. I actually take the exact opposite approach and snort only traffic which makes it past my first firewall.
Let's face it, the most valuable information an IDS can provide you is telling you about attack attempts that are getting past your firewall because they are part of a connection to a legitimate service. Overflow attempts on your mailserver, webserver, etc. generally go right past firewalls, and are the kind of thing that IDS/IPS products are really designed to detect, and that is what makes them useful.
If you want to know about malicious attacks that your firewall is blocking, your firewall logs will tell you that pretty well. Snort won't tell you much about firewalled packets that your firewall logs won't. Sure you can snort this stuff to get all the information in one place, but it's somewhat redundant and hardly critical.
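The point Matt makes about "flow: established", as an added example that is not code from this thread or from Snort itself: a toy model of Snort's TCP session tracking run over two constructed captures, one showing what a sensor on pflog0 sees (only packets pf blocked, so no completed handshake ever appears) and one showing what a sensor behind the firewall sees for a connection that was passed to the mail server. The addresses, ports, rule names and the class and function names are invented for the illustration, and the tracker is far simpler than Snort's real stream preprocessor (no sequence numbers, timeouts or teardown).

```python
"""Why a Snort sensor on pflog0 rarely alerts: toy flow tracker.

Added example, not part of the mailing-list thread and not Snort code.
Models only the one behaviour under discussion: a rule carrying
flow:established matches solely inside a TCP session whose three-way
handshake the sensor actually observed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str            # TCP flags as letters from "SAP" (SYN, ACK, PSH)
    payload: bytes = b""


@dataclass(frozen=True)
class Rule:
    name: str
    dport: int            # destination port the rule applies to
    content: bytes        # byte pattern to look for in the payload
    established: bool     # True models Snort's "flow:established" option


class FlowTracker:
    """Minimal stand-in for a stream preprocessor: follows the handshake
    so rules can ask whether a packet belongs to an established session."""

    def __init__(self):
        self.state = {}

    @staticmethod
    def key(p):
        # direction-independent session key (both endpoints, unordered)
        return frozenset([(p.src, p.sport), (p.dst, p.dport)])

    def observe(self, p):
        k = self.key(p)
        st = self.state.get(k, "NONE")
        if st == "NONE" and p.flags == "S":
            st = "SYN_SENT"
        elif st == "SYN_SENT" and p.flags == "SA":
            st = "SYN_RECV"
        elif st == "SYN_RECV" and p.flags == "A":
            st = "ESTABLISHED"
        # any other packet leaves the state as it was (a bare PSH/ACK with
        # no prior handshake therefore stays at NONE)
        self.state[k] = st
        return st


def run_rules(packets, rules):
    """Evaluate rules over a packet list; returns the names that fired."""
    tracker = FlowTracker()
    alerts = []
    for p in packets:
        st = tracker.observe(p)
        for r in rules:
            if p.dport != r.dport or r.content not in p.payload:
                continue
            if r.established and st != "ESTABLISHED":
                continue      # flow:established never fires without a handshake
            alerts.append(r.name)
    return alerts


# Constructed sample traffic (documentation addresses, made up for this demo).
ATTACKER, MAILHOST = "203.0.113.7", "192.0.2.25"
HELO_OVERFLOW = b"HELO " + b"A" * 600 + b"\r\n"

# What a sensor on pflog0 sees: only packets pf blocked and logged.
PFLOG_VIEW = [
    Packet(ATTACKER, 40001, MAILHOST, 135, "S"),              # blocked SYN
    Packet(ATTACKER, 40002, MAILHOST, 25, "PA", HELO_OVERFLOW),  # stateless probe, no pf state so dropped
    Packet(ATTACKER, 40003, "192.0.2.80", 80, "S"),           # blocked SYN
]

# What a sensor behind the firewall sees for a connection pf passed to port 25.
INSIDE_VIEW = [
    Packet(ATTACKER, 50000, MAILHOST, 25, "S"),
    Packet(MAILHOST, 25, ATTACKER, 50000, "SA"),
    Packet(ATTACKER, 50000, MAILHOST, 25, "A"),
    Packet(MAILHOST, 25, ATTACKER, 50000, "PA", b"220 mail ESMTP\r\n"),
    Packet(ATTACKER, 50000, MAILHOST, 25, "PA", HELO_OVERFLOW),
]

# The same signature with and without the flow:established qualifier.
RULES = [Rule("SMTP HELO overflow attempt", 25, b"HELO ", True)]
STATELESS_RULES = [Rule("SMTP HELO overflow attempt (no flow)", 25, b"HELO ", False)]


if __name__ == "__main__":
    print("pflog0, flow:established :", run_rules(PFLOG_VIEW, RULES))
    print("inside, flow:established :", run_rules(INSIDE_VIEW, RULES))
    print("pflog0, no flow option   :", run_rules(PFLOG_VIEW, STATELESS_RULES))
```

The established-only rule produces nothing on the pflog0 view and one alert on the inside view; dropping the flow qualifier makes the blocked stateless probe fire too, at the cost of matching arbitrary unsolicited junk. Two caveats for the real thing: in Snort the flow option depends on the stream preprocessor keeping session state, and pflog0 only carries packets that matched a pf rule written with the `log` keyword, so what the sensor sees there is whatever the ruleset chose to log, not everything that was blocked.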
Current thread:
- Snort on an OpenBSD firewall Sean Brown (Jun 28)
- Re: Snort on an OpenBSD firewall Dragos Ruiu (Jun 28)
- Re: Snort on an OpenBSD firewall Sean Brown (Jun 28)
- Re: Snort on an OpenBSD firewall Matt Kettler (Jun 28)
- Re: Snort on an OpenBSD firewall Sean Brown (Jun 28)
- Re: Snort on an OpenBSD firewall Dragos Ruiu (Jun 28)