Snort mailing list archives
Re: How to monitor two different traffics with snort
From: Jeremy <cjeremy () gmail com>
Date: Fri, 5 Jun 2009 11:38:10 -0500
I believe he is asking "why are you logging outside the firewall"? Let the firewall do its job and block things that are supposed to be blocked, let your IDS analyze what is actually getting through. What is getting through is what you need to worry about, not what is being blocked.

Aren't most rules in snort "TCP" and connection oriented with "established"? So the inside or outside question would not be applicable to any rules that require an established state, right? Am I missing something here?

Now with the UDP stuff this goes out the window and firewall position would matter, but I don't think there are all that many UDP rules in the VRT set or Emerging Set if you exclude the IP matching stuff from Emerging.

--jeremy

On Fri, Jun 5, 2009 at 11:05 AM, Joel Esler <jesler () sourcefire com> wrote:

> On Fri, Jun 5, 2009 at 11:27 AM, Sandro guly Zaccarini <guly () luv guly org> wrote:
>> On Fri, Jun 05, 2009 at 10:29:17AM -0400, Nigel Houghton wrote:
>>> On Fri, Jun 5, 2009 at 10:10 AM, Luis Daniel Lucio
>>>> Wait to 2.8.5 it has multi-iface capabilities.
>>>
>>> Here's a better idea: Two interfaces on the snort box, one connected to
>>> one side of the firewall and the other to the inside of the firewall.
>>> Then start two instances of snort, one per interface.
>>
>> so you are saying that multi-interface doesn't work very well?
>
> I believe he is asking "why are you logging outside the firewall"? Let the
> firewall do its job and block things that are supposed to be blocked, let
> your IDS analyze what is actually getting through. What is getting through
> is what you need to worry about, not what is being blocked.
>
> --
> joel esler | Sourcefire | gtalk: jesler () sourcefire com | 302-223-5974
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
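The question raised in the message above (how much of a ruleset is TCP with "established" versus UDP and other stateless rules) can be measured on a local rules file. The following is an added example, not part of the original post or of Snort itself: the sample rules are constructed, and the names classify and placement_sensitive are hypothetical.

```python
import re
from collections import Counter

# Constructed sample rules (not taken from the VRT or Emerging Threats sets).
SAMPLE_RULES = r'''
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"constructed web rule"; flow:to_server,established; content:"/cmd.exe"; nocase; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"constructed SYN rule"; flags:S; sid:1000002; rev:1;)
alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"constructed DNS rule"; content:"|00 00 FC|"; sid:1000003; rev:1;)
# alert tcp any any -> any any (msg:"disabled rule"; flow:established; sid:1000004;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"constructed ICMP rule"; itype:8; sid:1000005; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"constructed SMTP rule"; flow:established,to_server; content:"MAIL FROM"; sid:1000006; rev:1;)
'''

# action, protocol, header up to the first "(", then the option body.
HEADER = re.compile(
    r'^(?:alert|log|pass|drop|reject|sdrop|activate|dynamic)\s+(\w+)\s+[^(]*\((.*)\)\s*$')
# "flow:" only; "flowbits:" does not match because of the colon position.
FLOW = re.compile(r'\bflow\s*:\s*([^;]+);')

def classify(rules_text):
    """Tally enabled rules by protocol, splitting TCP on flow:established."""
    tally = Counter()
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):   # skip blanks and disabled rules
            continue
        m = HEADER.match(line)
        if not m:                              # not a single-line rule
            continue
        proto, options = m.group(1).lower(), m.group(2)
        flow = FLOW.search(options)
        keywords = {k.strip() for k in flow.group(1).split(',')} if flow else set()
        if proto == 'tcp' and 'established' in keywords:
            tally['tcp_established'] += 1
        elif proto == 'tcp':
            tally['tcp_stateless'] += 1
        else:
            tally[proto] += 1
    return tally

def placement_sensitive(tally):
    """Rules that need no established session, so (following the argument in
    the message) sensor position relative to the firewall changes what fires."""
    return sum(n for kind, n in tally.items() if kind != 'tcp_established')

if __name__ == '__main__':
    counts = classify(SAMPLE_RULES)
    print(dict(counts), 'placement-sensitive:', placement_sensitive(counts))
```

To run it against a real ruleset, pass the contents of a .rules file to classify() in place of SAMPLE_RULES; rules split across lines with backslashes are skipped by this single-line parser.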