RE: snort behind firewall ??

["Martijn Heemels" <martijn () yggdrasil yi org>]

Hi Josh,

I'm not seeing packets that are stopped by the firewall... So, in effect
I'm seeing a lot of traffic on the internal interface and barely none on
the external.

My setup:
pentium-1 233MHz, 128Mb SDRAM
Linux RedHat 6.2 with all updates applied...
kernel 2.2.16-3 (I don't know how it's configured... standard redhat
kernel from rpm package)
firewall: ipchains 1.3.9-5 (using a ruleset from
http://linux-firewall-tools.com/linux/firewall/index.html but customized)
Also running portsentry 1.0-9 in stealth tcp/udp mode.
External interface is a 3com 3c509
Internal interface is a Realtek NE2000 compatible
I'm running snort with:
/usr/sbin/snort -u snort -g snort -s -d -D -l /var/log/snort -i
$INTERFACE -c /etc/snort/snort.conf
When running ifconfig no interfaces seem to be in Promiscuos mode... Is
that bad?


If any more info is needed, let me know... I'll be glad to help...
I didn't know snort was supposed to see these packets until this was
brought up on the list.

Hope this helps,
Martijn

--
M. Heemels          | Yoda of Borg are we.
Eindhoven, NL       | Futile is resistance.
martijn () heemels com | Assimilate you, we will.
   *** encrypt for secure email ***

> It is up in the air right now wether or not snort can see packets before
> the firewall drop them. It seems  it is system dependant. I would like
> to take a poll of who can snort through there firewall and who can't.
> We'll need to know what kernal you are using, how it's configured, what
> firewall your using, how it's configures, and what os your using.

Attachment: smime.p7s
Description: