Snort mailing list archives

Re: Snort & Firewall


From: John Sage <jsage () finchhaven com>
Date: Mon, 06 Aug 2001 13:21:04 -0700

Stephen:

Stephen Torri wrote:

> I have one firewall protecting a home network connected via DSL (PPPoE).
> I have a few questions about using snort.
>
> 1) Can I use it on the same machine as the firewall? Is there a security
> risk running the outside NIC in promiscuous mode?


I am running snort 1.8.1-beta4 on my ipchains-based Linux firewall box and it works just fine.

I'm using ppp via a (conventional) modem, and if I understand ppp correctly, the concept of "promiscuous" is not relevant.

ppp is point-to-point, so both ends of that connection are handling only packets specific to that connection (which isn't to say you mayn't get some broadcast or multicast packets, but even they should be *for* you...)

What snort means when it chats about "ppp0 entered promiscuous mode" or whatever, I haven't bothered to track down ;-)


> 2) If I can, which will pick up an incoming packet first, snort or the
> firewall (ipchains)?


My experience is that snort sees everything ipchains does, and ipchains sees what comes in and does what it's supposed to...


> 3) I believe I read that snort can perform actions depending upon the
> outcome of a rule. For example a rule to protect against Code Red worm
> that was in the news is tripped. Can it add a rule to the firewall to
> block the host making the attack?


I've heard it can be done; don't do it myself. Check the archives, perhaps:

http://archives.neohapsis.com/archives/snort/

HTH..

- John


--
John Sage
FinchHaven, Vashon Island, WA, USA
http://www.finchhaven.com/
mailto:jsage () finchhaven com
"The web is so, like, five minutes ago..."
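
Question 3 above asks whether snort can add a firewall rule for the attacking host, and the reply only says it can be done. The following is an added example, not code from this thread or from the Snort project: a POSIX shell filter that turns snort alert_fast lines into ipchains DENY commands, with a priority floor and a never-block list so one bad alert cannot lock out the gateway's own hosts. All addresses, SIDs and alert lines are constructed samples.

```shell
#!/bin/sh
# Added example, not code from the thread: turn Snort "alert_fast" lines into
# ipchains DENY rules for the alerting source, with two checks worth having
# before automating this: a minimum priority and a never-block list, so a
# spoofed or noisy alert cannot lock the gateway's own hosts out.
# ipchains syntax assumed: the "input" chain, -j DENY, -l for kernel logging.

# Hosts that must never be blocked (constructed sample values; adjust).
NEVER_BLOCK="192.0.2.1 192.0.2.53 203.0.113.9"

# Only act on alerts at this priority or more urgent (1 = highest).
MAX_PRIORITY=1

# Print "source_ip priority" for one alert_fast line, nothing if the line
# has no priority or source address. Handles TCP/UDP (with ports) and ICMP.
parse_alert() {
    printf '%s\n' "$1" | sed -n \
        's/.*\[Priority: \([0-9][0-9]*\)\].*} \([0-9.][0-9.]*\)\(:[0-9]*\)\{0,1\} -> .*/\2 \1/p'
}

# Print the ipchains command for one alert, or nothing when the alert should
# not block. The command is printed, not run, so it can be reviewed or logged
# first. Returns 0 only when a rule was emitted.
block_rule_for() {
    parsed=$(parse_alert "$1")
    [ -n "$parsed" ] || return 1
    src=${parsed% *}
    prio=${parsed#* }
    [ "$prio" -le "$MAX_PRIORITY" ] || return 1
    for safe in $NEVER_BLOCK; do
        [ "$src" != "$safe" ] || return 1
    done
    printf 'ipchains -I input -s %s -j DENY -l\n' "$src"
}

# Constructed sample alerts in Snort's alert_fast layout (not real traffic).
SAMPLE_ALERTS='08/06-13:21:04.123456  [**] [1:1000001:1] WEB-IIS CodeRed v2 root.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 198.51.100.77:3456 -> 192.0.2.10:80
08/06-13:22:10.000001  [**] [1:1000002:1] ICMP PING test [**] [Classification: Misc activity] [Priority: 3] {ICMP} 198.51.100.88 -> 192.0.2.10
08/06-13:23:00.000002  [**] [1:1000001:1] WEB-IIS CodeRed v2 root.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.0.2.1:4000 -> 192.0.2.10:80'

# Run every sample through the filter; only the first line should block.
printf '%s\n' "$SAMPLE_ALERTS" | while IFS= read -r line; do
    block_rule_for "$line" || true
done
```

Piping it into `sh` would apply the rules; keeping the print step separate leaves a record of every block decision in the log.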

