Snort mailing list archives
Re: Snort & Firewall
From: John Sage <jsage () finchhaven com>
Date: Mon, 06 Aug 2001 13:21:04 -0700
Stephen:

Stephen Torri wrote:
> I have one firewall protecting a home network connected via DSL (PPPoE). I have a few questions about using snort.
> 1) Can I use it on the same machine as the firewall? Is there a security risk running the outside NIC in promiscuous mode?
I am running snort 1.8.1-beta4 on my ipchains-based Linux firewall box and it works just fine.
I'm using ppp via a (conventional) modem, and if I understand ppp correctly, the concept of "promiscuous" is not relevant.
ppp is point-to-point, so both ends of that connection are handling only packets specific to that connection (which isn't to say you mayn't get some broadcast or multicast packets, but even they should be *for* you...)
What snort means when it chats about "ppp0 entered promiscuous mode" or whatever, I haven't bothered to track down ;-)
> 2) If I can, which will pick up an incoming packet first, snort or the firewall (ipchains)?
My experience is that snort sees everything ipchains does, and ipchains sees what comes in and does what it's supposed to...
> 3) I believe I read that snort can perform actions depending upon the outcome of a rule. For example, a rule to protect against Code Red worm that was in the news is tripped. Can it add a rule to the firewall to block the host making the attack?
I've heard it can be done; don't do it myself. Check the archives, perhaps: http://archives.neohapsis.com/archives/snort/

HTH..

- John
--
John Sage
FinchHaven, Vashon Island, WA, USA
http://www.finchhaven.com/
mailto:jsage () finchhaven com
"The web is so, like, five minutes ago..."