Snort mailing list archives

Re: Snort & Firewall


From: John Sage <jsage () finchhaven com>
Date: Mon, 06 Aug 2001 20:47:02 -0700

Stephen:

Stephen Torri wrote:

On Mon, 6 Aug 2001, John Sage wrote:

I am running snort 1.8.1-beta4 on my ipchains-based Linux firewall box
and it works just fine.

I'm using ppp via a (conventional) modem, and if I understand ppp
correctly, the concept of "promiscuous" is not relevant.

ppp is point-to-point, so on both ends of that connection are handling
only packets specific to that connection (which isn't to say you mayn't
get some broadcast or multicast packets, but even they should be *for*
you...)


I am satisfied with the firewall. What my concern was first if the NIC is
in promiscuous mode would that be a problem? Which to that you are not
concerned. You state that because PPP by its nature only works for one IP
address, mine. Yet with a typical NIC on a ethernet based network I get
traffic which is not for me being in promiscuous mode. How are they
different? Just trying to understand the comparison. Is the other end of
the link for the connection (my ISP) filtered so that only I get traffic
"for" me?


Yes. As I understand ppp (standard disclaimer.. ;-) the other end by design is specific to your connection only.

ppp = point-to-point

Again, when snort says "ppp0 entered promiscuous mode" I don't believe that's literally correct.


2) If I can which will pick up an incoming packet first, snort or the
firewall (ipchains)?

My experience is that snort sees everything ipchains does, and ipchains
sees what comes in and does what it's supposed to...


So if snort notices an attack of a particular type it can update ipchains
to protect the network from this new attack as well. Right? For example if
an attack of type A is noticed, a rule is added to the ipchains to prevent
said ip address from continuing to attack the service (i.e. HTTP on port
80).


Not by its basic nature, no.

Snort does not modify any kind of firewall rules in and of itself.

Again, I have heard of methods of doing this, but I have no personal experience.

- John

--
John Sage
FinchHaven, Vashon Island, WA, USA
http://www.finchhaven.com/
mailto:jsage () finchhaven com
"The web is so, like, five minutes ago..."


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
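Snort on its own does not touch ipchains, as the reply above says; the glue people have written for this sits outside Snort. The following is an added example, not code from this thread or from the Snort project: it parses lines in the layout of Snort's fast alert output (the sample lines are constructed), and for each alert returns the ipchains DENY rule such a responder would add, without executing anything. Addresses on a never-block list are skipped, because an attacker who spoofs a source address could otherwise make the responder lock the firewall's own network out.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample lines in the layout of `snort -A fast` output; not real alerts.
SAMPLE_ALERTS = """\
08/06-20:47:02.123456 [**] [1:1000001:1] CONSTRUCTED WEB probe [**] [Priority: 2] {TCP} 203.0.113.7:4321 -> 192.0.2.10:80
08/06-20:47:03.000001 [**] [1:1000001:1] CONSTRUCTED WEB probe [**] [Priority: 2] {TCP} 203.0.113.7:4322 -> 192.0.2.10:80
08/06-20:47:05.500000 [**] [1:1000002:1] CONSTRUCTED ICMP sweep [**] [Priority: 3] {ICMP} 192.168.0.5 -> 192.0.2.10
"""

# Protocol in braces, then "src[:port] -> dst[:port]" at the end of the line.
ALERT_RE = re.compile(
    r"\{(?P<proto>[A-Z]+)\}\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?::(?P<dport>\d+))?\s*$"
)

# Assumed never-block list: the firewall's own side. A spoofed alert must not be
# able to turn the responder into a self-inflicted denial of service.
NEVER_BLOCK = [ip_network("192.168.0.0/16"), ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12")]

def parse_alert(line):
    """Return proto/src/dst/dport from one fast-format alert line, or None."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    return {"proto": d["proto"].lower(), "src": d["src"], "dst": d["dst"], "dport": d["dport"]}

def ipchains_deny(alert):
    """Build the ipchains argv that denies this source on the attacked service."""
    if any(ip_address(alert["src"]) in n for n in NEVER_BLOCK):
        return None
    argv = ["ipchains", "-A", "input", "-p", alert["proto"], "-s", alert["src"], "-d", alert["dst"]]
    if alert["dport"]:
        argv.append(alert["dport"])  # ipchains takes the port right after the -d address
    return argv + ["-j", "DENY"]

def plan_rules(alert_text):
    """Turn an alert log into a de-duplicated list of ipchains commands (never executed here)."""
    seen, plan = set(), []
    for line in alert_text.splitlines():
        alert = parse_alert(line)
        argv = ipchains_deny(alert) if alert else None
        if argv is None or tuple(argv) in seen:
            continue
        seen.add(tuple(argv))
        plan.append(argv)
    return plan

if __name__ == "__main__":
    for argv in plan_rules(SAMPLE_ALERTS):
        print(" ".join(argv))
```

Two alerts from the same source against the same service collapse into one rule; the ICMP alert from the never-block range produces none.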
