Snort mailing list archives
Re: Configuration issue, Part II
From: John Sage <jsage () finchhaven com>
Date: Mon, 24 Sep 2001 06:54:07 -0700
I've just posted in this thread on this issue (firewall affecting snort...) and just as I clicked "send" I realized the answer to my earlier post (maybe...) and realized that the FAQ may not be entirely clear on this issue.
<snip>
Q: Snort is behind a firewall (ipf/pf/ipchains/ipfilter) and awfully quiet...
A: Your firewall rules will also block traffic to the snort processes.
<snip>

Just as I clicked "send" it dawned on me that this is referring to a configuration where snort is on a *separate* box behind the firewall.
I'm running both snort 1.8.1-RELEASE in -b binary mode, logging everything, and ipchains on the *same* box, and I can tell you that snort sees everything ipchains does.
Maybe this needs to be re-written:

Q: Snort is behind a firewall (ipf/pf/ipchains/ipfilter) on a separate box and is awfully quiet...
- John

-- 
John Sage
FinchHaven, Vashon Island, WA, USA
http://www.finchhaven.com/
mailto:jsage () finchhaven com
"The web is so, like, five minutes ago..."

Greg Sarsons wrote:

> Erek Adams wrote:
> > http://snort.sourcefire.com/docs/faq.html#4.3 Basically, snort sits 'behind' the ipchains and ipf programs. They see the packets before snort does. If you've got things setup to drop/deny packets that you are expecting to see with snort, then you won't.
>
> who, but all traffic passes across this machine. All the interfaces have been put into PROMISC mode (as I believed snort needed this). Its placement on this machine would make me think it can see everything that goes in and out of the network.
>
> Okay, I've got snort running collecting a big binary dump file and not doing anything else, but it is on a machine running iptables (the dump file will be looked at later on another machine). So is it the case that much of the traffic will be killed by iptables even if snort is running in promiscuous mode? Does that mean that I have to take down my iptables firewall to collect everything?
>
> Greg
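Greg's question (does iptables on the capture host discard traffic before snort sees it?) can be checked directly rather than argued from the FAQ. The script below is an added example, not code from this thread or from the Snort project. It uses tcpdump as a stand-in for snort, since both read from the interface through libpcap, and it assumes Linux, bash, root, iptables and tcpdump; the loopback interface and UDP port 40123 are arbitrary choices. On Linux the packet-socket tap that libpcap reads from runs before the INPUT chain, so an inbound packet the host firewall DROPs is still captured, which matches John's observation. The one same-host case a capture does miss is locally generated traffic dropped in OUTPUT, because that filtering happens before the packet reaches the interface tap; the script measures both cases.

```shell
#!/bin/bash
# Added example (not from the thread or the Snort project).
# Shows where libpcap capture sits relative to the Linux packet filter on one host:
#   - a datagram DROPped in INPUT is still captured (tap runs before INPUT);
#   - a datagram DROPped in OUTPUT is never captured (OUTPUT runs before the tap).
# Assumptions: Linux, bash, root, iptables, tcpdump. Port 40123 is arbitrary.
# Exit status of capture_vs_filter_check: 0 both observations hold,
#                                         1 they do not,
#                                        77 prerequisites missing (skipped).

PORT=40123

# Insert a DROP rule for $PORT in the given chain, capture on lo while one UDP
# datagram is sent to 127.0.0.1:$PORT, remove the rule, and print how many
# packets the capture recorded. Prints -1 if the rule could not be installed.
count_captured_under_drop() {
    chain=$1
    pcap=$(mktemp)
    if ! iptables -I "$chain" -p udp -d 127.0.0.1 --dport "$PORT" -j DROP 2>/dev/null; then
        rm -f "$pcap"
        echo -1
        return
    fi
    # tcpdump reads lo through libpcap, exactly as snort -b would.
    tcpdump -i lo -nn -w "$pcap" "udp and dst port $PORT" >/dev/null 2>&1 &
    tpid=$!
    sleep 1                                               # let tcpdump attach
    echo probe > "/dev/udp/127.0.0.1/$PORT" 2>/dev/null   # bash's /dev/udp; may fail under OUTPUT DROP
    sleep 1
    kill "$tpid" 2>/dev/null
    wait "$tpid" 2>/dev/null
    iptables -D "$chain" -p udp -d 127.0.0.1 --dport "$PORT" -j DROP 2>/dev/null
    tcpdump -nn -r "$pcap" 2>/dev/null | wc -l            # one line per packet
    rm -f "$pcap"
}

capture_vs_filter_check() {
    if [ -z "$BASH_VERSION" ] || [ "$(id -u)" -ne 0 ] \
        || ! command -v iptables >/dev/null 2>&1 \
        || ! command -v tcpdump >/dev/null 2>&1; then
        echo "skip: needs bash, root, iptables and tcpdump" >&2
        return 77
    fi
    seen_input=$(count_captured_under_drop INPUT)
    seen_output=$(count_captured_under_drop OUTPUT)
    if [ "$seen_input" -lt 0 ] || [ "$seen_output" -lt 0 ]; then
        echo "skip: could not install iptables rules (no CAP_NET_ADMIN?)" >&2
        return 77
    fi
    echo "dropped in INPUT:  $seen_input packet(s) captured (expect >= 1)"
    echo "dropped in OUTPUT: $seen_output packet(s) captured (expect 0)"
    [ "$seen_input" -ge 1 ] && [ "$seen_output" -eq 0 ]
}

# Run the check when executed as a script; report rather than abort on failure.
capture_vs_filter_check || echo "check did not pass (status $?)" >&2
```

Run it as root with bash. The first line of output is the answer to Greg's question for inbound traffic: the INPUT DROP rule does not hide the datagram from the capture, so iptables can stay up. The second line is the caveat worth remembering when the sensor is also the host generating traffic: packets refused in OUTPUT never reach the interface and so never reach snort either. The same ordering applies to the ipchains input chain of the 2001-era kernels John is running; what differs between the two cases is only where in the stack the filter acts relative to the capture tap.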