Snort mailing list archives

Re: in or out this is the problem!!


From: Matt Kettler <mkettler () evi-inc com>
Date: Thu, 21 Mar 2002 18:13:15 -0500

Both interfaces should see the packet, unless the router that routes between your DMZ and your LAN does not allow them to pass, in which case only the DMZ one will see the SYN packet.

So if you want to see all SYNs sent from the DMZ to the LAN, watch on the DMZ interface. If you want to see all SYNs sent from the DMZ which actually get to the LAN, watch on the LAN interface.

If your router is properly configured, only SYN packets which are explicitly allowed should make it from the DMZ to the LAN. Otherwise you don't really have a very effective DMZ (one of the main points of having a DMZ is so that a compromise of a machine there won't easily lead to a compromise of your LAN).


I'd recommend adding rules to both snort sensors and comparing.



At 02:59 PM 3/21/2002 +0100, Federico Lombardo wrote:
I've two interfaces.
1) is the LAN interface
2) is the DMZ interface
Each interface has a snort sensor.

If I want, for example, to log SYN packets from the DMZ to the LAN, where must I put these rules?

On the LAN interface or on the DMZ one?


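The rule placement discussed in this thread, written out as an added example (it is not from the original posts or from the Snort distribution). The network ranges, the permitted SMTP relay address and the SIDs are assumptions chosen for illustration:

```snort
# Added example, not from the thread. Addresses and SIDs are assumed.
var LAN_NET 10.0.1.0/24
var DMZ_NET 10.0.2.0/24

# Rule 1: load on BOTH sensors. Logs every TCP SYN (SYN flag alone) sent from
# the DMZ toward the LAN. On the DMZ sensor this records every attempt; on the
# LAN sensor it records only what the router actually let through. Diffing the
# two logs shows what the router is filtering.
log tcp $DMZ_NET any -> $LAN_NET any (msg:"DMZ to LAN SYN"; flags:S; sid:1000001; rev:1;)

# Rule 2 and 3: LAN sensor only. One assumed permitted flow (DMZ hosts relaying
# mail to an internal SMTP server) is passed; any other SYN that reaches the
# LAN side is something the router should have dropped, so alert on it.
var LAN_SMTP_RELAY 10.0.1.25
pass tcp $DMZ_NET any -> $LAN_SMTP_RELAY 25 (flags:S;)
alert tcp $DMZ_NET any -> $LAN_NET any (msg:"Unexpected DMZ to LAN SYN"; flags:S; sid:1000002; rev:1;)
```

One caveat for the second pair of rules: Snort applies rule types in the order alert, pass, log by default, so the pass rule above would not prevent the alert unless Snort is started with the -o switch, which changes the order to pass, alert, log. The flags:S test matches packets with only the SYN bit set; a SYN/ACK coming back from the LAN will not match, so the count is of connection attempts, not of the whole handshake.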