Snort mailing list archives
Re: Snort with IPTables
From: Erek Adams <erek () theadamsfamily net>
Date: Sat, 12 Jan 2002 14:21:24 -0800 (PST)
On Sat, 12 Jan 2002, Mark Rowlands wrote:
I would like to be able to put Snort on this box to determine how much abuse we are getting. From the archive it seems like this is possible but I am not sure. Ideally I would like to bind snort to eth1 so I can see all the traffic that is coming at the firewall and then somehow bind it also to eth0 to determine what is making it past the rule set of the firewall. But if I am forced to I would be happy to have it sitting on the external interface.

Nobody seems to have offered any answer, so here is my .02. The various discussions I have seen on this list seem to indicate that this will not make a difference: snort will only see those packets that are not blocked. My experience, albeit with ipfilter / ipnat, seems to reflect this opinion.
If you'll have a look at the FAQ: http://www.snort.org/docs/faq.html#4.3

You'll want to consider that if you're running snort on the same box as a firewall, the only packets that it (snort) will see will be the ones that _aren't_ blocked by your firewall rules.
A real hub (make sure it is not one of those hub/switch type things) ahead of your firewall, with the connection from the cable modem plugged into the (uplink?) port, and a second box with two interfaces, one with no address configured attached to the hub, the second attached to your NAT'ed net, may allow you to see what is coming to your firewall.
Yes, that would do it. You might also want to consider, for extra security, using an R/O cable. I've come across a few pointers on them: http://www.theadamsfamily.net/~erek/snort/
otoh ... I could be talking absolute nonsense.
Aren't we all? ;-)

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
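The placement point made in this exchange (a sensor on the firewall host sees only what the rule set lets through, while a sensor on a hub or tap ahead of the firewall sees everything, including the blocked "abuse" the original poster wants to measure) can be illustrated with a small model. The following Python is an added example, not code from the thread or from the Snort project: a toy first-match packet filter stands in for the iptables rule set, and the rules, addresses and packets are constructed samples.

```python
"""Toy model of IDS sensor placement relative to a packet filter.

Constructed example: a first-match filter (ACCEPT/DROP rules plus a default
policy) stands in for the firewall rule set. A sensor on the outside of the
firewall sees every packet; a sensor on the firewall host or on the inside
interface sees only what the rule set accepted, so it cannot count what was
blocked.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    src: str                 # source IP (constructed sample values)
    proto: str               # "tcp", "udp" or "icmp"
    dport: Optional[int]     # destination port, None for icmp


@dataclass(frozen=True)
class Rule:
    action: str                        # "ACCEPT" or "DROP"
    proto: Optional[str] = None        # None matches any protocol
    dport: Optional[int] = None        # None matches any port
    src_prefix: Optional[str] = None   # toy source match: string prefix

    def matches(self, p: Packet) -> bool:
        if self.proto is not None and self.proto != p.proto:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        if self.src_prefix is not None and not p.src.startswith(self.src_prefix):
            return False
        return True


def decide(rules: List[Rule], policy: str, p: Packet) -> str:
    """First matching rule wins; otherwise the chain's default policy applies."""
    for r in rules:
        if r.matches(p):
            return r.action
    return policy


def sensor_views(rules: List[Rule], policy: str,
                 packets: List[Packet]) -> Dict[str, List[Packet]]:
    """What each sensor position observes for the same inbound traffic."""
    outside = list(packets)                       # hub/tap ahead of the firewall
    inside = [p for p in packets                  # on the firewall host / LAN side
              if decide(rules, policy, p) == "ACCEPT"]
    return {"outside": outside, "inside": inside}


def abuse_report(rules: List[Rule], policy: str, packets: List[Packet]) -> dict:
    """Counts only the outside sensor can produce; the inside sensor never sees drops."""
    views = sensor_views(rules, policy, packets)
    blocked = [p for p in views["outside"] if decide(rules, policy, p) == "DROP"]
    targets = Counter(f"{p.proto}/{p.dport}" for p in blocked)
    return {
        "seen_outside": len(views["outside"]),
        "seen_inside": len(views["inside"]),
        "blocked": len(blocked),
        "blocked_targets": dict(targets),
    }


# Constructed rule set in the spirit of an INPUT chain with a DROP policy.
RULES = [
    Rule("DROP", src_prefix="198.51.100."),   # a blocklisted source range
    Rule("ACCEPT", proto="tcp", dport=22),
    Rule("ACCEPT", proto="tcp", dport=80),
    Rule("ACCEPT", proto="icmp"),
]
POLICY = "DROP"

# Constructed inbound traffic sample (documentation-range addresses).
PACKETS = [
    Packet("203.0.113.5", "tcp", 22),
    Packet("203.0.113.5", "tcp", 80),
    Packet("203.0.113.7", "tcp", 445),
    Packet("203.0.113.7", "udp", 137),
    Packet("203.0.113.9", "tcp", 23),
    Packet("203.0.113.9", "icmp", None),
    Packet("198.51.100.9", "tcp", 22),     # allowed port, but blocklisted source
]

if __name__ == "__main__":
    for pos, seen in sensor_views(RULES, POLICY, PACKETS).items():
        print(f"{pos:8s} sensor sees {len(seen)} packets")
    print(abuse_report(RULES, POLICY, PACKETS))
```

With the sample above the outside sensor sees all seven packets while the inside sensor sees three; the four dropped packets, and the ports they were aimed at, are invisible from the firewall host, which is exactly why the reply suggests a hub and a box with an address-less sniffing interface (or a read-only cable) ahead of the firewall.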
Current thread:
- Snort with IPTables jaalexan (Jan 10)
- Re: Snort with IPTables Mark Rowlands (Jan 12)
- Re: Snort with IPTables Erek Adams (Jan 12)
- Message not available
- Re: Snort with IPTables Matt Kettler (Jan 12)
- Re: Snort with IPTables Erek Adams (Jan 12)
- RE: Snort with IPTables Martijn Heemels (Jan 13)
- Re: Snort with IPTables Hasnain Atique (Jan 13)
- RE: Snort with IPTables neal (Jan 14)
- Re: Snort with IPTables David Lambert (Jan 13)
- Re: Snort with IPTables Fyodor (Jan 13)
- Re: Snort with IPTables John Sage (Jan 13)
- Re: Snort with IPTables Mark Rowlands (Jan 12)