Snort mailing list archives

Re: Snort with IPTables


From: Erek Adams <erek () theadamsfamily net>
Date: Sat, 12 Jan 2002 14:21:24 -0800 (PST)

On Sat, 12 Jan 2002, Mark Rowlands wrote:

>> I would like to be able to put Snort on this box to determine how much
>> abuse we are getting.  From the archive it seems like this is possible
>> but I am not sure.  Ideally I would like to bind snort to eth1 so I can
>> see all the traffic that is coming at the firewall and then somehow bind
>> it also to eth0 to determine what is making it past the rule set of the
>> firewall.  But if I am forced to I would be happy to have it sitting on
>> the external interface.
>
> Nobody seems to have offered any answer so here is my .02
>
> The various discussions I have seen on this list seem to indicate that
> this will not make a difference, snort will only see those packets that
> are not blocked
>
> My experience, albeit with ipfilter / ipnat, seems to reflect this opinion.

If you'll have a look at the FAQ:  http://www.snort.org/docs/faq.html#4.3

You'll want to consider if running snort on the same box as a firewall, then
the only packets that it (snort) will see will be the ones that _aren't_
blocked by your firewall rules.

> A real hub (make sure it is not one of those hub/switch type things) ahead
> of your firewall with the connection from the cable modem plugged into the
> (uplink ?) port, a second box with two interfaces, one with no address
> configured attached to the hub, the second attached to your nat'ed net, may
> allow you to see what is coming to your firewall.

Yes, that would do it.  You might also want to consider for extra security,
using a R/O cable.  I've come across a few pointers on them:

http://www.theadamsfamily.net/~erek/snort/

> otoh ... I could be talking absolute nonsense.

Aren't we all?  ;-)

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net

