Snort mailing list archives
RE: inside or outside
From: "McCammon, Keith" <Keith.McCammon () eadvancemed com>
Date: Fri, 19 Jul 2002 09:02:18 -0400
http://www.snort.org/docs/faq.html#2.3

If you run Snort on the external interface, pcap will see the traffic regardless. And if you only have one sensor at your disposal, the general recommendation is to place it outside of your firewall. If you really want a full picture of the traffic that's moving through your network, however, you'll want one sensor in and one sensor out. What I'm trying to spit out is that it's up to you.
-----Original Message-----
From: Seth L. Thomas [mailto:s.thomas4 () comcast net]
Sent: Friday, July 19, 2002 6:48 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] inside or outside

Sorry if this was covered before but..

Where should snort go, inside or outside of a firewall? Let's say you have a standalone box so when you run snort against the interface to the net like snort -dv -i eth0 then you're actually running snort on the outside of the firewall because it binds to the raw socket so it gets the traffic before your kernel (ipchains/iptables) has time to react to it. But if the traffic you're sniffing is being blocked by ipchains/iptables then snort won't give you much info because the blocked traffic won't be able to establish a connection so at most you'll capture a SYN. But if you run snort against traffic that you allow through the firewall then I mean, it's too late cause you're already letting it in.

I always wanted to know a little bit more info about the traffic I'm blocking (more info than what ipchains/iptables gives you) but how can one do that without allowing it in?

--
Join the Navy; sail to far-off exotic lands, meet exciting interesting people, and kill them.

-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users