Snort mailing list archives

Re: Sniffing on eth0 and reseting on eth1


From: "Dave Thornburgh" <dave_thornburgh () hotmail com>
Date: Mon, 25 Nov 2002 13:01:09 -0800

"Chris Green" <cmg () snort org> wrote...
> "¤" <nico33b () yahoo fr> writes:
>
>> Hello,
>>
>> I would like to know if it is possible to start snort sniffing on a
>> specific ethernet interface (for example eth0) and configuring it to
>> send TCP_RST via another interface (for example eth1).
>
> The libnet stuff follows default routing rules so that's actually the
> way it has to work if eth0 is stealth :)

So, does that mean that if eth0 is stealth, and eth1 is connected to an
isolated snort-management-lan (not able to see the segment that eth0 is
connected to, and not connected into my main lan), that flex_resp resets
cannot be sent at all?  I was about to install a few sensors in our lan, but
since one of them will be outside the firewall and two of them will be in
DMZ's, I wanted to keep the logging to mysql (for ACID) and the SnortCenter
traffic in a disconnected lan - I thought that was the only way I'd be safe
from any of these boxes being hacked.  Have I missed something?  An earlier
message and response implied that the resets could go out the stealthed
interface.

Dave Thornburgh

