Snort mailing list archives

Snort and Bridge-Firewall


From: "Hyde, Jim (Omnifax)" <Jim.Hyde () omnifax xerox com>
Date: Fri, 5 Sep 2003 07:52:45 -0500

I have a question that hopefully someone can help me with:

Does snort look through a bridge firewall or is my firewall being
compromised?

Here are the details:

Snort-psql-ACID running on internal Linux box looking at entire network
(x.x.0.0/24)

Linux Bridge-Firewall sitting between RAS servers and internal network
(using same subnet)

Firewall set to block all ICMP (except network unreachable) from RAS
dialed-in systems because some of them are still infected with Nachi.

Firewall reports blocking ICMP by the hundreds from infected systems.

Snort/ACID shows some of the Cyberkit 2.2 from infected machines, but not
all that the firewall is logging being blocked.

So, is snort crossing the bridge and seeing the infected systems, or do I
have a problem with my firewall not blocking all of the Cyberkit 2.2 pings?

We disable the RAS users and disconnect them from the RAS, so they have to
call the help desk and we get them cleaned up, but I'm curious if I'm seeing
crossover reports from snort or are the pings actually getting through the
firewall-bridge.

Thanks,
Jim
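One way to settle the question from the two logs, as an added example that is not part of the original post or of Snort itself: a bridge firewall that drops an echo request also prevents the internal host from ever sending an echo reply. So if Snort alerts on the CyberKit-style request from a RAS host but never logs an "ICMP Echo Reply" from the internal target back to it, the sensor is most likely seeing the RAS side of the bridge (its span port or hub covers that segment), which is crossover reporting rather than a firewall leak. If Snort does see a reply, the ping provably crossed the bridge. The script below correlates both logs per RAS source address. Everything in it is constructed for the example: the Snort "fast" alert lines, the iptables-style LOG lines with the made-up "RAS-ICMP-DROP" prefix, the addresses, and the SID numbers in the sample lines.

```python
import re
from collections import defaultdict

# Constructed sample input (not from the original post). The Snort lines follow
# the "-A fast" alert layout; the firewall lines mimic iptables LOG output from a
# bridging firewall. Addresses, hostnames, SIDs and the log prefix are made up.
SNORT_ALERTS = """\
09/05-07:40:12.101234 [**] [1:483:5] ICMP PING CyberKit 2.2 Windows [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.1.5.20 -> 10.1.0.44
09/05-07:40:12.102511 [**] [1:483:5] ICMP PING CyberKit 2.2 Windows [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.1.5.20 -> 10.1.0.45
09/05-07:40:13.250090 [**] [1:483:5] ICMP PING CyberKit 2.2 Windows [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.1.5.31 -> 10.1.0.44
09/05-07:40:13.251377 [**] [1:408:5] ICMP Echo Reply [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.1.0.44 -> 10.1.5.31
"""

FIREWALL_LOG = """\
Sep  5 07:40:12 bridge kernel: RAS-ICMP-DROP IN=eth0 OUT=eth1 SRC=10.1.5.20 DST=10.1.0.44 PROTO=ICMP TYPE=8 CODE=0
Sep  5 07:40:12 bridge kernel: RAS-ICMP-DROP IN=eth0 OUT=eth1 SRC=10.1.5.20 DST=10.1.0.45 PROTO=ICMP TYPE=8 CODE=0
Sep  5 07:40:14 bridge kernel: RAS-ICMP-DROP IN=eth0 OUT=eth1 SRC=10.1.5.77 DST=10.1.0.44 PROTO=ICMP TYPE=8 CODE=0
"""

SNORT_RE = re.compile(
    r"^(?P<ts>\S+) \[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] "
    r"(?P<msg>.*?) \[\*\*\] .*\{(?P<proto>\w+)\} (?P<src>\S+) -> (?P<dst>\S+)$"
)
FW_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=ICMP TYPE=(?P<type>\d+)")


def parse_snort_fast(text):
    """Return one dict per parsable Snort fast-format alert line."""
    alerts = []
    for line in text.splitlines():
        m = SNORT_RE.match(line)
        if m:
            d = m.groupdict()
            d["sid"] = int(d["sid"])
            alerts.append(d)
    return alerts


def parse_fw_echo_drops(text):
    """Return (src, dst) pairs for echo requests (ICMP type 8) the firewall logged."""
    drops = []
    for line in text.splitlines():
        m = FW_RE.search(line)
        if m and m.group("type") == "8":
            drops.append((m.group("src"), m.group("dst")))
    return drops


def classify_sources(alerts, drops):
    """Per RAS source IP, combine what the firewall logged with what Snort saw.

    The decisive evidence is the echo reply: an internal host can only answer a
    ping that actually crossed the bridge, so a reply proves traversal. A
    request with no reply is only "probably dropped" (the host may not answer).
    """
    dropped = defaultdict(int)
    for src, _dst in drops:
        dropped[src] += 1
    requests = defaultdict(int)
    replies = defaultdict(int)
    for a in alerts:
        if a["proto"] != "ICMP":
            continue
        if "CyberKit" in a["msg"]:
            requests[a["src"]] += 1
        elif a["msg"] == "ICMP Echo Reply":
            replies[a["dst"]] += 1  # the reply goes back to the pinging RAS host
    verdicts = {}
    for src in sorted(set(dropped) | set(requests)):
        if replies[src]:
            v = "leak"  # ping reached an internal host and was answered
        elif requests[src] and dropped[src]:
            v = "crossover"  # Snort saw the request on the RAS side; nothing came back
        elif dropped[src]:
            v = "dropped-unseen"  # firewall dropped it; the sensor never saw the packet
        else:
            v = "inconclusive"  # Snort saw it, firewall did not log it, no reply
        verdicts[src] = {
            "fw_dropped": dropped[src],
            "snort_requests": requests[src],
            "snort_replies": replies[src],
            "verdict": v,
        }
    return verdicts


if __name__ == "__main__":
    report = classify_sources(parse_snort_fast(SNORT_ALERTS),
                              parse_fw_echo_drops(FIREWALL_LOG))
    for src, info in report.items():
        print(src, info)
```

On the constructed input, 10.1.5.20 comes out as "crossover" (firewall dropped two requests, Snort saw both, no reply ever returned), 10.1.5.31 as "leak" (Snort saw the request and the internal host's reply, so that ping traversed the bridge), and 10.1.5.77 as "dropped-unseen". The "inconclusive" bucket matters in practice: many internal hosts run personal firewalls and never answer pings, so the absence of a reply alone does not prove the bridge dropped the packet; only the presence of a reply is conclusive.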

