Re: Wanting to run Snort on DMZ

["Josh Berry" <josh.berry () netschematics com>]

You could just make sure that eth1 does not start up with an IP (doesn't
initialize the tcp/ip stack).  I do this by configuring
/etc/sysconfig/network-scripts/ifcfg-eth1 with something like this:

DEVICE=eth1
ONBOOT=yes
USRCTL=no


> Hello everyone.
>
> I am a Snort newbie, and have a few questions, if you could help I
> would be grateful...
>
> I have a hardware firewall that sits on my Network, now what I want to
> do is use the DMZ and pass it to Snort running on Redhat 9 to see
> exactly what is hitting the router. I have snort installed and
> working in NIDs mode. Is this the correct way to have snort set to
> monitor port scans Dos attacks etc?
>
> The problem is this, the linux box that runs snort also hosts several
> other services. It has two network cards (eth0 and eth1) eth0 is the
> safe protected side of the network linked to the firewall, and eth1 is
> the snort interface. Now when I connect eth1 to the DMZ, as you would
> expect that machine bypasses the firewall and is completly open. I
> asked in a newsgroup about seperating the two interfaces, so that any
> traffic and services are not used on eth1. To all intents and purposes
> they are seperate machines, and no services are exposed outside of the
> LAN. I thought about using IPTables to protect eth1, but would that
> block snort from listening? or is it working at a level below the
> iptables?
>
> quote
> "I would think snort is checking the network stack at the kernel level
> before the firewall is able to block it. If that is the case then you
> should
> be able to safely see all activity on snort without opening the box to the
> world."
>
> If I could use iptables is there any chance anyone out there could
> give me a  pointer on how to set up iptables to protect eth1?
>
>
> I apologise if I appear thick, learning curve is steep!
> Many thanks for any help you can offer......
> --
>
> Best regards,
>  Michael (mike () thompsonmike co uk)
>
> Top Fifty Least-Known Facts About Saddam Hussein--
> Busy burning all his valentines from Osama.
>
> http://www.thompsonmike.co.uk/
> PGP KeyID := 0xA9547E32
>
> 'To see a world in a grain of sand
> And heaven in a wild flower
> To hold infinity in the palm of your hand
> And eternity in an hour'
>
> Using TheBat! Version 2.02.3 CE
> Running On Windows XP (2600, Service Pack 1)
> Sent From newsgroups
>
>
>
> -------------------------------------------------------
> This SF.net email is sponsored by: IBM Linux Tutorials.
> Become an expert in LINUX or just sharpen your skills.  Sign up for IBM's
> Free Linux Tutorials.  Learn everything from the bash shell to sys admin.
> Click now! http://ads.osdn.com/?ad_id=1278&alloc_id=3371&op=click
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users


Thanks,
Josh Berry, CTO
LinkNet-Solutions
469-831-8543
josh.berry () linknet-solutions com



-------------------------------------------------------
This SF.net email is sponsored by: IBM Linux Tutorials.
Become an expert in LINUX or just sharpen your skills.  Sign up for IBM's
Free Linux Tutorials.  Learn everything from the bash shell to sys admin.
Click now! http://ads.osdn.com/?ad_id=1278&alloc_id=3371&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users