Snort mailing list archives
Re: Snort on an OpenBSD firewall
From: Sean Brown <sblinux () shaw ca>
Date: Mon, 28 Jun 2004 18:29:18 -0600
On June 28, 2004 06:17 pm, Matt Kettler wrote:
> At 03:29 PM 6/28/2004, Sean Brown wrote:
> > If I read the documentation right, I should be able to have snort listen on pflog0 and just capture and watch the traffic that's rejected by my firewall, which is handy because snort isn't then logging all the ARP traffic that shows up on the line.
>
> You can do that, however, snort won't issue alerts very often this way. Most of the snort rules look for data patterns in established TCP connections. Firewalled packets will never be a part of such a thing, so all rules with "flow: established" will never fire.
>
> Quite frankly, your approach strikes me as defeating 99% of the usefulness of an IDS. I actually take the exact opposite approach and snort only traffic which makes it past my first firewall. Let's face it, the most valuable information an IDS can provide you is telling you about attack attempts that are getting past your firewall because they are part of a connection to a legitimate service. Overflow attempts on your mailserver, webserver, etc. generally go right past firewalls, and are the kind of thing that IDS/IPS products are really designed to detect and is what makes them useful.
>
> If you want to know about malicious attacks that your firewall is blocking, your firewall logs will tell you that pretty well. Snort won't tell you much about firewalled packets that your firewall logs won't. Sure you can snort this stuff to get all the information in one place, but it's somewhat redundant and hardly critical.
OK, I can understand that, and if this was more of an important thing, then I probably would just have it listen on the raw interfaces; actually I probably will. This is at home though on my own network, and I'm running Snort at the moment pretty much just to play around right now, though I am interested in what my firewall is doing. Since I'm just learning it, and the FAQ says I should be able to listen on pflog0 and read the pflog files, I'm wondering what I did that it's not. After a weekend of searching and trying different things, I had to break down and ask. Having all the logs in one place might be redundant, but it really makes using them a whole lot easier.

-Sean Brown
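The point Matt makes above about "flow: established" rules, shown as an added example that is not code from this thread or from Snort itself: a deliberately simplified Python model of a TCP flow tracker plus one content rule, run over constructed packets. One packet list stands in for what pflog0 sees on a "block in" firewall (SYNs that are never answered, and a stray data segment with no handshake behind it); the other stands in for what the inside interface sees (a full three-way handshake, then the request). The addresses, ports, rule content, and the three-state handshake model are all assumptions made for the illustration.

```python
from dataclasses import dataclass

# TCP flag bits used by the model.
SYN, ACK = 0x02, 0x10


@dataclass(frozen=True)
class Packet:
    """A minimal packet: endpoints, TCP flags and payload (constructed data)."""
    src: str
    sport: int
    dst: str
    dport: int
    flags: int
    payload: bytes = b""


class FlowTracker:
    """Simplified stand-in for a stream preprocessor: a flow is 'established'
    only after the full SYN / SYN-ACK / ACK exchange has been observed."""

    def __init__(self):
        self.state = {}  # direction-independent 4-tuple -> "syn", "synack", "established"

    @staticmethod
    def key(p):
        # Same key for both directions of one connection.
        return tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))

    def observe(self, p):
        k = self.key(p)
        s = self.state.get(k)
        if p.flags & SYN and not p.flags & ACK:
            self.state[k] = "syn"
        elif p.flags & SYN and p.flags & ACK and s == "syn":
            self.state[k] = "synack"
        elif p.flags & ACK and s == "synack":
            self.state[k] = "established"
        return self.state.get(k)

    def established(self, p):
        return self.state.get(self.key(p)) == "established"


def rule_matches(tracker, p, content, dport, flow_established=True):
    """Model of:  alert tcp any any -> any <dport> (flow:established; content:"<content>";)
    With flow_established=False the flow keyword is treated as absent."""
    if p.dport != dport or content not in p.payload:
        return False
    return tracker.established(p) if flow_established else True


def run_sensor(packets, content=b"/cgi-bin/", dport=80, flow_established=True):
    """Feed packets through the tracker and the single rule; return the alerting packets."""
    tracker = FlowTracker()
    alerts = []
    for p in packets:
        tracker.observe(p)
        if rule_matches(tracker, p, content, dport, flow_established):
            alerts.append(p)
    return alerts


# Constructed sample traffic (RFC 5737 documentation addresses, hypothetical ports).
CLIENT, SERVER = "192.0.2.10", "203.0.113.5"

# What a "block in log" rule hands to pflog0: SYNs that never get a SYN-ACK,
# plus a stray data segment for which no handshake was ever seen.
PFLOG_PACKETS = [
    Packet(CLIENT, 40001, SERVER, 80, SYN),
    Packet(CLIENT, 40002, SERVER, 80, SYN),
    Packet(CLIENT, 40003, SERVER, 80, ACK, b"GET /cgi-bin/x HTTP/1.0\r\n\r\n"),
]

# What the inside interface sees for a permitted connection to the web server.
INSIDE_PACKETS = [
    Packet(CLIENT, 40100, SERVER, 80, SYN),
    Packet(SERVER, 80, CLIENT, 40100, SYN | ACK),
    Packet(CLIENT, 40100, SERVER, 80, ACK),
    Packet(CLIENT, 40100, SERVER, 80, ACK, b"GET /cgi-bin/x HTTP/1.0\r\n\r\n"),
]

if __name__ == "__main__":
    print("pflog0, flow:established :", len(run_sensor(PFLOG_PACKETS)), "alert(s)")
    print("inside, flow:established :", len(run_sensor(INSIDE_PACKETS)), "alert(s)")
    print("pflog0, no flow keyword  :", len(run_sensor(PFLOG_PACKETS, flow_established=False)), "alert(s)")
```

The stray data segment on pflog0 carries the rule's content string, yet with the flow keyword in place it never alerts, because no handshake for that 4-tuple was ever observed; dropping the keyword makes it fire, which is the trade-off behind the advice to snort the traffic that gets through rather than the traffic the firewall already logged.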
Current thread:
- Snort on an OpenBSD firewall Sean Brown (Jun 28)
- Re: Snort on an OpenBSD firewall Dragos Ruiu (Jun 28)
- Re: Snort on an OpenBSD firewall Sean Brown (Jun 28)
- Re: Snort on an OpenBSD firewall Matt Kettler (Jun 28)
- Re: Snort on an OpenBSD firewall Sean Brown (Jun 28)
- Re: Snort on an OpenBSD firewall Dragos Ruiu (Jun 28)