Snort mailing list archives

Re: Snort on an OpenBSD firewall


From: Sean Brown <sblinux () shaw ca>
Date: Mon, 28 Jun 2004 18:29:18 -0600

On June 28, 2004 06:17 pm, Matt Kettler wrote:
At 03:29 PM 6/28/2004, Sean Brown wrote:
If I read the documentation right, I should be
able to have snort listen on pflog0 and just capture and watch the traffic
that's rejected by my firewall, which is handy because snort isn't then
logging all the arp traffic that shows up on the line.

You can do that, however, snort won't issue alerts very often this way.

Most of the snort rules look for data patterns in established tcp
connections. Firewalled packets will never be a part of such a thing, so
all rules with "flow: established" will never fire.

Quite frankly, your approach strikes me as defeating 99% of the usefulness
of an IDS. I actually take the exact opposite approach and snort only
traffic which makes it past my first firewall.

Let's face it, the most valuable information an IDS can provide you is
telling you about attack attempts that are getting past your firewall
because they are part of a connection to a legitimate service. Overflow
attempts on your mailserver, webserver, etc. generally go right past
firewalls, and are the kind of thing that IDS/IPS products are really
designed to detect, and is what makes them useful.

If you want to know about malicious attacks that your firewall is blocking,
your firewall logs will tell you that pretty well. Snort won't tell you
much about firewalled packets that your firewall logs won't. Sure, you can
snort this stuff to get all the information in one place, but it's somewhat
redundant and hardly critical.

OK, I can understand that, and if this was more of an important thing, then I
probably would just have it listen on the raw interfaces; actually, I probably
will.
This is at home though, on my own network, and I'm running Snort at the moment
pretty much just to play around right now, though I am interested in what my
firewall is doing. Since I'm just learning it, and the FAQ says I should be
able to listen on pflog0 and read the pflog files, I'm wondering what I did
that it's not. After a weekend of searching and trying different things, I had
to break down and ask.
Having all the logs in one place might be redundant, but it really makes using
them a whole lot easier.

-Sean Brown
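A toy model of the point Matt makes above, added here as an example and not part of this thread or of Snort itself: on pflog0 the sensor only sees what pf logged (the packets it blocked), so no handshake ever completes and a rule carrying flow:established stays silent, while the same rule fires on the raw interface; a rule without the flow keyword does fire on pflog0, but only tells you what the pf log already did. Packet, FlowTracker, run_rule and the traffic below are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Packet:
    src: str
    dst: str
    flags: str            # TCP flags as a string: "S", "SA", "A", "PA"
    payload: bytes = b""

@dataclass
class FlowTracker:
    """Toy 3-way-handshake tracker keyed by (client, server); stands in for
    the stream tracking that backs Snort's flow:established test."""
    state: dict = field(default_factory=dict)

    def observe(self, p):
        key, rev = (p.src, p.dst), (p.dst, p.src)
        if p.flags == "S":
            self.state[key] = "SYN"
        elif p.flags == "SA" and self.state.get(rev) == "SYN":
            self.state[rev] = "SYN_ACK"
        elif p.flags == "A" and self.state.get(key) == "SYN_ACK":
            self.state[key] = "ESTABLISHED"

    def established(self, p):
        return self.state.get((p.src, p.dst)) == "ESTABLISHED"

def run_rule(packets, content=b"/cgi-bin/", require_established=True):
    """Count alerts from one content rule, with or without flow:established."""
    tracker, alerts = FlowTracker(), 0
    for p in packets:
        tracker.observe(p)
        if content in p.payload and (not require_established or tracker.established(p)):
            alerts += 1
    return alerts

# Constructed traffic. pflog0 carries only what pf logged, i.e. what it blocked:
# a SYN it refused and a stray data segment that matched no state.
PFLOG0 = [
    Packet("10.0.0.9", "192.0.2.1", "S"),
    Packet("10.0.0.9", "192.0.2.1", "PA", b"GET /cgi-bin/x HTTP/1.0\r\n"),
]
# The raw interface carries the full handshake of a connection pf allowed.
RAW_IFACE = [
    Packet("10.0.0.9", "192.0.2.1", "S"),
    Packet("192.0.2.1", "10.0.0.9", "SA"),
    Packet("10.0.0.9", "192.0.2.1", "A"),
    Packet("10.0.0.9", "192.0.2.1", "PA", b"GET /cgi-bin/x HTTP/1.0\r\n"),
]

if __name__ == "__main__":
    print("pflog0, flow:established    ->", run_rule(PFLOG0))                             # 0
    print("pflog0, no flow keyword     ->", run_rule(PFLOG0, require_established=False))  # 1
    print("raw iface, flow:established ->", run_rule(RAW_IFACE))                          # 1
```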


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

