Snort mailing list archives

Re: snort and firewall all in one machine


From: Matt Kettler <mkettler () evi-inc com>
Date: Thu, 13 May 2004 12:09:26 -0400

At 09:52 AM 5/13/2004, Peggy Kam wrote:
I am currently running the firewall and snort within the same machine; and snort is having its detections before firewall blocks the packets. I would like to use snort to test if my firewall actually blocks the packets launched by attackers. Would anyone give me some advice on how I could configure IDS to do its detections after the firewall blocks the packets by its rules?

You can get some of what you want by forcing the IDS to sniff the inside interface instead of the outside. Packets from the outside that were blocked will never make it to the inside.

However, there's no way for snort to detect "post firewall". snort uses libpcap. Libpcap is fundamentally very low-level and picks up packets at a very low level off the ethernet driver, long before the TCP/IP stack gets them.

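Because snort on the outside interface sees every packet before the firewall decides, one way to check whether the firewall actually blocked a probe is to log the firewall's drops and correlate them with snort alerts by 5-tuple. The following is an added example, not code from the original post or from the Snort project; it assumes Snort's "fast" alert format, iptables LOG lines with a constructed `--log-prefix` of `FW-DROP`, and TCP/UDP packets only (ICMP lines carry no SPT/DPT and are ignored).

```python
import re

# Constructed sample input (not from the original post): two Snort fast-format alerts
# and one iptables LOG line. The first probe was dropped by the firewall, the second
# never produced a drop entry, so the firewall let it through.
SNORT_ALERTS = """\
05/13-12:09:26.101234  [**] [1:1000001:1] TEST probe to web port [**] [Priority: 2] {TCP} 192.0.2.10:4444 -> 198.51.100.5:80
05/13-12:09:27.201234  [**] [1:1000002:1] TEST probe to ssh port [**] [Priority: 2] {TCP} 192.0.2.10:4445 -> 198.51.100.5:22
"""
IPTABLES_LOG = """\
May 13 12:09:26 fw kernel: FW-DROP IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=1 DF PROTO=TCP SPT=4444 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
"""

# Snort fast alert: "[**] [gid:sid:rev] msg [**] ... {PROTO} src:spt -> dst:dpt"
ALERT_RE = re.compile(
    r'\[\*\*\] \[(?P<sid>[\d:]+)\] (?P<msg>.+?) \[\*\*\].*?\{(?P<proto>\w+)\} '
    r'(?P<src>[\d.]+):(?P<spt>\d+) -> (?P<dst>[\d.]+):(?P<dpt>\d+)')
# iptables LOG target output: "... SRC=a DST=b ... PROTO=TCP SPT=n DPT=m ..."
DROP_RE = re.compile(
    r'SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) .*?PROTO=(?P<proto>\w+) SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)')


def five_tuple(m):
    """Normalise a regex match into (proto, src, sport, dst, dport)."""
    return (m['proto'].upper(), m['src'], int(m['spt']), m['dst'], int(m['dpt']))


def dropped_flows(log_text, prefix='FW-DROP'):
    """Collect the 5-tuples of every packet the firewall logged as dropped."""
    flows = set()
    for line in log_text.splitlines():
        if prefix in line:
            m = DROP_RE.search(line)
            if m:  # ICMP and other portless protocols do not match and are skipped
                flows.add(five_tuple(m))
    return flows


def classify_alerts(alert_text, log_text, prefix='FW-DROP'):
    """Label each snort alert 'blocked' if the firewall logged a drop for the same 5-tuple."""
    dropped = dropped_flows(log_text, prefix)
    result = []
    for line in alert_text.splitlines():
        m = ALERT_RE.search(line)
        if not m:
            continue
        result.append((m['msg'], 'blocked' if five_tuple(m) in dropped else 'NOT blocked'))
    return result
```

Alerts tagged `NOT blocked` are the ones worth checking against the firewall rule set, since the packet was seen by snort but never logged as dropped.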
