Re: How to monitor two different traffics with snort

[Bamm Visscher <bamm.visscher () gmail com>]

Say the FW isn't an external FW. Or maybe it has more than two
interfaces inside (PAT), outside, DMZ1 (NATed mailserver and DNS),
DMZ2 (NATed webservers), and DMZ3 (HTTP proxy).  You could tap each of
those individually, but only tapping the internal and external
interface would give you the required data.

There, now you have a reason beyond to detect reconn acty.

Bamm

On Fri, Jun 5, 2009 at 8:29 AM, Nigel Houghton <nhoughton () sourcefire com> wrote:
> On Fri, Jun 5, 2009 at 10:10 AM, Luis Daniel Lucio
> Quiroz<luis.daniel.lucio () gmail com> wrote:
> > Le vendredi 5 juin 2009 08:26:20, Bruno Noronha a écrit :
> > > Buddies,
> > >
> > >              Is there a way to use just one snort server to monitor the
> > > traffic before and after the firewall? I know that I can log separate
> > > informations in two databases and exibite then in different sites throught
> > > base, but I didn't find any feature in snort.conf that allow me to
> > > segregate what is coming from outside interface and inside interface...
> > >
> > > regards,
> > >             Bruno
> > Wait to 2.8.5 it has multi-iface capabilities.
>
> Here's a better idea:
>
> Two interfaces on the snort box, one connected to one side of the
> firewall and the other to the inside of the firewall. Then start two
> instances of snort, one per interface.
>
>  snort -i fxp0 -c /usr/local/etc/snort/snort_fxp0.conf
>
>  snort -i fxp1 -c /usr/local/etc/snort/snort_fxp1.conf
>
> Of course, if you want to run snort inline at each point then it
> requires more interfaces and it gets more complicated.
>
> (I still do not understand why folks insist on placing an IDS outside
> the firewall)
>
> --
> Nigel Houghton
> Head Mentalist
> SF VRT
> http://vrt-sourcefire.blogspot.com && http://www.snort.org/vrt/
>
> ------------------------------------------------------------------------------
> OpenSolaris 2009.06 is a cutting edge operating system for enterprises
> looking to deploy the next generation of Solaris that includes the latest
> innovations from Sun and the OpenSource community. Download a copy and
> enjoy capabilities such as Networking, Storage and Virtualization.
> Go to: http://p.sf.net/sfu/opensolaris-get
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users



-- 
sguil - The Analyst Console for NSM
http://sguil.sf.net

------------------------------------------------------------------------------
OpenSolaris 2009.06 is a cutting edge operating system for enterprises 
looking to deploy the next generation of Solaris that includes the latest 
innovations from Sun and the OpenSource community. Download a copy and 
enjoy capabilities such as Networking, Storage and Virtualization. 
Go to: http://p.sf.net/sfu/opensolaris-get
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users