[Snort-users] (no subject)

Blake Frantz blake at ...319...
Tue Apr 10 11:58:09 EDT 2001


If you are simply NATing one IP and you have snort listening on your
outside (public) interface, snort will see all traffic with respect to the
IP of that interface.  If you have snort listen on your inside
(private) interface, snort will pick up the NAT'ed traffic -- which will
allow you to determine which box the traffic is really coming/going
from/to.

Snort will see the same traffic, but the ingress destination and egress
source will be different depending on which interface you have it
listening on.

To answer your question: if your snort box is also your firewall then yes
your assumption is correct.  Disallowed traffic will be discarded before
it ever reaches the inside interface (for inbound traffic), thus snort
will not see this traffic unless it is listening on the outside interface.

Hope this helps.
 
(if any of this seems bass ackwards...I'm blaming it on the NyQuil)

Blake
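To make the placement point concrete, here is a small model (added here, not part of Blake's message or of Snort) of a one-IP NAT firewall with a sensor on either interface. The addresses, the forwarded ports and the sample packets are all constructed assumptions.

```python
from dataclasses import dataclass

# Constructed topology using documentation address ranges (assumed, not from the thread):
PUBLIC_IP = "203.0.113.10"          # firewall's outside (public) address
INSIDE_IP = "192.168.1.20"          # the single box NAT'ed behind it
ALLOWED_INBOUND_PORTS = {80, 443}   # assumed firewall policy for inbound connections

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

def inbound_through_firewall(pkt):
    """Inbound: filter first, then rewrite the destination to the private address."""
    if pkt.dst != PUBLIC_IP or pkt.dport not in ALLOWED_INBOUND_PORTS:
        return None  # discarded; never reaches the inside interface
    return Packet(pkt.src, pkt.sport, INSIDE_IP, pkt.dport)

def outbound_through_firewall(pkt):
    """Outbound: rewrite the private source to the public address."""
    if pkt.src != INSIDE_IP:
        return None
    return Packet(PUBLIC_IP, pkt.sport, pkt.dst, pkt.dport)

def sensor_view(interface, inbound, outbound):
    """Packets a sensor bound to 'outside' or 'inside' would observe."""
    seen = []
    for pkt in inbound:
        if interface == "outside":
            seen.append(pkt)  # seen as it arrives, even if the firewall drops it later
        else:
            translated = inbound_through_firewall(pkt)
            if translated is not None:
                seen.append(translated)  # destination is now the real inside box
    for pkt in outbound:
        if interface == "inside":
            seen.append(pkt)  # real private source visible here
        else:
            translated = outbound_through_firewall(pkt)
            if translated is not None:
                seen.append(translated)  # source already rewritten to PUBLIC_IP
    return seen

# Constructed sample traffic: an allowed HTTP request, a blocked telnet probe, one reply.
INBOUND = [Packet("198.51.100.7", 40000, PUBLIC_IP, 80),
           Packet("198.51.100.7", 40001, PUBLIC_IP, 23)]
OUTBOUND = [Packet(INSIDE_IP, 80, "198.51.100.7", 40000)]
```

Calling `sensor_view("outside", INBOUND, OUTBOUND)` shows the telnet probe and only public addresses; `sensor_view("inside", INBOUND, OUTBOUND)` drops the probe but reveals 192.168.1.20 as the real endpoint.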


On Mon, 9 Apr 2001, Phil wrote:

> 
> Thanks. My question is, what all is the difference. It
> seems like the first catches all attacks while the
> second catches either attacks that make it through the
> firewall... is that somewhat accurate? Am I missing
> something here?
> 
> Thanks again.
> 
> Phil
> 
> 