[Snort-users] snort behind firewall - good?

hailjt hailjt at ...1871...
Sun Apr 22 18:15:25 EDT 2001


Hmmm....
Which interface are you pointing snort at?

On my system at home running kernel 2.2.17 and ipchains 1.3.9 snort can see 
all incoming traffic on the outside interface, even the blocked ports.

Sounds as if your mileage may vary...

Jed

On Sunday 22 April 2001 09:54, Martijn Heemels wrote:
>
> > This should work. I have never tried it.  If you're using ipchains
> > or iptables, these live in kernel space, and libpcap will capture
> > the packets before the firewall gets an opportunity to see them.
> >
> > > this maybe obvious to all of you but i just want to find out if
> > > it's advisable to install a firewall in the same box as snort is
> > > installed.
> >
> > will
> >
> > > i be missing things if i do it this way like portscans and all
> > > that?
>
> Hi, I'm running ipchains on a home gateway with both snort and
> portsentry as second level defenses.
> In my personal experience ipchains has first priority, and blocks
> anything unwanted, before allowing snort or portsentry to see the
> packets.
> I have even purposely opened some ports so that portsentry can detect
> scans on them and block the ip's completely.
> Snort has for example not logged any attempts by recent worms, until
> I brought down the firewall. Almost immediately both snort and
> portsentry started giving alerts about attempts on port 111.
>
> So, Dotslash, it is very well possible, and if you have limited
> resources (i.e. cash) you can make one machine do a lot. If you have
> the ipchains firewall locked down pretty well, you won't see much
> happening in the snort and portsentry logs, but in my opinion that's
> a good thing, and if someone happens to break through the firewall,
> there's still snort to tell me about it, and portsentry to throw them
> out the door.
>
> Since my internal masqueraded LAN network is left a lot more 'open'
> by ipchains, snort is showing a lot more stuff on that side. This
> allows me to monitor the LAN for strange traffic. My LAN is trusted
> enough, so I don't have to firewall that side as much. Snort will do
> just fine.
>
> Hope this helps,
>
> Martijn
>
> --
> M. Heemels
> Eindhoven, NL
> martijn at ...1736...
> student :: webdesigner
>
>