[Snort-users] running snort on webserver

Simon Frohn sf at ...1883...
Tue Apr 24 08:31:11 EDT 2001


> my findings are that snort will not be sensing much if it's behind a
> firewall since the firewall will be dropping the sessions snort is supposed
> to scan.  however, i read somewhere that with egress filtering i could get
> snort do it's job even if it's behind a firewall.  i'm still looking for how
> to do it.

Snort receives the packets when they have passed the kernel with
its firewalling rules? Is it possible to 'grep' them directly after they
are received by the (ethernet)-interface?
In which way snort is working?

eth0 ______snort_____ port 80

eth0_______port 80

As I said I am mainly interessted in scanning the http-connections,
which are not blocked, of course. Are there, despite of http://www.snort.org/snort-files.htm#Rules,
other rules avaiable? Using PHP and MySQL, I am very interessted
in attempts to pass "unusal arguments" to scripts, attempts to
enter .htaccess limited areas or attempts to exploit server / php / MySQL-bugs.


More information about the Snort-users mailing list