[Snort-users] running snort on webserver

Josh Oshiro josh at ...155...
Wed Apr 25 19:29:50 EDT 2001


dotslash wrote:
> 
> ouch.  i too am in the same situation where i can't afford a separate snort
> box.  i have ipfilter and snort on the same machine.
> 
> my findings are that snort will not be sensing much if it's behind a
> firewall since the firewall will be dropping the sessions snort is supposed
> to scan.  however, i read somewhere that with egress filtering i could get
> snort to do its job even if it's behind a firewall.  i'm still looking for how
> to do it.
> 
> my 2cents.
> 
> ----- Original Message -----
> From: "Simon Frohn" <sf at ...1883...>
> To: <snort-users at lists.sourceforge.net>
> Sent: Tuesday, April 24, 2001 2:32 PM
> Subject: [Snort-users] running snort on webserver
> 
> > Hi,
> >
> > at the moment I am using ipchains to
> > block everything except ftp, http and ssh
> > on a webserver.
> > Nevertheless I would like getting informed
> > about break-in attempts, scans and dos-attacks
> > especially those using the http-service.
> >
> > Would you recommend putting snort on
> > the same machine the webserver is running?
> > I do not have the possibility to set up
> > a special snort server ...
> > Or is it safer to rely on ip-firewalling and not
> > to scan http-traffic?
> >
> >
> > tia,
> > Simon
> >
> >
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > Go to this URL to change user options or unsubscribe:
> > http://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users


  Your firewall should be filtering packets before snort gets them.
However it may be possible to configure your firewall to allow traffic
through far enough for snort to see it. There should be a way for you
to configure the firewall to let external traffic through and then block
that traffic internally.

-- 
josh at ...155...
Snort Support
Silicon Defense



