[Snort-users] running snort on webserver

Jon Bentley jon at ...1741...
Wed Apr 25 19:56:32 EDT 2001


Hey, guys.  The easiest way to make this happen is to
forward all packets to a local loopback device, and then
nat/filter off of that.  SNORT gets configured to view the
packets on the loopback device, and you're in business.

----- Original Message -----
From: "Josh Oshiro" <josh at ...155...>
To: "dotslash" <dotslash at ...1760...>
Cc: "Simon Frohn" <sf at ...1883...>; <snort-users at lists.sourceforge.net>
Sent: Wednesday, April 25, 2001 7:29 PM
Subject: Re: [Snort-users] running snort on webserver


> dotslash wrote:
> >
> > ouch.  i too am in the same situation where i can't afford a separate
snort
> > box.  i have ipfilter and snort on the same machine.
> >
> > my findings are that snort will not be sensing much if it's behind a
> > firewall since the firewall will be dropping the sessions snort is
supposed
> > to scan.  however, i read somewhere that with egress filtering i could
get
> > snort do it's job even if it's behind a firewall.  i'm still looking for
how
> > to do it.
> >
> > my 2cents.
> >
> > ----- Original Message -----
> > From: "Simon Frohn" <sf at ...1883...>
> > To: <snort-users at lists.sourceforge.net>
> > Sent: Tuesday, April 24, 2001 2:32 PM
> > Subject: [Snort-users] running snort on webserver
> >
> > > Hi,
> > >
> > > at the moment I am using ipchains to
> > > block everything except ftp, http and ssh
> > > on a webserver.
> > > Nevertheless I would like getting informend
> > > about break-in attempts, scans and dos-attacks
> > > especially those using the http-service.
> > >
> > > Would you recommend putting snort on
> > > the same machine the webserver is running?
> > > I do not have the possibility to set up
> > > a special snort server ...
> > > Or is it safer to rely on ip-firewalling and not
> > > to scan http-traffic?
> > >
> > >
> > > tia,
> > > Simon
> > >
> > >
> > > _______________________________________________
> > > Snort-users mailing list
> > > Snort-users at lists.sourceforge.net
> > > Go to this URL to change user options or unsubscribe:
> > > http://lists.sourceforge.net/lists/listinfo/snort-users
> > > Snort-users list archive:
> > > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > Go to this URL to change user options or unsubscribe:
> > http://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
>
>   Your Firewire should be filtering packets before snort gets them.
> However it may be possible to configure your firewall to allow traffic
> through far enough for snort to see it. There should be a way for you
> configure the fire wall to let external traffic though and then block
> that traffic internaly.
>
> --
> josh at ...155...
> Snort Support
> Silicon Defense
>
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> http://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>





More information about the Snort-users mailing list