[Snort-users] snort behind firewall

chj at ...1888... chj at ...1888...
Thu Apr 26 05:03:37 EDT 2001


If the snort sensor is behind the firewall it is intrusion detection and 
if the snort sensor is in front of (or on) the firewall it is attack 
detection :-) 
(from Stephen Northcutt's book Network Intrusion Detection)

i.e. if the sensor is behind the firewall you would only see successful 
intrusions, and if the sensor is outside you will see every single 
probe...
 

Christian H. Jensen

.................................................................................. 


eSec A/S - Managed Security 

http://www.esec.dk 
Telefon: +45 7020 5585 
Direkte:  +45 4450 2073
Mobil:     +45 20192510
.................................................................................. 





"Prins, J.H." <J.H.Prins at ...1070...>
Sent by: snort-users-admin at lists.sourceforge.net
26-04-2001 10:04

 
        To:     "'dotslash'" <dotslash at ...1760...>, Snort 
<snort-users at lists.sourceforge.net>
        cc: 
        Subject:        RE: [Snort-users] snort behind firewall

This is indeed correct if snort runs on the same system as the firewall
software. If it is a system behind the firewall system then it only sees
packets on the internal network. 

-----Original Message-----
From: dotslash [mailto:dotslash at ...1760...]
Sent: donderdag 26 april 2001 9:37
To: Snort
Subject: [Snort-users] snort behind firewall


i'm not sure if this is already in the faq because i sure haven't found one.
this is an answer i found in the snort.org forum which, to me, is one of the
sought after answers of IDS newbies.  can someone verify if this answers the
question of "Can snort still do its job if it's firewalled?":

"Yes, libpcap grabs the packets well before the linux kernel IPChains
filters things. Remember, libpcap is used by tcpdump, and tcpdump can see
packets which aren't even IP (ie: IPX frames), and also sees packets
filtered by the IP handling of the Kernel. If I'm not mistaken, libpcap
grabs a raw socket.."  -- mattkettler




"So to be quite precise, it's just the kernel of the OS"

-- Bill Joy, (http://www.linux-mag.com/1999-11/joy_01.html)


_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

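The placement trade-off discussed in this thread (outside or on the firewall you see every probe, inside you see only what the filter let through), as an added example that is not part of the original messages: a small Python model of a first-match packet filter and a toy signature IDS, run against the same constructed traffic from three sensor positions. The policy, the port-to-alert table and the packets are all constructed for illustration; the "on-firewall" position models mattkettler's point that libpcap on the firewall host captures before the kernel filter runs.

```python
# Added example (not from the thread): model of what an IDS sensor observes
# depending on where it sits relative to a stateless packet filter.
# Policy, traffic and signature table below are constructed for illustration.
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Packet:
    src: str
    proto: str          # "tcp" or "udp"
    dport: int
    syn: bool = False   # TCP SYN, i.e. a connection attempt / probe


@dataclass(frozen=True)
class Rule:
    proto: str
    dport: int
    action: str         # "accept" or "drop"


def firewall_passes(rules: List[Rule], pkt: Packet, default: str = "drop") -> bool:
    """First-match stateless filter with a default policy (ipchains-style chain)."""
    for r in rules:
        if r.proto == pkt.proto and r.dport == pkt.dport:
            return r.action == "accept"
    return default == "accept"


# Toy IDS signatures (constructed): alert on SYNs to a few watched service ports.
WATCHED_PORTS = {21: "ftp-probe", 23: "telnet-probe", 80: "http-probe",
                 111: "sunrpc-probe", 6000: "x11-probe"}


def ids_alerts(packets: List[Packet]) -> List[str]:
    """Return one alert string per packet that matches a watched-port signature."""
    alerts = []
    for p in packets:
        name = WATCHED_PORTS.get(p.dport)
        if name and p.proto == "tcp" and p.syn:
            alerts.append(f"{name} from {p.src}")
    return alerts


def sensor_view(position: str, rules: List[Rule], traffic: List[Packet]) -> List[Packet]:
    """Packets visible to a libpcap sensor at the given position.

    "outside"     : on the external segment; sees everything, dropped or not.
    "on-firewall" : libpcap on the firewall host captures at the link layer,
                    before the kernel filter runs, so it also sees everything.
    "inside"      : on the internal segment; sees only what the filter passed.
    """
    if position in ("outside", "on-firewall"):
        return list(traffic)
    if position == "inside":
        return [p for p in traffic if firewall_passes(rules, p)]
    raise ValueError(f"unknown sensor position: {position}")


def compare_placements(rules: List[Rule], traffic: List[Packet]) -> Dict[str, int]:
    """Alert count per sensor position for the same traffic and policy."""
    return {pos: len(ids_alerts(sensor_view(pos, rules, traffic)))
            for pos in ("outside", "on-firewall", "inside")}


# Constructed policy: only HTTP to the web server is allowed in; default drop.
POLICY = [Rule("tcp", 80, "accept")]

# Constructed traffic: one external host sweeping several ports (documentation
# address range), plus a legitimate web client.
TRAFFIC = [
    Packet("198.51.100.7", "tcp", 21, syn=True),
    Packet("198.51.100.7", "tcp", 23, syn=True),
    Packet("198.51.100.7", "tcp", 80, syn=True),
    Packet("198.51.100.7", "tcp", 111, syn=True),
    Packet("198.51.100.7", "tcp", 6000, syn=True),
    Packet("203.0.113.9", "tcp", 80, syn=True),
]

if __name__ == "__main__":
    for pos, n in compare_placements(POLICY, TRAFFIC).items():
        print(f"{pos:12s} sensor: {n} alerts")
```

With this policy the outside and on-firewall sensors raise an alert for every port in the sweep, while the inside sensor raises alerts only for the two port-80 SYNs that the filter admitted. Every inside alert is also an outside alert, which is why an inside sensor is quieter but each of its alerts concerns traffic that actually reached the protected network.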