[Snort-users] snort behind firewall

Josh Oshiro josh at ...155...
Thu Apr 26 12:27:04 EDT 2001


"Searle, Robert (XRCC)" wrote:
> 
> Is there a way to see but separate both into two separate log files?  What is
> the best way of viewing these files?
> 
> -----Original Message-----
> From: Piers Williams [mailto:PiersW at ...1865...]
> Sent: Thursday, April 26, 2001 7:24 AM
> To: snort-users at lists.sourceforge.net
> Subject: RE: [Snort-users] snort behind firewall
> 
> Of course if snort is on the firewall then in fact you get the choice:
> monitoring attacks or intrusion (successful attacks), based on which NIC you
> monitor (internal vs external)...
> 
> -----Original Message-----
> From: chj at ...1888... [mailto:chj at ...1888...]
> Sent: 26 April 2001 10:04
> To: snort-users at lists.sourceforge.net
> Subject: RE: [Snort-users] snort behind firewall
> 
> If the snort sensor is behind the firewall it is intrusion detection and if
> the snort sensor is in front of (or on) the firewall it is attack detection
> :-)
> (from Stephen Northcutt's book Network Intrusion Detection)
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> http://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users


ACID has a nice way of viewing logs sorted by sensor. The database can
be sorted by sensor IP address, so one sensor could be external_net
208.x.x.x and internal_net could be 10.x.x.x.
 
--
josh at ...155...
Snort Support
Silicon Defense
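
Added example (not part of the original message and not ACID's own code): the per-sensor view described above, as a query over a simplified, assumed subset of a Snort alert database's sensor, event and signature tables. All rows are constructed; the second function lists signatures that the internal sensor also logged, i.e. traffic that got past the firewall.

```python
import sqlite3

# Simplified, assumed subset of a Snort alert database (sensor / signature /
# event tables). Every row below is constructed sample data.
SCHEMA = """
CREATE TABLE sensor (sid INTEGER PRIMARY KEY, hostname TEXT, interface TEXT);
CREATE TABLE signature (sig_id INTEGER PRIMARY KEY, sig_name TEXT);
CREATE TABLE event (sid INTEGER, cid INTEGER, signature INTEGER,
                    timestamp TEXT, PRIMARY KEY (sid, cid));
INSERT INTO sensor VALUES (1, '208.x.x.x', 'eth0'), (2, '10.x.x.x', 'eth1');
INSERT INTO signature VALUES (10, 'constructed-portscan'),
  (11, 'constructed-web-probe'), (12, 'constructed-ftp-attempt');
INSERT INTO event VALUES
  (1, 1, 10, '2001-04-26 10:00:01'), (1, 2, 11, '2001-04-26 10:00:07'),
  (1, 3, 10, '2001-04-26 10:02:30'), (1, 4, 12, '2001-04-26 10:05:12'),
  (2, 1, 11, '2001-04-26 10:00:07');
"""

def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def alerts_by_sensor(conn):
    """Alert counts per (sensor, signature): one 'log' per sensor."""
    return conn.execute("""
        SELECT s.hostname, g.sig_name, COUNT(*) AS hits
        FROM event e
        JOIN sensor s ON s.sid = e.sid
        JOIN signature g ON g.sig_id = e.signature
        GROUP BY s.sid, g.sig_id
        ORDER BY s.sid, hits DESC, g.sig_name""").fetchall()

def seen_on_both(conn, external_sid, internal_sid):
    """Signatures logged by the external sensor AND the internal one."""
    rows = conn.execute("""
        SELECT g.sig_name FROM signature g
        WHERE EXISTS (SELECT 1 FROM event WHERE sid = ? AND signature = g.sig_id)
          AND EXISTS (SELECT 1 FROM event WHERE sid = ? AND signature = g.sig_id)
        ORDER BY g.sig_name""", (external_sid, internal_sid)).fetchall()
    return [name for (name,) in rows]

if __name__ == "__main__":
    db = build_db()
    for host, sig, hits in alerts_by_sensor(db):
        print(f"{host:12} {sig:26} {hits}")
    print("behind the firewall too:", seen_on_both(db, 1, 2))
```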



