[Snort-users] running snort on webserver

Josh Oshiro josh at ...155...
Thu Apr 26 13:15:50 EDT 2001


Put the firewall on your internal IP. This should allow external_net
through to your kernel where snort can read it. This of course presents
other security issues.
For example, external_net is 208.x.x.x and internal_net is 10.x.x.x: let
everything through 208.x.x.x and firewall 10.x.x.x. This way snort can
read the packets before the firewall blocks them. Some folks seem to be
able to firewall external_net and read all incoming packets with snort
and some apparently cannot.
This may have to do with the kernel version. libpcap reads eth data at
the kernel level and it does not access the eth device directly;
therefore the firewall rules should apply before snort can see the
network traffic.
-- 

josh at ...155...
Snort Support
Silicon Defense


dotslash wrote:
> 
> alright. i'm rather new to firewalling although i've managed to block stuff
> i don't want in my snort box successfully.  could you tell us just how would
> one achieve what you're suggesting?  AFAIK, you can either block incoming
> traffic or allow them in.  that's all.
> 
> appreciate response on this.
> 
> ----- Original Message -----
> From: "Jon Bentley" <jon at ...1741...>
> To: "Josh Oshiro" <josh at ...155...>; "dotslash" <dotslash at ...1760...>
> Cc: "Simon Frohn" <sf at ...1883...>; <snort-users at lists.sourceforge.net>
> Sent: Thursday, April 26, 2001 3:56 AM
> Subject: Re: [Snort-users] running snort on webserver
> 
> > Hey, guys.  The easiest way to make this happen is to
> > forward all packets to a local loopback device, and then
> > nat/filter off of that.  SNORT gets configured to view the
> > packets on the loopback device, and you're in business.
> >
> > ----- Original Message -----
> > From: "Josh Oshiro" <josh at ...155...>
> > To: "dotslash" <dotslash at ...1760...>
> > Cc: "Simon Frohn" <sf at ...1883...>; <snort-users at lists.sourceforge.net>
> > Sent: Wednesday, April 25, 2001 7:29 PM
> > Subject: Re: [Snort-users] running snort on webserver
> >
> >
> > > dotslash wrote:
> > > >
> > > > ouch.  i too am in the same situation where i can't afford a separate
> > > > snort box.  i have ipfilter and snort on the same machine.
> > > >
> > > > my findings are that snort will not be sensing much if it's behind a
> > > > firewall since the firewall will be dropping the sessions snort is
> > > > supposed to scan.  however, i read somewhere that with egress filtering
> > > > i could get snort to do its job even if it's behind a firewall.  i'm
> > > > still looking for how to do it.
> > > >
> > > > my 2cents.
