[Snort-users] snort behind firewall

dotslash dotslash at ...1760...
Sat Apr 28 02:07:24 EDT 2001


Correct, but the issue here is that both snort and ipfilter are on the same box using the same NIC.  As far as I can tell, snort does see what's happening on my $HOME_NET and at the same time ipfilter is blocking and logging it.

It would be better, of course, if the IDS gurus could confirm this.  :-)


  ----- Original Message ----- 
  From: chj at ...1888... 
  To: snort-users at lists.sourceforge.net 
  Sent: Thursday, April 26, 2001 1:03 PM
  Subject: RE: [Snort-users] snort behind firewall



  If the snort sensor is behind the firewall it is intrusion detection and if the snort sensor is in front of (or on) the firewall it is attack detection :-) 
  (from Stephen Northcutt's book Network Intrusion Detection) 

  i.e. if the sensor is behind the firewall you would only see successful intrusions, and if the sensor is outside you will see every single probe... 
    

  Christian H. Jensen

  .................................................................................. 

  eSec A/S - Managed Security 

  http://www.esec.dk 
  Phone: +45 7020 5585 
  Direct:  +45 4450 2073
  Mobile:     +45 20192510
  .................................................................................. 


  From: "Prins, J.H." <J.H.Prins at ...1070...>
  Sent by: snort-users-admin at lists.sourceforge.net
  26-04-2001 10:04
  To: "'dotslash'" <dotslash at ...1760...>, Snort <snort-users at lists.sourceforge.net>
  cc:
  Subject: RE: [Snort-users] snort behind firewall


  This is indeed correct if snort runs on the same system as the firewall
  software. If it is a system behind the firewall system then it only sees
  packets on the internal network. 

  -----Original Message-----
  From: dotslash [mailto:dotslash at ...1760...]
  Sent: Thursday, 26 April 2001 9:37
  To: Snort
  Subject: [Snort-users] snort behind firewall


  I'm not sure if this is already in the FAQ because I sure haven't found one.
  This is an answer I found in the snort.org forum which, to me, is one of the
  sought-after answers of IDS newbies.  Can someone verify if this answers the
  question of "Can snort still do its job if it's firewalled?":

  "Yes, libpcap grabs the packets well before the Linux kernel IPChains
  filters things. Remember, libpcap is used by tcpdump, and tcpdump can see
  packets which aren't even IP (i.e. IPX frames), and also sees packets
  filtered by the IP handling of the kernel. If I'm not mistaken, libpcap
  grabs a raw socket.."  -- mattkettler




  "So to be quite precise, it's just the kernel of the OS"

  -- Bill Joy, (http://www.linux-mag.com/1999-11/joy_01.html)


  _______________________________________________
  Snort-users mailing list
  Snort-users at lists.sourceforge.net
  Go to this URL to change user options or unsubscribe:
  http://lists.sourceforge.net/lists/listinfo/snort-users
  Snort-users list archive:
  http://www.geocrawler.com/redir-sf.php3?list=snort-users

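The thread's claim is that a sensor on the firewall host sees traffic the packet filter then blocks (libpcap captures before the kernel filter acts), while a sensor behind the firewall sees only what was allowed through. One way to check this on a box like dotslash's, where snort and ipfilter share one NIC, is to correlate ipfilter's block log with snort's alert log: every blocked flow that also shows up as a snort alert proves the sensor saw it. The script below is an added example and is not code from this thread, from Snort or from IPFilter; the ipmon and snort fast-alert line shapes it parses are approximations of those formats, and all log lines in it are constructed.

```python
import re

# Constructed sample of ipfilter block/pass log lines as written by ipmon.
# Layout assumed: "date time [Nx] iface @group:rule action src,sport -> dst,dport PR proto ..."
# The "b"/"p" letter is the action (block/pass). Only rules with the "log"
# keyword produce these lines on a real host.
IPF_LOG = """\
28/04/2001 02:01:10.123456 le0 @0:3 b 10.9.8.7,4021 -> 192.168.1.10,23 PR tcp len 20 60 -S IN
28/04/2001 02:01:11.223456 le0 @0:3 b 10.9.8.7,4022 -> 192.168.1.10,111 PR tcp len 20 60 -S IN
28/04/2001 02:01:12.323456 le0 @0:9 p 10.9.8.7,4023 -> 192.168.1.10,80 PR tcp len 20 60 -S IN
28/04/2001 02:01:13.423456 le0 @0:3 b 172.16.5.5,53 -> 192.168.1.10,53 PR udp len 20 78 IN
"""

# Constructed sample of snort "-A fast" alert lines (signature ids are made up).
SNORT_ALERTS = """\
04/28-02:01:10.123512  [**] [1:1000001:1] CONSTRUCTED telnet probe [**] [Priority: 2] {TCP} 10.9.8.7:4021 -> 192.168.1.10:23
04/28-02:01:12.323600  [**] [1:1000002:1] CONSTRUCTED web probe [**] [Priority: 3] {TCP} 10.9.8.7:4023 -> 192.168.1.10:80
04/28-02:01:13.423700  [**] [1:1000003:1] CONSTRUCTED dns probe [**] [Priority: 2] {UDP} 172.16.5.5:53 -> 192.168.1.10:53
"""

# Approximation of an ipmon line; everything after the protocol is ignored.
IPF_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?:\d+x )?(?P<iface>\S+) @\S+ (?P<action>[bp]) "
    r"(?P<src>\S+),(?P<sport>\d+) -> (?P<dst>\S+),(?P<dport>\d+) PR (?P<proto>\w+)"
)
# Approximation of a snort fast-alert line; only the trailing 5-tuple is used.
SNORT_RE = re.compile(
    r"\{(?P<proto>\w+)\} (?P<src>\S+):(?P<sport>\d+) -> (?P<dst>\S+):(?P<dport>\d+)\s*$"
)


def flow_key(m):
    """Normalise a regex match into (proto, src, sport, dst, dport)."""
    return (m["proto"].lower(), m["src"], m["sport"], m["dst"], m["dport"])


def parse_ipf(text):
    """Return {flow_key: action} for every ipmon line that matches the pattern."""
    flows = {}
    for line in text.splitlines():
        m = IPF_RE.match(line)
        if m:
            flows[flow_key(m)] = m["action"]
    return flows


def parse_snort(text):
    """Return the set of flow keys that produced a snort alert."""
    seen = set()
    for line in text.splitlines():
        m = SNORT_RE.search(line)
        if m:
            seen.add(flow_key(m))
    return seen


def correlate(ipf_text, snort_text):
    """Bucket each firewall-logged flow by (blocked|passed) x (seen|unseen by snort)."""
    fw = parse_ipf(ipf_text)
    ids = parse_snort(snort_text)
    report = {"blocked_seen": [], "blocked_unseen": [],
              "passed_seen": [], "passed_unseen": []}
    for key, action in fw.items():
        bucket = "blocked" if action == "b" else "passed"
        bucket += "_seen" if key in ids else "_unseen"
        report[bucket].append(key)
    return report


if __name__ == "__main__":
    # Blocked flows that snort also alerted on show the sensor captured them
    # before ipfilter dropped them, which is the property the thread asks about.
    for bucket, flows in correlate(IPF_LOG, SNORT_ALERTS).items():
        print(f"{bucket:15s} {len(flows)}")
        for proto, src, sport, dst, dport in flows:
            print(f"    {proto} {src}:{sport} -> {dst}:{dport}")
```

Two caveats when running this against real logs: a flow in `blocked_unseen` only means no snort rule fired on it, not that libpcap failed to capture it, so a rule that matches the probe (or a plain `tcpdump` on the same interface) is the cleaner test; and the script keys on the 5-tuple alone and ignores timestamps, which is enough for a one-off check but would need a time window on a busy link where ports are reused.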




