[Snort-users] snort behind firewall ??

Robert D. Hughes rob at ...1932...
Sat Apr 28 10:08:00 EDT 2001


What I've done is to run two instances of snort on the box. One listens on
the outside xl0 interface, the other listens on xl1. That way I see what's
coming in. Snort does see things in the tcp stream, but I've never been able
to determine if it's seeing things that are blocked by the firewall. It
definitely sees port scans, which tells me it probably does, but I like to be
absolutely positive.

Rob

-----Original Message-----
From: dotslash [mailto:dotslash at ...1760...]
Sent: Saturday, April 28, 2001 1:26 AM
To: Steve Halligan; 'centipede'; snort-users
Subject: Re: [Snort-users] snort behind firewall ??


So where and how should one install snort then?  If it's installed outside
the firewall and the snort box is not protected (by a firewall) then it
would get h4x0r right?



----- Original Message -----
From: "Steve Halligan" <agent33 at ...187...>
To: "'centipede'" <centiped at ...1832...>; "snort-users"
<snort-users at lists.sourceforge.net>
Sent: Friday, April 27, 2001 4:31 AM
Subject: RE: [Snort-users] snort behind firewall ??


> a ppp0 int is at layer2...so ipchains will block it and snort won't see it.
> If you had a ethernet int on the outside, pcap would be able to see the
> packets before ipchains blocked it.
>
> > Don't know, guys, really.
> > I run snort on the same linux machine I use ipchains.
> > I configured it to serve and protect my ppp0 interface.
> > Until today, it has alerted me of nothing but an ICMP scan, thanks to
> > ipchains.
> > The moment I remove ipchains, snort usually begins its barking.
> > And of course I heavily tested it with self initiated scannings.
> > My conclusion, and of course your remarks are more than
> > welcomed, is that
> >
> > snort DOES NOT see packets blocked by ipchains.
> >
>
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> http://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
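
Added example, not part of the original thread: one way to check which alerts from the outside sensor have no counterpart on the inside sensor, for a two-instance setup like the one described in the reply above. It assumes both instances run the same rules and write Snort fast-format alert lines, that xl1 is the inside interface, and that no NAT rewrites addresses between the two; the log lines, addresses and function names are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Assumed layout: fast alert lines "ts [**] [gid:sid:rev] msg [**] ... {PROTO} src -> dst"
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+(?:\[[\d:]+\]\s+)?"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$")

# Constructed sample alerts (documentation addresses); xl0 = outside, xl1 = inside.
OUTSIDE_LOG = [
    "04/28-10:08:00.100000  [**] [1:1000001:1] EXAMPLE telnet attempt [**] "
    "[Priority: 2] {TCP} 198.51.100.7:40000 -> 192.0.2.10:23",
    "04/28-10:08:01.200000  [**] [1:1000002:1] EXAMPLE web probe [**] "
    "[Priority: 2] {TCP} 198.51.100.7:40001 -> 192.0.2.10:80",
]
INSIDE_LOG = [
    "04/28-10:08:01.200450  [**] [1:1000002:1] EXAMPLE web probe [**] "
    "[Priority: 2] {TCP} 198.51.100.7:40001 -> 192.0.2.10:80",
]

def parse_alerts(lines, year=2001):
    """Return (timestamp, key) pairs; key = (msg, proto, src, dst)."""
    alerts = []
    for line in lines:
        m = ALERT_RE.match(line.strip())
        if not m:
            continue  # not a fast-format alert line
        # Fast alerts carry no year, so one is supplied for parsing.
        ts = datetime.strptime(f"{year}/{m['ts']}", "%Y/%m/%d-%H:%M:%S.%f")
        alerts.append((ts, (m["msg"], m["proto"], m["src"], m["dst"])))
    return alerts

def seen_only_outside(outside, inside, window=timedelta(seconds=2)):
    """Outside alerts with no matching inside alert within `window`."""
    pending = {}
    for ts, key in inside:
        pending.setdefault(key, []).append(ts)
    unmatched = []
    for ts, key in outside:
        times = pending.get(key, [])
        hit = next((t for t in times if abs(t - ts) <= window), None)
        if hit is None:
            unmatched.append((ts, key))  # no counterpart on the inside sensor
        else:
            times.remove(hit)  # one inside alert accounts for one outside alert
    return unmatched

if __name__ == "__main__":
    for ts, key in seen_only_outside(parse_alerts(OUTSIDE_LOG), parse_alerts(INSIDE_LOG)):
        print(ts.time(), *key)
```

An alert that appears in the result was raised on the outside interface only, which is consistent with the firewall having dropped that traffic before it reached the inside interface.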

