[Snort-users] snort behind firewall ??
jlewis at ...1831...
Mon Apr 30 20:02:28 EDT 2001
If I run snort on the same interface as IPchains, then snort doesn't pickup
anything. If I run it on the internal interface then it sees traffic.
"All you can do is manage the risks. There is no security."
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of Josh Oshiro
Sent: Monday, April 30, 2001 2:13 PM
Cc: Robert D. Hughes; snort-users
Subject: Re: [Snort-users] snort behind firewall ??
> >What I've done is to run two instances of snort on the box. One listens
> >the outside xl0 interface, the other listens on xl1. That way I see
> >coming in. Snort does see things in the tcp stream, but I've never been
> >to determine if its seeing things that are blocked by the firewall. It
> >definitely sees port scans, which tells me it probably does, but I like
> >absolutely positive.
> still the question remains as to how to protect the snort box. i too have
> also verified that portscans are being seen by snort even with a firewall.
> i'm just wondering why the binary-log-file doesn't contain anything during
> the time when i was running the snort attack scripts.
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> Snort-users list archive:
It is up in the air right now wether or not snort can see packets before
the firewall drop them. It seems it is system dependant. I would like
to take a poll of who can snort through there firewall and who can't.
We'll need to know what kernal you are using, how it's configured, what
firewall your using, how it's configures, and what os your using.
josh at ...155...
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
Snort-users list archive:
More information about the Snort-users