[Snort-users] Snort behind host's firewall

Hawrylkiw, Dan G dan.g.hawrylkiw at ...1966...
Fri Jun 8 12:08:43 EDT 2001


  I think you already answered your question. Put snort behind YOUR
firewall.  If snort is behind your firewall (assuming it is in front of only
your servers and passing traffic to/from your servers only), snort should
not hear anything from the other servers.

If the firewall is shared with the "other guys", you're probably on a switch
(at least, I'd expect a co-lo to put you on a switch), so you shouldn't see
most of their traffic (maybe some ARP/chatter that is easily ignored).

You're better off not having snort 'ignore' the other guys by IP, since this
wouldn't detect things like smurf attacks or if their boxes were breached
and were being used to attack the subnet.

/Dan Hawrylkiw

-----Original Message-----
From: RoBSD [mailto:robsd at ...2198...]
Sent: Friday, June 08, 2001 1:14 AM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Snort behind host's firewall

And sorry if I ask a question that already has an answer on the list!
I want to deploy 4 servers in one colocation center, and my servers
will be in one network with servers that are not ours, and I don't want
to provide IDS for them. So, is it possible to configure snort to
not use promiscuous mode and to analyze only packets that pass through
my firewall? I know that I can use "-h IP", but on 2 servers I will
have multiple IPs (more than 20), and for this I would have to add a
new configuration for every new IP! At the same time I want to save
some CPU time and only analyze what passes the firewall!

Thank you for your response!

Radu Coroi

Best regards,
 RoBSD                          mailto:robsd at ...2198...
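One way to do what both messages describe, added here as an example and not taken from the thread: a POSIX shell wrapper that builds a single BPF filter from a list of our own address blocks (placeholder addresses), drops the ARP chatter Dan mentions, and starts snort with its -p (no promiscuous mode) and -F (read BPF filter from file) options. The interface name and snort.conf path are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Restrict what snort decodes to
# traffic to/from our own address blocks, so neighbouring tenants' traffic is
# never inspected and a new address means editing one list, not snort.conf.

# Constructed sample: the address blocks assigned to our servers at the co-lo.
OUR_NETS="192.0.2.0/28 198.51.100.16/28 203.0.113.5/32"
IFACE="${IFACE:-eth0}"                        # assumed interface name
BPF_FILE="${BPF_FILE:-/tmp/snort-ournets.bpf}" # file handed to snort -F
SNORT_CONF="${SNORT_CONF:-/etc/snort/snort.conf}" # assumed config path

# build_bpf NET... -> one BPF expression matching packets to or from any
# listed block, minus the ARP chatter a shared switch segment always leaks.
build_bpf() {
    expr=""
    for net in "$@"; do
        if [ -z "$expr" ]; then
            expr="net $net"
        else
            expr="$expr or net $net"
        fi
    done
    printf '(%s) and not arp\n' "$expr"
}

# snort_cmd IFACE BPF_FILE CONF -> the snort invocation as one string.
# -p only makes sense when snort runs on a host that is itself in the path;
# a sensor on a span port or tap still needs promiscuous mode.
snort_cmd() {
    printf 'snort -i %s -p -F %s -c %s\n' "$1" "$2" "$3"
}

# Only launch snort when explicitly asked (RUN_SNORT=1); otherwise show the
# filter and command so they can be reviewed first.
# shellcheck disable=SC2086
if [ "${RUN_SNORT:-0}" = 1 ]; then
    build_bpf $OUR_NETS > "$BPF_FILE"
    exec snort -i "$IFACE" -p -F "$BPF_FILE" -c "$SNORT_CONF"
else
    printf 'filter:    %s\n' "$(build_bpf $OUR_NETS)"
    printf 'would run: %s\n' "$(snort_cmd "$IFACE" "$BPF_FILE" "$SNORT_CONF")"
fi
```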
