[Snort-users] SNORT on a firewall?

Robert.Searle at ...1614... Robert.Searle at ...1614...
Mon Mar 19 14:00:12 EST 2001


So, how do I tell it to ignore the stuff that ipchains blocks?  I think I
want to run it in non-promiscuous mode?

-----Original Message-----
From: Chris Green [mailto:cmg at ...671...]
Sent: Monday, March 19, 2001 12:20 PM
To: Robert.Searle at ...1614...
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] SNORT on a firewall?


Robert.Searle at ...1614... writes:

> Hi,
> 	I have snort running on my firewall.  The log directory contains
> various pieces of information (I am still not sure what they all mean).
> Is the information about things that went through ipchains (my
> Linux\RedHat 7.0 firewall) or is this a list of everything that hit my
> firewall?

Are you running snort on the external interface or the interface used
to talk to the firewalled hosts?  If snort is in promiscuous mode
(default), it should log everything sent to the firewall if running
on the external interface (I *think* ipchains gets applied after pcap has
its way) and it should see what goes through on the internal
interface.

-- 
Chris Green <cmg at ...671...>
Laugh and the world laughs with you, snore and you sleep alone.



