[Snort-users] SNORT on a firewall?

Robert.Searle at ...1614... Robert.Searle at ...1614...
Mon Mar 19 15:37:48 EST 2001


Great!  How do I tell linux to pass the info from eth0 (outside world) to
eth1 (internal)?  How do I tell snort to only look at eth1?


-----Original Message-----
From: Avleen Vig [mailto:avleen at ...396...]
Sent: Monday, March 19, 2001 2:12 PM
To: Robert.Searle at ...1613...
Subject: Re: [Snort-users] SNORT on a firewall?


You can set up a bridge, so that all data comes in on one interface and is
checked /
blocked by IPChains, and the remaining data is passed on to another
interface where it
it checked by snort


----- Original Message -----
From: <Robert.Searle at ...1614...>
To: <cmg at ...671...>
Cc: <snort-users at lists.sourceforge.net>
Sent: Monday, March 19, 2001 7:00 PM
Subject: RE: [Snort-users] SNORT on a firewall?


> So, how do I tell it to ignore the stuff that ipchains blocks.  I think I
> want to run it in non promiscuous mode?
>
> -----Original Message-----
> From: Chris Green [mailto:cmg at ...671...]
> Sent: Monday, March 19, 2001 12:20 PM
> To: Robert.Searle at ...1614...
> Cc: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] SNORT on a firewall?
>
>
> Robert.Searle at ...1614... writes:
>
> > Hi,
> > I have snort running on my firewall.  The log directory contains
> > various pieces of information (I am still not sure what they all mean).
> Is
> > the information about things that went through ipchains (my Linux\RedHat
> 7.0
> > firewall) or is this a list of everything that hit my firewall?
>
> Are you running snort on the external interface or the interface used
> to talk to the firewalled hosts?  If snort is in promiscuous mode (
> default ), it should log everything sent ot the fire wall if running
> on external interface ( I *think* ipchains get applied after pcap has
> its way ) and it should see what goes through on the internal
> interface.
>
> --
> Chris Green <cmg at ...671...>
> Laugh and the world laughs with you, snore and you sleep alone.
>
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> http://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>




More information about the Snort-users mailing list