[Snort-users] Snort and Firewall on the same box

Hawrylkiw, Dan G dan.g.hawrylkiw at ...1966...
Mon May 14 13:28:49 EDT 2001


I'm assuming that you're using Linux/IPchains given the ethX designations.
Snort sees everything before IPchains, so you won't need eth0 listening to
have snort monitor all traffic inbound on eth1.  Just set up snort to listen
on eth1.  If you are using another product such as Firewall-1, you might
need to test it to be sure.  This is because IPchains runs in the kernel
space, while many 3rd party firewall applications run in higher layers.

I have been testing snort on a 3 interface ipchains firewall with a second
snort box (same rules) also listening on the same outside hub.  After ~3
weeks, both boxes have alerted on the same traffic whether the firewall
blocks it or not. This includes light security scanning on my part to
supplement the usual script kiddie noise....

/Dan Hawrylkiw   RHCE
Server Specialist
Intel Corp. / Home Products Group
-----Original Message-----
From: Paul D. Shaffer [mailto:paulshaf at ...741...]
Sent: Friday, May 11, 2001 7:37 PM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Snort and Firewall on the same box

	Sorry to dig up an old thread which I don't recall ever being
satisfactorily resolved, but I've been pondering a good way to run snort and
an FW on the same box and came up with this angle:  Your box has three NICs:
eth0, 1, and 2.  Snort listens on eth0.  Eth1 and 2 form a stealthed,
bridged firewall with say, eth1 on the outside.  Eth0 and eth1 are jacked
into the same hub right behind the external router, ISP, whatever.  Does
that not pretty much eliminate any doubt about what snort is seeing,
regardless of what the firewall is doing?  I might give this a try unless
someone can point out something wrong with the idea...


Longtime lurker
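
Added example, not part of the original thread: one way to run the comparison described in the reply above, checking that the Snort instance on the firewall box and a second sensor on the same hub alerted on the same traffic. The log lines are constructed samples in Snort's fast-alert layout, and the function and variable names are hypothetical.

```python
import re
from collections import Counter

# Snort "fast" alert line: timestamp, [**] message [**], then src -> dst
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+(?P<msg>.+?)\s+\[\*\*\]"
    r".*?(?P<src>\d+\.\d+\.\d+\.\d+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?::(?P<dport>\d+))?\s*$"
)

# Constructed sample: alerts from Snort running on the firewall box itself.
FIREWALL_BOX_LOG = """
05/12-03:14:07.101200  [**] SCAN SYN FIN [**] 198.51.100.7:1042 -> 192.0.2.10:23
05/12-03:14:09.552100  [**] ICMP PING NMAP [**] 198.51.100.7 -> 192.0.2.10
05/13-11:02:44.000310  [**] SCAN SYN FIN [**] 198.51.100.7:1043 -> 192.0.2.10:111
"""

# Constructed sample: the same traffic seen by the second sensor on the hub.
# Timestamps differ slightly because the two clocks are not synchronized.
SECOND_SENSOR_LOG = """
05/12-03:14:07.398801  [**] SCAN SYN FIN [**] 198.51.100.7:1042 -> 192.0.2.10:23
05/12-03:14:09.849950  [**] ICMP PING NMAP [**] 198.51.100.7 -> 192.0.2.10
05/13-11:02:44.297113  [**] SCAN SYN FIN [**] 198.51.100.7:1043 -> 192.0.2.10:111
"""

def alert_keys(log_text):
    """Count alerts by (msg, src, sport, dst, dport), ignoring timestamps."""
    counts = Counter()
    for line in log_text.splitlines():
        m = ALERT_RE.match(line.strip())
        if m:
            counts[(m["msg"], m["src"], m["sport"], m["dst"], m["dport"])] += 1
    return counts

def compare_sensors(firewall_log, reference_log):
    """Return alerts that only one of the two sensors raised."""
    fw, ref = alert_keys(firewall_log), alert_keys(reference_log)
    return {
        "missed_by_firewall_sensor": ref - fw,   # reference saw it, firewall box did not
        "extra_on_firewall_sensor": fw - ref,    # firewall box saw it, reference did not
    }

if __name__ == "__main__":
    for side, alerts in compare_sensors(FIREWALL_BOX_LOG, SECOND_SENSOR_LOG).items():
        print(side, dict(alerts) or "none")
```

An empty `missed_by_firewall_sensor` result over a test period that includes traffic the firewall drops supports the claim that the capture happens ahead of the packet filter.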
