[Snort-users] firewalling snort machine

Salisko, Rick SaliskoR at ...1594...
Fri Feb 22 05:17:04 EST 2002

I have tried to get around a similar problem in the past by setting the default gateway of the sensor to the firewall external interface, which, of course, is set to deny all such packets. Each time a packet (scan or otherwise) is directed to the sensor IP address, any response it sends goes to the firewall, which reports it as a packet forwarding attack.

Other than opening the sensor to a DoS-type attack, can anybody see any other blatant holes in this technique?

-----Original Message-----
From: McCammon, Keith [mailto:Keith.McCammon at ...3497...]
Sent: Thursday, February 21, 2002 4:59 PM
To: Basil Saragoza; Erek Adams
Cc: snort-users at lists.sourceforge.net
Subject: RE: [Snort-users] firewalling snort machine

To answer your follow-up questions:

1) I would highly recommend that you rethink this.  It is generally
considered to be a VERY BAD practice to make your most critical security
systems available to the outside world.  You just don't do it.  Use an
internal interface for management.  Your sensor should never be visible,
in any fashion, to the outside world.  It should see without being seen.

2) You could, and it would not affect Snort's operation.  However, I
recommend that you read item 1.
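An added example, not code from either poster, showing one way to build the arrangement Keith describes (sniffing interface with no address and no traffic in or out, management only from an internal subnet on a second interface) as a host firewall policy for the sensor. Interface names and the management subnet used below are constructed placeholders; the function prints the commands rather than running them so the policy can be reviewed first and then piped to `sh` on the sensor.

```shell
#!/bin/sh
# Added example (not from the original thread): generate a host firewall
# policy for a Snort sensor. The sniffing interface is brought up with no
# IP address and ARP off, and iptables drops everything on it, so there is
# nothing for a probe to get a reply from. Management is accepted only on
# a separate internal interface from an internal subnet.
#
# Usage on the sensor (names are assumptions):
#   gen_sensor_rules eth0 eth1 10.0.0.0/24 | sh

gen_sensor_rules() {
    sniff_if=$1   # interface Snort listens on (no IP, promiscuous)
    mgmt_if=$2    # internal management interface
    mgmt_net=$3   # subnet allowed to manage the sensor

    # Sniffing interface: strip any address, stay up, never answer ARP.
    echo "ip addr flush dev $sniff_if"
    echo "ip link set $sniff_if up promisc on arp off"

    # Default deny in every direction, then rebuild the rule set.
    echo "iptables -F"
    echo "iptables -P INPUT DROP"
    echo "iptables -P FORWARD DROP"
    echo "iptables -P OUTPUT DROP"

    # Nothing in or out on the sniffing interface, ever.
    echo "iptables -A INPUT -i $sniff_if -j DROP"
    echo "iptables -A OUTPUT -o $sniff_if -j DROP"

    # Loopback and replies to connections the sensor already accepted.
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A OUTPUT -o lo -j ACCEPT"
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"

    # Management: SSH only, only on the internal interface, only from
    # the management subnet.
    echo "iptables -A INPUT -i $mgmt_if -s $mgmt_net -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT"

    # Outbound from the sensor (alert forwarding, rule updates) stays on
    # the management side and goes only to the management subnet.
    echo "iptables -A OUTPUT -o $mgmt_if -d $mgmt_net -m conntrack --ctstate NEW -j ACCEPT"
}

# count_rules_on_iface IFACE RULES: how many INPUT rules in a generated
# policy name IFACE as the inbound interface (handy when reviewing the
# output before applying it).
count_rules_on_iface() {
    printf '%s\n' "$2" | grep -c -- "-A INPUT -i $1 "
}
```

Note that Snort itself needs no address on the sniffing interface to capture packets, so the sensor can be placed where it sees the traffic without ever being reachable from that segment; the management path is the only thing exposed, and only to the internal network.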
