[Snort-users] Snort with IPTables
fuc952d at ...4457...
Sat Jan 12 12:09:03 EST 2002
On Thursday 10 January 2002 5:50 pm, jaalexan at ...4528... wrote:
> Hello all,
> I have done some reading of the archived messages, but I still have a few
> questions about Snort with IP Tables.
> First, some info about our environment. I have a small SOHO setup where I
> have a cable modem providing the internet connection. We have one Linux
> server that has IP Tables on it with an IP Masq subnet behind it. The server
> also runs various services (Web, Mail, SSH) and has those ports open on the
> firewall. The external interface is eth1 and the internal interface is eth0.
> I would like to be able to put Snort on this box to determine how much
> abuse we are getting. From the archive it seems like this is possible, but
> I am not sure. Ideally I would like to bind Snort to eth1 so I can see all
> the traffic that is coming at the firewall, and then somehow bind it also
> to eth0 to determine what is making it past the rule set of the firewall.
> But if I am forced to, I would be happy to have it sitting on the external
> interface.
Nobody seems to have offered any answer, so here is my .02.
The various discussions I have seen on this list seem to indicate that this
will not make a difference; snort will only see those packets that are not
My experience, albeit with ipfilter / ipnat, seems to reflect this opinion.
A real hub (make sure it is not one of those hub/switch type things) ahead of
your firewall, with the connection from the cable modem plugged into the
(uplink?) port, and a second box with two interfaces, one with no address
configured attached to the hub, the second attached to your NAT'ed net, may
allow you to see what is coming to your firewall.
OTOH ... I could be talking absolute nonsense.
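The comparison the original poster is after (what eth1 sees versus what actually crosses to eth0) can be made from Snort's fast-alert logs once one instance is watching each interface. The script below is an added example; it is not code from either poster or from the Snort project. The two log extracts, the rule IDs and messages, the addresses, and the assumed invocation (`snort -A fast -i eth1` and `snort -A fast -i eth0` writing to separate log directories) are all constructed for illustration. It keys each alert on signature ID, source address and destination port rather than destination address, because DNAT rewrites the destination address on the way to eth0.

```shell
#!/bin/sh
# Added example (not from the original thread): compare Snort fast-alert
# logs captured on the firewall's external interface (eth1) and internal
# interface (eth0) to see which alerted traffic got past the iptables rules.
# All log lines, rule IDs, messages and addresses below are constructed.
set -eu
LC_ALL=C; export LC_ALL

EXT_LOG=$(mktemp); INT_LOG=$(mktemp)
trap 'rm -f "$EXT_LOG" "$INT_LOG"' EXIT

# Assumed: alerts from "snort -A fast -i eth1" (constructed sample).
cat > "$EXT_LOG" <<'EOF'
01/10-17:50:01.123456  [**] [1:1256:2] WEB-IIS CodeRed v2 root.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 24.1.2.3:2512 -> 203.0.113.5:80
01/10-17:50:07.004512  [**] [1:469:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 198.51.100.9 -> 203.0.113.5
01/10-17:51:30.981102  [**] [1:1243:4] WEB-IIS ISAPI .ida attempt [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 24.1.2.3:2600 -> 203.0.113.5:80
01/10-17:52:02.338870  [**] [1:615:1] SCAN Proxy (8080) attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.77:4001 -> 203.0.113.5:8080
EOF

# Assumed: alerts from "snort -A fast -i eth0" (constructed sample). Only the
# CodeRed probe was port-forwarded to an internal host, so only it appears
# here, with the destination rewritten by DNAT.
cat > "$INT_LOG" <<'EOF'
01/10-17:50:01.123802  [**] [1:1256:2] WEB-IIS CodeRed v2 root.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 24.1.2.3:2512 -> 192.168.1.10:80
EOF

# Reduce each fast-alert line to a sorted, unique key "sid srcip dstport".
# Destination address is deliberately left out (NAT changes it); ICMP alerts
# carry no port, so they get "-" in that field.
alert_keys() {
    sed -n 's/^.*\[\*\*\] \[[0-9]*:\([0-9]*\):[0-9]*\] .*{[A-Z]*} \([0-9.]*\)\(:[0-9]*\)\{0,1\} -> [0-9.]*\(:\([0-9]*\)\)\{0,1\}.*$/\1 \2 \5/p' "$1" \
    | sed 's/ $/ -/' | sort -u
}

# Keys alerted on both interfaces: traffic the rule set let through.
passed_firewall() {
    ext=$(mktemp); int=$(mktemp)
    alert_keys "$1" > "$ext"; alert_keys "$2" > "$int"
    comm -12 "$ext" "$int"
    rm -f "$ext" "$int"
}

# Keys alerted only on the external interface. Caveat: this bucket holds
# both traffic iptables dropped and traffic addressed to services on the
# firewall itself, which never crosses eth0 at all.
not_forwarded() {
    ext=$(mktemp); int=$(mktemp)
    alert_keys "$1" > "$ext"; alert_keys "$2" > "$int"
    comm -23 "$ext" "$int"
    rm -f "$ext" "$int"
}

echo "Alerts that crossed to eth0 (sid src dstport):"
passed_firewall "$EXT_LOG" "$INT_LOG"
echo "Alerts seen only on eth1 (dropped, or terminated on the firewall):"
not_forwarded "$EXT_LOG" "$INT_LOG"
```

Timestamps are not part of the key on purpose: the two sniffers stamp the same packet a few hundred microseconds apart, so exact-time matching would never line up. If the same source repeats the same probe many times, the sets collapse it to one key per signature, source and port; drop `sort -u` in `alert_keys` if counts matter more than the set difference.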