[Snort-users] Snort with IPTables

Mark Rowlands fuc952d at ...4457...
Sat Jan 12 12:09:03 EST 2002


On Thursday 10 January 2002 5:50 pm, jaalexan at ...4528... wrote:
> Hello all,
>
> I have done some reading of the archived messages but I still have a few
> questions about Snort with IP Tables.
>
> First some info about our environment. I have a small SOHO setup where I
> have a cable modem providing the internet connection. We have one linux
> server that has IP Tables on it with an IP Masq subnet behind it. The
> server also runs various services (Web, Mail, SSH) and has those ports
> open on the firewall. The external interface is eth1 and the internal
> interface is eth0.
>
> I would like to be able to put Snort on this box to determine how much
> abuse we are getting. From the archive it seems like this is possible but
> I am not sure. Ideally I would like to bind snort to eth1 so I can see all
> the traffic that is coming at the firewall and then somehow bind it also to
> eth0 to determine what is making it past the rule set of the firewall. But
> if I am forced to I would be happy to have it sitting on the external
> interface.

Nobody seems to have offered any answer, so here is my .02.

The various discussions I have seen on this list seem to indicate that this
will not make a difference: snort will only see those packets that are not
blocked.

My experience, albeit with ipfilter / ipnat, seems to reflect this opinion.

A real hub (make sure it is not one of those hub/switch type things) ahead of
your firewall, with the connection from the cable modem plugged into the
(uplink?) port, and a second box with two interfaces, one with no address
configured attached to the hub and the second attached to your NAT'ed net, may
allow you to see what is coming to your firewall.

otoh ... I could be talking absolute nonsense. 
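Added example, not part of this thread: given a snort sensor on each side of the firewall as the original question proposes (external eth1, internal eth0), this script correlates the two alert logs to tell which alerts got past the rule set and which were only seen outside. It assumes Snort's "alert_fast" one-line output format; the sample alerts are constructed, not real captures.

```python
import re

# Snort "alert_fast" style line (assumed format), e.g.
#   01/10-17:50:03.123456  [**] [1:1000001:1] MSG [**] [Classification: ...] [Priority: 2] {TCP} 203.0.113.9:3456 -> 198.51.100.2:80
# The regex also accepts lines without Classification/Priority and without ports (ICMP).
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>[A-Z]+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

def parse_alert(line):
    """Return the alert fields as a dict, or None if the line is not an alert."""
    m = ALERT_RE.match(line.strip())
    return m.groupdict() if m else None

def alert_key(a):
    # The destination address is deliberately left out of the key: the firewall's
    # masquerading / port forwarding may rewrite it between eth1 and eth0.
    return (a["gid"], a["sid"], a["proto"], a["src"], a["dport"])

def correlate(external_lines, internal_lines):
    """Split what the outside sensor saw into alerts also seen on the inside
    (passed the rule set) and alerts seen only outside (blocked, or addressed
    to the firewall host itself, which never crosses eth0)."""
    outside = {alert_key(a): a for a in map(parse_alert, external_lines) if a}
    inside = {alert_key(a) for a in map(parse_alert, internal_lines) if a}
    passed = {k: v for k, v in outside.items() if k in inside}
    blocked = {k: v for k, v in outside.items() if k not in inside}
    return passed, blocked

# Constructed sample alerts from the external sensor (eth1)
EXTERNAL = """\
01/10-17:50:03.123456  [**] [1:1000001:1] WEB-MISC probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.9:3456 -> 198.51.100.2:80
01/10-17:50:04.000001  [**] [1:1000002:1] NETBIOS probe [**] [Priority: 3] {TCP} 203.0.113.9:3457 -> 198.51.100.2:139
01/10-17:50:05.000002  [**] [1:1000003:1] ICMP PING [**] [Priority: 3] {ICMP} 203.0.113.9 -> 198.51.100.2
""".splitlines()
# Constructed sample alerts from the internal sensor (eth0); destination already rewritten by NAT
INTERNAL = """\
01/10-17:50:03.123999  [**] [1:1000001:1] WEB-MISC probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.9:3456 -> 192.168.1.10:80
""".splitlines()

def report():
    """Return (messages that passed the firewall, messages seen only outside)."""
    passed, blocked = correlate(EXTERNAL, INTERNAL)
    return sorted(a["msg"] for a in passed.values()), sorted(a["msg"] for a in blocked.values())

if __name__ == "__main__":
    print(report())
```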
