[Snort-users] Snort with IPTables

Erek Adams erek at ...577...
Sat Jan 12 14:22:04 EST 2002


On Sat, 12 Jan 2002, Mark Rowlands wrote:

> > I would like to be able to put Snort on this box to determine how much
> > abuse we are getting.  From the archive
> > it seems like this is possible but I am not sure.   Ideally I would like to
> > bind snort to eth1 so I can see all the traffic
> > that is coming at the firewall and then somehow bind it also to eth0 to
> > determine what is making it past the rule
> > set of the firewall.   But if I am forced to I would be happy to have it
> > sitting on the external interface.
>
> Nobody seems to have offered any answer so here is my .02
>
> The various discussions I have seen on this list seem to indicate that this
> will not make a difference; snort will only see those packets that are not
> blocked.
>
> My experience, albeit with ipfilter / ipnat, seems to reflect this opinion.

If you'll have a look at the FAQ:  http://www.snort.org/docs/faq.html#4.3

You'll want to consider that if you run snort on the same box as a firewall,
then the only packets that it (snort) will see will be the ones that _aren't_
blocked by your firewall rules.

> A real hub (make sure it is not one of those hub/switch type things) ahead of
> your firewall with the connection from the cable modem plugged into the
> (uplink?) port, a second box with two interfaces, one with no address
> configured attached to the hub, the second attached to your nat'ed net, may
> allow you to see what is coming to your firewall.

Yes, that would do it.  You might also want to consider for extra security,
using a R/O cable.  I've come across a few pointers on them:

http://www.theadamsfamily.net/~erek/snort/

> otoh ... I could be talking absolute nonsense.

Aren't we all?  ;-)

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net




