[Snort-users] Snort with IPTables
erek at ...577...
Sat Jan 12 14:22:04 EST 2002
On Sat, 12 Jan 2002, Mark Rowlands wrote:
> > I would like to be able to put Snort on this box to determine how much
> > abuse we are getting. From the archive
> > it seems like this is possible but I am not sure. Ideally I would like to
> > bind snort to eth1 so I can see all the traffic
> > that is coming at the firewall and then somehow bind it also to eth0 to
> > determine what is making it past the rule
> > set of the firewall. But if I am forced to I would be happy to have it
> > sitting on the external interface.
> Nobody seems to have offered any answer so here is my .02
> The various discussions I have seen on this list seem to indicate that this
> will not make a difference, snort will only see those packets that are not
> My experience, albeit with ipfilter / ipnat, seems to reflect this opinion.
If you'll have a look at the FAQ: http://www.snort.org/docs/faq.html#4.3
You'll want to consider that if you run snort on the same box as a firewall,
the only packets that it (snort) will see will be the ones that _aren't_
blocked by your firewall rules.
> a real hub (make sure it is not one of those hub/switch type things) ahead of
> your firewall with the connection from the cable modem plugged into the
> (uplink ?) port, a second box with two interfaces, one with no address
> configured attached to the hub, the second attached to your nat'ed net, may
> allow you to see what is coming to your firewall.
Yes, that would do it. You might also want to consider, for extra security,
using an R/O cable. I've come across a few pointers on them:
> otoh ... I could be talking absolute nonsense.
Aren't we all? ;-)
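The visibility point made in this thread (a sensor on the firewall host only sees what the rule set lets through, while a sensor on a hub in front of the firewall sees everything) can be shown with a small model. The following is an added example, not code from the thread, Snort, or iptables: a first-match rule evaluator in the spirit of an iptables INPUT chain with a default policy, run over constructed sample traffic, comparing what each sensor placement observes. The rule format, the rule set and the packets are assumptions made for the illustration.

```python
"""Model of IDS sensor visibility relative to a packet filter (added example).

Constructed: a first-match rule chain with a default policy, like an iptables
INPUT chain, plus two sensor placements:
  (a) on a hub ahead of the firewall (addressless sniffing interface): sees all
  (b) on the firewall host itself: sees only packets the filter ACCEPTs
Nothing here is Snort or iptables code; rules and traffic are assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst_port: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    action: str                        # "ACCEPT" or "DROP"
    proto: Optional[str] = None        # None means "any protocol"
    dst_port: Optional[int] = None     # None means "any port"
    src_prefix: Optional[str] = None   # crude source match, e.g. "10.0."

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.dst_port is not None and self.dst_port != pkt.dst_port:
            return False
        if self.src_prefix is not None and not pkt.src.startswith(self.src_prefix):
            return False
        return True


def verdict(rules: List[Rule], policy: str, pkt: Packet) -> str:
    """First matching rule wins, as in an iptables chain; otherwise the policy."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return policy


def seen_before_firewall(packets: List[Packet], rules, policy) -> List[Packet]:
    # Sensor on a hub ahead of the firewall: the filter has not run yet.
    return list(packets)


def seen_on_firewall_host(packets: List[Packet], rules, policy) -> List[Packet]:
    # Sensor on the firewall box: only packets the rules let through reach it.
    return [p for p in packets if verdict(rules, policy, p) == "ACCEPT"]


def visibility_gap(packets: List[Packet], rules, policy) -> List[Packet]:
    """Packets the external sensor sees that the on-firewall sensor never will."""
    passed = set(seen_on_firewall_host(packets, rules, policy))
    return [p for p in packets if p not in passed]


# Constructed rule set: SSH only from the inside net, HTTP from anywhere,
# everything else dropped by policy.
RULES = [
    Rule("ACCEPT", proto="tcp", dst_port=22, src_prefix="10.0."),
    Rule("ACCEPT", proto="tcp", dst_port=80),
    Rule("DROP", proto="tcp", dst_port=22),
]
POLICY = "DROP"

# Constructed sample traffic (documentation-range addresses).
TRAFFIC = [
    Packet("10.0.0.5", 22),          # inside host to SSH: accepted
    Packet("198.51.100.7", 22),      # outside host to SSH: dropped by rule 3
    Packet("198.51.100.7", 80),      # outside host to HTTP: accepted
    Packet("203.0.113.9", 445),      # SMB probe: dropped by policy
    Packet("203.0.113.9", 53, "udp"),  # UDP DNS probe: dropped by policy
]

if __name__ == "__main__":
    outside = seen_before_firewall(TRAFFIC, RULES, POLICY)
    inside = seen_on_firewall_host(TRAFFIC, RULES, POLICY)
    print(f"hub sensor sees {len(outside)} packets, firewall-host sensor sees {len(inside)}")
    for p in visibility_gap(TRAFFIC, RULES, POLICY):
        print("invisible to on-firewall sensor:", p)
```

With this rule set the on-firewall sensor would count two packets where the hub sensor counts five; the three it never sees are exactly the probes the firewall stopped, which is the "abuse" the original poster wanted to measure.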