[Snort-users] inside or outside

Seth L. Thomas s.thomas4 at ...5068...
Fri Jul 19 03:52:03 EDT 2002

Sorry if this was covered before but..

Where should snort go, inside or outside of a firewall? Let's say you have a
standalone box so when you run snort against the interface to the net like
snort -dv -i eth0 then you're actually running snort on the outside of the
firewall because it binds to the raw socket so it gets the traffic before
your kernel (ipchains/iptables) has time to react to it. 

But if the traffic you're sniffing is being blocked by ipchains/iptables then
snort won't give you much info because the blocked traffic won't be able to
establish a connection so at most you'll capture a SYN.

But if you run snort against traffic that you allow through the firewall
then I mean, it's too late 'cause you're already letting it in. I always
wanted to know a little bit more info about the traffic I'm blocking (more
info than what ipchains/iptables gives you) but how can one do that without
allowing it in?


Join the Navy; sail to far-off exotic lands, meet 
exciting interesting people, and kill them.
