[Snort-users] inside or outside

McCammon, Keith Keith.McCammon at ...3497...
Fri Jul 19 06:03:03 EDT 2002


If you run Snort on the external interface, pcap will see the traffic regardless.  And if you only have one sensor at your disposal, the general recommendation is to place it outside of your firewall.

If you really want a full picture of the traffic that's moving through your network, however, you'll want one sensor in and one sensor out.

What I'm trying to spit out is that it's up to you.

> -----Original Message-----
> From: Seth L. Thomas [mailto:s.thomas4 at ...5068...]
> Sent: Friday, July 19, 2002 6:48 AM
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] inside or outside
> Sorry if this was covered before but..
> Where should snort go, inside or outside of a firewall? Lets 
> say you have a
> standalone box so when you run snort against the interface to 
> the net like
> snort -dv -i eth0 then you're actually running snort on the 
> outside of the
> firewall because it binds to the raw socket so it gets the 
> traffic before
> your kernel (ipchains/iptables) has time to react to it. 
> But if the traffic your sniffing is being blocked by 
> ipchains/iptables then
> snort wont give you much info because the blocked traffic 
> wont be able to
> establish a connection so at most you'll capture a SYN. 
> But if you run snort against traffic that you allow through 
> the firewall
> then i mean, it's too late cause you're already letting it 
> in. I always
> wanted to know a little bit more info about the traffic I'm 
> blocking (more
> info than what ipchains/iptables gives you) but how can one 
> do that without
> allowing it in?
> -- 
> Join the Navy; sail to far-off exotic lands, meet 
> exciting interesting people, and kill them.
> -------------------------------------------------------
> This sf.net email is sponsored by:ThinkGeek
> Welcome to geek heaven.
> http://thinkgeek.com/sf
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

More information about the Snort-users mailing list