[Snort-users] inside or outside

Seth L. Thomas s.thomas4 at ...5068...
Fri Jul 19 08:04:03 EDT 2002

"McCammon, Keith" wrote:
> http://www.snort.org/docs/faq.html#2.3
> If you run Snort on the external interface, pcap will see the traffic regardless.  And if you only have one sensor at your disposal, the general recommendation is to place it outside of your firewall.
> If you really want a full picture of the traffic that's moving through your network, however, you'll want one sensor in and one sensor out.
> What I'm trying to spit out is that it's up to you.

The problem is it wont capture the complete packets' payload if placed on
the outside of a firewall atleast on a standalone computer.

Standard example: 

One computer connected to the net through eth0. Computer runs ipchains
which is configured to block port 80. snort -dv -i eth0 -l /var/log/snort
port 80

According to the docs snort is on the "outside" of your firewall because it
see's the traffic on the iface before ipchains/iptables. Since
ipchains/iptables is configured to block port 80 then snort will only
capture the SYN packet because the full connection couldn't go through.
That SYN packet capture is practically useless.

Now if you tell ipchains/iptables to open up port 80, then technically
snort will be on the "inside" of your firewall and will be able to capture
the entire packet's payload. But assuming you were running apache on that
port and it was vuln to whatever, then you're screwed anyway.  

So unless you have a bunch of boxes to play around with I don't see how you
can use snort in any effective way in a standalone box on traffic that you

I can see what you're saying for like DMZ's and people who use layers of
dedicated router and firewalls, just not for standalone boxes. 

Join the Navy; sail to far-off exotic lands, meet 
exciting interesting people, and kill them.

More information about the Snort-users mailing list