[Snort-users] inside or outside

McCammon, Keith Keith.McCammon at ...3497...
Fri Jul 19 08:46:09 EDT 2002


> Standard example:
>
> One computer connected to the net through eth0. Computer runs ipchains
> which is configured to block port 80.
> snort -dv -i eth0 -l /var/log/snort port 80

OK.  So when ipchains sees src port 80, it drops.  And you're telling Snort to inspect port 80.  This doesn't make sense.  If you're dropping it, then why waste your IDS's time watching that port?
 
> According to the docs snort is on the "outside" of your firewall because it
> sees the traffic on the iface before ipchains/iptables. Since
> ipchains/iptables is configured to block port 80 then snort will only
> capture the SYN packet because the full connection couldn't go through.

Right.  Because that's what firewalls do.  

> That SYN packet capture is practically useless.

I guess??? 

> Now if you tell ipchains/iptables to open up port 80, then technically
> snort will be on the "inside" of your firewall and will be able to capture
> the entire packet's payload. But assuming you were running apache on that
> port and it was vuln to whatever, then you're screwed anyway.

First, I would take issue with the use of the word "inside" here.  Snort is still looking at the external interface; you just punched a hole in your firewall, that's all.  Inside would typically indicate looking at traffic to and from the internal interface.  But I digress...

And yes, now Snort can see the entire session.  Although it now sounds as though you're talking about punching a hole in the firewall to benefit the IDS, which is a** backwards, to be blunt.  I'd be more concerned with blocking the traffic and protecting my hosts, than I would with seeing the traffic and putting the network at risk.  I wouldn't open up RPC on my firewall just to see what I've been missing!  

> So unless you have a bunch of boxes to play around with I don't see how you
> can use snort in any effective way in a standalone box on traffic that you
> block.

I think you're missing the point of an IDS.  I would define using Snort in an "effective way" as inspecting the traffic that I *allow* to try and identify nasties.  If you're dropping the traffic anyway, then you shouldn't waste resources by having your IDS (try to) inspect it.  

> I can see what you're saying for like DMZs and people who use layers of
> dedicated router and firewalls, just not for standalone boxes.

The architecture is irrelevant.



