[Snort-users] inside or outside

Seth L. Thomas s.thomas4 at ...5068...
Fri Jul 19 09:24:05 EDT 2002

"McCammon, Keith" wrote:

> OK.  So when ipchains sees src port 80, it drops.  And you're telling Snort to inspect port 80.  This
> doesn't make sense.  If you're dropping it, then why waste your IDS's time watching that port?

Chalk it up to curiosity. Some people would like to know what they are
blocking and the log output for ipchains or iptables doesn't give you what
snort can. *shrug*

> Right.  Because that's what firewalls do.

On a standalone box with one interface to the net I guess snort is kind of
on both sides of your firewall (firewall being just ipchains or iptables
from your kernel). It captures part of the packet if the packet isn't
allowed to traverse the firewall and will capture the entire payload if
it is allowed through. 

> First, I would take issue with the use of the word "inside" here.  Snort is still looking at the 
> external interface; you just punched a hole in your firewall, that's all.  Inside would typically 
> indicate looking at traffic to and from the internal interface.  But I digress...

I guess what I considered "inside" was in reference to traffic you allow
through your firewall. 

> And yes, now Snort can see the entire session.  Although it now sounds as
> though you're talking about punching a hole in the firewall to benefit the
> IDS, which is a** backwards, to be blunt.  I'd be more concerned with
> blocking the traffic and protecting my hosts, than I would with seeing the
> traffic and putting the network at risk.  I wouldn't open up RPC on my
> firewall just to see what I've been missing!

The purpose of me running an IDS was to identify the stuff that I block so
I can learn more about why I'm blocking it. That didn't come out right, but
frankly I'd rather find out why I dropped packets to port 111 than just
assume blindly it's an rpc exploit. I'd like to find out more info, like was
it an old rpc exploit, a new one, a simple nmap scan to 111, someone
sending erroneous info to 111 with netcat, etc etc etc.

After all, it's not like I'm running any services on these ports, so even in
an open state they are useless since nothing is bound to them. I don't run
any mission critical server where data and lives are at stake. I just
wanted to learn more about what other people are running on me. 

Join the Navy; sail to far-off exotic lands, meet 
exciting interesting people, and kill them.
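The point made in this exchange (a firewall drop tells you a port number, Snort can tell you what was in the packet) turned into a small correlation script, added here as an example that is not from the thread or from the Snort project: it joins constructed iptables LOG lines with constructed Snort alert_fast lines on the 5-tuple, so each dropped packet to 111 carries the IDS's explanation next to it. The log layouts, addresses and sid numbers are assumptions.

```python
# Constructed sample input (not from the original thread): iptables LOG lines for
# dropped packets, and Snort alert_fast lines for the same packets seen on eth0.
FIREWALL_LOG = """\
Jul 19 09:10:01 gw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=3344 DPT=111 SYN
Jul 19 09:10:02 gw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=3345 DPT=22 SYN
Jul 19 09:10:03 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=84 PROTO=UDP SPT=53 DPT=111
"""
SNORT_ALERTS = """\
07/19-09:10:01.120000  [**] [1:1000001:1] RPC portmap request (constructed sid) [**] {TCP} 203.0.113.5:3344 -> 192.0.2.10:111
07/19-09:10:03.004000  [**] [1:1000002:1] RPC portmap UDP request (constructed sid) [**] {UDP} 198.51.100.7:53 -> 192.0.2.10:111
"""

import re

# alert_fast layout: "[**] [gid:sid:rev] msg [**] ... {PROTO} src:spt -> dst:dpt"
SNORT_RE = re.compile(
    r"\[\*\*\] \[[^\]]+\] (.+?) \[\*\*\].*\{(\w+)\} (\S+):(\d+) -> (\S+):(\d+)")

def _kv(line):
    """Split an iptables LOG line into its KEY=VALUE tokens (OUT= gives an empty value)."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)

def parse_firewall(text):
    """Return one 5-tuple (proto, src, spt, dst, dpt) per dropped-packet log line."""
    drops = []
    for line in text.splitlines():
        d = _kv(line)
        if all(k in d for k in ("SRC", "DST", "PROTO", "SPT", "DPT")):
            drops.append((d["PROTO"].upper(), d["SRC"], int(d["SPT"]), d["DST"], int(d["DPT"])))
    return drops

def parse_snort(text):
    """Map each alert's 5-tuple to the list of rule messages Snort raised for it."""
    alerts = {}
    for line in text.splitlines():
        m = SNORT_RE.search(line)
        if m:
            msg, proto, src, spt, dst, dpt = m.groups()
            alerts.setdefault((proto.upper(), src, int(spt), dst, int(dpt)), []).append(msg)
    return alerts

def enrich_drops(fw_text, snort_text):
    """Pair every firewall drop with the Snort alerts seen for the same packet (empty if none)."""
    alerts = parse_snort(snort_text)
    return [(drop, alerts.get(drop, [])) for drop in parse_firewall(fw_text)]

if __name__ == "__main__":
    for (proto, src, spt, dst, dpt), msgs in enrich_drops(FIREWALL_LOG, SNORT_ALERTS):
        print(f"{proto} {src}:{spt} -> {dst}:{dpt}: {'; '.join(msgs) or 'no IDS context'}")
```

A drop with no matching alert (the port 22 SYN above) is exactly the case where the firewall log is all you have; the ones to port 111 now say whether a rule fired and which.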
