[Snort-users] in or out this is the problem!!

Matt Kettler mkettler at ...4108...
Thu Mar 21 15:12:03 EST 2002

Both interfaces should see the packet, unless the router that routes 
between your DMZ and your LAN does not allow them to pass, in which case 
only the DMZ one will see the syn packet.

So if you want to see all syn's sent from the DMZ to the lan, watch on the 
DMZ interface. If you want to see all syns sent from the DMZ which actually 
get to the lan, watch on the lan interface.

If your router is properly configured only syn packets which are explicitly 
allowed should make it from the DMZ to the LAN. Otherwise you don't really 
have a very effective DMZ (one of the main points of having a DMZ is so 
that a compromise of a machine there won't easily lead to a compromise of 
your lan).

  I'd recommend adding rules to both snort sensors and comparing.

At 02:59 PM 3/21/2002 +0100, Federico Lombardo wrote:
>I've two interfaces.
>1) is the LAN interface
>2) is the DMZ interface
>Each interface has a snort sensor.
>if I want for example log syn packets from dmz to lan... where I must put 
>this rules ?
>in the LAN interface or in the DMZ one ?

More information about the Snort-users mailing list