[Snort-users] in or out this is the problem!!
mkettler at ...4108...
Thu Mar 21 15:12:03 EST 2002
Both interfaces should see the packet, unless the router that routes
between your DMZ and your LAN does not allow them to pass, in which case
only the DMZ one will see the SYN packet.
So if you want to see all SYNs sent from the DMZ to the LAN, watch on the
DMZ interface. If you want to see all SYNs sent from the DMZ which actually
get to the LAN, watch on the LAN interface.
If your router is properly configured, only SYN packets which are explicitly
allowed should make it from the DMZ to the LAN. Otherwise you don't really
have a very effective DMZ (one of the main points of having a DMZ is so
that a compromise of a machine there won't easily lead to a compromise of
I'd recommend adding rules to both snort sensors and comparing.
At 02:59 PM 3/21/2002 +0100, Federico Lombardo wrote:
>I've two interfaces.
>1) is the LAN interface
>2) is the DMZ interface
>Each interface has a Snort sensor.
>If I want, for example, to log SYN packets from the DMZ to the LAN, where must I put
>these rules?
>In the LAN interface or the DMZ one?
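The reply above suggests loading the same rule on both sensors and comparing what each one sees. The script below is an added example, not code from this thread or from the Snort project: it assumes a single local rule (sid 1000001, with $DMZ_NET and $LAN_NET defined in snort.conf) on both sensors writing Snort's one-line "fast" alert format, parses the two alert files, and splits the DMZ-to-LAN SYNs into those that reached the LAN, those the router dropped, and those that turned up only on the LAN side. The alert lines are constructed for the example, not real captures.

```python
"""Compare DMZ-to-LAN SYN alerts from two Snort sensors (DMZ side and LAN side).

Added example, not from the original thread. Assumes this rule is loaded on
both sensors (sid 1000001 is an arbitrary choice from the local sid range;
$DMZ_NET and $LAN_NET are variables you set in snort.conf):

  alert tcp $DMZ_NET any -> $LAN_NET any (msg:"DMZ to LAN SYN"; flags:S; sid:1000001; rev:1;)

and that both sensors log in Snort's "fast" alert format, one alert per line.
"""
import re
from typing import Dict, Set, Tuple

# (src_ip, src_port, dst_ip, dst_port) identifies one SYN regardless of which sensor saw it.
Flow = Tuple[str, int, str, int]

# Snort "fast" alert line, e.g.
# 03/21-14:59:01.100000  [**] [1:1000001:1] DMZ to LAN SYN [**] [Priority: 3] {TCP} 10.1.1.5:40123 -> 192.168.1.10:22
ALERT_RE = re.compile(
    r"^\S+\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+.*?\{TCP\}\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)\s*$"
)


def parse_flows(log_text: str, sid: int = 1000001) -> Set[Flow]:
    """Return the set of flows for alerts with the given sid.

    Lines from other rules, non-TCP alerts and truncated lines are skipped
    rather than raising, because a real alert file mixes many rules.
    """
    flows: Set[Flow] = set()
    for line in log_text.splitlines():
        m = ALERT_RE.match(line.strip())
        if not m or int(m.group("sid")) != sid:
            continue
        flows.add((m.group("src"), int(m.group("sport")),
                   m.group("dst"), int(m.group("dport"))))
    return flows


def compare_sensors(dmz_log: str, lan_log: str) -> Dict[str, Set[Flow]]:
    """Classify SYNs by which sensors saw them.

    passed:   seen on both sensors, so the router let the SYN through.
    blocked:  seen on the DMZ sensor only; dropped between the sensors
              (the router's filter doing its job, or a LAN sensor miss).
    lan_only: seen on the LAN sensor only; it did not cross the monitored
              DMZ segment, which is worth investigating.
    """
    dmz = parse_flows(dmz_log)
    lan = parse_flows(lan_log)
    return {"passed": dmz & lan, "blocked": dmz - lan, "lan_only": lan - dmz}


# Constructed sample alerts (not real captures). Port 22 is allowed through the
# router, 139 and 3306 are not, and one stray SYN appears only on the LAN side.
DMZ_SENSOR_LOG = """\
03/21-14:59:01.100000  [**] [1:1000001:1] DMZ to LAN SYN [**] [Priority: 3] {TCP} 10.1.1.5:40123 -> 192.168.1.10:22
03/21-14:59:02.200000  [**] [1:1000001:1] DMZ to LAN SYN [**] [Priority: 3] {TCP} 10.1.1.5:40124 -> 192.168.1.10:139
03/21-14:59:03.300000  [**] [1:1000001:1] DMZ to LAN SYN [**] [Priority: 3] {TCP} 10.1.1.7:51000 -> 192.168.1.20:3306
03/21-14:59:04.400000  [**] [1:1000002:1] unrelated local rule [**] [Priority: 3] {TCP} 10.1.1.7:51001 -> 192.168.1.20:80
"""

LAN_SENSOR_LOG = """\
03/21-14:59:01.100500  [**] [1:1000001:1] DMZ to LAN SYN [**] [Priority: 3] {TCP} 10.1.1.5:40123 -> 192.168.1.10:22
03/21-14:59:09.900000  [**] [1:1000001:1] DMZ to LAN SYN [**] [Priority: 3] {TCP} 10.1.1.9:33000 -> 192.168.1.30:445
"""

if __name__ == "__main__":
    for bucket, flows in compare_sensors(DMZ_SENSOR_LOG, LAN_SENSOR_LOG).items():
        print(bucket)
        for src, sport, dst, dport in sorted(flows):
            print(f"  {src}:{sport} -> {dst}:{dport}")
```

Run it against the two sensors' alert files and a non-empty "blocked" set is the router doing what the reply says a properly configured one should; a non-empty "lan_only" set means a SYN reached the LAN by a path the DMZ sensor does not cover.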