[Snort-users] Architecture Issue: Attack alerts not picked up on internal senso r

Nanabhay Mohamed * Group (GP) MohamedN at ...7021...
Mon Oct 21 00:02:24 EDT 2002

(sorry for posting without a subject earlier, slip of the finger)


I'm trying to set up snort behind and in front of a firewall. The results of
my endevours are mysterious indeed... any help would be appreciated. (Excuse
the drawings)

=====switch======O<--- Snort box on a mirrored port (Outside network)
=Cisco Local Redirector=
=====switch======O<--- Snort box on a mirrored port (Inside network)

Now, the box on the outside is picking up all sorts of interesting traffic
including a stack of IIS and WEB CGI attacks on port 80. The funny thing is,
the snort sensor on the inside isn't picking up any of them. The firewall is
set to allow all HTTP traffic. The snort sensor is working and if I dump the
traffic I can see HTTP traffic as well. 

I'm not sure if it's the local redirector doing something (but the network
admin has assured me it's just directing all the traffic so it shouldn't be
a problem). 

Another thing is they are using virtual IP's. So the external snort sensor
picks up attacks for say XXX.XXX.151.30. The real address of the machine is
XXX.XXX.151.40. Would this make any difference?

Thanks in advance,

Mohamed Nanabhay
Information Systems Security Services (IS3)
Transnet Group Audit Services
Tel : 011 308 4298

The information contained in this communication is intended only for the use
of the addressee(s). Unauthorised use, disclosure, or copying is strictly
prohibited. If you have received this communication in error, please notify
the sender.

More information about the Snort-users mailing list