[Snort-users] Wanting to run Snort on DMZ

Michael Thompson mike at ...10501...
Wed Dec 24 12:50:01 EST 2003

Hello everyone.

I am a Snort newbie, and have a few questions, if you could help I
would be grateful...

I have a hardware firewall that sits on my Network, now what I want to
do is use the DMZ and pass it to Snort running on Redhat 9 to see
exactly what is hitting the router. I have snort installed and
working in NIDs mode. Is this the correct way to have snort set to
monitor port scans Dos attacks etc?

The problem is this, the linux box that runs snort also hosts several
other services. It has two network cards (eth0 and eth1) eth0 is the
safe protected side of the network linked to the firewall, and eth1 is
the snort interface. Now when I connect eth1 to the DMZ, as you would
expect that machine bypasses the firewall and is completly open. I
asked in a newsgroup about seperating the two interfaces, so that any
traffic and services are not used on eth1. To all intents and purposes
they are seperate machines, and no services are exposed outside of the
LAN. I thought about using IPTables to protect eth1, but would that
block snort from listening? or is it working at a level below the

"I would think snort is checking the network stack at the kernel level
before the firewall is able to block it. If that is the case then you should
be able to safely see all activity on snort without opening the box to the

If I could use iptables is there any chance anyone out there could
give me a  pointer on how to set up iptables to protect eth1?

I apologise if I appear thick, learning curve is steep!
Many thanks for any help you can offer......

Best regards,
 Michael (mike at ...10501...)
Top Fifty Least-Known Facts About Saddam Hussein-- 
Busy burning all his valentines from Osama. 

PGP KeyID := 0xA9547E32

'To see a world in a grain of sand
And heaven in a wild flower
To hold infinity in the palm of your hand
And eternity in an hour'

Using TheBat! Version 2.02.3 CE
Running On Windows XP (2600, Service Pack 1)
Sent From newsgroups

More information about the Snort-users mailing list