[Snort-users] Wanting to run Snort on DMZ

Josh Berry josh.berry at ...10221...
Wed Dec 24 14:49:00 EST 2003

You could just make sure that eth1 does not start up with an IP (doesn't
initialize the tcp/ip stack).  I do this by configuring
/etc/sysconfig/network-scripts/ifcfg-eth1 with something like this:


> Hello everyone.
> I am a Snort newbie, and have a few questions, if you could help I
> would be grateful...
> I have a hardware firewall that sits on my Network, now what I want to
> do is use the DMZ and pass it to Snort running on Redhat 9 to see
> exactly what is hitting the router. I have snort installed and
> working in NIDS mode. Is this the correct way to have snort set to
> monitor port scans, DoS attacks etc?
> The problem is this, the linux box that runs snort also hosts several
> other services. It has two network cards (eth0 and eth1) eth0 is the
> safe protected side of the network linked to the firewall, and eth1 is
> the snort interface. Now when I connect eth1 to the DMZ, as you would
> expect that machine bypasses the firewall and is completely open. I
> asked in a newsgroup about separating the two interfaces, so that any
> traffic and services are not used on eth1. To all intents and purposes
> they are separate machines, and no services are exposed outside of the
> LAN. I thought about using IPTables to protect eth1, but would that
> block snort from listening? or is it working at a level below the
> iptables?
> quote
> "I would think snort is checking the network stack at the kernel level
> before the firewall is able to block it. If that is the case then you should
> be able to safely see all activity on snort without opening the box to the
> world."
> If I could use iptables is there any chance anyone out there could
> give me a pointer on how to set up iptables to protect eth1?
> I apologise if I appear thick, learning curve is steep!
> Many thanks for any help you can offer......
> --
> Best regards,
>  Michael (mike at ...10501...)
> Top Fifty Least-Known Facts About Saddam Hussein--
> Busy burning all his valentines from Osama.
> http://www.thompsonmike.co.uk/
> PGP KeyID := 0xA9547E32
> 'To see a world in a grain of sand
> And heaven in a wild flower
> To hold infinity in the palm of your hand
> And eternity in an hour'
> Using TheBat! Version 2.02.3 CE
> Running On Windows XP (2600, Service Pack 1)
> Sent From newsgroups

Josh Berry, CTO
josh.berry at ...10268...
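
An added example, not part of the original thread or anyone's actual configuration: a shell check that a sniffing interface such as eth1 is both configured and currently running without an IP address, the setup the reply describes. It goes slightly further than the reply by also flagging an auto-assigned IPv6 link-local address; the ifcfg contents and `ip -o addr show` output are constructed samples and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit a sniffing interface for IP addresses.
# All sample data below is constructed for illustration.

# Assumed contents of an address-less ifcfg-eth1 (constructed).
SAMPLE_IFCFG='DEVICE=eth1
ONBOOT=yes
BOOTPROTO=none'

# Constructed `ip -o addr show dev eth1` output: no IPv4 address, but the
# kernel has auto-assigned an IPv6 link-local address.
SAMPLE_LIVE='3: eth1    inet6 fe80::a00:27ff:fe4e:66a1/64 scope link \       valid_lft forever preferred_lft forever'

# Reads ifcfg text on stdin; returns 1 if it would assign an address.
audit_ifcfg() {
    rc=0
    while IFS='=' read -r key val || [ -n "$key" ]; do
        # Strip quotes and lowercase the value before comparing.
        val=$(printf '%s' "$val" | tr -d "\"'" | tr 'A-Z' 'a-z')
        case "$key" in
            IPADDR*|IPV6ADDR*)
                if [ -n "$val" ]; then echo "FAIL $key is set"; rc=1; fi ;;
            BOOTPROTO)
                if [ "$val" = dhcp ] || [ "$val" = bootp ]; then
                    echo "FAIL BOOTPROTO=$val"; rc=1
                fi ;;
        esac
    done
    return "$rc"
}

# Reads `ip -o addr show` output on stdin; returns 1 if IFACE has an address.
audit_live() {
    iface="$1"; rc=0
    while read -r _idx name family addr _rest; do
        if [ "$name" = "$iface" ] && { [ "$family" = inet ] || [ "$family" = inet6 ]; }; then
            echo "FAIL $iface has $family address $addr"; rc=1
        fi
    done
    return "$rc"
}

# Run both checks against the constructed samples.
printf '%s\n' "$SAMPLE_IFCFG" | audit_ifcfg && echo "ifcfg: no address configured"
printf '%s\n' "$SAMPLE_LIVE" | audit_live eth1 || echo "live: eth1 is still addressable"
```

On a real host, feed the functions `cat /etc/sysconfig/network-scripts/ifcfg-eth1` and `ip -o addr show dev eth1` instead of the samples.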
