[Snort-users] Wanting to run Snort on DMZ

Josh Berry josh.berry at ...10221...
Wed Dec 24 14:49:00 EST 2003


You could just make sure that eth1 does not start up with an IP (doesn't
initialize the tcp/ip stack).  I do this by configuring
/etc/sysconfig/network-scripts/ifcfg-eth1 with something like this:

DEVICE=eth1
ONBOOT=yes
USERCTL=no


> Hello everyone.
>
> I am a Snort newbie, and have a few questions, if you could help I
> would be grateful...
>
> I have a hardware firewall that sits on my Network, now what I want to
> do is use the DMZ and pass it to Snort running on Redhat 9 to see
> exactly what is hitting the router. I have snort installed and
> working in NIDS mode. Is this the correct way to have snort set to
> monitor port scans, DoS attacks etc?
>
> The problem is this, the linux box that runs snort also hosts several
> other services. It has two network cards (eth0 and eth1) eth0 is the
> safe protected side of the network linked to the firewall, and eth1 is
> the snort interface. Now when I connect eth1 to the DMZ, as you would
> expect that machine bypasses the firewall and is completely open. I
> asked in a newsgroup about separating the two interfaces, so that any
> traffic and services are not used on eth1. To all intents and purposes
> they are separate machines, and no services are exposed outside of the
> LAN. I thought about using IPTables to protect eth1, but would that
> block snort from listening? or is it working at a level below the
> iptables?
>
> quote
> "I would think snort is checking the network stack at the kernel level
> before the firewall is able to block it. If that is the case then you
> should be able to safely see all activity on snort without opening the
> box to the world."
>
> If I could use iptables is there any chance anyone out there could
> give me a  pointer on how to set up iptables to protect eth1?
>
>
> I apologise if I appear thick, learning curve is steep!
> Many thanks for any help you can offer......
> --
>
> Best regards,
>  Michael (mike at ...10501...)
>
> Top Fifty Least-Known Facts About Saddam Hussein--
> Busy burning all his valentines from Osama.
>
> http://www.thompsonmike.co.uk/
> PGP KeyID := 0xA9547E32
>
> 'To see a world in a grain of sand
> And heaven in a wild flower
> To hold infinity in the palm of your hand
> And eternity in an hour'
>
> Using TheBat! Version 2.02.3 CE
> Running On Windows XP (2600, Service Pack 1)
> Sent From newsgroups


Thanks,
Josh Berry, CTO
LinkNet-Solutions
469-831-8543
josh.berry at ...10268...
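
An added example, not part of the original post: a shell check that an ifcfg file like the one in the reply brings the sniffing interface up without requesting or assigning an IPv4 address. The function names and the sample file are constructed for illustration; BOOTPROTO, IPADDR, NETMASK and GATEWAY are standard ifcfg keys that the post itself does not show.

```shell
#!/bin/sh
# Added example: audit an ifcfg-style file for a sniff-only (no IP) interface.

# ifcfg_get FILE KEY: print the last value assigned to KEY, quotes stripped.
ifcfg_get() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 | tr -d "\"'\r"
}

# check_stealth_ifcfg FILE DEVICE
# Returns 0 if FILE brings DEVICE up at boot with no IPv4 address,
# 1 if any setting would give it an address or leave the link down,
# 2 if FILE cannot be read.
check_stealth_ifcfg() {
    file=$1 dev=$2 rc=0
    [ -r "$file" ] || { echo "ERROR: cannot read $file"; return 2; }

    [ "$(ifcfg_get "$file" DEVICE)" = "$dev" ] ||
        { echo "FAIL: DEVICE is not $dev"; rc=1; }

    # The link must still come up, otherwise Snort has nothing to capture.
    case "$(ifcfg_get "$file" ONBOOT | tr 'A-Z' 'a-z')" in
        yes) ;;
        *) echo "FAIL: ONBOOT is not yes"; rc=1 ;;
    esac

    # A DHCP or BOOTP lease would hand the DMZ-facing side an address.
    case "$(ifcfg_get "$file" BOOTPROTO | tr 'A-Z' 'a-z')" in
        dhcp|bootp) echo "FAIL: BOOTPROTO requests an address"; rc=1 ;;
    esac

    # Any static addressing key defeats the purpose as well.
    for key in IPADDR NETMASK GATEWAY; do
        [ -z "$(ifcfg_get "$file" "$key")" ] ||
            { echo "FAIL: $key is set"; rc=1; }
    done

    [ "$rc" -eq 0 ] && echo "OK: $dev comes up without an IPv4 address"
    return "$rc"
}

# Constructed sample mirroring the file from the reply.
sample=$(mktemp)
printf 'DEVICE=eth1\nONBOOT=yes\nUSERCTL=no\n' > "$sample"
check_stealth_ifcfg "$sample" eth1
rm -f "$sample"
```

On a real sensor, point the function at /etc/sysconfig/network-scripts/ifcfg-eth1 instead of the constructed sample.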




