[Snort-users] Bad Traffic, Port 0

Erwin Van de Velde erwin.vandevelde at ...10361...
Thu Dec 25 02:38:00 EST 2003


If snort and iptables are running on the same machine, you always see those 
packets with snort, even if iptables blocks them. Why don't you use a snort 
sensor behind the firewalling machine? You will then see if you blocked the 
traffic or not.
Anyway, I'm writing my master thesis about security logging... I'll try to 
implement the following solution: log all security logs into a database, then 
compare the information of the snort sensors with the firewalling logs and 
mark all snort alerts that do not have a matching firewall log entry. This is 
only part of my master thesis, but I think this can give a tremendous comfort 
to sysadmins, as they will have to check a lot less data. All other data is 
kept for 'curious' sysadmins or for further checks. I think for instance of a 
layered network: one big network with several smaller ones inside: if a type 
of traffic is blocked on all firewalls of the smaller networks, why not 
already block it on the outer firewall too? Such things will lead to a 
performance gain in the outer network too. But, as I said, this is still on 
its way :-)

Erwin Van de Velde
Student of Antwerp University,
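The correlation step Erwin sketches above (match each Snort alert against the firewall's drop log and flag the alerts that have no match) as an added example; this is not part of the original post and not code from his thesis. It assumes Snort's "fast" alert format, iptables LOG lines as they land in syslog with a constructed `FW-DROP:` log prefix, a caller-supplied year (neither log format carries one), and a 5-second matching window around the alert time. The log lines themselves are constructed samples with placeholder SIDs from the local rule range.

```python
import re
from datetime import datetime, timedelta

# Constructed Snort fast-format alerts (not from the post). SIDs 1000001 and
# 1000002 are placeholders from the local rule range, not real rule ids.
SNORT_ALERTS = """\
12/25-02:38:00.123456  [**] [1:1000001:1] BAD-TRAFFIC tcp port 0 traffic [**] [Priority: 3] {TCP} 10.0.0.5:1234 -> 192.168.1.10:0
12/25-02:38:07.500000  [**] [1:1000001:1] BAD-TRAFFIC tcp port 0 traffic [**] [Priority: 3] {TCP} 10.0.0.9:4444 -> 192.168.1.10:0
12/25-02:38:12.000000  [**] [1:1000002:1] SCAN nmap TCP [**] [Priority: 2] {TCP} 10.0.0.5:1235 -> 192.168.1.11:22
"""

# Constructed iptables LOG lines as syslog records them, assuming the DROP rule
# logs with the prefix "FW-DROP:". The second alert above has no drop entry.
FIREWALL_LOG = """\
Dec 25 02:38:01 fw kernel: FW-DROP: IN=eth0 OUT= SRC=10.0.0.5 DST=192.168.1.10 LEN=40 TTL=64 ID=0 PROTO=TCP SPT=1234 DPT=0 SYN
Dec 25 02:38:13 fw kernel: FW-DROP: IN=eth0 OUT= SRC=10.0.0.5 DST=192.168.1.11 LEN=40 TTL=64 ID=0 PROTO=TCP SPT=1235 DPT=22 SYN
"""

SNORT_RE = re.compile(
    r"^(?P<mon>\d\d)/(?P<day>\d\d)-(?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d)\.\d+\s+\[\*\*\]\s+"
    r"\[(?P<sid>[\d:]+)\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)"
)

FW_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d+)\s+(?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d)\s+\S+\s+kernel:\s+"
    r"(?P<prefix>\S+)\s.*?SRC=(?P<src>[\d.]+)\s+DST=(?P<dst>[\d.]+)\s.*?"
    r"PROTO=(?P<proto>\w+)\s+SPT=(?P<sport>\d+)\s+DPT=(?P<dport>\d+)"
)

MONTHS = {m: i for i, m in enumerate(
    ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
     "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"], start=1)}


def flow_key(m):
    """5-tuple used to pair an alert with a firewall log entry."""
    return (m["proto"].upper(), m["src"], int(m["sport"]), m["dst"], int(m["dport"]))


def parse_snort_alerts(text, year):
    """Parse fast-format alert lines; the year is supplied by the caller."""
    alerts = []
    for line in text.splitlines():
        m = SNORT_RE.match(line)
        if not m:
            continue  # skip lines that are not fast-format alerts
        t = datetime(year, int(m["mon"]), int(m["day"]),
                     int(m["h"]), int(m["m"]), int(m["s"]))
        alerts.append({"time": t, "sid": m["sid"], "msg": m["msg"], "key": flow_key(m)})
    return alerts


def parse_firewall_drops(text, year, prefix="FW-DROP:"):
    """Parse iptables LOG lines from syslog, keeping only the DROP-rule prefix."""
    drops = []
    for line in text.splitlines():
        m = FW_RE.match(line)
        if not m or m["prefix"] != prefix:
            continue
        t = datetime(year, MONTHS[m["mon"]], int(m["day"]),
                     int(m["h"]), int(m["m"]), int(m["s"]))
        drops.append({"time": t, "key": flow_key(m)})
    return drops


def correlate(alerts, drops, window=timedelta(seconds=5)):
    """Mark each alert as blocked if a drop for the same 5-tuple lies within the window."""
    by_key = {}
    for d in drops:
        by_key.setdefault(d["key"], []).append(d["time"])
    results = []
    for a in alerts:
        times = by_key.get(a["key"], [])
        blocked = any(abs(t - a["time"]) <= window for t in times)
        results.append({**a, "blocked": blocked})
    return results


def unblocked_alerts(results):
    """The alerts a sysadmin actually has to look at: no matching firewall drop."""
    return [r for r in results if not r["blocked"]]


def run(year=2003):
    alerts = parse_snort_alerts(SNORT_ALERTS, year)
    drops = parse_firewall_drops(FIREWALL_LOG, year)
    return correlate(alerts, drops)


if __name__ == "__main__":
    for r in run():
        status = "blocked by firewall" if r["blocked"] else "NOT BLOCKED - review"
        print(f"{r['time']} [{r['sid']}] {r['msg']} {r['key']}: {status}")
```

The matching key is the full 5-tuple, so a drop for the same source host on a different port does not silence an alert. The window exists because the sensor and the firewall stamp packets with their own clocks; if the two hosts are not NTP-synchronised the window has to grow, at the cost of more accidental matches. Alerts that fall outside the window or have no drop entry at all are the ones left in the "review" pile, which is exactly the reduction in data the post is after.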
