[Snort-users] Snort sensor on a Firewall
mkettler at ...4108...
Mon May 5 12:55:06 EDT 2003
At 07:19 PM 5/5/2003 +0100, sireesha gaddipati wrote:
>I actually want to place a Snort sensor on the same machine as the firewall. My
>firewall has two interfaces, one of which is connected to the internet and the
>other to the internal network. If I place two Snort sensors, one on each of
>those interfaces, will that work the same as Snort sensors before and after the
>firewall (before and after in the sense of on separate Linux boxes)?
For Snort it does not matter if it is on the same box or not. Snort will
see whatever is on the wire of the interface it is listening to, no matter
what is blocked by ipchains, iptables, ipf, etc. My Snort box is configured
with "block quick all" type rules on the interface it listens to, and it
works just fine.
However, the "far" and "near" side arguments that Michael made are still
valid to the extent that if you listen on the inside interface, obviously
only traffic that got through the firewall will be present there. So you do
still need to weigh which interface you configure Snort to listen on.
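The near/far-side point above can be checked directly: capture on both firewall interfaces at the same time and diff the flows. Anything seen on the outside interface but never on the inside one was stopped by the firewall, which is exactly the traffic a sensor listening only on the inside interface would miss. The following script is an added example, not code from the original post or from the Snort project. It assumes the two captures are tcpdump -n style text (the sample lines below are constructed, with documentation addresses, not real traffic) and that the firewall forwards without NAT, so the same 5-tuple appears on both sides of a flow that was allowed through.

```python
"""Correlate packets seen on a firewall's outside and inside interfaces.

Added example (not from the original post). Assumes two simultaneous
`tcpdump -n` text captures: one from the external interface and one from
the internal interface of a Linux firewall that routes without NAT.
"""
import re

# Constructed sample captures in tcpdump -n format; IPs and ports are
# made up (RFC 5737 documentation ranges) purely for illustration.
OUTSIDE_CAPTURE = """\
12:00:01.000001 IP 203.0.113.5.40001 > 192.0.2.10.80: Flags [S], seq 1, win 65535, length 0
12:00:01.000050 IP 203.0.113.5.40002 > 192.0.2.10.23: Flags [S], seq 2, win 65535, length 0
12:00:01.000120 IP 203.0.113.5.40003 > 192.0.2.10.135: Flags [S], seq 3, win 65535, length 0
12:00:01.000200 IP 203.0.113.5.40004 > 192.0.2.10.443: Flags [S], seq 4, win 65535, length 0
"""
INSIDE_CAPTURE = """\
12:00:01.000030 IP 203.0.113.5.40001 > 192.0.2.10.80: Flags [S], seq 1, win 65535, length 0
12:00:01.000230 IP 203.0.113.5.40004 > 192.0.2.10.443: Flags [S], seq 4, win 65535, length 0
"""

# Matches "<timestamp> IP <src>.<sport> > <dst>.<dport>:" at the start of a line.
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):"
)


def flows(capture_text):
    """Return the set of (src, sport, dst, dport) tuples present in a capture.

    Lines that do not parse (ARP, truncated output, etc.) are skipped.
    """
    found = set()
    for line in capture_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            found.add((m["src"], int(m["sport"]), m["dst"], int(m["dport"])))
    return found


def classify(outside_text, inside_text):
    """Split outside-interface flows into those the firewall forwarded and
    those it stopped.

    passed  = seen on both interfaces (would be visible to an inside sensor)
    blocked = seen only outside (visible only to an outside sensor)
    """
    outside, inside = flows(outside_text), flows(inside_text)
    passed = sorted(outside & inside)
    blocked = sorted(outside - inside)
    return passed, blocked


if __name__ == "__main__":
    passed, blocked = classify(OUTSIDE_CAPTURE, INSIDE_CAPTURE)
    print("forwarded by firewall (inside sensor sees these):")
    for f in passed:
        print("  %s:%d -> %s:%d" % f)
    print("stopped by firewall (only an outside sensor sees these):")
    for f in blocked:
        print("  %s:%d -> %s:%d" % f)
```

With the sample data the connections to ports 23 and 135 show up only on the outside, so an inside-only sensor would never alert on them, while the web traffic on 80 and 443 appears on both. If the firewall does NAT, the inside tuple will carry the translated address, so the comparison has to be done on whichever fields survive translation (or after mapping through the NAT table) rather than on the raw 5-tuple.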