[Snort-users] Snort sensor on a Firewall

Matt Kettler mkettler at ...4108...
Mon May 5 12:55:06 EDT 2003

At 07:19 PM 5/5/2003 +0100, sireesha gaddipati wrote:
>I actually want to place a snort sensor on the same machine as the firewall. My 
>firewall has two interfaces, one of which is connected to the internet and the 
>other to the internal network. If I place two snort sensors, one on each of 
>those interfaces, will that work the same as snort sensors before and after the 
>firewall (before and after in the sense of on separate linux boxes)?

For snort it does not matter if it is on the same box or not. Snort will 
see whatever is on the wire of the interface it is listening to, no matter 
what is blocked by ipchains, iptables, ipf, etc. My snort box is configured 
with "block quick all" type rules on the interface it listens to and it 
works just fine.

However the "far" and "near" side arguments that Michael made are still 
valid to the extent that if you listen on the inside interface, obviously 
only traffic that got through the firewall will be present there. So you do 
still need to weigh which interface you configure snort to listen on.
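The trade-off in the message above, as an added illustration that is not part of the original thread and not Snort code: a small model of a two-interface firewall with a packet tap on each interface. The tap on the external interface sees every inbound packet because capture happens on the wire before the packet filter decides anything; the tap on the internal interface only sees what the filter forwarded. The ruleset, addresses and traffic are constructed for the example, and the first-match evaluation is a simplification of how iptables walks a chain.

```python
"""Model of Snort sensors on both interfaces of a packet-filtering firewall.

Constructed example (not from the Snort project or the original post).
A sniffer bound to an interface captures frames before ipchains/iptables/ipf
makes a decision, so the external sensor sees blocked traffic too; the
internal sensor only sees traffic the firewall let through.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                    # "accept" or "drop"
    proto: Optional[str] = None    # None matches any protocol
    dport: Optional[int] = None    # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        return self.proto in (None, pkt.proto) and self.dport in (None, pkt.dport)


def filter_decision(rules: List[Rule], pkt: Packet, default: str = "drop") -> str:
    """First-match semantics: the first rule that matches decides the packet."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


def sensor_views(rules: List[Rule], inbound: List[Packet]) -> Tuple[List[Packet], List[Packet]]:
    """Return (what the external-interface sensor sees, what the internal one sees).

    The external sensor is a tap on the wire, so it sees every inbound packet
    regardless of the filter. The internal sensor only sees forwarded packets.
    """
    outside = list(inbound)
    inside = [p for p in inbound if filter_decision(rules, p) == "accept"]
    return outside, inside


def blocked_only_visible_outside(rules: List[Rule], inbound: List[Packet]) -> List[Packet]:
    """Packets that only the external sensor can alert on (the filter drops them)."""
    outside, inside = sensor_views(rules, inbound)
    return [p for p in outside if p not in inside]


# Constructed sample ruleset: allow web and mail in, drop everything else.
RULES = [
    Rule("accept", proto="tcp", dport=80),
    Rule("accept", proto="tcp", dport=25),
    Rule("drop"),
]

# Constructed sample inbound traffic from the internet side, including a
# probe of ports the firewall blocks (documentation address ranges only).
TRAFFIC = [
    Packet("198.51.100.7", "192.0.2.10", "tcp", 80),
    Packet("198.51.100.7", "192.0.2.10", "tcp", 25),
    Packet("203.0.113.5", "192.0.2.10", "tcp", 23),
    Packet("203.0.113.5", "192.0.2.10", "tcp", 445),
    Packet("203.0.113.5", "192.0.2.10", "udp", 161),
]

if __name__ == "__main__":
    outside, inside = sensor_views(RULES, TRAFFIC)
    print(f"external sensor saw {len(outside)} packets, internal sensor saw {len(inside)}")
    for p in blocked_only_visible_outside(RULES, TRAFFIC):
        print(f"  dropped by the filter, visible only outside: {p.src} -> {p.dst}:{p.dport}/{p.proto}")
```

Running the model shows the choice the message describes: the external sensor reports all five packets, including the three the firewall drops, so it is the place to watch for probing; the internal sensor reports only the two forwarded packets, so its alerts are quieter but each one concerns traffic that actually reached the inside.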

