[Snort-users] More explanation needed in Snort User Manual for "resp:"?
Jason.Haar at ...294...
Thu Nov 6 14:16:12 EST 2003
On Thu, Nov 06, 2003 at 04:58:59PM -0500, Kristofer T. Karas wrote:
> To deal with the NAT issues, just place your promiscuous feed inbound
> from your NAT box, e.g. in your DMZ. Snort will only see your inside IP
> addresses, which is, after all, what you really want anyway; there's no
> point in reporting issues with a shared IP address, as you can't (in
> general) track that back to a specific post-NAT machine.
I think you're pointing out one big assumption in my argument. I want Snort
to be monitoring within our DMZes for two reasons:
1> it won't catch all the cr*p the Internet throws at our firewall - only that
which it deems appropriate gets into the DMZ - and into Snort's view
2> it can see DMZ - to - DMZ traffic
Putting Snort in front of the NAT firewall would remove my issues with
flexresp - but it doesn't fix the fact that my alerts would go up - let's
guess - 1000%? Oh, and I wouldn't see DMZ - to - DMZ traffic anymore.
More Snort boxes would solve it - but I don't like that as a fix.
I think flexresp2 will fix my problem. Separate configs with separate
instances of Snort should mean I'll get to pump RESETs out the correct
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
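An added illustration of the "separate configs with separate instances" layout discussed in the message above; it is not from the original thread or from the Snort project. It assumes a Snort 2.x build with flexresp2 support, a sensor with one capture port per DMZ, and the interface names, networks, port and SIDs shown are made up for the example. Each instance pins its response interface with `config flexresp2_interface:` so the RSTs generated by a `resp:` rule leave on the port that watches that DMZ rather than the sensor's default route.

```conf
# Added example (not from the thread): one snort.conf per DMZ segment, one
# Snort instance per config, each started on its own capture interface.
# Interface names, address ranges, the port and the SIDs are assumed.

# --- /etc/snort/snort-dmz1.conf ---
# started as:  snort -c /etc/snort/snort-dmz1.conf -i eth1
var HOME_NET 192.168.10.0/24          # assumed: inside addresses of DMZ 1
var EXTERNAL_NET !$HOME_NET
config flexresp2_interface: eth1      # flexresp2: emit resets on the DMZ 1 sensor port

# Reset an established session from outside to an illustrative service on DMZ 1.
# resp:rst_all sends a TCP RST toward both endpoints of the matched session.
alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"DMZ1 telnet session reset"; flow:to_server,established; resp:rst_all; sid:1000001; rev:1;)

# --- /etc/snort/snort-dmz2.conf ---
# started as:  snort -c /etc/snort/snort-dmz2.conf -i eth2
var HOME_NET 192.168.20.0/24          # assumed: inside addresses of DMZ 2
var EXTERNAL_NET !$HOME_NET
config flexresp2_interface: eth2      # flexresp2: emit resets on the DMZ 2 sensor port

alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"DMZ2 telnet session reset"; flow:to_server,established; resp:rst_all; sid:1000002; rev:1;)
```

Because each instance only sees its own DMZ's post-NAT addresses and only answers on its own port, the DMZ-to-DMZ visibility the message wants is kept while the resets are no longer tied to whichever interface the single-instance setup happened to choose. Two caveats a practitioner would add: `resp:` does nothing unless Snort was compiled with flexresp/flexresp2 support, and an injected RST is always a race against the real session, so keep `resp:` rules tight (established flow, specific destination) to avoid resetting traffic you did not mean to.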