[Snort-users] More explanation needed in Snort User Manual for "resp:"?

Jason Haar Jason.Haar at ...294...
Thu Nov 6 14:16:12 EST 2003


On Thu, Nov 06, 2003 at 04:58:59PM -0500, Kristofer T. Karas wrote:
> To deal with the NAT issues, just place your promiscuous feed inbound 
> from your NAT box, e.g. in your DMZ.  Snort will only see your inside IP 
> addresses, which is, after all, what you really want anyway; there's no 
> point in reporting issues with a shared IP address, as you can't (in 
> general) track that back to a specific post-NAT machine.

I think you're pointing out one big assumption in my argument. I want Snort
to be monitoring within our DMZes for two reasons:

1> it won't catch all the cr*p the Internet throws at our firewall - only that
   which it deems appropriate gets into the DMZ - and into Snort's view
2> it can see DMZ-to-DMZ traffic

Putting Snort in front of the NAT firewall would remove my issues with
flexresp - but it doesn't fix the fact that my alerts would go up - let's
guess - 1000%? Oh, and I wouldn't see DMZ-to-DMZ traffic anymore.

More Snort boxes would solve it - but I don't like that as a fix.

I think flexresp2 will fix my problem. Separate configs with separate
instances of Snort should mean I'll get to pump RESETs out the correct
interface...

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
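As an added illustration of the layout the message above proposes (one Snort instance per DMZ segment, each with its own config so resets leave on the interface that saw the traffic), and not code from the original post or from the Snort project: two snort.conf fragments plus the commands that would start them. Interface names (eth1, eth2), the DMZ network variables, file paths, the sample rule and its SID are all assumptions for the example. The flexresp2 directives shown (config flexresp2_interface, config flexresp2_attempts) are the Snort 2.x names, and the build must have been configured with --enable-flexresp2 for the resp: keyword to do anything.

```conf
# /etc/snort/dmz1.conf  (assumed path) - instance watching the first DMZ
# Interface names and address ranges are assumptions for this example.
var DMZ1_NET 10.1.0.0/24
var EXTERNAL_NET !$DMZ1_NET

# Sniff on the DMZ1 interface and, crucially, send flexresp2 resets out
# the same interface, so the RST actually reaches the hosts on that segment.
config interface: eth1
config flexresp2_interface: eth1
# Number of RST packets to fire per triggered session (assumed value).
config flexresp2_attempts: 4

# Assumed example rule: tear down the session on a match.
# rst_all sends a reset to both the sender and the receiver.
alert tcp $EXTERNAL_NET any -> $DMZ1_NET 80 \
    (msg:"EXAMPLE web attack on DMZ1 - reset"; flow:to_server,established; \
     content:"/cgi-bin/example.cgi"; nocase; resp:rst_all; sid:1000001; rev:1;)

# --------------------------------------------------------------------
# /etc/snort/dmz2.conf  (assumed path) - instance watching the second DMZ
var DMZ2_NET 10.2.0.0/24
var EXTERNAL_NET !$DMZ2_NET

config interface: eth2
config flexresp2_interface: eth2
config flexresp2_attempts: 4

alert tcp $EXTERNAL_NET any -> $DMZ2_NET 80 \
    (msg:"EXAMPLE web attack on DMZ2 - reset"; flow:to_server,established; \
     content:"/cgi-bin/example.cgi"; nocase; resp:rst_all; sid:1000002; rev:1;)

# --------------------------------------------------------------------
# Starting the two instances as separate daemons (assumed paths):
#   snort -c /etc/snort/dmz1.conf -i eth1 -l /var/log/snort/dmz1 -D
#   snort -c /etc/snort/dmz2.conf -i eth2 -l /var/log/snort/dmz2 -D
```

Two caveats a practitioner would add: each instance only sees the traffic on its own interface, so DMZ-to-DMZ traffic that never crosses that interface is still invisible to it; and a reset injected after the match is a race against the real endpoints, so the first packet of the attack has typically already been delivered by the time the RST arrives.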
