[Snort-users] Snort and Bridge-Firewall

Hyde, Jim (Omnifax) Jim.Hyde at ...10033...
Fri Sep 5 05:53:11 EDT 2003


I have a question that hopefully someone can help me with:

Does snort look through a bridge firewall or is my firewall being
compromised?

Here are the details:

Snort-psql-ACID running on internal Linux box looking at entire network
(x.x.0.0/24)

Linux Bridge-Firewall sitting between RAS servers and internal network
(using same subnet)

Firewall set to block all ICMP (except network unreachable) from RAS
dialed-in systems because some of them are still infected with Nachi.

Firewall reports blocking ICMP by the hundreds from infected systems.

Snort/ACID shows some of the Cyberkit 2.2 from infected machines, but not
all that the firewall is logging being blocked.

So, is snort crossing the bridge and seeing the infected systems, or do I
have a problem with my firewall not blocking all of the Cyberkit 2.2 pings?

We disable the RAS users and disconnect them from the RAS, so they have to
call the help desk and we get them cleaned up, but I'm curious if I'm seeing
crossover reports from snort or are the pings actually getting through the
firewall-bridge.

Thanks,
Jim
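One way to answer the question from the logs you already have, as an added example (not code from the original post or from the Snort project): correlate the Snort alerts for the CyberKit rule with the bridge's DROP log lines by source, destination and time. If an alert and a drop for the same packet line up, the sensor is seeing traffic on the RAS side of the bridge (or the LOG rule fires on packets that are not actually dropped); alerts with no matching drop mean pings reached the internal side; drops with no alert are the bridge doing its job out of the sensor's view. The sample lines, the year, the log prefix `DROP-ICMP` and the two-second window are constructed assumptions; the Snort "fast" alert format and the iptables LOG line layout are the real ones.

```python
"""Correlate Snort fast-format alerts with bridge-firewall DROP log lines.

Added example, not from the original post. All sample log lines below are
constructed; sid 483 is Snort's "ICMP PING CyberKit 2.2 Windows" rule.
"""
import re
from collections import defaultdict
from datetime import datetime

YEAR = 2003  # assumption: neither log format carries the year

# Constructed Snort fast alerts (sensor on the internal segment)
SNORT_ALERTS = """\
09/05-05:40:12.104233 [**] [1:483:5] ICMP PING CyberKit 2.2 Windows [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.51 -> 10.0.0.7
09/05-05:40:12.604519 [**] [1:483:5] ICMP PING CyberKit 2.2 Windows [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.51 -> 10.0.0.8
09/05-05:41:03.221001 [**] [1:483:5] ICMP PING CyberKit 2.2 Windows [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.77 -> 10.0.0.20
""".splitlines()

# Constructed iptables LOG lines from the bridge; PHYSIN/PHYSOUT mark bridged frames.
# "DROP-ICMP" is an assumed --log-prefix.
FIREWALL_LOG = """\
Sep  5 05:40:12 bridge kernel: DROP-ICMP IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth0 SRC=10.0.0.51 DST=10.0.0.7 LEN=92 PROTO=ICMP TYPE=8 CODE=0
Sep  5 05:40:12 bridge kernel: DROP-ICMP IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth0 SRC=10.0.0.51 DST=10.0.0.8 LEN=92 PROTO=ICMP TYPE=8 CODE=0
Sep  5 05:40:13 bridge kernel: DROP-ICMP IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth0 SRC=10.0.0.62 DST=10.0.0.9 LEN=92 PROTO=ICMP TYPE=8 CODE=0
""".splitlines()

SNORT_RE = re.compile(
    r"^(\d\d)/(\d\d)-(\d\d:\d\d:\d\d)\.\d+ \[\*\*\] \[\d+:(\d+):\d+\] (.*?) \[\*\*\]"
    r".*\{(\w+)\} (\S+) -> (\S+)$"
)
FW_RE = re.compile(
    r"^(\w{3})\s+(\d+) (\d\d:\d\d:\d\d) \S+ kernel: (\S+) .*SRC=(\S+) DST=(\S+) .*PROTO=(\w+)"
)


def parse_snort(lines):
    """Parse Snort 'alert_fast' lines into dicts; lines that do not match are skipped."""
    out = []
    for line in lines:
        m = SNORT_RE.match(line)
        if not m:
            continue
        mon, day, clock, sid, msg, proto, src, dst = m.groups()
        ts = datetime.strptime(f"{YEAR}-{mon}-{day} {clock}", "%Y-%m-%d %H:%M:%S")
        out.append({"ts": ts, "sid": int(sid), "msg": msg, "proto": proto, "src": src, "dst": dst})
    return out


def parse_firewall(lines):
    """Parse syslog lines written by the iptables LOG target on the bridge."""
    out = []
    for line in lines:
        m = FW_RE.match(line)
        if not m:
            continue
        mon, day, clock, prefix, src, dst, proto = m.groups()
        ts = datetime.strptime(f"{YEAR}-{mon}-{int(day):02d} {clock}", "%Y-%b-%d %H:%M:%S")
        out.append({"ts": ts, "prefix": prefix, "src": src, "dst": dst, "proto": proto})
    return out


def correlate(alerts, drops, window_s=2, sid=483):
    """Per source IP: count Snort alerts for `sid`, ICMP drops, and alerts that
    line up with a drop for the same src/dst within window_s seconds.
    Returns {src: (status, snort_count, drop_count, matched_count)}."""
    by_src = defaultdict(lambda: {"snort": 0, "dropped": 0, "both": 0})
    for d in drops:
        if d["proto"] == "ICMP":
            by_src[d["src"]]["dropped"] += 1
    for a in alerts:
        if a["sid"] != sid:
            continue
        rec = by_src[a["src"]]
        rec["snort"] += 1
        if any(d["src"] == a["src"] and d["dst"] == a["dst"]
               and abs((d["ts"] - a["ts"]).total_seconds()) <= window_s
               for d in drops):
            rec["both"] += 1
    result = {}
    for src, rec in by_src.items():
        if rec["both"]:
            status = "matched"       # sensor sees the RAS side, or LOG fires without DROP
        elif rec["snort"]:
            status = "snort_only"    # ping reached the internal side: bridge let it through
        else:
            status = "dropped_only"  # bridge blocked it; sensor never saw it
        result[src] = (status, rec["snort"], rec["dropped"], rec["both"])
    return result


if __name__ == "__main__":
    for src, (status, s, d, b) in sorted(correlate(parse_snort(SNORT_ALERTS),
                                                   parse_firewall(FIREWALL_LOG)).items()):
        print(f"{src:<12} {status:<13} snort={s} dropped={d} matched={b}")
```

Run it against real `alert` and syslog files by replacing the two constructed lists with `open(...).read().splitlines()`. A source that comes back `matched` is the "crossover" case: the sensor is capturing the packet the bridge reports dropping, so it is either on a span port that also mirrors the RAS-side segment, or the LOG rule sits in front of something that still forwards the frame. Clock skew between the sensor and the bridge should be well under the window for the match to mean anything.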
