[Snort-users] Snort and Bridge-Firewall
Hyde, Jim (Omnifax)
Jim.Hyde at ...10033...
Fri Sep 5 05:53:11 EDT 2003
I have a question that hopefully someone can help me with:
Does snort look through a bridge firewall or is my firewall being
Here's the details:
Snort-psql-ACID running on internal Linux box looking at entire network
Linux Bridge-Firewall sitting between RAS servers and internal network
(using same subnet)
Firewall set to block all ICMP (except network unreachable) from RAS
dialed-in systems because some of them are still infected with Nachi.
Firewall reports blocking ICMP by the hundreds from infected systems.
Snort/ACID shows some of the Cyberkit 2.2 from infected machines, but not
all that the firewall is logging being blocked.
So, is snort crosing the bridge and seeing the infected systems, or do I
have a problem with my firewall not blocking all of the Cyberkit 2.2 pings?
We disable the RAS users and disconnect them from the RAS, so they have to
call the help desk and we get them cleaned up, but I'm curious if I'm seeing
crossover reports from snort or are the pings actually getting through the
More information about the Snort-users