[Snort-users] snort and firewall all in one machine
mkettler at ...4108...
Thu May 13 09:10:06 EDT 2004
At 09:52 AM 5/13/2004, Peggy Kam wrote:
>I am currently running the firewall and snort within the same machine, and
>snort is having its detections before the firewall blocks the packets.
>I would like to use snort to test if my firewall actually blocks the
>packets launched by attackers. Would anyone give me some advice on how I
>could configure IDS to do its detections after the firewall blocks the
>packets by its rules?
You can get some of what you want by forcing the IDS to sniff the inside
interface instead of the outside. Packets from the outside that were
blocked will never make it to the inside.
However, there's no way for snort to detect "post firewall". Snort uses
libpcap. Libpcap is fundamentally very low-level and picks up packets at a
very low level off the Ethernet driver, long before the TCP/IP stack gets them.
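
One way to act on the suggestion above, as an added example that is not part of the original message: run one Snort instance per interface (`snort -i <iface> -A fast`) with the same rules, then compare the two alert logs to see which alerted flows crossed the firewall. It assumes no NAT between the interfaces; the function names, log contents, SIDs and addresses are constructed for illustration.

```python
import re
from collections import Counter

# Snort "fast" alert line:
#   timestamp [**] [gid:sid:rev] msg [**] [...] {PROTO} src -> dst
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>[^}]+)\}\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)

def parse_alerts(text):
    """Count alerts per (sid, proto, src, dst) key in fast-alert text."""
    keys = Counter()
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if m:  # blank or unparseable lines are skipped
            keys[(int(m["sid"]), m["proto"], m["src"], m["dst"])] += 1
    return keys

def compare(outside_text, inside_text):
    """Split outside alerts into flows also seen inside and flows not seen inside.

    Assumption: no NAT, so addresses and ports match on both interfaces.
    """
    outside, inside = parse_alerts(outside_text), parse_alerts(inside_text)
    passed = sorted(k for k in outside if k in inside)
    blocked = sorted(k for k in outside if k not in inside)
    return passed, blocked

# Constructed sample logs (documentation address ranges, made-up local SIDs).
OUTSIDE_LOG = """\
05/13-09:10:06.100000  [**] [1:1000001:1] EXAMPLE telnet attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 203.0.113.7:40112 -> 192.0.2.10:23
05/13-09:10:07.200000  [**] [1:1000002:1] EXAMPLE web probe [**] [Priority: 2] {TCP} 203.0.113.7:40113 -> 192.0.2.10:80
05/13-09:10:08.300000  [**] [1:1000003:1] EXAMPLE ping sweep [**] [Priority: 3] {ICMP} 203.0.113.7 -> 192.0.2.10
"""
INSIDE_LOG = """\
05/13-09:10:07.200150  [**] [1:1000002:1] EXAMPLE web probe [**] [Priority: 2] {TCP} 203.0.113.7:40113 -> 192.0.2.10:80
"""

if __name__ == "__main__":
    passed, blocked = compare(OUTSIDE_LOG, INSIDE_LOG)
    for sid, proto, src, dst in blocked:
        print(f"blocked  sid={sid} {proto} {src} -> {dst}")
    for sid, proto, src, dst in passed:
        print(f"PASSED   sid={sid} {proto} {src} -> {dst}")
```

Flows reported as passed are the ones to check against the firewall rule set; flows reported as blocked alerted on the outside interface only.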