[Snort-users] snort and firewall all in one machine

Matt Kettler mkettler at ...4108...
Thu May 13 09:10:06 EDT 2004

At 09:52 AM 5/13/2004, Peggy Kam wrote:
>I am currently running the firewall and snort within the same machine; and 
>snort is having its detections before firewall blocks the packets.
>I would like to use snort to test if my firewall actually blocks the 
>packets launched by attackers.  Would anyone give me some advice on how I 
>could configure IDS to do its detections after the firewall blocks the 
>packets by its rules?

You can get some of what you want by forcing the IDS to sniff the inside 
interface instead of the outside. Packets from the outside that were 
blocked will never make it to the inside.

However, there's no way for snort to detect "post firewall"; snort uses 
libpcap. Libpcap is fundamentally very low-level and picks up packets at a 
very low level off the Ethernet driver, long before the TCP/IP stack gets them. 
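The check the reply implies, comparing what the outside interface sees with what actually reaches the inside one, as an added example (Python written for this page, not code from the original thread or from Snort): it parses two libpcap files captured at the same time on either side of the firewall and reports which connection attempts never made it through. The interface names, addresses and sample captures are constructed for illustration; it assumes Ethernet-framed IPv4/TCP and a firewall that routes without NAT, so a flow looks the same on both sides.

```python
"""Compare captures from the firewall's outside and inside interfaces.

Added example, not code from the original thread. Assumes two libpcap files
(Ethernet link type, IPv4/TCP) captured at the same time on both sides of the
firewall, e.g. (interface names hypothetical):
    tcpdump -ni eth0 -w outside.pcap    # eth0 = outside
    tcpdump -ni eth1 -w inside.pcap     # eth1 = inside
A SYN seen outside but never inside was dropped by the firewall.
"""
import struct
import sys

DLT_EN10MB = 1

def inet(text):
    """'192.0.2.10' -> 4 raw bytes."""
    return bytes(int(octet) for octet in text.split("."))

def dotted(raw):
    """4 raw bytes -> '192.0.2.10'."""
    return ".".join(str(b) for b in raw)

def iter_frames(data):
    """Yield the link-layer frames stored in an in-memory libpcap file."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a libpcap file (pcapng is not handled here)")
    if struct.unpack(endian + "I", data[20:24])[0] != DLT_EN10MB:
        raise ValueError("expected an Ethernet capture")
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack(endian + "IIII", data[off:off + 16])[2]
        off += 16
        yield data[off:off + incl_len]
        off += incl_len

def syn_flows(data):
    """Set of TCP connection attempts (SYN without ACK) in a capture,
    as (src_ip, src_port, dst_ip, dst_port) tuples."""
    flows = set()
    for frame in iter_frames(data):
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":  # not IPv4
            continue
        ihl = (frame[14] & 0x0F) * 4
        if frame[23] != 6:                                   # not TCP
            continue
        tcp = frame[14 + ihl:]
        if len(tcp) < 14:
            continue
        sport, dport = struct.unpack("!HH", tcp[:4])
        flags = tcp[13]
        if flags & 0x02 and not flags & 0x10:
            flows.add((dotted(frame[26:30]), sport, dotted(frame[30:34]), dport))
    return flows

def classify(outside_pcap, inside_pcap):
    """Split connection attempts seen outside into those the firewall
    blocked (never appeared inside) and those it passed."""
    outside, inside = syn_flows(outside_pcap), syn_flows(inside_pcap)
    return {
        "blocked": sorted(outside - inside),
        "passed": sorted(outside & inside),
        "inside_only": sorted(inside - outside),  # e.g. hosts behind the firewall
    }

# --- constructed sample data so the script runs offline --------------------
def syn_frame(src, sport, dst, dport):
    """Minimal Ethernet/IPv4/TCP SYN frame (checksums left zero)."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0, inet(src), inet(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 8192, 0, 0)
    return eth + ip + tcp

def build_pcap(frames):
    """Wrap frames in a little-endian libpcap file (version 2.4, Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, DLT_EN10MB)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1_000_000 + i, 0, len(frame), len(frame)) + frame
    return out

def demo():
    """Constructed scenario: an outside host (203.0.113.9) probes telnet and
    HTTP; the firewall drops telnet, so only the HTTP SYN reaches the inside."""
    telnet = syn_frame("203.0.113.9", 40000, "192.0.2.10", 23)
    http = syn_frame("203.0.113.9", 40001, "192.0.2.10", 80)
    return classify(build_pcap([telnet, http]), build_pcap([http]))

if __name__ == "__main__":
    if len(sys.argv) == 3:  # python3 fwcheck.py outside.pcap inside.pcap
        with open(sys.argv[1], "rb") as o, open(sys.argv[2], "rb") as i:
            result = classify(o.read(), i.read())
    else:
        result = demo()
    for verdict, flows in result.items():
        for src, sport, dst, dport in flows:
            print(f"{verdict:12s} {src}:{sport} -> {dst}:{dport}")
```

Run it with no arguments to see the built-in sample, or with two pcap paths to compare real captures. Pointing snort at the inside capture afterwards (snort -r inside.pcap) confirms that sniffing the inside interface only alerts on traffic the firewall actually passed.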

