[Snort-users] WAN IPS + LAN Snort IDS: Signature events visible on both sides?

Snort IPS snortvsips at gmail.com
Tue Dec 18 15:15:40 EST 2018


I currently use snort as a backup IDS to inspect LAN traffic.  I find
myself in the unusual position that a commercial IPS that I have deployed
on the WAN side will identify signatures and label them as blocked, but our
Snort IDS on the LAN side sees the exact same signature events on our LAN
side.  I must be old, but I was certain that blocked traffic at our WAN
edge IPS system should NOT be visible by our internal LAN snort IDS.

The commercial IPS claims that a TCP reset flag is set to break the
connection to prevent the exploit payload from delivering, but I don't see
the flag within the same signature packet on the LAN side.

I don't know if I'm just stupid and unaware of this newer firewall
technique, or if the commercial IPS that we use is broken in some way
(intentional or otherwise).
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20181218/125a5dbc/attachment.html>


More information about the Snort-users mailing list