Snort mailing list archives
RE: snort behind firewall ??
From: "Jason Lewis" <jlewis () jasonlewis net>
Date: Mon, 30 Apr 2001 20:02:28 -0400
Linux 2.2.16-3
Redhat 6.2
IPchains

If I run snort on the same interface as IPchains, then snort doesn't pick up anything. If I run it on the internal interface then it sees traffic.

Jason Lewis
http://www.rivalpath.com
"All you can do is manage the risks. There is no security."

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net]On Behalf Of Josh Oshiro
Sent: Monday, April 30, 2001 2:13 PM
To: ./
Cc: Robert D. Hughes; snort-users
Subject: Re: [Snort-users] snort behind firewall ??

"./" wrote:
> > What I've done is to run two instances of snort on the box. One listens on
> > the outside xl0 interface, the other listens on xl1. That way I see what's
> > coming in. Snort does see things in the tcp stream, but I've never been able
> > to determine if it's seeing things that are blocked by the firewall. It
> > definitely sees port scans, which tells me it probably does, but I like to
> > be absolutely positive.
> >
> > Rob
>
> still the question remains as to how to protect the snort box. i too have
> also verified that portscans are being seen by snort even with a firewall.
> i'm just wondering why the binary-log-file doesn't contain anything during
> the time when i was running the snort attack scripts.
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> http://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

It is up in the air right now whether or not snort can see packets before the firewall drops them. It seems it is system dependent. I would like to take a poll of who can snort through their firewall and who can't. We'll need to know what kernel you are using, how it's configured, what firewall you're using, how it's configured, and what os you're using.

--
josh () silicondefense com
Snort Support
Silicon Defense

Current thread:
- Re: snort behind firewall ?? ./ (Apr 29)
- <Possible follow-ups>
- Re: snort behind firewall ?? ./ (Apr 29)
- Re: snort behind firewall ?? Dan Hollis (Apr 29)
- Re: snort behind firewall ?? Josh Oshiro (Apr 30)
- RE: snort behind firewall ?? Jason Lewis (Apr 30)
- Re: snort behind firewall ?? Andre Goeree (May 01)
- Re: snort behind firewall ?? Security (May 01)
- RE: snort behind firewall ?? Martijn Heemels (May 01)
- RE: snort behind firewall ?? Jason Opperisano (May 01)
- RE: snort behind firewall ?? Hawrylkiw, Dan G (May 02)
- Sound Alerting Preprocessor Andrea Barisani (May 02)
