Snort mailing list archives

RE: firewall and snort on the same machine


From: "Martijn Heemels" <martijn () yggdrasil yi org>
Date: Thu, 16 Aug 2001 01:18:59 +0200

 
Snort should be able to see all the traffic before the firewall sees
it.  It doesn't need a second IP address since it is not the IP that
goes promiscuous, it is the whole 'real' interface.  This means that
even if you are actually blocking traffic, snort should still see it.

At least this is how it works for IPChains & Firewall-1, so your
mileage may vary.


My mileage does vary...

On my Linux 2.2 box with ipchains firewall and snort 1.8.1 (and
previously 1.7 and up), snort only sees traffic that the firewall
lets through...
According to the snort FAQ
(http://snort.sourcefire.com/docs/faq.html#4.3) this is supposed to
happen.
As a result I've seen some codered probes because I run Apache but
nothing more for months!

In my logs I don't see the "eth1 has entered promiscuous mode"
message that other people are reporting. How can I enable that
option?

Running Redhat 6.2 with all relevant patches.
kernel 2.2.16-3 stock from redhat rpm.
eth1 is a 3com 3C509 on a chello cablemodem

Any tips are welcome!

Martijn


-- 
.: M. Heemels .:. webdesigner :.
.: Eindhoven, NL, martijn () heemels com :.
.: PGP or S/MIME encrypted e-mail preferred :.



