Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: inside or outside

From: "Seth L. Thomas" <s.thomas4 () comcast net>
Date: Fri, 19 Jul 2002 11:02:32 -0400
"McCammon, Keith" wrote:


http://www.snort.org/docs/faq.html#2.3

If you run Snort on the external interface, pcap will see the traffic regardless.  And if you only have one sensor at 
your disposal, the general recommendation is to place it outside of your firewall.

If you really want a full picture of the traffic that's moving through your network, however, you'll want one sensor 
in and one sensor out.

What I'm trying to spit out is that it's up to you.


The problem is it wont capture the complete packets' payload if placed on
the outside of a firewall atleast on a standalone computer.

Standard example: 

One computer connected to the net through eth0. Computer runs ipchains
which is configured to block port 80. snort -dv -i eth0 -l /var/log/snort
port 80

According to the docs snort is on the "outside" of your firewall because it
see's the traffic on the iface before ipchains/iptables. Since
ipchains/iptables is configured to block port 80 then snort will only
capture the SYN packet because the full connection couldn't go through.
That SYN packet capture is practically useless.

Now if you tell ipchains/iptables to open up port 80, then technically
snort will be on the "inside" of your firewall and will be able to capture
the entire packet's payload. But assuming you were running apache on that
port and it was vuln to whatever, then you're screwed anyway.  

So unless you have a bunch of boxes to play around with I don't see how you
can use snort in any effective way in a standalone box on traffic that you
block.

I can see what you're saying for like DMZ's and people who use layers of
dedicated router and firewalls, just not for standalone boxes. 



-- 
Join the Navy; sail to far-off exotic lands, meet 
exciting interesting people, and kill them.


-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: