Snort mailing list archives
RE: inside or outside
From: "McCammon, Keith" <Keith.McCammon () eadvancemed com>
Date: Fri, 19 Jul 2002 11:45:34 -0400
Standard example: One computer connected to the net through eth0. Computer runs ipchains which is configured to block port 80. snort -dv -i eth0 -l /var/log/snort port 80
OK. So when ipchains sees src port 80, it drops. And you're telling Snort to inspect port 80. This doesn't make sense. If you're dropping it, then why waste your IDS's time watching that port?
According to the docs snort is on the "outside" of your firewall because it see's the traffic on the iface before ipchains/iptables. Since ipchains/iptables is configured to block port 80 then snort will only capture the SYN packet because the full connection couldn't go through.
Right. Because that's what firewalls do.
That SYN packet capture is practically useless.
I guess???
Now if you tell ipchains/iptables to open up port 80, then technically snort will be on the "inside" of your firewall and will be able to capture the entire packet's payload. But assuming you were running apache on that port and it was vuln to whatever, then you're screwed anyway.
First, I would take issue with the use of the word "inside" here. Snort is still looking at the external interface; you just punched a hole in your firewall, that's all. Inside would typically indicate looking at traffic to and from the internal interface. But I digress... And yes, now Snort can see the entire session. Although it now sounds as though you're talking about punching a hole in the firewall to benefit the IDS, which is a** backwards, to be blunt. I'd be more concerned with blocking the traffic and protecting my hosts, than I would with seeing the traffic and putting the network at risk. I wouldn't open up RPC on my firewall just to see what I've been missing!
So unless you have a bunch of boxes to play around with I don't see how you can use snort in any effective way in a standalone box on traffic that you block.
I think you're missing the point of an IDS. I would define using Snort in an "effective way" as inspecting the traffic that I *allow* to try and identify nasties. If you're dropping the traffic anyway, then you shouldn't waste resources by having your IDS (try to) inspect it.
I can see what you're saying for like DMZ's and people who use layers of dedicated router and firewalls, just not for standalone boxes.
The architecture is irrelevant. ------------------------------------------------------- This sf.net email is sponsored by:ThinkGeek Welcome to geek heaven. http://thinkgeek.com/sf _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- inside or outside Seth L. Thomas (Jul 19)
- Re: inside or outside Frank Knobbe (Jul 19)
- Re: inside or outside Erek Adams (Jul 19)
- key-logging patterns mflyger (Jul 19)
- <Possible follow-ups>
- RE: inside or outside McCammon, Keith (Jul 19)
- Re: inside or outside Seth L. Thomas (Jul 19)
- RE: inside or outside McCammon, Keith (Jul 19)
- Re: inside or outside Seth L. Thomas (Jul 19)
- RE: inside or outside McCammon, Keith (Jul 19)
- Re: inside or outside Seth L. Thomas (Jul 19)
- RE: inside or outside McCammon, Keith (Jul 19)
- Re: inside or outside Frank Knobbe (Jul 19)