Snort mailing list archives

Re: Application proxy firewall?


From: Erek Adams <erek () snort org>
Date: Thu, 20 Feb 2003 11:53:21 -0500 (EST)

On Thu, 20 Feb 2003, Brian Conte wrote:

> Will snort v1.9 that is watching traffic behind an application proxy
> firewall see the internal interface of the firewall as the SRC or DEST for
> any traffic going through the firewall or is snort capable of finding the
> real IP that the traffic is going to?
>
> If snort is capable of doing this, can someone point me to some
> documentation on this feature?

Snort is capable of reading frames off of the wire.  Inside the frame
there is a src and a dst IP.  How your firewall may or may not rewrite the
packets...  That's something to ask your firewall vendor.  :)

Simple test.

Open two windows/shells.  In one, start snort in sniffer mode.  "snort -vd"
Then in the other window type "ping -c 5 12.129.193.235" (that's
route-server.cerf.net).  You'll have 5 packets sent, and 5 returned.  You
should be able to see rather quickly if the IP is being changed by your
Firewall.  Don't want to or can't use ping?  Fire up a browser at
google.com.

Finding out will take all of about 2 seconds.  :)

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson
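
Added example, not part of the original message and not Snort project code: a small Python check that reads the packet header lines printed by `snort -vd` during the test described above and reports whether the sensor saw the target address or the firewall's interface as the far end. The sample output, the test host 192.168.1.10 and the firewall internal address 10.0.0.1 are constructed assumptions; only 12.129.193.235 comes from the message.

```python
import re
from collections import Counter

# Header line of each packet in snort's verbose output, for example:
#   02/20-11:53:21.104233 192.168.1.10 -> 12.129.193.235       (ICMP)
#   02/20-11:54:02.000100 192.168.1.10:1025 -> 10.0.0.1:8080   (TCP/UDP)
HEADER = re.compile(
    r"^\d\d/\d\d-\d\d:\d\d:\d\d\.\d+\s+"
    r"(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?\s+->\s+"
    r"(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?$"
)

def peers_seen(snort_output, test_host):
    """Count the far-end IP of every packet sent or received by test_host."""
    peers = Counter()
    for line in snort_output.splitlines():
        m = HEADER.match(line.strip())
        if not m:
            continue  # protocol detail lines and payload dump
        src, dst = m.groups()
        if src == test_host:
            peers[dst] += 1
        elif dst == test_host:
            peers[src] += 1
    return peers

def verdict(snort_output, test_host, target_ip, firewall_ip):
    peers = peers_seen(snort_output, test_host)
    if peers[target_ip]:
        return "target address visible"
    if peers[firewall_ip]:
        return "firewall interface address seen instead"
    return "inconclusive"

# Constructed sample output (not a real capture). 192.168.1.10 is the test
# host and 10.0.0.1 the firewall's internal interface; both are assumptions.
PING = """\
02/20-11:53:21.104233 192.168.1.10 -> 12.129.193.235
ICMP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:84 DF
02/20-11:53:21.181002 12.129.193.235 -> 192.168.1.10
ICMP TTL:243 TOS:0x0 ID:4411 IpLen:20 DgmLen:84
"""
WEB = """\
02/20-11:54:02.000100 192.168.1.10:1025 -> 10.0.0.1:8080
TCP TTL:64 TOS:0x0 ID:311 IpLen:20 DgmLen:60 DF
"""
```

With these samples, the ping capture yields "target address visible" and the proxied web capture yields "firewall interface address seen instead".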

