Snort mailing list archives
Snort and Bridge-Firewall
From: "Hyde, Jim (Omnifax)" <Jim.Hyde () omnifax xerox com>
Date: Fri, 5 Sep 2003 07:52:45 -0500
I have a question that hopefully someone can help me with: Does snort look through a bridge firewall or is my firewall being compromised?

Here are the details:

- Snort-psql-ACID running on internal Linux box looking at entire network (x.x.0.0/24)
- Linux Bridge-Firewall sitting between RAS servers and internal network (using same subnet)
- Firewall set to block all ICMP (except network unreachable) from RAS dialed-in systems because some of them are still infected with Nachi.
- Firewall reports blocking ICMP by the hundreds from infected systems.
- Snort/ACID shows some of the Cyberkit 2.2 from infected machines, but not all that the firewall is logging being blocked.

So, is snort crossing the bridge and seeing the infected systems, or do I have a problem with my firewall not blocking all of the Cyberkit 2.2 pings?

We disable the RAS users and disconnect them from the RAS, so they have to call the help desk and we get them cleaned up, but I'm curious if I'm seeing crossover reports from snort or are the pings actually getting through the firewall-bridge.

Thanks,
Jim