[svlug] running snort behind a firewall

Karen Shaeffer shaeffer at got.net
Tue Mar 20 22:29:01 PST 2001


On Tue, Mar 20, 2001 at 03:01:46PM -0800, Wayne Earl wrote:
> I've got a client that wants an IDS placed behind their firewall, which
> protects their webserver farm. Everything behind the firewall is running
> on switches (100baseT), and I am loathe to mirror traffic on the switches
> so that a box running snort can sniff the packets.
> 
> I thought that I could run a hub immediately following the firewall, with
> only the snort box on it and a crossover to the main switch. Basically:
> 
> ______      _______
> | fw |______| hub |----> to IDS
> |    |      |     |----> to switch (and rest of server farm)
> ------      -------
> 
> That way, all traffic is broadcast to each port in the hub, allowing the
> IDS machine to capture it's data. And I don't have to reconfigure the
> switches to mirror data to the port that the IDS is connected to.
> 
> Will this work the way I suspect it to work?

Hi Wayne,

You might look into the experimental ethernet bridging in 2.4.x kernels:

Look in Configure.help:

Frame Diverter (EXPERIMENTAL)
CONFIG_NET_DIVERT

Then you might be able to run snort on the bridge. How's that sound?

c,
-- 
 Karen Shaeffer
 Neuralscape; Santa Cruz, Ca. 95060
 shaeffer at neuralscape.com  http://www.neuralscape.com




More information about the svlug mailing list