[svlug] running snort behind a firewall

Karen Shaeffer shaeffer at got.net
Tue Mar 20 22:47:01 PST 2001


On Tue, Mar 20, 2001 at 10:29:08PM -0800, Karen Shaeffer wrote:
> On Tue, Mar 20, 2001 at 03:01:46PM -0800, Wayne Earl wrote:
> > I've got a client that wants an IDS placed behind their firewall, which
> > protects their webserver farm. Everything behind the firewall is running
> > on switches (100baseT), and I am loath to mirror traffic on the switches
> > so that a box running snort can sniff the packets.
> > 
> > I thought that I could run a hub immediately following the firewall, with
> > only the snort box on it and a crossover to the main switch. Basically:
> > 
> > ______      _______
> > | fw |______| hub |----> to IDS
> > |    |      |     |----> to switch (and rest of server farm)
> > ------      -------
> > 
> > That way, all traffic is broadcast to each port in the hub, allowing the
> > IDS machine to capture its data. And I don't have to reconfigure the
> > switches to mirror data to the port that the IDS is connected to.
> > 
> > Will this work the way I suspect it to work?
> 
> Hi Wayne,
> 
> You might look into the experimental ethernet bridging in 2.4.x kernels:
> 
> Look in Configure.help:
> 
> Frame Diverter (EXPERIMENTAL)
> CONFIG_NET_DIVERT
> 
> Then you might be able to run snort on the bridge. How's that sound?

I'm just starting to work with snort, but looking in the source: Snort uses
libpcap, providing direct access to the datalink layer. So this should work,
and your proposed implementation should work as well. Take your pick.

HTH
Karen
-- 
 Karen Shaeffer
 Neuralscape; Santa Cruz, Ca. 95060
 shaeffer at neuralscape.com  http://www.neuralscape.com
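The hub-versus-switch visibility point in Wayne's question and the libpcap/datalink-layer remark in Karen's reply, illustrated as an added example (Python, not code from this thread, from snort, or from libpcap). It constructs a few Ethernet/IPv4 frames using hypothetical MACs and RFC 5737 documentation addresses, shows which frames a sensor NIC receives on a hub (all of them, given a promiscuous interface) versus on an ordinary unmirrored switch port (only unicast to its own MAC plus broadcast/multicast), and serializes them to a classic pcap file that `snort -r` or `tcpdump -r` can read. The MAC/IP values, the `sample_frames` scenario, and the simplifying assumption that the switch has already learned every MAC (so no unknown-unicast flooding) are all constructed for the example.

```python
"""Constructed example: what a sensor NIC sees on a hub vs. on a switched port.

MACs and IPs are hypothetical (RFC 5737 documentation ranges). This is not
snort or libpcap code; it only models the datalink-layer view those tools get.
"""
import socket
import struct

ETHERTYPE_IPV4 = 0x0800
PCAP_LINKTYPE_ETHERNET = 1

# Hypothetical topology: firewall -> hub -> {sensor, switch -> web servers}
SENSOR = "00:50:56:aa:bb:01"
SERVER = "00:50:56:aa:bb:02"
FIREWALL = "00:50:56:aa:bb:fe"
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_bytes(mac):
    """'00:50:56:aa:bb:01' -> 6 raw bytes."""
    return bytes(int(octet, 16) for octet in mac.split(":"))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ipv4_checksum(header):
    """RFC 1071 one's-complement sum; returns 0 when a header verifies."""
    total = 0
    for i in range(0, len(header), 2):
        total += (header[i] << 8) | header[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(dst_mac, src_mac, src_ip, dst_ip, proto=6, payload=b""):
    """Ethernet II header + minimal IPv4 header (no options) + payload."""
    eth = struct.pack("!6s6sH", mac_bytes(dst_mac), mac_bytes(src_mac), ETHERTYPE_IPV4)
    total_len = 20 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]  # fill checksum
    return eth + ip + payload


def parse_frame(frame):
    """Decode the Ethernet and (if present) IPv4 headers the way a sniffer would."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    info = {"dst_mac": mac_str(dst), "src_mac": mac_str(src), "ethertype": ethertype}
    if ethertype == ETHERTYPE_IPV4 and len(frame) >= 34:
        ihl = (frame[14] & 0x0F) * 4
        ip_hdr = frame[14:14 + ihl]
        info["ip_ok"] = ipv4_checksum(ip_hdr) == 0
        _, _, _, _, _, ttl, proto, _, s, d = struct.unpack("!BBHHHBBH4s4s", ip_hdr[:20])
        info.update(src_ip=socket.inet_ntoa(s), dst_ip=socket.inet_ntoa(d), proto=proto, ttl=ttl)
    return info


def is_broadcast_or_multicast(dst_mac):
    """Group bit (LSB of the first octet) set -> switch floods it to every port."""
    return mac_bytes(dst_mac)[0] & 0x01 == 1


def seen_on_hub(frames, sensor_mac):
    """A hub repeats every frame on every port; a promiscuous NIC keeps them all."""
    return [parse_frame(f) for f in frames]


def seen_on_switch(frames, sensor_mac):
    """Without a mirror/SPAN port the sensor gets only its own unicast plus flooded
    frames (assumes the switch has already learned every MAC; unknown-unicast
    flooding is deliberately ignored here)."""
    out = []
    for f in frames:
        p = parse_frame(f)
        if p["dst_mac"] == sensor_mac.lower() or is_broadcast_or_multicast(p["dst_mac"]):
            out.append(p)
    return out


def write_pcap(frames, ts_sec=0):
    """Classic little-endian pcap (magic a1b2c3d4, v2.4, linktype 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, PCAP_LINKTYPE_ETHERNET)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", ts_sec, i, len(f), len(f)) + f  # ts_usec = index
    return out


def sample_frames():
    """Constructed traffic: an inbound web request/reply, a broadcast, and a frame to the sensor."""
    return [
        build_frame(SERVER, FIREWALL, "198.51.100.10", "192.0.2.20", payload=b"GET / HTTP/1.0\r\n"),
        build_frame(FIREWALL, SERVER, "192.0.2.20", "198.51.100.10", payload=b"HTTP/1.0 200 OK\r\n"),
        build_frame(BROADCAST, FIREWALL, "192.0.2.1", "192.0.2.255", proto=17),
        build_frame(SENSOR, FIREWALL, "192.0.2.1", "192.0.2.5"),
    ]


if __name__ == "__main__":
    frames = sample_frames()
    print("hub port   :", [(p["src_ip"], p["dst_ip"]) for p in seen_on_hub(frames, SENSOR)])
    print("switch port:", [(p["src_ip"], p["dst_ip"]) for p in seen_on_switch(frames, SENSOR)])
    with open("hub_capture.pcap", "wb") as fh:
        fh.write(write_pcap(frames))  # readable with: tcpdump -r hub_capture.pcap
```

The hub model only holds if the sensor's interface is actually in promiscuous mode (libpcap requests that by default; `ifconfig` or `ip link show` lists `PROMISC` on the interface); otherwise the NIC itself drops the server-bound frames before snort ever sees them, and the capture looks like the switch case.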