[svlug] running snort behind a firewall
shaeffer at got.net
Tue Mar 20 22:47:01 PST 2001
On Tue, Mar 20, 2001 at 10:29:08PM -0800, Karen Shaeffer wrote:
> On Tue, Mar 20, 2001 at 03:01:46PM -0800, Wayne Earl wrote:
> > I've got a client that wants an IDS placed behind their firewall, which
> > protects their webserver farm. Everything behind the firewall is running
> > on switches (100baseT), and I am loathe to mirror traffic on the switches
> > so that a box running snort can sniff the packets.
> > I thought that I could run a hub immediately following the firewall, with
> > only the snort box on it and a crossover to the main switch. Basically:
> >  ______       _______
> > | fw |______| hub |----> to IDS
> > |    |      |     |----> to switch (and rest of server farm)
> >  ------      -------
> > That way, all traffic is broadcast to each port in the hub, allowing the
> > IDS machine to capture its data. And I don't have to reconfigure the
> > switches to mirror data to the port that the IDS is connected to.
> > Will this work the way I suspect it to work?
> Hi Wayne,
> You might look into the experimental ethernet bridging in 2.4.x kernels:
> Look in Configure.help:
> Frame Diverter (EXPERIMENTAL)
> Then you might be able to run snort on the bridge. How's that sound?
I'm just starting to work with snort, but looking in the source: Snort uses
libpcap, providing direct access to the datalink layer. So this should work,
and your proposed implementation should work as well. Take your pick.
Neuralscape; Santa Cruz, Ca. 95060
shaeffer at neuralscape.com http://www.neuralscape.com
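The bridge option Karen points at, written out as a script (an added example, not part of the thread and not the 2.4-era Frame Diverter setup): a transparent Linux bridge built with iproute2 that joins the firewall-side and switch-side NICs and carries no IP address, with snort sniffing the bridge interface. Interface names (eth1, eth2, br0), the snort config path and the DRY_RUN switch are assumptions; everything else is standard `ip link` and snort usage. It needs root to actually apply.

```shell
#!/bin/sh
# Inline IDS tap as a transparent Linux bridge (added example, not from the
# original post). Assumes a kernel with bridge support and iproute2; interface
# names are placeholders. Set DRY_RUN=1 to print the commands instead of
# running them (the way the usage below exercises it without root).

# run CMD...: execute the command, or only print it when DRY_RUN is set.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# setup_tap_bridge OUTSIDE INSIDE [BRIDGE]
# OUTSIDE is the NIC cabled to the firewall, INSIDE the NIC cabled to the
# server-farm switch. The bridge forwards every frame between the two ports,
# so snort on BRIDGE sees the whole segment; with no address on the bridge the
# sensor has no presence on the wire and nothing to attack at layer 3.
setup_tap_bridge() {
    outside=$1
    inside=$2
    br=${3:-br0}

    run ip link add name "$br" type bridge
    # Keep STP off so the sensor never injects BPDUs into the customer's switches.
    run ip link set "$br" type bridge stp_state 0
    run ip link set "$outside" master "$br"
    run ip link set "$inside" master "$br"
    # Promiscuous mode on both members: frames addressed to other hosts must be
    # passed up to the bridge (and to libpcap) rather than dropped by the NIC.
    run ip link set "$outside" promisc on
    run ip link set "$inside" promisc on
    run ip link set "$outside" up
    run ip link set "$inside" up
    run ip link set "$br" up
    # No IPv4 on the bridge, and no auto-configured link-local IPv6 either.
    run ip addr flush dev "$br"
    run sysctl -w "net.ipv6.conf.$br.disable_ipv6=1"
}

# start_snort BRIDGE CONFIG: sniff the bridge interface as a daemon.
start_snort() {
    run snort -i "$1" -c "$2" -D
}

# Usage (placeholders): DRY_RUN=1 setup_tap_bridge eth1 eth2 br0
#                       DRY_RUN=1 start_snort br0 /etc/snort/snort.conf
```

Two caveats worth weighing against the hub approach in the original question: the bridge is an in-line device, so a crashed sensor or a dead NIC takes the server farm off the air unless the bridge host fails open; the hub is passive but forces the link to half-duplex and shares its bandwidth among all ports, so at 100baseT it can become the bottleneck (and cannot be used at all on full-duplex links). A dedicated tap or a SPAN/mirror port avoids both problems.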