[svlug] running snort behind a firewall

Paul Jasa Paul.Jasa at qcs-us.com
Wed Mar 21 07:55:02 PST 2001


Where can one get a safe copy of snort?? Does it come with man pages and
some kinda installation help?? If anyone knows I'd appreciate it!!

Paul Jasa

-----Original Message-----
From: Karen Shaeffer [mailto:shaeffer at got.net]
Sent: Tuesday, March 20, 2001 10:48 PM
To: Wayne Earl
Cc: svlug at svlug.org
Subject: Re: [svlug] running snort behind a firewall
Importance: High


On Tue, Mar 20, 2001 at 10:29:08PM -0800, Karen Shaeffer wrote:
> On Tue, Mar 20, 2001 at 03:01:46PM -0800, Wayne Earl wrote:
> > I've got a client that wants an IDS placed behind their firewall, which
> > protects their webserver farm. Everything behind the firewall is running
> > on switches (100baseT), and I am loath to mirror traffic on the switches
> > so that a box running snort can sniff the packets.
> > 
> > I thought that I could run a hub immediately following the firewall, with
> > only the snort box on it and a crossover to the main switch. Basically:
> > 
> > ______      _______
> > | fw |______| hub |----> to IDS
> > |    |      |     |----> to switch (and rest of server farm)
> > ------      -------
> > 
> > That way, all traffic is broadcast to each port in the hub, allowing the
> > IDS machine to capture its data. And I don't have to reconfigure the
> > switches to mirror data to the port that the IDS is connected to.
> > 
> > Will this work the way I suspect it to work?
> 
> Hi Wayne,
> 
> You might look into the experimental ethernet bridging in 2.4.x kernels:
> 
> Look in Configure.help:
> 
> Frame Diverter (EXPERIMENTAL)
> CONFIG_NET_DIVERT
> 
> Then you might be able to run snort on the bridge. How's that sound?

I'm just starting to work with snort, but looking in the source: Snort uses
libpcap, providing direct access to the datalink layer. So this should work,
and your proposed implementation should work as well. Take your pick.

HTH
Karen
-- 
 Karen Shaeffer
 Neuralscape; Santa Cruz, Ca. 95060
 shaeffer at neuralscape.com  http://www.neuralscape.com
