Re: Snort with PPoE and PF
On Wed, Nov 20, 2002 at 01:25:08PM +0100, Rodolphe ORTALO wrote:
> I'm wondering if snort, that I started with:
> # snort -i tun0 -I -c ./snort-nr.conf
> (from /usr/local/share/examples/snort/)
> was seeing *all* the traffic coming from
> the ADSL line via tun0 or *only* the traffic
> allowed by the PF firewall?
snort is using pcap to tap into the interfaces, and bpf sees all packets
before they are filtered by pf. So, snort (and tcpdump, and any similar
tool) will see the traffic before it's filtered.
If you want the IDS to only see traffic that made it past the firewall,
run it on the internal interface or on an internal machine. Running it
on the external interface means it sees all traffic, which might be
desired to detect port scans and other blocked traffic. Your choice.
Daniel