
Re: Snort with PPoE and PF



Thank you very much. Rodolphe.

> -----Original Message-----
> From: owner-ports@openbsd.org [mailto:owner-ports@openbsd.org] On Behalf Of Daniel Hartmeier
> Sent: Wednesday, 20 November 2002 21:39
> To: Rodolphe ORTALO
> Cc: 'ports@openbsd.org'
> Subject: Re: Snort with PPoE and PF
> 
> 
> On Wed, Nov 20, 2002 at 01:25:08PM +0100, Rodolphe ORTALO wrote:
> 
> > I'm wondering if snort, that I started with:
> > # snort -i tun0 -I -c ./snort-nr.conf
> > (from /usr/local/share/examples/snort/)
> > was seeing *all* the traffic coming from
> > the ADSL line via tun0 or *only* the traffic
> > allowed by the PF firewall?
> 
> snort is using pcap to tap into the interfaces, and bpf sees all packets
> before they are filtered by pf. So, snort (and tcpdump, and any similar
> tool) will see the traffic before it's filtered.
> 
> If you want the IDS to only see traffic that made it past the firewall,
> run it on the internal interface or on an internal machine. Running it
> on the external interface means it sees all traffic, which might be
> desired to detect port scans and other blocked traffic. Your choice.
> 
> Daniel
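A way to see the distinction Daniel describes with your own eyes, added here as an example and not part of the original thread: a minimal pf.conf fragment that logs what pf blocks on the PPPoE link, so the three capture points (raw bpf on tun0, pf's own pflog0, and the LAN side) can be compared. The interface names (tun0 for the PPPoE link, fxp0 for the LAN) and the single pass rule are assumptions for illustration.

```conf
# Added example, not from the original thread.
# Assumed interfaces: tun0 = PPPoE link, fxp0 = internal LAN.
ext_if = "tun0"
int_if = "fxp0"

# Every packet dropped on the external interface is copied to pflog0.
block in log on $ext_if all

# Allow only inbound SSH (stateful); everything else hits the block rule.
pass in  on $ext_if proto tcp from any to any port 22 keep state
pass out on $ext_if all keep state

# Three vantage points, run as root:
#   tcpdump -n -i tun0                 bpf on the link: every packet, before pf
#   tcpdump -n -e -ttt -i pflog0       only what pf blocked (the "block log" rule)
#   snort -i fxp0 -c ./snort-nr.conf   only traffic pf actually forwarded to the LAN
```

A port scan against the box shows up in the first two captures but never in the third; that difference is exactly why snort on tun0 reports blocked probes while snort on fxp0 does not.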