This is a discussion on [Snort-users] No External Hits/Proxy Server Required? within the Snort forums, part of the System Security and Security Related category.
Good Morning Folks,

I have a group of questions that likely stems from a misunderstanding of a simple requirement on my part. I am running SNORT with ACID on a small home network. I am interested in intrusion detection as I run a mail server and am giving consideration to installation of my own web server. I am also interested in monitoring internal traffic and will try to set up blocking of certain types of sites (for the kids). Most everything seems to work except that I do not get hits from external sites unless they specifically connect to my mail server. I have a cable modem and a Linksys router/firewall but I do not have a dedicated machine running as a firewall [wife would kill me if I got *another* computer : ) ]. Because I did not see any hits when I went to a porn site, I created a generic rule [alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Just a test"; classtype:misc-activity;)] to alert on any traffic as a test. The only traffic that seems to trigger this is traffic bound for the mail server. Am I missing the obvious about how SNORT should work? Do I have to set up a proxy server in order for SNORT to monitor traffic there? (I sort of think "yes" since established web connections would not be broadcast, would they?)

I welcome your thoughts or comments. Thanks.

Tim
-- 
Tim Rohrer
tgrohrer@metbymail.com
http://www.metbymail.com
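A quick way to check the symptom described in the post (every alert from a catch-all rule lands on the mail server) is to tally the destination addresses in Snort's alert output: if every alerted destination is one of the sensor host's own addresses, the sensor is only seeing traffic addressed to itself, which is the question the post raises. The script below is an added example and not part of the original post; it assumes Snort's "fast" alert line layout (`-A fast`), and the alert lines and addresses are constructed samples, not real captures.

```python
import re
from collections import Counter

# Constructed sample alerts in the style of Snort's fast alert output.
# Layout is assumed from Snort's alert_fast format; addresses are documentation ranges.
# First set: every hit is bound for one host (the situation the post describes).
SAMPLE_ONLY_MAIL = """\
03/10-09:12:33.102938  [**] [1:1000001:0] Just a test [**] [Classification: Misc activity] [Priority: 3] {TCP} 203.0.113.5:40111 -> 192.168.1.10:25
03/10-09:12:34.558201  [**] [1:1000001:0] Just a test [**] [Classification: Misc activity] [Priority: 3] {TCP} 198.51.100.77:51234 -> 192.168.1.10:25
03/10-09:13:01.000417  [**] [1:1000001:0] Just a test [**] [Classification: Misc activity] [Priority: 3] {TCP} 203.0.113.9:3389 -> 192.168.1.10:25
"""

# Second set: the same rule also fires on traffic to another inside host,
# which is what you expect once the sensor can see the whole segment.
SAMPLE_OTHER_HOSTS = SAMPLE_ONLY_MAIL + """\
03/10-09:13:05.771003  [**] [1:1000001:0] Just a test [**] [Classification: Misc activity] [Priority: 3] {TCP} 203.0.113.40:443 -> 192.168.1.20:54022
this line is not an alert and is skipped by the parser
"""

# One alert per line: timestamp, [gid:sid:rev], message, optional class/priority,
# {proto}, then "src:port -> dst:port" (ports are optional for ICMP-style lines).
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)


def parse_fast_alerts(text):
    """Parse fast-format alert lines into dicts; lines that do not match are ignored."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if m:
            alerts.append(m.groupdict())
    return alerts


def destination_summary(alerts):
    """Count alerts per destination address."""
    return Counter(a["dst"] for a in alerts)


def visibility_verdict(alerts, sensor_ips):
    """Classify what the sensor is seeing.

    'only-own-traffic'  : every alerted destination is an address of the sensor host,
                          i.e. the sensor is not seeing other hosts' sessions.
    'sees-other-hosts'  : at least one alert targets a different host on the segment.
    """
    dsts = destination_summary(alerts)
    if not dsts:
        return "no alerts parsed"
    if set(dsts) <= set(sensor_ips):
        return "only-own-traffic"
    return "sees-other-hosts"


if __name__ == "__main__":
    # The sensor in the example is the mail server itself (assumed address).
    for label, sample in (("mail-only", SAMPLE_ONLY_MAIL), ("segment", SAMPLE_OTHER_HOSTS)):
        parsed = parse_fast_alerts(sample)
        print(label, dict(destination_summary(parsed)), visibility_verdict(parsed, ["192.168.1.10"]))
```

Run it against a real alert file by reading the file into `parse_fast_alerts` and passing the sensor's own addresses to `visibility_verdict`; a verdict of `only-own-traffic` after browsing from another machine on the LAN means the sensor's interface is not receiving that machine's sessions, which is a visibility question rather than a rule question.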