Why don't you just run a chrooted snort on $ext_if?

Chris
On Wed, Sep 10, 2003 at 09:25:37AM -0400, Aaron Wade wrote:
> Hi all,
> I have a 3.3 based firewall, and I am looking at deploying snort on a 3rd
> interface. It seems like dup-to is the best option for this, but I have a
> few questions as to how it works.
>
> How does dup-to work with scrub? If scrub is reassembling packets, how
> could the IDS pick up a fragmented attack?
>
> I have explicit deny rules in place, so I am assuming the following would
> work?
>
> block log on $ext_if dup-to $IDS all
>
> If that wouldn't do the trick, what would?
>
> The 3rd interface will simply be "up" with no IP and the IDS is active with
> a unidirectional cable connecting the two. Are there any issues with that?
>
> If anyone has suggestions or comments, I'd appreciate it.
> As to why I am resorting to this... I was denied a mirror port on our switch, a
> tap costs more than I want to spend, and an inline hub is ridiculous IMO.
> Thanks,
> Aaron
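The dup-to approach Aaron asks about, as an added pf.conf example that is not part of the thread and not code from either poster. It uses OpenBSD 3.3-era syntax; the interface names, the web server address, the sensor link address and the fake next hop are placeholders. Two points the thread raises are reflected in the comments: scrub runs before the filter rules, so the copy sent by dup-to is the reassembled datagram rather than the original fragments, and pf applies dup-to when the matching rule passes the packet, so putting dup-to on the block rule would not produce copies of the denied traffic (verify on your own release by running tcpdump on the sensor while sending something the block rule drops).

```pf
# Added example, not from the thread: pf.conf fragment that copies
# permitted traffic to a sensor interface with dup-to.  All names and
# addresses below are placeholders chosen for illustration.
ext_if  = "fxp0"
ids_if  = "fxp2"            # cable to the snort box; nothing answers on it
ids_hop = "192.168.254.2"   # fake next hop on the sensor link, see note below
www     = "192.0.2.10"

# Normalize first.  Fragments are reassembled here, before any filter
# rule (and therefore before dup-to) sees the packet, so the sensor
# receives whole datagrams, not the fragments as they arrived.
scrub in all

# Default deny, logged.  dup-to is applied when the matching rule passes
# the packet, so adding it here would not copy the blocked traffic.
block log on $ext_if all

# Allowed traffic: pass it, keep state, and send a copy out $ids_if.
# The route option sits after "on ifspec" and before the protocol.
pass in on $ext_if dup-to ($ids_if $ids_hop) proto tcp \
        from any to $www port 80 flags S/SA keep state
pass in on $ext_if dup-to ($ids_if $ids_hop) proto tcp \
        from any to $www port 25 flags S/SA keep state
```

The copy still has to be handed to the link layer, which means pf needs a layer-2 destination for it. An interface that is merely "up" with no address gives it nothing to resolve against, so the assumed workaround here is to give $ids_if a throwaway address on a tiny private subnet (for example 192.168.254.1/30) and add a permanent ARP entry for $ids_hop with any MAC address, since the unidirectional cable means no reply will ever come back anyway. After loading the rules, fetch a page from $www and confirm with tcpdump on the sensor interface that the copies show up; if they do not, that check separates a pf rule problem from a cabling one.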
