On Wed, Sep 10, 2003 at 10:50:24AM -0500, Chris Reining wrote:
> Why don't you just run a chrooted snort on $ext_if?

choose one:

a. machines running snort usually have much higher requirements (disk space, cpu, connection to a database?)
b. complex processes/services on a firewall are a bad thing
c. running snort chrooted does not remove the risks associated with the open bpf interface in snort, i.e. a potential exploit can still sniff all your interfaces, send arbitrary signals to arbitrary processes, etc.

> Chris

And to answer the original question(s):

> On Wed, Sep 10, 2003 at 09:25:37AM -0400, Aaron Wade wrote:
> > Hi all,
> > I have a 3.3 based firewall, and I am looking at deploying snort on a 3rd
> > interface. It seems like dup-to is the best option for this, but I have a
> > few questions as to how it works.
> >
> > How does dup-to work with scrub ? If scrub is reassembling packets, how
> > could the IDS pick up a fragmented attack ?

It can not. But your internal hosts will not be affected (due to scrub), so there is no problem. If you still want to know if someone _attempted_ a fragmentation attack, you can increase the debug level of pf (read about the -x switch in pfctl(8)) and check the system (firewall) logs.

> > I have explicit deny rules in place, so I am assuming the following would
> > work ?
> >
> > block log on $ext_if dup-to $IDS all
> >
> > If that wouldn't do the trick, what would ?

only the packets blocked by the above rule will be duplicated to $ids. if you want other packets, you have to add an explicit dup-to statement to the rules/connections you want to inspect.

> > The 3rd interface will simply be "up" with no IP and the IDS is active with
> > a unidirectional cable connecting the two. Are there any issues with that ?

unidirectional? you may have autonegotiation problems with that. I have not tried it, but you may get away with manually specifying media type and speed on both sides of the cable. why not use a simple crossover cable?

> > If anyone has suggestions or comments, I'd appreciate it.
> >
> > As to why I am resorting to this..I was denied a mirror port on our switch, a
> > tap costs more than I want to spend, and an inline hub is ridiculous IMO.
> > Thanks,
> > Aaron
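The point made above, that dup-to only copies packets matched by the rule that carries it, as an added pf.conf fragment (not from either poster; interface names, the IDS next-hop address and the web server address are constructed placeholders, and it assumes the dup-to target is given an explicit next hop):

```conf
# Added example, not part of the thread. Three-interface firewall:
# $ext_if faces the Internet, $ids_if is the dedicated sniffing leg.
ext_if   = "fxp0"
ids_if   = "fxp2"
ids_addr = "192.0.2.2"   # constructed next-hop placeholder for the dup-to target;
                         # if the IDS side carries no IP, a static arp(8) entry
                         # for it is the usual workaround (assumption)
web_srv  = "10.0.0.10"   # constructed internal host

# Fragments are reassembled before filtering, so the IDS only ever sees
# whole packets (it cannot observe the fragmentation itself).
scrub in on $ext_if all fragment reassemble

# The rule from the question: ONLY traffic this rule blocks is copied to the IDS.
block log on $ext_if dup-to ($ids_if $ids_addr) all

# Passed traffic is not touched by the block rule above. To have the IDS
# inspect a permitted service, the pass rule itself needs dup-to.
pass in on $ext_if dup-to ($ids_if $ids_addr) proto tcp \
    from any to $web_srv port 80 keep state

# Passed without dup-to: the IDS never sees this connection.
pass in on $ext_if proto tcp from any to $web_srv port 22 keep state
```

Raising the pf debug level with `pfctl -x misc` (levels are documented in pfctl(8)) makes reassembly-related messages show up in the firewall's system log, which is what the reply suggests for spotting attempted fragmentation attacks.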