June 12th, 2006, 09:27 PM
In response to what IKnowNot said...
Yes, the MIRROR target is a VERY VERY VERY DANGEROUS target to be playing with, unless you know exactly what you're doing. It could get you into loads of trouble, as it could be used to make your box essentially a completely transparent bounce zombie. It could also be used to reverse proxy attacks into your own network.
As for running Snort on the firewall box, it dates back to the days when Snort relied on the network stack of the machine it was running on to reconstruct data streams. It is run on the firewall box to ensure that Snort is definitely seeing exactly what the firewall would, thereby making a layer 4 evasion attack impossible, insofar as manipulating the TCP data is concerned. I was also playing with the flex response tools a bit; it was far easier to do this when the Snort box was directly in the communication path, although I agree, it is no longer necessary to run Snort on the firewall to achieve this, and the flex response can also be run even from a Snort box with no valid address.
There is actually nothing externally facing from the firewall box. It logs to a mysql database on the server machine, and that machine is used to run the BASE software that allows me to analyze the Snort logs.
But yes, it would be better to run Snort somewhere other than the firewall. But this way, I can be sure that it will reconstruct data in the same manner as the firewall.
Government is like fire - a handy servant, but a dangerous master - George Washington
Government is not reason, it is not eloquence - it is force. - George Washington.
Join the UnError
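The post's point about stream reconstruction, as an added illustration that is not part of the original thread: when two TCP segments overlap, a "first wins" and a "last wins" reassembly policy produce different payloads, so an IDS whose policy differs from the protected host inspects a different stream than the host executes. The segments below are constructed, and `reassemble`, `views_agree` and `has_conflicting_overlap` are assumed helper names for this example only.

```python
"""Toy TCP stream reassembler showing why IDS and endpoint reassembly
policies must agree.  Example code, not Snort's own implementation."""


def reassemble(segments, policy):
    """Rebuild a byte stream from (seq, data) segments starting at seq 0.

    policy == "first": bytes already placed are never overwritten.
    policy == "last":  later segments overwrite earlier bytes.
    Raises ValueError if the segments leave a hole in the sequence space.
    """
    stream = {}
    for seq, data in segments:
        for i, byte in enumerate(data):
            offset = seq + i
            if policy == "last" or offset not in stream:
                stream[offset] = byte
    if not stream:
        return b""
    end = max(stream) + 1
    missing = [o for o in range(end) if o not in stream]
    if missing:
        raise ValueError(f"gap in stream at offsets {missing[:5]}")
    return bytes(stream[o] for o in range(end))


def has_conflicting_overlap(segments):
    """True if any offset is covered by two segments carrying different bytes.

    This is the ambiguity an IDS can flag: retransmissions that repeat the
    same bytes are normal, retransmissions that change them are not."""
    seen = {}
    for seq, data in segments:
        for i, byte in enumerate(data):
            if seen.setdefault(seq + i, byte) != byte:
                return True
    return False


def views_agree(segments, ids_policy, host_policy):
    """True only if the IDS and the host rebuild the same payload."""
    return reassemble(segments, ids_policy) == reassemble(segments, host_policy)


# Constructed sample: the second segment re-sends offsets 4..7 with other bytes.
SEGMENTS = [
    (0, b"GET /ind"),
    (4, b"XXXXex.html"),  # offsets 4-7 conflict with the first segment
]

if __name__ == "__main__":
    for policy in ("first", "last"):
        print(policy, reassemble(SEGMENTS, policy))
    print("conflicting overlap:", has_conflicting_overlap(SEGMENTS))
```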