Snort mailing list archives
Re: Configuration issue, Part II
From: John Sage <jsage () finchhaven com>
Date: Mon, 24 Sep 2001 06:43:10 -0700
Although I think Erek has something going with the real issue, here, questioning how *two* external interfaces are to work...
Erek Adams wrote:
> On Sun, 23 Sep 2001, DJDave Sobel wrote:
>
> > First off, thanks to everyone who's lent a hand -- I do appreciate it. Let me know where to send the coffee and/or beer... :)
> >
> > Now, to save bandwidth, I compiled my answers to everyone's questions into this one email. :) Thus, those not interested need only ignore one message.
> >
> > First off, to answer Erek Adams (erek () theadamsfamily net): Tell me where to send your beer... Snort is located on my Linux router, so it's on a machine with 6 network interfaces. Two are connected to the Internet, and four are to the internal networks. I use ipchains to block various unfriendly traffic, and control who can see
>
> Ahhhh.... I think I see a possible problem! Have a look at this: http://snort.sourcefire.com/docs/faq.html#4.3
>
> Basically, snort sits 'behind' the ipchains and ipf programs. They see the packets before snort does. If you've got things set up to drop/deny packets that you are expecting to see with snort, then you won't.
<snip>

...let me say that this is *not* what I see.

With snort 1.8.1-RELEASE build 74, and ipchains 1.3.9 (I know, I know..) on RHL 6.2, ipchains quite busily DENY's or ACCEPT's as appropriate, and snort happily logs everything, DENY'ed or not.

Maybe if Marty or someone is lurking, they can comment on what the FAQ says:

<snip>
Q: Snort is behind a firewall (ipf/pf/ipchains/ipfilter) and awfully quiet...
A: Your firewall rules will also block traffic to the snort processes.
<snip>

and how that reconciles with what I'm seeing. I'm running snort thus:

snortREL -b -i ppp0 -c /usr/local/snort-1.8.1-RELEASE/snortREL.conf &

and my snortREL.conf points at my rules files that essentially log everything.
- John

--
John Sage
FinchHaven, Vashon Island, WA, USA
http://www.finchhaven.com/
mailto:jsage () finchhaven com
"The web is so, like, five minutes ago..."
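One way to check John's observation for yourself, as an added example that is not from the thread or from the Snort project: read a `snort -b` binary log (tcpdump/pcap format) and list the captured packets that an ipchains DENY rule would have dropped. If the list is non-empty, snort is seeing packets ahead of the firewall. The DENY rule set, the sample capture and the assumption of an Ethernet (DLT_EN10MB) link type are constructed for this example; a real ppp0 capture carries a PPP link type.

```python
import struct

# Constructed sample data: two Ethernet/IPv4/TCP frames packed into a minimal
# pcap file, the tcpdump format that "snort -b" writes. Assumption: link type
# DLT_EN10MB (1); a capture taken on ppp0 would carry a PPP link type instead.
def tcp_frame(src, dst, sport, dport):
    eth = b"\x00" * 12 + b"\x08\x00"                       # zero MACs, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 0x50, 0x02, 8192, 0, 0)  # SYN
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0, src, dst)
    return eth + ip + tcp

def build_pcap(frames):
    ghdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # little-endian, DLT 1
    recs = (struct.pack("<IIII", 1001000000, 0, len(f), len(f)) + f for f in frames)
    return ghdr + b"".join(recs)

def parse_pcap(data):
    """Return (src, dst, sport, dport) for every IPv4/TCP frame in a pcap blob."""
    magic, = struct.unpack("<I", data[:4])
    bo = "<" if magic == 0xA1B2C3D4 else ">"               # byte order from the magic
    linktype, = struct.unpack(bo + "I", data[20:24])
    if linktype != 1:
        raise ValueError("example handles DLT_EN10MB captures only")
    off, pkts = 24, []
    while off + 16 <= len(data):
        _, _, incl, _ = struct.unpack(bo + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                                        # IPv4 carrying TCP only
        ihl = (frame[14] & 0x0F) * 4
        src = ".".join(map(str, frame[26:30]))
        dst = ".".join(map(str, frame[30:34]))
        sport, dport = struct.unpack("!HH", frame[14 + ihl:14 + ihl + 4])
        pkts.append((src, dst, sport, dport))
    return pkts

# Constructed stand-in for the router's ipchains DENY rules: (proto, dest port).
DENY_RULES = [("tcp", 23), ("tcp", 111)]

def denied_but_logged(pcap_bytes, rules):
    """Packets snort logged that the firewall rules would have DENY'ed."""
    ports = {port for proto, port in rules if proto == "tcp"}
    return [p for p in parse_pcap(pcap_bytes) if p[3] in ports]

SAMPLE_PCAP = build_pcap([
    tcp_frame(bytes([203, 0, 113, 9]), bytes([198, 51, 100, 1]), 40000, 23),  # telnet, DENY'ed
    tcp_frame(bytes([203, 0, 113, 9]), bytes([198, 51, 100, 1]), 40001, 80),  # http, ACCEPTed
])
```

Point `denied_but_logged` at the bytes of a real snort.log file and at your own DENY rules to repeat the check on a live router.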