Snort mailing list archives
Re: Configuration issue, Part II
From: Erek Adams <erek () theadamsfamily net>
Date: Mon, 24 Sep 2001 06:54:37 -0700 (PDT)
On Mon, 24 Sep 2001, John Sage wrote:

> Although I think Erek has something going with the real issue, here, questioning how *two* external interfaces are to work...

Well, you've really got two options running under Linux. -i any and running two instances of snort, one for each interface.

[...snip...]

> ...let me say that this is *not* what I see.

Hrm....

> With snort 1.8.1-RELEASE build 74, and ipchains 1.3.9 (I know, I know..) on RHL 6.2, ipchains quite busily DENY's or ACCEPT's as appropriate, and snort happily logs everything, DENY'ed or not.
>
> Maybe if Marty or someone is lurking, they can comment on what the FAQ says:
>
> <snip>
> Q: Snort is behind a firewall (ipf/pf/ipchains/ipfilter) and awfully quiet...
> A: Your firewall rules will also block traffic to the snort processes.
> <snip>
>
> and how that reconciles with what I'm seeing.
>
> I'm running snort thus:
>
> snortREL -b -i ppp0 -c /usr/local/snort-1.8.1-RELEASE/snortREL.conf &
>
> and my snortREL.conf points at my rules files that essentially log everything.

Do you actually see packets with snort that should have been denied by the firewall? IOW, if you set up a firewall rule to deny all traffic from an external site, say route-server.cerf.net, and then tried to send traffic from the blocked site back into your net, does your snort box see it?

According to everything we've seen so far, it shouldn't. If you can, we'd love more info on it!

Cheers!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net