Snort mailing list archives
nort behind ipchains 'blind'?
From: "Martijn Heemels" <martijn () yggdrasil yi org>
Date: Tue, 3 Jul 2001 17:44:05 +0200
Hi,

About two months ago there was a discussion about whether Snort could see packets when installed on the same machine as the firewall. Has anything come out of that discussion? I've searched my archives but haven't found a solution.

My Snort sees hardly anything and has been completely quiet for many weeks now. I love the snort concept and would really like to implement it on my box, but at the moment it's useless and I don't have the cash (nor the desire) to buy a dedicated box just for snort :(

Someone wrote that having a default ipchains policy of deny might be the cause, but has this been confirmed? The idea of changing the default policy is not really appealing. Any idea what needs to be changed?

Any and all help will be greatly appreciated.

My box:
Redhat 6.2 with kernel 2.2.16-3
ipchains-1.3.9-5
snort-1.7-1
snort ruleset and Vision ruleset (May 2nd)
ipchains default policies: deny
snort running on eth1 (3com NIC to cablemodem to internet)

ifconfig eth1 says:

    eth1      Link encap:Ethernet  HWaddr **:**:**:**:**:**
              inet addr:***.***.***.***  Bcast:***.***.***.***  Mask:255.255.255.192
              UP BROADCAST NOTRAILERS RUNNING  MTU:1500  Metric:1
              RX packets:41025693 errors:36 dropped:0 overruns:1 frame:36
              TX packets:32951314 errors:0 dropped:0 overruns:0 carrier:12864
              collisions:17057 txqueuelen:100
              Interrupt:11 Base address:0x300

Thanks in advance,
Martijn Heemels

--
M. Heemels
Eindhoven, NL
martijn () heemels com
Current thread:
- nort behind ipchains 'blind'? Martijn Heemels (Jul 03)
- RE: nort behind ipchains 'blind'? Neal Timm (Jul 03)
- <Possible follow-ups>
- Re: nort behind ipchains 'blind'? Matthew Collins (Jul 04)
- Re: nort behind ipchains 'blind'? John Sage (Jul 04)