Snort mailing list archives

Snort behind ipchains 'blind'?


From: "Martijn Heemels" <martijn () yggdrasil yi org>
Date: Tue, 3 Jul 2001 17:44:05 +0200

Hi,

About two months ago there was a discussion about whether Snort could see
packets when installed on the same machine as the firewall. Has anything
come out of that discussion? I've searched my archives but haven't found a
solution.

My Snort sees hardly anything and has been completely quiet for many weeks
now. I love the snort concept and would really like to implement it on my
box, but at the moment it's useless and I don't have the cash (nor the
desire) to buy a dedicated box just for snort :(

Someone wrote that having a default ipchains policy of deny might be the
cause, but has this been confirmed? The idea of changing the default
policy is not really appealing. Any idea what needs to be changed?

Any and all help will be greatly appreciated.

My box:
Redhat 6.2 with kernel 2.2.16-3
ipchains-1.3.9-5
snort-1.7-1
snort ruleset and Vision ruleset (May 2nd)
ipchains default policies: deny
snort running on eth1 (3com NIC to cablemodem to internet)

ifconfig eth1 says:
eth1      Link encap:Ethernet  HWaddr **:**:**:**:**:**
          inet addr:***.***.***.***  Bcast:***.***.***.***  Mask:255.255.255.192
          UP BROADCAST NOTRAILERS RUNNING  MTU:1500  Metric:1
          RX packets:41025693 errors:36 dropped:0 overruns:1 frame:36
          TX packets:32951314 errors:0 dropped:0 overruns:0 carrier:12864
          collisions:17057 txqueuelen:100
          Interrupt:11 Base address:0x300


Thanks in advance,
Martijn Heemels

--
M. Heemels
Eindhoven, NL
martijn () heemels com
