Snort mailing list archives

RE: snort behind ipchains 'blind'?


From: "Hawrylkiw, Dan G" <dan.g.hawrylkiw () intel com>
Date: Tue, 3 Jul 2001 13:42:02 -0700


IPchains does not affect what snort sees.  I verified this by running snort
on both a 3NIC firewall (trust me - plenty of rules involved in this case)
and a dedicated box with a listener on the external hub.  Both boxes
triggered on the same alerts (the usual Internet script-kiddie noise and
some additional scanning on my part) during a two month test.  Granted, this
did not cover all possible attacks, but I'd bet it is all inclusive.

--
/Dan Hawrylkiw
When cryptography is outlawed, bayl bhgynjf jvyy unir cevinpl.


-----Original Message-----
From: Martijn Heemels [mailto:martijn () yggdrasil yi org]
Sent: Tuesday, July 03, 2001 8:44 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] nort behind ipchains 'blind'?


Hi,

About two months ago there was a discussion about whether Snort could see
packets when installed on the same machine as the firewall. Has anything
come out of that discussion? I've searched my archives but haven't found a
solution.

My Snort sees hardly anything and has been completely quiet for many weeks
now. I love the snort concept and would really like to implement it on my
box, but at the moment it's useless and I don't have the cash (nor the
desire) to buy a dedicated box just for snort :(

Someone wrote that having a default ipchains policy of deny might be the
cause, but has this been confirmed? The idea of changing the default
policy is not really appealing. Any idea what needs to be changed?

Any and all help will be greatly appreciated.

My box:
Redhat 6.2 with kernel 2.2.16-3
ipchains-1.3.9-5
snort-1.7-1
snort ruleset and Vision ruleset (May 2nd)
ipchains default policies: deny
snort running on eth1 (3com NIC to cablemodem to internet)

ifconfig eth1 says:
eth1      Link encap:Ethernet  HWaddr **:**:**:**:**:**
          inet addr:***.***.***.***  Bcast:***.***.***.***  Mask:255.255.255.192
          UP BROADCAST NOTRAILERS RUNNING  MTU:1500  Metric:1
          RX packets:41025693 errors:36 dropped:0 overruns:1 frame:36
          TX packets:32951314 errors:0 dropped:0 overruns:0 carrier:12864
          collisions:17057 txqueuelen:100
          Interrupt:11 Base address:0x300


Thanks in advance,
Martijn Heemels

--
M. Heemels
Eindhoven, NL
martijn () heemels com

