Snort mailing list archives
RE: snort behind ipchains 'blind'?
From: "Hawrylkiw, Dan G" <dan.g.hawrylkiw () intel com>
Date: Tue, 3 Jul 2001 13:42:02 -0700
IPchains does not affect what snort sees. I verified this by running snort on both a 3NIC firewall (trust me - plenty of rules involved in this case) and a dedicated box with a listener on the external hub. Both boxes triggered on the same alerts (the usual Internet script-kiddie noise and some additional scanning on my part) during a two-month test. Granted, this did not cover all possible attacks, but I'd bet it is all inclusive.

--
/Dan Hawrylkiw
When cryptography is outlawed, bayl bhgynjf jvyy unir cevinpl.

-----Original Message-----
From: Martijn Heemels [mailto:martijn () yggdrasil yi org]
Sent: Tuesday, July 03, 2001 8:44 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] snort behind ipchains 'blind'?

Hi,

About two months ago there was a discussion about whether Snort could see packets when installed on the same machine as the firewall. Has anything come out of that discussion? I've searched my archives but haven't found a solution.

My Snort sees hardly anything and has been completely quiet for many weeks now. I love the snort concept and would really like to implement it on my box, but at the moment it's useless and I don't have the cash (nor the desire) to buy a dedicated box just for snort :(

Someone wrote that having a default ipchains policy of deny might be the cause, but has this been confirmed? The idea of changing the default policy is not really appealing. Any idea what needs to be changed?

Any and all help will be greatly appreciated.
My box:
  Redhat 6.2 with kernel 2.2.16-3
  ipchains-1.3.9-5
  snort-1.7-1
  snort ruleset and Vision ruleset (May 2nd)
  ipchains default policies: deny
  snort running on eth1 (3com NIC to cablemodem to internet)

ifconfig eth1 says:

eth1      Link encap:Ethernet  HWaddr **:**:**:**:**:**
          inet addr:***.***.***.***  Bcast:***.***.***.***  Mask:255.255.255.192
          UP BROADCAST NOTRAILERS RUNNING  MTU:1500  Metric:1
          RX packets:41025693 errors:36 dropped:0 overruns:1 frame:36
          TX packets:32951314 errors:0 dropped:0 overruns:0 carrier:12864
          collisions:17057 txqueuelen:100
          Interrupt:11 Base address:0x300

Thanks in advance,
Martijn Heemels

--
M. Heemels
Eindhoven, NL
martijn () heemels com
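
The reply above describes checking sensor visibility by comparing the alerts from a Snort instance on the firewall host with those from a dedicated listener outside it. The following is an added example of that comparison, not code from either poster or from the Snort project; the alert line layout, the function names and the sample log lines are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Assumed alert layout (Snort "fast" style): MM/DD-HH:MM:SS.usec [**] msg [**] src[:port] -> dst[:port]
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d)\.\d+\s+\[\*\*\]\s+(?P<msg>.+?)\s+\[\*\*\]"
    r".*?(?P<src>\d+\.\d+\.\d+\.\d+)(?::\d+)?\s+->\s+(?P<dst>\d+\.\d+\.\d+\.\d+)(?::\d+)?"
)

# Constructed sample data (documentation address ranges), not taken from the thread.
TAP_SENSOR_LOG = """\
07/03-08:44:10.120000  [**] SCAN SYN FIN [**] 198.51.100.7:1042 -> 192.0.2.10:21
07/03-08:44:12.500000  [**] ICMP PING NMAP [**] 198.51.100.7 -> 192.0.2.10
07/03-08:45:30.000000  [**] SCAN SYN FIN [**] 198.51.100.9:2200 -> 192.0.2.10:111
"""
FIREWALL_SENSOR_LOG = """\
07/03-08:44:11.020000  [**] SCAN SYN FIN [**] 198.51.100.7:1042 -> 192.0.2.10:21
07/03-08:44:13.100000  [**] ICMP PING NMAP [**] 198.51.100.7 -> 192.0.2.10
"""

def parse_alerts(text, year=2001):
    """Return (time, msg, src, dst) tuples; lines that do not match are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if m:
            # The log carries no year, so the caller supplies one.
            ts = datetime.strptime(f"{year}/{m['ts']}", "%Y/%m/%d-%H:%M:%S")
            alerts.append((ts, m["msg"], m["src"], m["dst"]))
    return alerts

def missed_by(sensor, reference, skew=timedelta(seconds=2)):
    """Alerts in `reference` with no same msg/src/dst alert within `skew` in `sensor`."""
    missed = []
    for ts, msg, src, dst in reference:
        seen = any((m, s, d) == (msg, src, dst) and abs(t - ts) <= skew
                   for t, m, s, d in sensor)
        if not seen:
            missed.append((ts, msg, src, dst))
    return missed

if __name__ == "__main__":
    tap = parse_alerts(TAP_SENSOR_LOG)
    fw = parse_alerts(FIREWALL_SENSOR_LOG)
    for ts, msg, src, dst in missed_by(fw, tap):
        print(f"only on tap sensor: {ts:%m/%d %H:%M:%S} {msg} {src} -> {dst}")
    for ts, msg, src, dst in missed_by(tap, fw):
        print(f"only on firewall sensor: {ts:%m/%d %H:%M:%S} {msg} {src} -> {dst}")
```

The `skew` window absorbs small clock differences between the two hosts; an alert that appears only in the tap log points at a visibility gap on the firewall-hosted sensor.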