Snort mailing list archives
Re: nort behind ipchains 'blind'?
From: John Sage <jsage () finchhaven com>
Date: Wed, 04 Jul 2001 11:26:00 -0700
Matthew Collins wrote:

> Snort on a PPP interface behind ipchains (ie a dial up or ISDN connection)
> will not see packets filtered by the firewall.
This is simply not true. I have a dialup connection via ppp0, an ipchains-based firewall, snort 1.7, and snort sees everything ipchains sees, and sees everything the snort rules are set up to see very effectively.

A not-so-recent example, but an example, nonetheless:

******************************

syslog:

Jun 16 14:12:42 sparky snort: TCP to 1024-60999: 12.25.244.15:11753 -> 12.82.128.165:11753

snort:

06/16-14:12:42.767992 12.25.244.15:11753 -> 12.82.128.165:11753
TCP TTL:117 TOS:0x0 ID:55601 IpLen:20 DgmLen:40
******S* Seq: 0x3670AF08 Ack: 0x8E702 Win: 0xA9B4 TcpLen: 20

ipchains:

Jun 16 14:12:42 sparky kernel: Packet log: input DENY ppp0 PROTO=6 12.25.244.15:11753 12.82.128.165:11753 L=40 S=0x00 I=55601 F=0x0000 T=117 SYN (#49)

My snort command line:

snort -b -i ppp0 -c /usr/local/snort-1.7/snort.conf &

Relevant parts of snort.conf:

<snip>
# set this at dialup
var HOME_NET 12.82.129.23/32
<snip>
#
# Use one or more syslog facilities as arguments
# DAEMON = facility; ALERT = priority at man syslog.conf(5)
#
output alert_syslog: LOG_DAEMON LOG_ALERT
<snip>
# -------------------------------------------------
# output alert_full
output alert_full: /var/log/snort/alert.full
<snip>
#
include /usr/local/snort-1.7/tcp-local-lib
include /usr/local/snort-1.7/udp-local-lib
include /usr/local/snort-1.7/icmp-local-lib

These are my local rules, which, because of the low overall volume, log *every* packet and alert for a specific set of ports I want to watch real-time.
I run other more detailed rules on a batch basis, but it's the ipchains-based firewall that's stopping everything...
- John

--
John Sage
FinchHaven, Vashon Island, WA, USA
http://www.finchhaven.com/
mailto:jsage () finchhaven com
"The web is so, like, five minutes ago..."
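The point of the mail is that the same packet shows up in both logs: snort (capturing on ppp0 via libpcap) records it, and ipchains then DENYs it in the input chain. An easy way to verify that on your own box is to join the two logs on the packet's addressing and IP ID, which both snort ("ID:55601") and ipchains ("I=55601") print. The following Python correlator is an added example; it is not part of John Sage's mail or of the Snort project. The sample input embeds the snort packet header and the ipchains line quoted above, plus one constructed ipchains line with no snort counterpart so the "missed" case is exercised; the log formats assumed are snort 1.7's packet header (one "src:port -> dst:port" line followed by a "TCP TTL:... ID:..." line) and the ipchains "Packet log:" kernel message, as shown in the mail.

```python
import re

# Sample input. The first snort record and first kernel line are the ones
# quoted in the mail above; the second kernel line is constructed so that
# one DENYed packet has no matching snort record.
SNORT_LOG = """\
06/16-14:12:42.767992 12.25.244.15:11753 -> 12.82.128.165:11753
TCP TTL:117 TOS:0x0 ID:55601 IpLen:20 DgmLen:40
******S* Seq: 0x3670AF08 Ack: 0x8E702 Win: 0xA9B4 TcpLen: 20
"""

KERNEL_LOG = """\
Jun 16 14:12:42 sparky kernel: Packet log: input DENY ppp0 PROTO=6 12.25.244.15:11753 12.82.128.165:11753 L=40 S=0x00 I=55601 F=0x0000 T=117 SYN (#49)
Jun 16 14:12:43 sparky kernel: Packet log: input DENY ppp0 PROTO=6 12.25.244.15:11754 12.82.128.165:11754 L=40 S=0x00 I=55602 F=0x0000 T=117 SYN (#49)
"""

# snort 1.7 packet header: "MM/DD-HH:MM:SS.usec src:sport -> dst:dport"
SNORT_HDR = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)$"
)
# the IP header line that follows it; the IP ID is the join key
SNORT_IP = re.compile(
    r"^(?P<proto>TCP|UDP|ICMP) TTL:(?P<ttl>\d+) TOS:0x[0-9A-Fa-f]+ ID:(?P<ipid>\d+)"
)
# ipchains kernel log: "Packet log: <chain> <target> <iface> PROTO=n src:sport dst:dport L=len S=tos I=ipid ..."
IPCHAINS = re.compile(
    r"Packet log: (?P<chain>\w+) (?P<target>\w+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) (?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+) "
    r"L=(?P<length>\d+) S=0x[0-9A-Fa-f]+ I=(?P<ipid>\d+)"
)


def parse_snort(text):
    """Map (src, sport, dst, dport, ipid) -> snort timestamp for each packet record."""
    seen = {}
    pending = None  # header line waiting for its IP-header line
    for line in text.splitlines():
        line = line.strip()
        m = SNORT_HDR.match(line)
        if m:
            pending = m.groupdict()
            continue
        m = SNORT_IP.match(line)
        if m and pending is not None:
            key = (pending["src"], int(pending["sport"]),
                   pending["dst"], int(pending["dport"]), int(m.group("ipid")))
            seen[key] = pending["ts"]
            pending = None
    return seen


def parse_ipchains(text):
    """Return one dict per ipchains 'Packet log:' line, numeric fields converted."""
    records = []
    for line in text.splitlines():
        m = IPCHAINS.search(line)
        if m:
            rec = m.groupdict()
            for field in ("sport", "dport", "ipid", "length", "proto"):
                rec[field] = int(rec[field])
            records.append(rec)
    return records


def correlate(snort_text, kernel_text):
    """For every ipchains-logged packet, report whether snort recorded the same packet."""
    snort_seen = parse_snort(snort_text)
    results = []
    for rec in parse_ipchains(kernel_text):
        key = (rec["src"], rec["sport"], rec["dst"], rec["dport"], rec["ipid"])
        results.append({"ipchains": rec, "snort_ts": snort_seen.get(key)})
    return results


if __name__ == "__main__":
    for r in correlate(SNORT_LOG, KERNEL_LOG):
        rec = r["ipchains"]
        status = ("seen by snort at " + r["snort_ts"]) if r["snort_ts"] else "NOT in snort log"
        print(f"{rec['chain']} {rec['target']} {rec['iface']} "
              f"{rec['src']}:{rec['sport']} -> {rec['dst']}:{rec['dport']} "
              f"id={rec['ipid']}: {status}")
```

Run against your real alert.full and /var/log/messages, a DENYed packet that turns up as "NOT in snort log" is the case Collins describes, and on a plain ppp0 setup like the one above you should not find any; if you do, the usual suspects are HOME_NET not matching the current dialup address or a rule set that simply does not cover that port, not the firewall hiding the packet.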
Current thread:
- nort behind ipchains 'blind'? Martijn Heemels (Jul 03)
- RE: nort behind ipchains 'blind'? Neal Timm (Jul 03)
- <Possible follow-ups>
- Re: nort behind ipchains 'blind'? Matthew Collins (Jul 04)
- Re: nort behind ipchains 'blind'? John Sage (Jul 04)