Snort mailing list archives
Re: Snort + ipchains
From: John Sage <jsage () finchhaven com>
Date: Sat, 01 Dec 2001 13:15:45 -0800
Martijn:

Martijn Heemels wrote:
<snip>
> I'm actually running snort *on* the same box as ipchains. So, it's at the border of my network. However, still only non-firewalled ports are visible. I have kind of given up on getting snort to see all traffic on this box, assuming there must be something unusual about it (hardware or software). Since I run snort only as a hobby project on my home LAN to learn about computer-security related stuff, I stopped trying to solve the problem. I'm pretty content actually getting alerts on the traffic that crosses the firewall, since the stuff that gets blocked doesn't hurt me anyway :-). Erek Adams would say that I need more coffee and it would all become clear ;-D
That's weird about only seeing non-firewalled packets. That's about exactly what I'm doing.
My firewall essentially blocks everything except the masq range, and a couple other services...
I've got RedHat 6.2 (2.2.14-5.0 kernel, ipchains 1.3.9), but I'm doing ppp through my modem at home, too... though I can't see what difference ppp would make.
snort command line:

    snort -b -i ppp0 -c /usr/local/snort-1.8.2/snort182.conf
so I'm running in binary log mode and specifying the interface on the command line..
Relevant stuff... /* god this is becoming *real* weird -- didn't you and I have exactly this *same* conversation last spring!? */

...from snort.conf:

    var HOME_NET $ppp0_ADDRESS
    var EXTERNAL_NET any
    # output alert_full
    output alert_full: /var/log/snort/alert182.full
    # as from RELEASE

And then essentially I'm running only my own rules that either: 1) alert on specific ports first, 2) alert on port ranges second, 3) or log everything:

    #
    # attempt in snort182.conf for snort 1.8.2 11/25/01 - works ;-)
    # attempt in snort18REL.conf for snort 1.8.1-RELEASE
    # wasn't shown originally: works as from 1.7
    <snip>
    #=========================================
    include /usr/local/snort-1.8.2/tcp182-local.rules
    include /usr/local/snort-1.8.2/udp182-local.rules
    include /usr/local/snort-1.8.2/icmp182-local.rules
    # as from RELEASE

this is so that snort sees *every* packet realtime, and does something to every one...

As an example of some rules:

    #
    alert tcp $EXTERNAL_NET any -> $HOME_NET 137 (msg:"TCP to 137 netBIOS ns";)
    alert tcp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"TCP to 138 netBIOS ds";)
    alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"TCP to 139 netBIOS ss";)
    alert tcp $EXTERNAL_NET 137 -> $HOME_NET any (msg:"TCP from 137 netBIOS ns";)
    alert tcp $EXTERNAL_NET 138 -> $HOME_NET any (msg:"TCP from 138 netBIOS ds";)
    alert tcp $EXTERNAL_NET 139 -> $HOME_NET any (msg:"TCP from 139 netBIOS ss";)
    #

And I would see these alerts even though the ports are blocked by ipchains. Later on I analyze the binary logs with the other rulesets that actually come with snort, using a shell alias that says:

    alias snort182check='snort182 -dv -i ppp0 -l . -P 2000 -c /usr/local/snort-1.8.2/snort182check.conf -r '

and *that* conf file points at the original snort rules... Anyway..

- John
> Anyway, if you have any tips left, let me know. I'm running a completely updated redhat 6.2 on i386 with ipchains-1.3.9-5 and a 3com509 NIC
>
> Greets, Martijn
>
> P.S. Wish I was a *rich* student so I could build a cheap dedicated snort box. But then again, there are a lot of other cool networking things one can do with money...
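An added example, not code from the thread or from the Snort project: a small Python evaluator for the header-only rule style John shows above, run over constructed packets. It reads the `var` lines and the six netBIOS rules in the same syntax, and goes a step further than the post by also handling the other two tiers John describes (a constructed port-range rule `137:139` and a catch-all `log` rule). Assumptions: `HOME_NET` is set to a constructed literal address (192.0.2.10) instead of `$ppp0_ADDRESS`, `include` lines are skipped, and only the protocol, address and port fields of the rule header are evaluated (no payload options). The packet tuples and addresses are constructed for the example. The point it illustrates is the one John makes: a sniffer-side rule set is evaluated on every captured packet, so it can alert on traffic to ports a host firewall would otherwise drop.

```python
# Added example (not from the thread): evaluator for Snort 1.x header-only
# rules.  HOME_NET below is a constructed literal (real conf: $ppp0_ADDRESS);
# include lines are ignored; payload options are not evaluated.
import ipaddress
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

RULE_RE = re.compile(
    r"^(?P<action>alert|log|pass)\s+(?P<proto>tcp|udp|icmp|ip)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+->\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*"
    r"\((?P<opts>.*)\)\s*$"
)

SAMPLE_CONF = """
var HOME_NET 192.0.2.10
var EXTERNAL_NET any
# the netBIOS rules quoted in the thread (tier 1: specific ports)
alert tcp $EXTERNAL_NET any -> $HOME_NET 137 (msg:"TCP to 137 netBIOS ns";)
alert tcp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"TCP to 138 netBIOS ds";)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"TCP to 139 netBIOS ss";)
alert tcp $EXTERNAL_NET 137 -> $HOME_NET any (msg:"TCP from 137 netBIOS ns";)
alert tcp $EXTERNAL_NET 138 -> $HOME_NET any (msg:"TCP from 138 netBIOS ds";)
alert tcp $EXTERNAL_NET 139 -> $HOME_NET any (msg:"TCP from 139 netBIOS ss";)
# constructed: tier 2 (port range) and tier 3 (log everything)
alert tcp $EXTERNAL_NET any -> $HOME_NET 137:139 (msg:"TCP to netBIOS range";)
log tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"log everything";)
"""


@dataclass
class Packet:
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]


@dataclass
class Rule:
    action: str
    proto: str
    msg: str
    src: Callable[[str], bool]
    sport: Callable[[Optional[int]], bool]
    dst: Callable[[str], bool]
    dport: Callable[[Optional[int]], bool]


def port_matcher(spec: str) -> Callable[[Optional[int]], bool]:
    """'any', a single port, or a Snort range 'lo:hi' (either end may be empty)."""
    if spec == "any":
        return lambda p: True
    if ":" in spec:
        lo, hi = spec.split(":", 1)
        lo_n, hi_n = (int(lo) if lo else 0), (int(hi) if hi else 65535)
        return lambda p: p is not None and lo_n <= p <= hi_n
    n = int(spec)
    return lambda p: p == n


def addr_matcher(spec: str, variables: Dict[str, str]) -> Callable[[str], bool]:
    """'any', a $VAR defined by an earlier var line, a host, or a CIDR block."""
    if spec.startswith("$"):
        spec = variables[spec[1:]]
    if spec == "any":
        return lambda a: True
    net = ipaddress.ip_network(spec, strict=False)
    return lambda a: ipaddress.ip_address(a) in net


def parse_rules(text: str) -> List[Rule]:
    """Parse var lines and rule headers; comments, blanks and includes are skipped."""
    variables: Dict[str, str] = {}
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("include"):
            continue
        if line.startswith("var "):
            _, name, value = line.split(None, 2)
            variables[name] = value
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unparsed rule line: {line}")
        msg = re.search(r'msg:\s*"([^"]*)"', m["opts"])
        rules.append(Rule(
            action=m["action"], proto=m["proto"],
            msg=msg.group(1) if msg else "",
            src=addr_matcher(m["src"], variables), sport=port_matcher(m["sport"]),
            dst=addr_matcher(m["dst"], variables), dport=port_matcher(m["dport"]),
        ))
    return rules


def matching_msgs(pkt: Packet, rules: List[Rule]) -> List[str]:
    """Messages of every rule whose header matches the captured packet.
    Nothing here consults a firewall verdict: the capture is what the rules see."""
    return [r.msg for r in rules
            if r.proto in (pkt.proto, "ip")
            and r.src(pkt.src) and r.sport(pkt.sport)
            and r.dst(pkt.dst) and r.dport(pkt.dport)]


if __name__ == "__main__":
    rs = parse_rules(SAMPLE_CONF)
    # constructed external host 198.51.100.7 probing the netBIOS session port
    print(matching_msgs(Packet("tcp", "198.51.100.7", 4321, "192.0.2.10", 139), rs))
```

Running it prints the three rules that fire for a SYN to port 139 (the specific-port alert, the range alert and the catch-all log), which is exactly the kind of alert John reports seeing for ports ipchains blocks; a packet to an unrelated port only reaches the catch-all, and traffic to an address outside HOME_NET matches nothing.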