Snort mailing list archives
Re: Snort + ipchains
From: John Sage <jsage () finchhaven com>
Date: Sat, 01 Dec 2001 21:01:15 -0800
John: John Berkers wrote:
As I recall from the discussion some time ago, it was decided that a box running both firewall and snort would only see traffic that is allowed through the firewall rules because the initial handshake is never completed. The SYN packet is always blocked, and therefore the exploit packet will never be seen.
Yes. This is quite true. So, one can make a general assumption about what a probe to a given port might be, but really all you'll see is the initial SYN packet(s).
In my situation (dialup, dynamic IP, firewall) I've written all my own custom rules to watch specific ports, because the snort rules for most exploits are irrelevant, given that the firewall keeps everything beyond the initial SYN on the outside.
I do run the default snort rules on my -b binary packet captures, later, but again, I don't get many alerts from them...
What this amounts to is only being able to see SYN based traffic and exploits on ports that are open (perhaps for a specific set of addresses). It was suggested at the time that the FAQ should be updated, but as far as I can tell it still only says:

4.3 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: Snort is behind a firewall (ipf/pf/ipchains/ipfilter) and awfully quiet...
A: Your firewall rules will also block traffic to the snort processes.

Perhaps it should be brought up-to-date by adding something like this:

4.19 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: Snort is on my firewall (ipf/pf/ipchains/ipfilter) and awfully quiet...
A: While Snort also sees the packets that the firewall does, if the exploit that the signature catches requires a connection to be established, the exploit will never be sent. The firewall blocks the three-way-handshake process and you never get a connection, therefore you never get the exploit packet.
Exactly. Not a bad idea to re-phrase it this way... - John
Just my take on the situation. Hope that clears up some questions.

Regards,
John Berkers
ICQ: 112912
Network Services
Hansen Corporation
john.berkers () hancorp com au
berjo () ozemail com au
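As an added illustration (not part of the thread or of Snort itself), a small Python model of the point both posters make above: a sniffer on the firewall host still captures the inbound SYN, but a SYN the input chain drops never gets a SYN/ACK, so the exploit bytes a stock content signature needs are never sent, while a flags:S rule on a watched port still fires. The firewall policy, addresses and payload below are constructed, not taken from any real configuration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    dst_port: int
    flags: str            # TCP flags as Snort spells them: S, SA, A, PA
    payload: bytes = b""

# Constructed policy in the spirit of an ipchains input chain with a default DENY:
# only SYNs to these ports reach a listening service. Not a real ruleset.
OPEN_PORTS = frozenset({22})

def firewall_accepts(pkt: Packet) -> bool:
    """Stateless per-packet decision on inbound traffic to the firewall host."""
    return pkt.dst_port in OPEN_PORTS

def packets_seen_by_sensor(attacker: str, dst_port: int, exploit: bytes) -> list[Packet]:
    """Every packet a sniffer on the firewall host observes for one connection attempt.

    libpcap captures the inbound frame before the input chain drops it, so the SYN
    is always seen. The rest of the exchange exists only if the SYN is accepted,
    because the remote stack sends no ACK or data until it receives a SYN/ACK.
    """
    syn = Packet(attacker, dst_port, "S")
    seen = [syn]
    if not firewall_accepts(syn):
        return seen                   # handshake never completes: the SYN is all there is
    seen.append(Packet("firewall", dst_port, "SA"))
    seen.append(Packet(attacker, dst_port, "A"))
    seen.append(Packet(attacker, dst_port, "PA", exploit))
    return seen

def content_rule_fires(seen: list[Packet], dst_port: int, content: bytes) -> bool:
    """Model of a stock signature that needs the exploit bytes on the wire."""
    return any(p.dst_port == dst_port and content in p.payload for p in seen)

def syn_rule_fires(seen: list[Packet], dst_port: int) -> bool:
    """Model of the custom 'SYN to a watched port' rule described in the thread."""
    return any(p.dst_port == dst_port and p.flags == "S" for p in seen)

if __name__ == "__main__":
    EXPLOIT = b"CONSTRUCTED-EXPLOIT-BYTES"     # made-up payload, not a real exploit
    blocked = packets_seen_by_sensor("203.0.113.5", 111, EXPLOIT)
    print(len(blocked), content_rule_fires(blocked, 111, EXPLOIT), syn_rule_fires(blocked, 111))
    # -> 1 False True
    allowed = packets_seen_by_sensor("203.0.113.5", 22, EXPLOIT)
    print(len(allowed), content_rule_fires(allowed, 22, EXPLOIT))
    # -> 4 True
```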