Snort mailing list archives
Re: Snort + ipchains
From: Ed Wiget <security () rhpstudios com>
Date: Sun, 2 Dec 2001 00:24:54 -0500
I was also in this discussion last spring and even tried various ipchains/iptables configurations and snort on the same box without much luck (all ethernet connections and not ppp). I tried various configurations of deny all except explicitly allowed, allow all but blocking specific ports/services, and allow all sending to /dev/null. With baselined systems running various configurations of iptables/ipchains for several days undisturbed, snort obviously picked up the allow all configurations better but was just too insecure to let run without becoming extremely paranoid.

My normal production configuration is a hub sharing the internet connection with snort on one box using a listen-only ethernet to catch all pre-routed packets and a firewalled router also running snort to catch the packets to the lan/dmz. I came to the conclusion that snort only sees the packets allowed through the firewall based on these tests. I believe I posted my results to the list or at least some of the persons in the discussion.

-- 
Ed Wiget
Senior Network Security Consultant
RHP Studios "Keeping Your Data Safe!"
http://www.rhpstudios.com
email: security () rhpstudios com

On Saturday 01 December 2001 09:20 pm, you wrote:
> On Sat, 1 Dec 2001, Martijn Heemels wrote:
> > Erik Adams would say that I need more coffee and it would all become clear ;-D
>
> Of course! All things can be solved with massive amounts of coffee. ;-) I think John Berkers had his! I like his suggestion of:
>
> A: While Snort also sees the packets that the firewall does, if the exploit that the signature catches requires a connection to be established, the exploit will never be sent. The firewall blocks the three-way-handshake process and you never get a connection, therefore you never get the exploit packet.
>
> -----
> Erek Adams
> Nifty-Type-Guy
> TheAdamsFamily.Net

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
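The handshake argument Erek quotes, as an added simulation of the two sensor placements Ed describes (a listen-only box on the hub in front of the filter, and a sensor on the firewalled router behind it). This is my own constructed example, not code from anyone in the thread; the packet model, the port-based filter and the `EXPLOIT` signature string are all assumptions standing in for ipchains rules and a Snort `content:` match.

```python
from dataclasses import dataclass

EXPLOIT_SIGNATURE = b"EXPLOIT"  # constructed stand-in for a Snort content: match


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    flags: str          # TCP flags, e.g. "S" (SYN), "A" (ACK), "PA" (PSH/ACK)
    payload: bytes = b""


def filter_allows(pkt: Packet, allowed_ports: set[int]) -> bool:
    """Stateless deny-all-except-explicitly-allowed inbound filter (one of the configurations in the thread)."""
    return pkt.dport in allowed_ports


def run_attack(allowed_ports: set[int], target_port: int):
    """Model a sender that transmits its payload only after a completed three-way handshake.

    Returns (pre, post): packets seen by a sensor on the hub in front of the
    filter and by a sensor on the firewalled router behind it."""
    pre, post = [], []

    def send(pkt: Packet) -> bool:
        pre.append(pkt)                       # hub sensor sees everything inbound
        if filter_allows(pkt, allowed_ports):
            post.append(pkt)                  # router sensor sees only accepted packets
            return True
        return False

    if not send(Packet("attacker", "victim", target_port, "S")):
        return pre, post  # SYN dropped: no SYN-ACK comes back, handshake never completes
    # SYN-ACK returns outbound (not filtered in this model); the sender finishes the handshake
    send(Packet("attacker", "victim", target_port, "A"))
    send(Packet("attacker", "victim", target_port, "PA", b"GET /" + EXPLOIT_SIGNATURE))
    return pre, post


def alerts(seen: list[Packet]) -> list[Packet]:
    """Snort-style content match over the packets a sensor actually saw."""
    return [p for p in seen if EXPLOIT_SIGNATURE in p.payload]
```

With port 80 allowed and port 23 blocked, the hub sensor records only the single dropped SYN for port 23 (a scan, not an exploit), and the router sensor records nothing at all; only the allowed port ever produces a signature hit on either sensor.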
Current thread:
- Snort + ipchains Guillaume (Nov 30)
- Re: Snort + ipchains John Sage (Nov 30)
- RE: Snort + ipchains Martijn Heemels (Dec 01)
- Re: Snort + ipchains John Sage (Dec 01)
- RE: Snort + ipchains Martijn Heemels (Dec 01)
- Re: Snort + ipchains John Sage (Dec 01)
- RE: Snort + ipchains Erek Adams (Dec 01)
- Re: Snort + ipchains Ed Wiget (Dec 01)
- RE: Snort + ipchains Martijn Heemels (Dec 01)
- Re: Snort + ipchains John Sage (Nov 30)
- Re: Snort + ipchains John Sage (Dec 01)
- RE: Snort + ipchains John Berkers (Dec 01)
- Re: Snort + ipchains John Sage (Dec 01)
- RE: Snort + ipchains Martijn Heemels (Dec 02)
- Re: Snort + ipchains John Sage (Dec 02)