Snort mailing list archives

RE: ipchains problem(s)


From: "Tommy Eriksson" <tommy.eriksson () ctakt com>
Date: Fri, 22 Feb 2002 16:25:14 +0100

I'm no expert in this area but I think this is a matter of kernel
implementation. I read about a patch (for Linux) that allows you to block
packets with ipchains before the Ethernet bridging code gets them, but I
don't know what the default behavior for the kernel is or if it can be
altered.

/Tommy

-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net]On Behalf Of ipfw sponix
Sent: den 22 februari 2002 15:38
To: snort-users () lists sourceforge net
Subject: RE: [Snort-users] ipchains problem(s)


tommy.eriksson () ctakt com
I'm looking to do a setup like this:


                          Net
                           |
                        Router
                           |
                       Snort Box (Doing Ethernet Bridging)
                           |
                        Switch
                           /\
                          /  \
                         /    \
smb billing etc <-Private  || Public Net-> www ftp mail dns

My question is, could the snort box doing Ethernet bridging actually block
tcp/udp/icmp/etc/etc type packets coming over the network with this approach
(freebsd or linux) even though it is transparent to the network (I might
assign an IP for remote access)?

Thank you very much for your time,
sponix



From: "Tommy Eriksson" <tommy.eriksson () ctakt com>
To: <snort-users () lists sourceforge net>
Subject: RE: [Snort-users] ipchains problem
Date: Fri, 22 Feb 2002 15:14:03 +0100


Ok, if I understood you correctly your setup looks something like this (You
stated that your snort box only had one interface):

                *********
                * Snort *
                *********
                    |
                    |
               ***********   ************
 [Internet]----*   HUB   *---* Firewall *---[Intranet]
               ***********   ************

If this is the case there is no way for the snort box to block IP traffic
to your Intranet.

/Tommy

-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net]On Behalf Of
drazen.pranic () agrokor hr
Sent: den 22 februari 2002 14:22
To: Snort
Subject: [Snort-users] ipchains problem


Hello,
Dear Snort users, I urgently need help.
One problem takes me a lot of time.
In our company we want to improve our security. We have a commercial firewall.
We chose snort as IDS solution. Snort runs on a Linux machine in front of the
whole network.
The whole IP traffic passes through it. Now, we want to configure ipchains
with snort.
I found the guardian script that automatically does that. It works ok, but we
have a problem with ipchains.
When an attack came on the IP address of the Linux machine, ipchains blocked
it correctly.
(Linux machine has only one interface.)
The problem is when an attack came on the IP addresses of the commercial
firewall (which is behind snort), nothing happened.
It seems that ipchains blocks only traffic for the Linux server.
I failed to manually block other IP addresses.
How can we block a whole range of IP addresses?
Thanks for any help,
Drazen


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users







