Snort mailing list archives
RE: Snort with IPTables
From: "Martijn Heemels" <martijn () heemels com>
Date: Sun, 13 Jan 2002 15:31:08 +0100
Have a look at the email thread that John Sage <jsage () finchhaven com> and I had on this same subject a while back on the list. IIRC, some of his findings seem to contradict some things that I had thought. Now, I could be smoking crack, but I don't know who's right any more. :) Anyone want to jump in and save my sanity? If not, I'm going out to have a rather good single malt scotch. Research shall have to wait till Monday!
Hi all,

I've also had an e-mail exchange with John Sage on this, following my similar question to the list. Since a lot is still unclear about Snort's behaviour on(!) a firewall box and I don't have the ability to test anything (I'm just a student with one hobby server) I can only offer my personal experiences.

On my humble little server running linux-2.2.16-3 with ipchains-1.3.9-5 and libpcap-0.6.2-7, Snort does NOT see all traffic reaching the outside interface. The ipchains ruleset is as paranoid as possible since a bunch of ports are open (the box has about a dozen servers running), but only traffic targeted at open ports is seen by Snort. I get a lot of CodeRed/Nimda related activity and some Squid proxy scans, but not much else. The box is connected directly to a cable modem device, so there are no switches involved. Neither is the ISP filtering any traffic (that I know of).

I don't know enough about the layers of networking to know why my box doesn't do what Matt's boxes do, so I'll leave that to the experts (i.e. you). Hope this helps build a general consensus. :-) (and ease Erek's conscience)
G'nite for now...
and a good morning too, Erek!
-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net