Snort mailing list archives
RE: snort + IPFilter?
From: "Gonzalez, Albert" <albert.gonzalez () eds com>
Date: Fri, 31 Jan 2003 14:13:46 -0500
If you're scanning yourself from the same machine, you won't see the scans with snort. I have a default deny with my firewall (on the same machine) and snort can still see the packets and alert on them. I'm going to start saying you're on a switch rather than a HUB.

Cheers!
Alberto Gonzalez

If you want to actively block, go ahead and check out snortsam:
http://www.snortsam.net/

-----Original Message-----
From: Everist, Benjamin S. (NASWI) [mailto:EveristB () naswi navy mil]
Sent: Friday, January 31, 2003 11:31 AM
To: Snort-users () lists sourceforge net
Subject: [Snort-users] snort + IPFilter?

Pardon the cross-posting; some of this may be more appropriate on freebsd-questions, but I am having serious problems posting questions to that list.

I'm running snort-1.9.0 logging to MySQL, displaying on ACID b22, on a FreeBSD box. I have IPFilter running on the same machine with the kernel options and ruleset shown below. It's not a firewall, just a host on the network.

On snort, I am seeing only broadcast UDP traffic, no TCP whatsoever, even when I nmap the machine. I made an assumption, which I am now starting to doubt, that while adopting a default-block stance and only allowing specific connections via the ethernet interface, snort would still log (all) alerts. It has been brought to my attention I may be on a switch rather than a hub, but I should still see nmap alerts when I am directing the scan on myself, shouldn't I?

Any help would be appreciated....

Benjamin Everist

Other/more information:

This is what I start snort with:

    #snort -D -i xl0 -c /usr/local/snort-1.9.0/etc/snort.conf

My snort.conf is essentially default except I have defined var HOME_NET and defined my output options.

Firewall options - IPFilter:

    options IPFILTER
    options IPFILTER_LOG
    options IPFILTER_DEFAULT_BLOCK

IPFilter ruleset:

    #block all garbage we never want to accept:
    block in log quick from any to any with ipopts
    block in log quick proto tcp from any to any with short

    #lo0
    pass in quick on lo0 all
    pass out quick on lo0 all

    #outbound xl0
    pass out on xl0 all keep state head 100
    block out from 127.0.0.0/8 to any group 100
    block out from any to 127.0.0.0/8 group 100
    block out from any to 172.16.100.9/32 group 100

    #inbound xl0
    block in on xl0 all head 200
    block in from 127.0.0.0/8 to any group 200
    block in from 172.16.100.9/32 to any group 200
    pass in quick proto tcp from any to any port = www keep state group 200
    pass in quick proto tcp from any to any port = 22 keep state group 200
    block return-rst in log proto tcp from any to any flags S/SA group 200
    block return-icmp(net-unr) in proto udp all group 200
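Added example (not part of the thread, and not code from the Snort or IPFilter projects): a small Python model of the ruleset Benjamin posted, applied to a handful of constructed packets. For each packet it reports what the ruleset would do with it, whether the deciding rule logs, and whether a sensor started with snort -i xl0 could see the packet at all. The assumptions are labelled in the code: 172.16.100.9 is taken to be the box's own xl0 address (it is the address the ruleset refuses to accept from or send to), packets a host sends to its own address are taken to stay on lo0, and ipf's group/quick/last-match handling is approximated rather than reproduced. The point it illustrates is the one the thread turns on: a scan of the box from itself travels over lo0, where an xl0 sensor never sees it, while a remote SYN to a closed port reaches xl0 and is logged by the "block return-rst ... log" rule in group 200, so ipf's own log is a useful cross-check for what snort should have alerted on.

```python
"""Model of the posted IPFilter ruleset on constructed packets (pass/block/logged) and of what
"snort -i xl0" sees at all.  Added example, not from the thread; ipf semantics approximated."""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass
HOST = "172.16.100.9"  # assumed: the box's own xl0 address (the ruleset's anti-spoof target)
RULESET = """
block in log quick from any to any with ipopts
block in log quick proto tcp from any to any with short
pass in quick on lo0 all
pass out quick on lo0 all
pass out on xl0 all keep state head 100
block out from 127.0.0.0/8 to any group 100
block out from any to 127.0.0.0/8 group 100
block out from any to 172.16.100.9/32 group 100
block in on xl0 all head 200
block in from 127.0.0.0/8 to any group 200
block in from 172.16.100.9/32 to any group 200
pass in quick proto tcp from any to any port = www keep state group 200
pass in quick proto tcp from any to any port = 22 keep state group 200
block return-rst in log proto tcp from any to any flags S/SA group 200
block return-icmp(net-unr) in proto udp all group 200
"""  # the posted ruleset, comments dropped

@dataclass
class Rule:  # match fields left at None mean "any"
    text: str; action: str; direction: str; log: bool = False; quick: bool = False
    iface: str = None; proto: str = None; src: object = None; dst: object = None
    dport: int = None; flags: tuple = None; with_opt: str = None
    head: int = None; group: int = None

@dataclass
class Packet:  # flags: TCP flags set, "S" = bare SYN; with_opt: "ipopts" / "short" / None
    iface: str; direction: str; proto: str; src: str; dst: str
    dport: int = 0; flags: str = ""; with_opt: str = None

def parse_rule(line):
    t = line.split()
    i = 2 if t[1].startswith("return-") else 1  # skip return-rst / return-icmp(...)
    r = Rule(text=line, action=t[0], direction=t[i]); i += 1
    while i < len(t):
        tok = t[i]
        if tok == "log": r.log = True
        elif tok == "quick": r.quick = True
        elif tok == "all": pass
        elif tok == "keep": i += 1  # "keep state": the state table is not modelled
        elif tok in ("on", "proto", "with"):
            i += 1; setattr(r, {"on": "iface", "proto": "proto", "with": "with_opt"}[tok], t[i])
        elif tok in ("from", "to"):
            i += 1; setattr(r, "src" if tok == "from" else "dst",
                            None if t[i] == "any" else ipaddress.ip_network(t[i]))
        elif tok == "port": i += 2; r.dport = {"www": 80}.get(t[i]) or int(t[i])  # "port = www"
        elif tok == "flags": i += 1; r.flags = tuple(t[i].split("/"))  # "S/SA" -> ("S", "SA")
        elif tok in ("head", "group"): i += 1; setattr(r, tok, int(t[i]))
        else: raise ValueError(f"unknown token {tok!r} in {line!r}")
        i += 1
    return r

def matches(r, p):
    if r.direction != p.direction or (r.iface and r.iface != p.iface): return False
    if r.proto and r.proto != p.proto: return False
    if r.src and ipaddress.ip_address(p.src) not in r.src: return False
    if r.dst and ipaddress.ip_address(p.dst) not in r.dst: return False
    if r.dport is not None and r.dport != p.dport: return False
    if r.flags and {f for f in p.flags if f in r.flags[1]} != set(r.flags[0]): return False
    return not r.with_opt or r.with_opt == p.with_opt

def evaluate(rules, p):
    # Last match wins; 'quick' ends the search; a matching 'head' rule hands the
    # packet to its group, whose matching rules override the head's own action.
    last = None
    for r in (x for x in rules if x.group is None):
        if not matches(r, p): continue
        last = r
        if r.head is not None:
            for g in (x for x in rules if x.group == r.head):
                if matches(g, p):
                    last = g
                    if g.quick: return g
        if r.quick: return last
    return last

def verdict(rules, p):
    r = evaluate(rules, p)  # no match at all falls to IPFILTER_DEFAULT_BLOCK
    return ("block", False) if r is None else (r.action, r.log)

RULES = [parse_rule(l) for l in RULESET.strip().splitlines()]
SAMPLES = {  # constructed; assumed: a scan of the box's own address stays on lo0
    "remote SYN to 22": Packet("xl0", "in", "tcp", "10.0.0.5", HOST, 22, "S"),
    "remote SYN to 25": Packet("xl0", "in", "tcp", "10.0.0.5", HOST, 25, "S"),
    "remote SYN, IP options": Packet("xl0", "in", "tcp", "10.0.0.5", HOST, 80, "S", "ipopts"),
    "NetBIOS broadcast": Packet("xl0", "in", "udp", "172.16.100.3", "172.16.100.255", 138),
    "nmap of this box from itself": Packet("lo0", "in", "tcp", HOST, HOST, 25, "S"),
}

def report():
    """name -> (ipf action, ipf logs it, snort on xl0 sees it).  snort -i xl0 reads
    xl0's BPF tap only, so lo0 traffic never reaches it, whatever ipf decides."""
    return {n: verdict(RULES, p) + (p.iface == "xl0",) for n, p in SAMPLES.items()}
```

report() returns the table; printing it next to what ipmon logged and what ACID showed for the same scan makes the gap visible: the only packets an xl0 sensor can miss are the ones that never crossed xl0.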
Current thread:
- snort + IPFilter? Everist, Benjamin S. (NASWI) (Jan 31)
- <Possible follow-ups>
- RE: snort + IPFilter? Gonzalez, Albert (Jan 31)
- RE: snort + IPFilter? Everist, Benjamin S. (NASWI) (Feb 04)
- RE: snort + IPFilter? Demetri Mouratis (Feb 04)
- RE: snort + IPFilter? Everist, Benjamin S. (NASWI) (Feb 04)
- RE: snort + IPFilter? Everist, Benjamin S. (NASWI) (Feb 04)