Snort mailing list archives

Re: Snort stops logging


From: Paul Schmehl <pauls () utdallas edu>
Date: Fri, 02 Jul 2004 10:13:26 -0500

--On Friday, July 02, 2004 11:36:06 AM +0200 Ralf Eberle <iceman () iceserver ath cx> wrote:

I have included my ruleset below. I need to say that this is my first
firewall setup and my first own rules.

Before you set up a firewall, you need to decide what your goal is. Are you aware that your firewall has a default "allow all" policy? In general, when setting up a host-based firewall, a "deny all" default policy is preferred. This ensures that only the things you allow to pass in will do so.

Thanks in advance for your help.

Ralf Eberle

Here is my ruleset:

20000       0         0 check-state

20000   95554   9313534 allow ip from any to any via lo0

Immediately after this rule, you should have one that allows all traffic to pass to the NIC that snort is listening on. Something like this:

20001 allow ip from any to any via xl0

Do you have two NICs in this machine? One for snort to listen on, and one for "normal" traffic?

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/ir/security/
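
An added example, not part of the original message: a small Python check over `ipfw show` / `ipfw list` output that reports the default policy (ipfw's built-in final rule 65535) and whether an explicit pass-all rule for the sensor interface comes before any catch-all deny. The two rulesets are constructed around the rules quoted in the thread; the function names and the simplified rule matching (only plain `ip`/`all from any to any [via IF]` rules are recognised) are assumptions.

```python
import re

# Constructed rulesets. The two 20000 rules and rule 20001 are quoted from the
# thread; the SSH rule and the 65535 lines are made up for illustration.
BEFORE = """\
20000       0         0 check-state
20000   95554   9313534 allow ip from any to any via lo0
20100    1200     96000 allow tcp from any to me 22 setup keep-state
65535   40211   3811022 allow ip from any to any
"""
AFTER = """\
20000 check-state
20000 allow ip from any to any via lo0
20001 allow ip from any to any via xl0
20100 allow tcp from any to me 22 setup keep-state
65535 deny ip from any to any
"""

# Rule number, optional packet/byte counters (`ipfw show`), then the rule body.
LINE = re.compile(r"^\s*(\d+)\s+(?:\d+\s+\d+\s+)?(\S.*)$")
CATCH_ALL = re.compile(
    r"^(allow|accept|pass|permit|deny|drop)\s+(?:ip|all)\s+"
    r"from any to any(?:\s+via\s+(\S+))?$")

def parse(text):
    """Return [(rule_number, body)] in evaluation order."""
    rules = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            rules.append((int(m.group(1)), " ".join(m.group(2).split())))
    return rules

def audit(text, sensor_if):
    """Report the default policy and the explicit pass-all rule for sensor_if."""
    default, passthrough, blocked = None, None, False
    for num, body in parse(text):
        m = CATCH_ALL.match(body)
        if not m:
            continue  # not a catch-all rule; outside this simplified check
        allow = m.group(1) in ("allow", "accept", "pass", "permit")
        if num == 65535:
            default = "allow" if allow else "deny"
        elif m.group(2) in (None, sensor_if) and passthrough is None and not blocked:
            if allow:
                passthrough = num   # first pass-all rule covering the sensor NIC
            else:
                blocked = True      # a catch-all deny is evaluated first
    return {"default": default, "sensor_passthrough": passthrough}
```

`audit(BEFORE, "xl0")` describes the posted ruleset (default allow, no explicit rule for the sensor interface); `audit(AFTER, "xl0")` describes a ruleset with the suggested rule 20001 and a deny-all default.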

