Snort mailing list archives
Re: snort behind firewall ??
From: "Security" <security () rhpstudios com>
Date: Tue, 1 May 2001 15:03:27 -0000
Someone can correct me if I'm wrong on this 'theory' (sorry for the long post): One of the things I haven't seen anyone mention in all of the 'snort through firewall' posts is how the firewall input chain treats packets and the default policy for the firewall. It would seem to me that this would be the deciding factor in whether snort would work properly through a firewall; possibly kernel version & configuration would also affect this... or at least that's my theory.

For example, a firewall policy set up as DENY all packets except those specifically allowed would likely not allow snort to see anything except packets allowed through the firewall. With a firewall policy that DROPS all incoming SYN packets on the external interface, those packets wouldn't make it to snort. A firewall policy with an input rule set to ACCEPT by default and then processing the packet based on other rules would let packets make it to snort... although a default policy of ACCEPT on the input chain would seem like a huge security risk.

Just out of curiosity, I've set up a test box to test the above conditions. It's running Redhat Linux v7.1, default custom install kernel 2.4.2, a custom firewall built on ipchains v1.3.10 (Sept 1, 2000), snort version 1.8-beta3 (build 12), libpcap from the snort download page, and vision.conf/vision.rules dated April 26.

What I have found thus far is that snort didn't log much of anything with a default DENY-except-explicitly-allowed policy, running for a few weeks under both Redhat v7 and 7.1 (it did detect, both incoming and outgoing, a virus (I-Worm.Hybris.B, "snow white") I received via email, and then decided to use for testing and purposely sent to myself via external POP).
When I dropped and logged all incoming SYN packets to the external interface, the only thing snort logged was ICMP packets from the internal interface to a random host that didn't exist on the external interface, plus the same virus I sent above to myself. I let this configuration run for three days, and ipchains logged a lot of dropped traffic to /var/log/messages that was not picked up by snort.

I'm just getting ready to reconfigure for incoming default ACCEPT on input, and will be watching this one closely.

Ed Wiget
RHP Studios

----- Original Message -----
From: "Andre Goeree" <abgoeree () uwnet nl>
To: "snort-users" <snort-users () lists sourceforge net>
Sent: Tuesday, May 01, 2001 7:10 AM
Subject: Re: [Snort-users] snort behind firewall ??
On Mon, Apr 30, 2001 at 11:12:43AM -0700, Josh Oshiro wrote:

It is up in the air right now whether or not snort can see packets before the firewall drops them. It seems it is system dependent. I would like to take a poll of who can snort through their firewall and who can't. We'll need to know what kernel you are using, how it's configured, what firewall you're using, how it's configured, and what OS you're using.

Hello,

I'm snorting through my packet filter on:

OS: FreeBSD 4.3-STABLE #0: Thu Apr 26 22:51:58 CEST 2001
kernel options: IPFILTER IPFILTER_LOG
FW: IP Filter: v3.4.16
FW config: only connections to outside are permitted (stateful); anything coming in is blocked
Snort is listening on the outside device: tun0 (user ppp)

So far I have successfully picked up portscans while testing the firewall.

--Andre.

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
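Ed's check of what ipchains dropped against what snort logged can be automated. The script below is an added example, not code from the thread: it keys ipchains "Packet log:" DENY/REJECT entries and Snort fast-format alerts on (proto, src, dst, dport) and lists the firewall-dropped flows that never produced a Snort alert. All log lines are constructed samples.

```python
import re

# Constructed sample of ipchains entries as written to /var/log/messages
# (ipchains "Packet log:" format; hosts, ports and counters are made up).
IPCHAINS_LOG = """\
May  1 14:02:11 fw kernel: Packet log: input DENY eth0 PROTO=6 10.1.1.9:3412 192.0.2.10:23 L=60 S=0x00 I=5120 F=0x4000 T=49 SYN (#2)
May  1 14:02:13 fw kernel: Packet log: input DENY eth0 PROTO=6 10.1.1.9:3413 192.0.2.10:111 L=60 S=0x00 I=5121 F=0x4000 T=49 SYN (#2)
May  1 14:02:20 fw kernel: Packet log: input DENY eth0 PROTO=1 198.51.100.7:8 192.0.2.10:0 L=84 S=0x00 I=999 F=0x0000 T=240 (#3)
May  1 14:02:25 fw kernel: Packet log: input ACCEPT eth0 PROTO=6 10.1.1.9:3414 192.0.2.10:25 L=60 S=0x00 I=5122 F=0x4000 T=49 SYN (#4)
"""

# Constructed sample of Snort "fast" alerts from the same window (made up).
SNORT_ALERTS = """\
05/01-14:02:20.118823 [**] [1:384:2] ICMP PING [**] {ICMP} 198.51.100.7 -> 192.0.2.10
05/01-14:02:25.400111 [**] [1:1000001:1] LOCAL smtp connect [**] {TCP} 10.1.1.9:3414 -> 192.0.2.10:25
"""

IPCHAINS_RE = re.compile(
    r"Packet log: \w+ (?P<verdict>\w+) \S+ PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):\d+ (?P<dst>[\d.]+):(?P<dport>\d+)")
SNORT_RE = re.compile(
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+)(?::\d+)? -> (?P<dst>[\d.]+)(?::(?P<dport>\d+))?")
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


def firewall_drops(text):
    """(proto, src, dst, dport) for every ipchains entry whose verdict was DENY or REJECT."""
    drops = set()
    for m in IPCHAINS_RE.finditer(text):
        if m.group("verdict") in ("DENY", "REJECT"):
            proto = PROTO_NAMES.get(int(m.group("proto")), m.group("proto"))
            # ipchains prints ICMP type:code in the port columns; Snort has no port there.
            dport = m.group("dport") if proto in ("TCP", "UDP") else ""
            drops.add((proto, m.group("src"), m.group("dst"), dport))
    return drops


def snort_seen(text):
    """(proto, src, dst, dport) for every flow Snort alerted on."""
    return {(m.group("proto"), m.group("src"), m.group("dst"), m.group("dport") or "")
            for m in SNORT_RE.finditer(text)}


def dropped_but_unalerted(ipchains_text, snort_text):
    """Firewall-dropped flows with no matching Snort alert, sorted for stable output."""
    return sorted(firewall_drops(ipchains_text) - snort_seen(snort_text))


if __name__ == "__main__":
    for flow in dropped_but_unalerted(IPCHAINS_LOG, SNORT_ALERTS):
        print("dropped by ipchains, no Snort alert: %s %s -> %s:%s" % flow)
```

Only flows that match a Snort rule produce an alert, so this measures alert coverage rather than raw packet visibility; comparing against a binary packet log (snort's -b mode) is the stricter test of whether the sniffer saw the dropped packets at all.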