Re: snort behind firewall ??

["Security" <security () rhpstudios com>]

Someone can correct me If I'm wrong on this 'theory' (sorry for long post):

One of the things I haven't seen anyone mention in all of the 'snort through
firewall' posts, is how the firewall input chain treats packets and the
default policy for the firewall.  It would seem to me that this would be the
deciding factor in whether snort would work properly through a firewall,
possibly kernel version & configurations would also affect this....or at
least thats my theory.

For example, a firewall policy set up as DENY all packets except those
specifically allowed would likely not allow snort to see anything except
packets allowed through the firewall.  A firewall policy that DROPS all
incoming SYN packets on external interface wouldn't make it to snort.  A
firewall policy with an input rule set to ACCEPT by default and then
processing the packet based on other rules would make it to
snort......although a default policy of ACCEPT on the input chain would seem
like a huge security risk.

Just out of curiosity, I've set up a test box to test the above conditions.
Its running Redhat Linux v7.1, default custom install kernel 2.4.2, a custom
firewall built on ipchains v1.3.10 (Sept 1, 2000), snort version 1.8-beta3
(build 12), libpcap from the snort download page, and
vision.conf/vision.rules dated on April 26.

What I have found thus far is that snort didn't log much of anything with a
default DENY except explicity allowed policy--running for a few weeks under
both Redhat v7 and 7.1 (it did detect both incoming and outgoing virus
(I-Worm.Hybris.B--snow white) I received via email, and then decided to use
for testing and purposely sent to myself via external pop).  When I dropped
and logged all incoming SYN packets to external interface, only thing snort
logged was ICMP packets from internal interface to a random host that didn't
exist on external interface, plus the same virus I sent above to myself--I
let this configuration run for three days, and ipchains logged a lot of
dropped traffic to /var/log/messages not picked up by snort.  I'm just
getting ready to reconfigure for incoming default ACCEPT on input, and will
be watching this one closely.

Ed Wiget
RHP Studios


----- Original Message -----
From: "Andre Goeree" <abgoeree () uwnet nl>
To: "snort-users" <snort-users () lists sourceforge net>
Sent: Tuesday, May 01, 2001 7:10 AM
Subject: Re: [Snort-users] snort behind firewall ??


> On Mon, Apr 30, 2001 at 11:12:43AM -0700, Josh Oshiro wrote:
> > It is up in the air right now wether or not snort can see packets before
> > the firewall drop them. It seems  it is system dependant. I would like
> > to take a poll of who can snort through there firewall and who can't.
> > We'll need to know what kernal you are using, how it's configured, what
> > firewall your using, how it's configures, and what os your using.
>
> Hello,
>
> I'm snorting through my packet filter on:
>
> OS: FreeBSD 4.3-STABLE #0: Thu Apr 26 22:51:58 CEST 2001
>     kernel options:
>    IPFILTER
>    IPFILTER_LOG
>
> FW: IP Filter: v3.4.16
>     FW config:
>        only connections to outside are permitted (stateful)
>        anything coming in is blocked
>
> Snort is listening on the outside device: tun0 (user ppp)
>
> So far i have successfully picked up portscans while testing the
> firewall.
>
> --Andre.
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> http://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users