Snort mailing list archives
Re: Firewall stopping detection?
From: John Sage <jsage () finchhaven com>
Date: Mon, 20 Aug 2001 11:41:05 -0700
David:
My experience is that snort and ipchains see problematic packets equally.
From just yesterday:
ipchains:
Aug 19 20:07:52 greatwall kernel: Packet log: input DENY ppp0 PROTO=6 12.82.129.116:1038 12.82.129.38:80 L=48 S=0x00 I=45720 F=0x4000 T=127 SYN (#58)
snort:
[**] [1:0:0] TCP to 80 http [**]
08/19-20:07:52.007712 12.82.129.116:1038 -> 12.82.129.38:80
TCP TTL:127 TOS:0x0 ID:45720 IpLen:20 DgmLen:48 DF
******S* Seq: 0xA47C86A4 Ack: 0x0 Win: 0x2238 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
This is from snort 1.8.1-beta4; I have had the same result with snort 1.7.something
You might also try having yourself probed by www.hackerwhacker.com; you can get a one-time probe by them that's quite comprehensive for free. It'll take a while, depending on the speed of your connection, and whether you're DENY'ing or REJECT'ing.
See: http://whacker2.hackerwhacker.com:4000/startdemo.dyn?answer=firewall
If you're not seeing results in snort but you *are* in ipchains, I'd say you have an issue with your snort rules.
HTH..
- John
--
John Sage
FinchHaven, Vashon Island, WA, USA
http://www.finchhaven.com/
mailto:jsage () finchhaven com
"The web is so, like, five minutes ago..."
David Findlay wrote:
I have just installed snort from Debian Unstable, and customised the config file to suit my system. I then went to grc.com and used the probe my ports thing, to see if snort would detect it, but I get nothing in the logs. I have a firewall using ipchains, which blocks all connections except for stuff initiated from inside. How do I get snort to still detect attack attempts coming in?
Thanks,
David
P.S. Please CC me your reply as I am not a subscriber to the list. Thanks :-)
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: http://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
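Added example, not part of the original message and not code from snort or ipchains: a Python sketch of the comparison made in the reply above, pairing ipchains "Packet log" lines with snort alerts by the header fields both tools record (addresses, ports, IP ID, length, TTL) and listing packets the firewall logged that snort raised no alert for. The function names and the third, constructed log line are assumptions, and the patterns cover only the two log layouts quoted in the message.

```python
import re

# The first two samples are the log excerpts quoted in the message above.
IPCHAINS_LINE = ("Aug 19 20:07:52 greatwall kernel: Packet log: input DENY ppp0 "
                 "PROTO=6 12.82.129.116:1038 12.82.129.38:80 L=48 S=0x00 I=45720 "
                 "F=0x4000 T=127 SYN (#58)")
SNORT_ALERT = """[**] [1:0:0] TCP to 80 http [**]
08/19-20:07:52.007712 12.82.129.116:1038 -> 12.82.129.38:80
TCP TTL:127 TOS:0x0 ID:45720 IpLen:20 DgmLen:48 DF
******S* Seq: 0xA47C86A4 Ack: 0x0 Win: 0x2238 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK"""
# Constructed sample: a denied packet for which snort raised no alert.
CONSTRUCTED_LINE = ("Aug 19 20:09:10 greatwall kernel: Packet log: input DENY ppp0 PROTO=6 "
                    "192.0.2.7:4021 12.82.129.38:23 L=44 S=0x00 I=1201 F=0x0000 T=52 SYN (#58)")

IPCHAINS_RE = re.compile(
    r"Packet log: \S+ \S+ \S+ PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<length>\d+) S=\S+ I=(?P<ip_id>\d+) F=\S+ T=(?P<ttl>\d+)")
SNORT_RE = re.compile(
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)\s+"
    r"(?P<proto>\w+) TTL:(?P<ttl>\d+) TOS:\S+ ID:(?P<ip_id>\d+) "
    r"IpLen:\d+ DgmLen:(?P<length>\d+)")
PROTO_NUM = {"ICMP": 1, "TCP": 6, "UDP": 17}  # snort prints names, ipchains numbers

def _key(m, proto):
    # Header fields both tools record; the IP ID ties the two records to one packet.
    return (proto, m["src"], int(m["sport"]), m["dst"], int(m["dport"]),
            int(m["ip_id"]), int(m["length"]), int(m["ttl"]))

def ipchains_key(line):
    m = IPCHAINS_RE.search(line)
    return _key(m, int(m["proto"])) if m else None

def snort_key(alert):
    m = SNORT_RE.search(alert)
    return _key(m, PROTO_NUM.get(m["proto"])) if m else None

def correlate(ipchains_lines, snort_alerts):
    """Return (seen by both, logged by ipchains only) as lists of packet keys."""
    alerted = {snort_key(a) for a in snort_alerts} - {None}
    both, firewall_only = [], []
    for key in filter(None, map(ipchains_key, ipchains_lines)):
        (both if key in alerted else firewall_only).append(key)
    return both, firewall_only

if __name__ == "__main__":
    both, fw_only = correlate([IPCHAINS_LINE, CONSTRUCTED_LINE], [SNORT_ALERT])
    print("both:", both, "\nipchains only (review snort rules):", fw_only)
```

Entries in the second list are packets that reached the interface and were logged by the firewall but matched no snort rule, which is the situation the reply attributes to the rule set.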
Current thread:
- Firewall stopping detection? David Findlay (Aug 20)
- Re: Firewall stopping detection? John Sage (Aug 20)
- <Possible follow-ups>
- Re: Firewall stopping detection? Matthew Collins (Aug 20)
- Re: Firewall stopping detection? J. C. Woods (Aug 20)