Snort mailing list archives

Re: Firewall stopping detection?


From: John Sage <jsage () finchhaven com>
Date: Mon, 20 Aug 2001 11:41:05 -0700

David:

My experience is that snort and ipchains see problematic packets equally.

From just yesterday:

ipchains:

Aug 19 20:07:52 greatwall kernel: Packet log: input DENY ppp0 PROTO=6 12.82.129.116:1038 12.82.129.38:80 L=48 S=0x00 I=45720 F=0x4000 T=127 SYN (#58)

snort:

[**] [1:0:0] TCP to 80 http [**]
08/19-20:07:52.007712 12.82.129.116:1038 -> 12.82.129.38:80
TCP TTL:127 TOS:0x0 ID:45720 IpLen:20 DgmLen:48 DF
******S* Seq: 0xA47C86A4  Ack: 0x0  Win: 0x2238  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK


This is from snort 1.8.1-beta4; I have had the same result with snort 1.7.something

You might also try having yourself probed by www.hackerwhacker.com; you can get a one-time probe by them that's quite comprehensive for free. It'll take a while, depending on the speed of your connection, and whether you're DENY'ing or REJECT'ing

See:

http://whacker2.hackerwhacker.com:4000/startdemo.dyn?answer=firewall


If you're not seeing results in snort but you *are* in ipchains, I'd say you have an issue with your snort rules.


HTH..

- John

--
John Sage
FinchHaven, Vashon Island, WA, USA
http://www.finchhaven.com/
mailto:jsage () finchhaven com
"The web is so, like, five minutes ago..."


David Findlay wrote:

I have just installed snort from Debian Unstable, and customised the config file to suit my system. I then went to grc.com and used the probe my ports thing, to see if snort would detect it, but I get nothing in the logs. I have a firewall using ipchains, which blocks all connections except for stuff initiated from inside. How do I get snort to still detect attack attempts coming in? Thanks,

David

P.S. Please CC me your reply as I am not a subscriber to the list. Thanks :-)
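As an added example (not code from the thread), the side-by-side check John makes above can be automated: parse the ipchains "Packet log" line and the snort alert header into one key (endpoints, IP ID, TTL, total length) and list every DENY the firewall logged that snort never alerted on. The sample input is the packet from the post plus one constructed DENY (port 23, IP ID 45721) that has no snort alert; a non-empty result is the "check your snort rules" case.

```python
import re
from typing import NamedTuple

# Constructed sample: line 1 is the ipchains entry from the post, line 2 is a
# made-up DENY with no corresponding snort alert.
IPCHAINS_LOG = """\
Aug 19 20:07:52 greatwall kernel: Packet log: input DENY ppp0 PROTO=6 12.82.129.116:1038 12.82.129.38:80 L=48 S=0x00 I=45720 F=0x4000 T=127 SYN (#58)
Aug 19 20:07:53 greatwall kernel: Packet log: input DENY ppp0 PROTO=6 12.82.129.116:1039 12.82.129.38:23 L=48 S=0x00 I=45721 F=0x4000 T=127 SYN (#58)
"""
SNORT_ALERTS = """\
[**] [1:0:0] TCP to 80 http [**]
08/19-20:07:52.007712 12.82.129.116:1038 -> 12.82.129.38:80
TCP TTL:127 TOS:0x0 ID:45720 IpLen:20 DgmLen:48 DF
******S* Seq: 0xA47C86A4  Ack: 0x0  Win: 0x2238  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
"""

class PacketKey(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int
    ipid: int    # IP identification: I=... in ipchains, ID:... in snort
    ttl: int     # T=... in ipchains, TTL:... in snort
    length: int  # total IP length: L=... in ipchains, DgmLen:... in snort

IPCHAINS_RE = re.compile(r"Packet log: \S+ DENY \S+ PROTO=\d+ (\S+):(\d+) (\S+):(\d+) "
                         r"L=(\d+) S=\S+ I=(\d+) F=\S+ T=(\d+)")
SNORT_HDR_RE = re.compile(r"^\d\d/\d\d-[\d:.]+ (\S+):(\d+) -> (\S+):(\d+)$")
SNORT_IP_RE = re.compile(r"TTL:(\d+) .*ID:(\d+) .*DgmLen:(\d+)")

def parse_ipchains(text):
    """Keys for every DENY'd packet in an ipchains kernel log."""
    keys = []
    for line in text.splitlines():
        m = IPCHAINS_RE.search(line)
        if m:
            s, sp, d, dp, ln, i, t = m.groups()
            keys.append(PacketKey(s, int(sp), d, int(dp), int(i), int(t), int(ln)))
    return keys

def parse_snort(text):
    """Keys for every alert in snort's full-alert text (header line + IP line)."""
    keys, lines = [], text.splitlines()
    for n, line in enumerate(lines[:-1]):
        h, p = SNORT_HDR_RE.match(line), SNORT_IP_RE.search(lines[n + 1])
        if h and p:
            s, sp, d, dp = h.groups()
            t, i, ln = p.groups()
            keys.append(PacketKey(s, int(sp), d, int(dp), int(i), int(t), int(ln)))
    return keys

def denied_but_not_alerted(ipchains_text, snort_text):
    """Packets the firewall logged that snort produced no alert for."""
    seen = set(parse_snort(snort_text))
    return [k for k in parse_ipchains(ipchains_text) if k not in seen]
```

Run `denied_but_not_alerted(IPCHAINS_LOG, SNORT_ALERTS)` on your own `/var/log/messages` excerpt and snort `alert` file; the port 80 SYN matches on all seven fields, so only the constructed port 23 DENY comes back.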



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net

