Snort mailing list archives
Re: nort behind ipchains 'blind'?
From: "Matthew Collins" <Matthew.Collins () northernregistrars co uk>
Date: Wed, 04 Jul 2001 09:16:20 +0100
Snort on a PPP interface behind ipchains (i.e. a dial up or ISDN connection) will not see packets filtered by the firewall. The setup described below, using ethernet to connect to a router, should alert on stuff that the firewall blocks. This is my understanding from the discussions that went on.

Why don't you test it? Add this rule to your rules file:

    alert tcp any 80 -> any any (msg:"Web browsing alert test";)

Then browse to a web site. If you get a bunch of alerts, then snort is working. If not, then you have other problems.

Try removing the allow rules for incoming web traffic, and try it again. If you don't get an alert then you know that something is wrong.

"Martijn Heemels" <martijn () yggdrasil yi org> 03/07/01 16:44:05 >>>
Hi,

About two months ago there was a discussion about whether Snort could see packets when installed on the same machine as the firewall. Has anything come out of that discussion? I've searched my archives but haven't found a solution. My Snort sees hardly anything and has been completely quiet for many weeks now. I love the snort concept and would really like to implement it on my box, but at the moment it's useless and I don't have the cash (nor the desire) to buy a dedicated box just for snort :(
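
Added example, not part of the original messages: one way to evaluate the test described in the reply is to compare what ipchains logged as dropped with what Snort alerted on, per interface. It assumes the DENY rules log with ipchains' -l flag and that Snort writes fast-format alerts; the sample log lines and addresses are constructed for illustration.

```python
import re

# Constructed sample data (not from the thread), shaped like ipchains "-l"
# kernel log lines and Snort fast-alert lines.
FW_LOG = """\
Jul  4 09:20:01 fw kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.9:80 192.0.2.10:1045 L=60 S=0x00 I=4211 F=0x4000 T=52 (#7)
Jul  4 09:20:05 fw kernel: Packet log: input DENY ppp0 PROTO=6 203.0.113.9:80 192.0.2.10:1046 L=60 S=0x00 I=4212 F=0x4000 T=52 (#7)
Jul  4 09:20:09 fw kernel: Packet log: input ACCEPT eth0 PROTO=6 198.51.100.4:80 192.0.2.10:1047 L=60 S=0x00 I=977 F=0x4000 T=50 (#3)
"""
ALERTS = """\
07/04-09:20:01.114532  [**] Web browsing alert test [**] 203.0.113.9:80 -> 192.0.2.10:1045
07/04-09:20:09.220871  [**] Web browsing alert test [**] 198.51.100.4:80 -> 192.0.2.10:1047
"""

IP = r"(\d+\.\d+\.\d+\.\d+)"
# Fields: chain (skipped), verdict, interface, protocol, src ip:port, dst ip:port
FW_RE = re.compile(r"Packet log: \S+ (\S+) (\S+) PROTO=\d+ " + IP + r":(\d+) " + IP + r":(\d+)")
# Optional "[gid:sid:rev] " before the message covers later Snort alert output.
ALERT_RE = re.compile(r"\[\*\*\] (?:\[[\d:]+\] )?(.+?) \[\*\*\].*?" + IP + r":(\d+) -> " + IP + r":(\d+)")

def denied_flows(fw_log):
    """Yield (interface, flow) for each packet the firewall logged as dropped."""
    for line in fw_log.splitlines():
        m = FW_RE.search(line)
        if m and m.group(1) in ("DENY", "REJECT"):
            _verdict, iface, sip, sport, dip, dport = m.groups()
            yield iface, (sip, int(sport), dip, int(dport))

def alerted_flows(alerts, msg):
    """Return the set of flows on which Snort raised the test alert."""
    flows = set()
    for line in alerts.splitlines():
        m = ALERT_RE.search(line)
        if m and m.group(1) == msg:
            _msg, sip, sport, dip, dport = m.groups()
            flows.add((sip, int(sport), dip, int(dport)))
    return flows

def visibility_by_interface(fw_log, alerts, msg="Web browsing alert test"):
    """Per interface: firewall-dropped packets Snort did / did not alert on."""
    seen = alerted_flows(alerts, msg)
    result = {}
    for iface, flow in denied_flows(fw_log):
        counts = result.setdefault(iface, {"seen": 0, "missed": 0})
        counts["seen" if flow in seen else "missed"] += 1
    return result

if __name__ == "__main__":
    for iface, c in sorted(visibility_by_interface(FW_LOG, ALERTS).items()):
        print(f"{iface}: {c['seen']} dropped packets alerted, {c['missed']} not seen by Snort")
```

An interface with only "missed" entries is one where the sensor is not seeing what the firewall drops. Flows are matched on address and port only, so run the comparison over a short test window.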