Re: nort behind ipchains 'blind'?

["Matthew Collins" <Matthew.Collins () northernregistrars co uk>]

Snort on a PPP interface behind ipchains (ie a dial up or ISDN connection) will not see packets filtered by the 
firewall. The setup described below, using ethernet to connect to a router, should alert on stuff that the firewall 
blocks.

This is my understanding from the discussions that went on.

Why don't you test it. Add this rule to your rules file.

alert tcp any 80 -> any any (msg:"Web browsing alert test");

Then browse to a web site. If you get a bunch of alerts, then snort is working. If not, then you have other problems.
Try removing the allow rules for incoming web traffic, and try it again. If you don't get an alert then you know that 
something is wrong.


> > > "Martijn Heemels" <martijn () yggdrasil yi org> 03/07/01 16:44:05 >>>
Hi,

About two months ago there was a discussion about whether Snort could see
packets when installed on the same machine as the firewall. Has anything
come out of that discussion? I've searched my archives but haven't found a
solution.

My Snort sees hardly anything and has been completely quiet for many weeks
now. I love the snort concept and would really like to implement it on my
box, but at the moment it's useless and I don't have the cash (nor the
desire) to buy a dedicated box just for snort :(




****************************************************************************************
This message and any attachments are confidential to the ordinary user of
the e-mail address to which it was addressed and may also be privileged.
If you are not the addressee you may not copy, forward, disclose or use 
any part of the message or its attachments and if you have received this
message in error, please notify the sender immediately by return e-mail and
delete it from your system.
Internet communications cannot be guaranteed to be secure or error-free 
as information could be intercepted, corrupted, lost, arrive late or contain 
viruses. The sender therefore does not accept liability for any errors or
omissions in the context of this message which arise as a result of Internet
transmission.
Northern Registrars Limited, Northern House, Woodsome Park, Fenay 
Bridge, Huddersfield. HD8 0LA.
Tel: +44 (0) 1484 600900  Fax: +44 (0) 1484 600911
For more information visit our web site: http://www.northernregistrars.co.uk
****************************************************************************************

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users