Snort mailing list archives

Re: nort behind ipchains 'blind'?


From: John Sage <jsage () finchhaven com>
Date: Wed, 04 Jul 2001 11:26:00 -0700

Matthew Collins wrote:

Snort on a PPP interface behind ipchains (i.e. a dial up or ISDN connection) will not see packets filtered by the firewall.


This is simply not true.

I have a dialup connection via ppp0, an ipchains-based firewall, snort 1.7, and snort sees everything ipchains sees, and sees everything the snort rules are set up to see very effectively.

A not-so-recent example, but an example, nonetheless:


******************************
syslog:
Jun 16 14:12:42 sparky snort: TCP to 1024-60999: 12.25.244.15:11753 ->
12.82.128.165:11753

snort:
06/16-14:12:42.767992 12.25.244.15:11753 -> 12.82.128.165:11753
TCP TTL:117 TOS:0x0 ID:55601 IpLen:20 DgmLen:40
******S* Seq: 0x3670AF08  Ack: 0x8E702  Win: 0xA9B4  TcpLen: 20

ipchains:
Jun 16 14:12:42 sparky kernel: Packet log: input DENY ppp0 PROTO=6
 12.25.244.15:11753 12.82.128.165:11753
 L=40 S=0x00 I=55601 F=0x0000 T=117 SYN (#49)



My snort command line:

snort -b -i ppp0 -c /usr/local/snort-1.7/snort.conf &

Relevant parts of snort.conf:

<snip>

# set this at dialup
var HOME_NET 12.82.129.23/32

<snip>

#
# Use one or more syslog facilities as arguments
# DAEMON = facility; ALERT = priority at man syslog.conf(5)
#
output alert_syslog: LOG_DAEMON LOG_ALERT

<snip>

# -------------------------------------------------
# output alert_full
output alert_full: /var/log/snort/alert.full

<snip>

#
include /usr/local/snort-1.7/tcp-local-lib
include /usr/local/snort-1.7/udp-local-lib
include /usr/local/snort-1.7/icmp-local-lib


These are my local rules, which, because of the low overall volume, log *every* packet and alert for a specific set of ports I want to watch real-time.

I run other more detailed rules on a batch basis, but it's the ipchains-based firewall that's stopping everything...

- John

--
John Sage
FinchHaven, Vashon Island, WA, USA
http://www.finchhaven.com/
mailto:jsage () finchhaven com
"The web is so, like, five minutes ago..."
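The point of the excerpt above is that one SYN shows up in three places: the snort syslog alert, the snort alert_full record, and the ipchains "Packet log" line that DENYed it. Below is an added example, not code from the post or from Snort, that parses the snort syslog line and the ipchains kernel log line and correlates them on the 4-tuple, so a defender can confirm that a packet the firewall dropped was nevertheless seen by the sniffer. The two sample lines are constructed to match the shape of the excerpt; the regexes are assumptions about those two formats only.

```python
import re

# Constructed sample lines, modelled on the excerpt (wrapped lines joined).
SNORT_SYSLOG = ("Jun 16 14:12:42 sparky snort: TCP to 1024-60999: "
                "12.25.244.15:11753 -> 12.82.128.165:11753")
IPCHAINS_LOG = ("Jun 16 14:12:42 sparky kernel: Packet log: input DENY ppp0 "
                "PROTO=6 12.25.244.15:11753 12.82.128.165:11753 "
                "L=40 S=0x00 I=55601 F=0x0000 T=117 SYN (#49)")

# Assumed layout of a snort alert_syslog line: "<rule msg>: src:sport -> dst:dport".
SNORT_RE = re.compile(r"snort: (?P<msg>.+?): (?P<src>[\d.]+):(?P<sport>\d+) -> "
                      r"(?P<dst>[\d.]+):(?P<dport>\d+)")
# Assumed layout of an ipchains packet log: chain, verdict, interface, proto, endpoints.
CHAINS_RE = re.compile(r"Packet log: (?P<chain>\w+) (?P<verdict>\w+) (?P<iface>\S+) "
                       r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) "
                       r"(?P<dst>[\d.]+):(?P<dport>\d+)")


def parse_snort(line):
    """Return the fields of a snort syslog alert, or None if the line is not one."""
    m = SNORT_RE.search(line)
    return m.groupdict() if m else None


def parse_ipchains(line):
    """Return the fields of an ipchains 'Packet log' line, or None."""
    m = CHAINS_RE.search(line)
    return m.groupdict() if m else None


def flow_key(rec):
    # Both logs carry the same endpoints, so the 4-tuple is the join key.
    return (rec["src"], rec["sport"], rec["dst"], rec["dport"])


def correlate(snort_lines, ipchains_lines):
    """List (snort msg, firewall verdict, interface) for TCP flows seen by both."""
    firewall = {}
    for line in ipchains_lines:
        rec = parse_ipchains(line)
        if rec and rec["proto"] == "6":          # PROTO=6 is TCP
            firewall[flow_key(rec)] = rec
    matches = []
    for line in snort_lines:
        rec = parse_snort(line)
        if rec and flow_key(rec) in firewall:
            fw = firewall[flow_key(rec)]
            matches.append((rec["msg"], fw["verdict"], fw["iface"]))
    return matches


if __name__ == "__main__":
    print(correlate([SNORT_SYSLOG], [IPCHAINS_LOG]))
```

A flow that appears in the snort list but not in the firewall dict was seen by the sniffer and accepted by the firewall, which is the case worth reviewing first.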

