Re: Snort + ipchains

[John Sage <jsage () finchhaven com>]

Martijn:

Seems this was a recurring topic, maybe last spring, with inconclusive 
answers, depending on how well the network layout was described.

I posted my experiences back then, but what I posted was only based upon 
my setup.

As you state, snort FAQ 1.8 sez:


> 4.3 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
> Q: Snort is behind a firewall (ipf/pf/ipchains/ipfilter) and awfully quiet...

> A: Your firewall rules will also block traffic to the snort processes.



Certainly snort wouldn't see packets if it was off on *another* box 
behind the firewall, which I think is what the FAQ is really describing: 
"...snort is *behind* a firewall..."


My snort is running *on* my firewall box in conjuction with ipchains.

Maybe that's the difference...


Later..

- John


Martijn Heemels wrote:

>  
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
> > As a side note: snort sees packets that ipchains DENY's or
> > REJECT's, so  I don't see why you don't just run ipchains *and*
> > snort and be 
> > done with it.
>
> It doesn't for everyone. In fact, according to the snort faq for most
> people ipchains does block traffic to snort (including me). So he may
> not be able to do this.
>
> Greets, Martijn
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>
>
> iQA/AwUBPAkb+hLMC0rbivl4EQKR+wCeOIQnDCq3F1GCofi0n1HM3UUXR5IAn1s8
> ztA+2VO+CEqe0tmq7Mje/hat
> =DjAb
> -----END PGP SIGNATURE-----





_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users