Snort mailing list archives

RE: Snort + ipchains


From: "Martijn Heemels" <martijn () heemels com>
Date: Sat, 1 Dec 2001 21:46:02 +0100


Martijn:

Seems this was a recurring topic, maybe last spring, with
inconclusive answers, depending on how well the network layout was
described.

I posted my experiences back then, but what I posted was only based
upon my setup.

I took part in that discussion too, hoping it would provide an
answer...


As you state, snort FAQ 1.8 sez:
4.3 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: Snort is behind a firewall (ipf/pf/ipchains/ipfilter) and 
awfully quiet...
A: Your firewall rules will also block traffic to the snort
processes.  

Certainly snort wouldn't see packets if it was off on *another* box
behind the firewall, which I think is what the FAQ is really
describing: "...snort is *behind* a firewall..."


of course... you may be right about the faq on this. hadn't read it
that way...


My snort is running *on* my firewall box in conjunction with
ipchains.

Maybe that's the difference...


I'm actually running snort *on* the same box as ipchains. So, it's at
the border of my network.
However, still only non-firewalled ports are visible. I have kind of
given up on getting snort to see all traffic on this box, assuming
there must be something unusual about it (hardware or software).
Since I run snort only as a hobby project on my home LAN to learn
about computer-security related stuff, I stopped trying to solve the
problem. I'm pretty content actually getting alerts on the traffic
that crosses the firewall, since the stuff that gets blocked doesn't
hurt me anyway :-). 
Erik Adams would say that I need more coffee and it would all become
clear ;-D

Anyway, if you have any tips left, let me know. I'm running a
completely updated redhat 6.2 on i386 with ipchains-1.3.9-5 and a
3com509 NIC.

Greets, Martijn

P.S. Wish I was a *rich* student so I could build a cheap dedicated
snort box. But then again, there are a lot of other cool networking
things one can do with money...
