Snort mailing list archives
RE: Snort + ipchains
From: "Martijn Heemels" <martijn () heemels com>
Date: Sat, 1 Dec 2001 21:46:02 +0100
> Martijn: Seems this was a recurring topic, maybe last spring, with inconclusive answers, depending on how well the network layout was described. I posted my experiences back then, but what I posted was only based upon my setup.

I took part in that discussion too, hoping it would provide an answer...

> As you state, snort FAQ 1.8 sez:
>
> 4.3 Q: Snort is behind a firewall (ipf/pf/ipchains/ipfilter) and awfully quiet...
> A: Your firewall rules will also block traffic to the snort processes.
>
> Certainly snort wouldn't see packets if it was off on *another* box behind the firewall, which I think is what the FAQ is really describing: "...snort is *behind* a firewall..."

Of course... you may be right about the FAQ on this. Hadn't read it that way...

> My snort is running *on* my firewall box in conjunction with ipchains. Maybe that's the difference...
I'm actually running snort *on* the same box as ipchains. So, it's at the border of my network. However, still only non-firewalled ports are visible. I have kind of given up on getting snort to see all traffic on this box, assuming there must be something unusual about it (hardware or software). Since I run snort only as a hobby project on my home LAN to learn about computer-security related stuff, I stopped trying to solve the problem. I'm pretty content actually getting alerts on the traffic that crosses the firewall, since the stuff that gets blocked doesn't hurt me anyway :-). Erik Adams would say that I need more coffee and it would all become clear ;-D

Anyway, if you have any tips left, let me know. I'm running a completely updated redhat 6.2 on i386 with ipchains-1.3.9-5 and a 3com509 NIC.

Greets,
Martijn

P.S. Wish I was a *rich* student so I could build a cheap dedicated snort box. But then again, there are a lot of other cool networking things one can do with money...