Snort mailing list archives

Re: Snort + ipchains


From: John Sage <jsage () finchhaven com>
Date: Sat, 01 Dec 2001 21:01:15 -0800

John:

John Berkers wrote:

As I recall from the discussion some time ago, it was decided that a box
running both firewall and snort would only see traffic that is allowed
through the firewall rules because the initial handshake is never completed.
The SYN packet is always blocked, and therefore the exploit packet will
never be seen.


Yes. This is quite true.

So, one can make a general assumption about what a probe to a given port might be, but really all you'll see is the initial SYN packet(s).

In my situation (dialup, dynamic IP, firewall) I've written all my own custom rules to watch specific ports, because the snort rules for most exploits are irrelevant, given that the firewall keeps everything beyond the initial SYN on the outside.

I do run the default snort rules on my -b binary packet captures, later, but again, I don't get many alerts from them...



What this amounts to is only being able to see SYN based traffic and
exploits on ports that are open (perhaps for a specific set of addresses).

It was suggested at the time that the FAQ should be updated, but as far as I
can tell it still only says:

4.3 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: Snort is behind a firewall (ipf/pf/ipchains/ipfilter) and awfully
quiet...

A: Your firewall rules will also block traffic to the snort processes.


Perhaps it should be brought up-to-date by adding something like this:

4.19 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: Snort is on my firewall (ipf/pf/ipchains/ipfilter) and awfully quiet...

A: While Snort also sees the packets that the firewall does, if the exploit
that the signature catches requires a connection to be established, the
exploit will never be sent.

The firewall blocks the three-way-handshake process and you never get a
connection, therefore you never get the exploit packet.



Exactly. Not a bad idea to re-phrase it this way...


- John




Just my take on the situation.  Hope that clears up some questions.

Regards,

John Berkers                                       ICQ: 112912
Network Services                            Hansen Corporation
john.berkers () hancorp com au               berjo () ozemail com au





_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
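Added example, not part of either John's post: a small custom rule set of the kind described above for a Snort sensor that shares a host with the firewall. The network ranges, port choices, message text, SIDs and the placeholder content pattern are assumptions chosen for illustration. The first three rules match on the TCP flags alone, so they fire on the one packet a blocked probe ever produces, the SYN; the last rule needs a payload-bearing segment, which only exists once the three-way handshake has completed, so on a port the firewall drops it never fires.

```snort
# Assumed address space for this example; adjust to the sensor's own network.
var HOME_NET 192.168.1.0/24
var EXTERNAL_NET !$HOME_NET

# SYN-only rules: libpcap hands the SYN to Snort before the firewall's
# input chain drops it, so these are the alerts a blocked probe produces.
# (Ports and messages are illustrative assumptions.)
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"SYN probe to portmap"; flags:S; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 515 (msg:"SYN probe to lpd"; flags:S; sid:1000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 53  (msg:"SYN probe to DNS/tcp"; flags:S; sid:1000003; rev:1;)

# Payload rule: content is only ever carried on an ACK-bearing segment of an
# established session. On a port the firewall blocks no such segment arrives,
# so this rule stays silent no matter how often the port is probed.
# The content here is a placeholder NOP-sled pattern, not a specific exploit.
alert tcp $EXTERNAL_NET any -> $HOME_NET 515 (msg:"lpd payload (needs established session)"; flags:A+; content:"|90 90 90 90|"; sid:1000004; rev:1;)
```

The same limitation applies when the stock rules are replayed later over a -b binary capture with snort -r: the capture holds only what reached the interface, so payload rules against blocked ports have nothing to match there either. Payload rules remain useful only for ports the firewall actually lets through, and only from the addresses it lets them through for.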

