Snort mailing list archives
Re: Snort + ipchains
From: John Sage <jsage () finchhaven com>
Date: Sun, 02 Dec 2001 16:13:41 -0800
Martijn et al:

Bring this up top:

> Is there any way of testing whether this is what's actually happening
> on my box? I'd like to verify that my snort actually sees the
> packets, because until now, I assumed snort never saw them because
> they were blocked by ipchains.
> Any thoughts?

AFAIK you have to be accepting connections on a port/to a service in order to have the three-way handshake complete.
Right now I'm in the process of updating Apache on my firewall (which currently is only accessible inward to my LAN..) and then I intend to open up my firewall on tcp:80 and do a virtual host deal based upon my dynamic IP so I can really listen to what I'm now assuming are CodeRed/Nimda probes...
I'm curious to capture the packet contents after a connection is established; if I can get *that* to work, then I'm going to see if I can get Tom Liston's LaBrea honeypot to listen on tcp:80 as well..
But again, you'll need to open up your ipchains rules to see the handshake complete, so there are risks..
- John

Martijn Heemels wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> Perhaps it should be brought up-to-date by adding something like this:
>
> 4.19 Q: Snort is on my firewall (ipf/pf/ipchains/ipfilter) and awfully quiet...
>
> A: While Snort also sees the packets that the firewall does, if the exploit that the signature catches requires a connection to be established, the exploit will never be sent. The firewall blocks the three-way-handshake process and you never get a connection, therefore you never get the exploit packet.

Definitely! Good suggestion... I remember this thread from a while ago and it certainly makes sense...

Is there any way of testing whether this is what's actually happening on my box? I'd like to verify that my snort actually sees the packets, because until now, I assumed snort never saw them because they were blocked by ipchains.

Any thoughts?

Greets,
Martijn
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
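One way to answer the question raised in this thread (does the sensor ever see a completed handshake, or only unanswered SYNs that the firewall dropped?) is to classify each inbound TCP attempt by how far the three-way handshake got. The script below is an added example, not code from this thread or from Snort or ipchains; it reads a simplified, constructed flag log (not real tcpdump output), and every address and port in it is a made-up sample value.

```python
"""Classify inbound TCP attempts by handshake progress.

Added example, not from the original thread. A flow that only ever shows
SYNs is what a firewall DROP rule produces: the sensor sees the probe, but
no payload can follow because the connection never establishes.
"""
from dataclasses import dataclass

# Constructed sample log, one packet per line:
#   "src:sport > dst:dport FLAGS payload_len"
# Flags use tcpdump-style letters: S=SYN, A=ACK, P=PSH.
SAMPLE_LOG = """\
198.51.100.7:4120 > 192.0.2.1:80 S 0
198.51.100.7:4120 > 192.0.2.1:80 S 0
198.51.100.7:4120 > 192.0.2.1:80 S 0
203.0.113.9:33000 > 192.0.2.1:22 S 0
192.0.2.1:22 > 203.0.113.9:33000 SA 0
203.0.113.9:33000 > 192.0.2.1:22 A 0
203.0.113.9:33000 > 192.0.2.1:22 PA 48
"""


@dataclass
class Flow:
    """Handshake state for one (client, server) pair."""
    syn_count: int = 0
    synack_seen: bool = False
    ack_seen: bool = False
    payload_bytes: int = 0  # bytes seen from the client after the handshake

    def state(self):
        if self.ack_seen:
            return "established"
        if self.synack_seen:
            return "half-open"
        return "syn-only"  # SYN never answered: typical of a firewall DROP


def parse_line(line):
    """Split a constructed log line into (src, dst, flags, payload_len)."""
    src, _, dst, flags, length = line.split()
    return src, dst, flags, int(length)


def classify_flows(log_text):
    """Return {(client, server): Flow} built from the log text.

    The SYN sender is the client; a SYN/ACK in the reverse direction and a
    later ACK from the client mark the handshake as complete.
    """
    flows = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        src, dst, flags, length = parse_line(line)
        if flags == "S":  # pure SYN: a new attempt from src to dst
            flows.setdefault((src, dst), Flow()).syn_count += 1
        elif "S" in flags and "A" in flags and (dst, src) in flows:
            flows[(dst, src)].synack_seen = True  # server answered
        elif "A" in flags and (src, dst) in flows:
            flow = flows[(src, dst)]
            if flow.synack_seen:  # only count data after a real handshake
                flow.ack_seen = True
                flow.payload_bytes += length
    return flows


def summarize(flows):
    """Count flows per handshake state."""
    counts = {"syn-only": 0, "half-open": 0, "established": 0}
    for flow in flows.values():
        counts[flow.state()] += 1
    return counts


if __name__ == "__main__":
    result = classify_flows(SAMPLE_LOG)
    for key, flow in result.items():
        print(key, flow.state(), "syns=%d payload=%d" % (flow.syn_count, flow.payload_bytes))
    print(summarize(result))
```

If every flow toward a port comes out as "syn-only", the sensor is seeing the probes but the firewall is preventing the connection, and no content-matching rule for that service can ever fire; opening the port (as the thread discusses) is what turns those into "established" flows with payload to inspect.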