Snort mailing list archives

RE: snort + IPFilter?


From: "Gonzalez, Albert" <albert.gonzalez () eds com>
Date: Fri, 31 Jan 2003 14:13:46 -0500

If you're scanning yourself from the same machine, you won't see the scans
with snort. I have a default deny with my firewall (on the same machine) and
snort can still see the packets and alert on them. I'm going to start saying
you're on a switch rather than a HUB.

Cheers!

        Alberto Gonzalez.

If you want to actively block, go ahead and check out snortsam.
http://www.snortsam.net/

-----Original Message-----
From: Everist, Benjamin S. (NASWI) [mailto:EveristB () naswi navy mil]
Sent: Friday, January 31, 2003 11:31 AM
To: Snort-users () lists sourceforge net
Subject: [Snort-users] snort + IPFilter?


Pardon the cross posting; some of this may be more appropriate on
freebsd-questions, but I am having serious problems posting questions to
that list.
I'm running snort-1.9.0 logging to mysql displaying on ACID b22, on a
freebsd box.  I have IPFilter running on the same machine with the kernel
options and ruleset shown below.  It's not a firewall, just a host on the
network.
On snort, I am seeing only broadcast udp traffic, no tcp whatsoever, even
when I nmap the machine.  I made an assumption, which I am now starting to
doubt, that while adopting a default-block stance and only allowing specific
connections via the ethernet interface, snort would still log (all) alerts.
It has been brought to my attention I may be on a switch rather than a hub,
but I should still see nmap alerts when I am directing the scan on myself,
shouldn't I?
Any help would be appreciated....
Benjamin Everist

Other / more information:
This is what I start snort with:
#snort -D -i xl0 -c /usr/local/snort-1.9.0/etc/snort.conf
My snort.conf is essentially default except I have defined var HOME_NET and
defined my output options.

Firewall options - IPFilter
options IPFILTER
options IPFILTER_LOG
options IPFILTER_DEFAULT_BLOCK

IPFilter ruleset:
#block all garbage we never want to accept:
block in log quick from any to any with ipopts
block in log quick proto tcp from any to any with short
#lo0
pass in quick on lo0 all
pass out quick on lo0 all
#outbound xl0
pass out on xl0 all keep state head 100
block out from 127.0.0.0/8 to any group 100
block out from any to 127.0.0.0/8 group 100
block out from any to 172.16.100.9/32 group 100
#inbound xl0
block in on xl0 all head 200
block in from 127.0.0.0/8 to any group 200
block in from 172.16.100.9/32 to any group 200
pass in quick proto tcp from any to any port = www keep state group 200
pass in quick proto tcp from any to any port = 22 keep state group 200
block return-rst in log proto tcp from any to any flags S/SA group 200
block return-icmp(net-unr) in proto udp all group 200
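An added example, not code from either message: a small model of how IPFilter walks the inbound rules posted above (last match wins, a "quick" match ends evaluation, "group 200" rules are consulted only once the "head 200" rule has matched). It shows that an nmap SYN to port 22 is passed while one to port 23 or a broadcast UDP datagram is blocked, and that a scan of the host's own address is evaluated on lo0 rather than xl0, which is why "snort -i xl0" never sees it. It assumes 172.16.100.9 is the host's own address (the one the anti-spoof rules guard), 10.0.0.5 is a constructed scanner, and it ignores state tables, logging, the two "with" sanity rules and the return-rst/return-icmp side effects.

```python
# Added example (not the poster's code): simplified IPFilter evaluation of the inbound rules.
import ipaddress

INBOUND = """\
pass in quick on lo0 all
block in on xl0 all head 200
block in from 127.0.0.0/8 to any group 200
block in from 172.16.100.9/32 to any group 200
pass in quick proto tcp from any to any port = www keep state group 200
pass in quick proto tcp from any to any port = 22 keep state group 200
block return-rst in log proto tcp from any to any flags S/SA group 200
block return-icmp(net-unr) in proto udp all group 200""".splitlines()
ALIAS = {"on": "iface", "from": "src", "to": "dst"}  # rule keyword -> field name
def parse(line):
    t = line.split()
    r = {**dict.fromkeys("iface proto src dst port flags head group".split()), "action": t[0], "quick": False}
    i = 2 if t[1].startswith("return-") else 1     # skip return-rst / return-icmp(...)
    r["dir"], i = t[i], i + 1
    while i < len(t):
        if t[i] == "quick": r["quick"] = True; i += 1
        elif t[i] == "port": r["port"] = {"www": 80}.get(t[i + 2]) or int(t[i + 2]); i += 3
        elif t[i] in ("on", "proto", "from", "to", "flags", "head", "group"):
            r[ALIAS.get(t[i], t[i])] = t[i + 1]; i += 2
        else: i += 1                               # all / log / keep state: no effect here
    return r
RULES = [parse(l) for l in INBOUND]
def matches(r, p):
    def in_net(net, ip):
        return net in (None, "any") or ipaddress.ip_address(ip) in ipaddress.ip_network(net)
    if r["flags"]:
        want, mask = r["flags"].split("/")         # "S/SA": of SYN and ACK, exactly SYN set
        if any((f in p["flags"]) != (f in want) for f in mask): return False
    return (r["dir"] == p["dir"] and r["iface"] in (None, p["iface"])
            and r["proto"] in (None, p["proto"]) and r["port"] in (None, p["dport"])
            and in_net(r["src"], p["src"]) and in_net(r["dst"], p["dst"]))

def verdict(p):
    result = "block"                               # kernel option IPFILTER_DEFAULT_BLOCK
    for r in RULES:
        if r["group"] or not matches(r, p):        # group rules only run under their head
            continue
        result = r["action"]
        for g in (x for x in RULES if r["head"] and x["group"] == r["head"] and matches(x, p)):
            result = g["action"]                   # head matched: its group decides
            if g["quick"]:
                return result
        if r["quick"]:
            return result
    return result
```

The packet dicts carry dir, iface, proto, src, dst, dport and flags; whatever the verdict, a packet that arrives on xl0 is still handed to libpcap and therefore to snort, only the lo0 case is invisible to it.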

