Snort mailing list archives

RE: snort + IPFilter?


From: "Everist, Benjamin S. (NASWI)" <EveristB () naswi navy mil>
Date: Tue, 4 Feb 2003 13:10:53 -0800

I found the scans, they are getting logged to /var/log/snort/scan.log, but
not being seen by ACID.

In snort.conf, preprocessor portscan is disabled, and preprocessors
conversation and portscan2 are enabled.  In acid.conf, $portscan_file is
pointed to /var/log/snort/scan.log, which (currently) has its read bit set
for everyone.

I am NMAP connect scanning the machine snort is running on from a separate
machine.  Any idea why ACID isn't displaying info from scan.log?

Thanks,

Benjamin Everist

-----Original Message-----
From: Gonzalez, Albert [mailto:albert.gonzalez () eds com]
Sent: Friday, January 31, 2003 11:14 AM
To: Snort-users () lists sourceforge net
Subject: RE: [Snort-users] snort + IPFilter?


If you're scanning yourself from the same machine, you won't see the scans
with snort. I have a default deny with my firewall (on the same machine) and
snort can still see the packets and alert on them. I'm going to start saying
you're on a switch rather than a HUB.

Cheers!

        Alberto Gonzalez.

If you want to actively block, go ahead and check out snortsam.
http://www.snortsam.net/

-----Original Message-----
From: Everist, Benjamin S. (NASWI) [mailto:EveristB () naswi navy mil]
Sent: Friday, January 31, 2003 11:31 AM
To: Snort-users () lists sourceforge net
Subject: [Snort-users] snort + IPFilter?


Pardon the cross posting; some of this may be more appropriate on
freebsd-questions, but I am having serious problems posting questions to
that list.
I'm running snort-1.9.0 logging to mysql displaying on ACID b22, on a
freebsd box.  I have IPFilter running on the same machine with the kernel
options and ruleset shown below.  It's not a firewall, just a host on the
network.
On snort, I am seeing only broadcast udp traffic, no tcp whatsoever, even
when I nmap the machine.  I made an assumption, which I am now starting to
doubt, that while adopting a default-block stance and only allowing specific
connections via the ethernet interface, snort would still log (all) alerts.
It has been brought to my attention I may be on a switch rather than a hub,
but I should still see nmap alerts when I am directing the scan on myself,
shouldn't I?
Any help would be appreciated.... 
Benjamin Everist 
Other/ more information: 
This is what I start snort with: 
#snort -D -i xl0 -c /usr/local/snort-1.9.0/etc/snort.conf 
My snort.conf is essentially default except I have defined var HOME_NET and
defined my output options. 
Firewall options - IPFilter 
options IPFILTER 
options IPFILTER_LOG 
options IPFILTER_DEFAULT_BLOCK 
IPFilter ruleset: 
#block all garbage we never want to accept: 
block in log quick from any to any with ipopts 
block in log quick proto tcp from any to any with short 
#lo0 
pass in quick on lo0 all 
pass out quick on lo0 all 
#outbound xl0 
pass out on xl0 all keep state head 100 
block out from 127.0.0.0/8 to any group 100 
block out from any to 127.0.0.0/8 group 100 
block out from any to 172.16.100.9/32 group 100 
#inbound xl0 
block in on xl0 all head 200 
block in from 127.0.0.0/8 to any group 200 
block in from 172.16.100.9/32 to any group 200 
pass in quick proto tcp from any to any port = www keep state group 200 
pass in quick proto tcp from any to any port = 22 keep state group 200 
block return-rst in log proto tcp from any to any flags S/SA group 200 
block return-icmp(net-unr) in proto udp all group 200 
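A small model of how IPFilter would walk the ruleset quoted above, added here as an illustration and not code from the thread or from IPFilter itself. It assumes the usual IPFilter semantics (last match wins unless "quick", a matching "head N" rule hands evaluation to "group N") and leaves out the address, ipopts/short and keep-state rules; the Pkt type and rule tuples are constructed for the example.

```python
# Added example: toy model of how IPFilter walks the ruleset quoted above.
# Assumed IPFilter semantics: rules are tried in order, the LAST matching rule
# wins unless a match is "quick"; a matching "head N" rule hands evaluation to
# the rules tagged "group N", whose match (if any) overrides the head's action.
from dataclasses import dataclass

@dataclass
class Pkt:
    direction: str          # "in" or "out"
    iface: str              # "lo0" or "xl0"
    proto: str              # "tcp", "udp" or "icmp"
    dport: int = 0
    syn_only: bool = False  # TCP flags S/SA: SYN set, ACK clear (new connection)

# (direction, iface, proto, dport, syn_only, action, quick, head, group); None = any
RULES = [
    ("in",  "lo0", None,  None, None, "pass",  True,  None, None),
    ("out", "lo0", None,  None, None, "pass",  True,  None, None),
    ("out", "xl0", None,  None, None, "pass",  False, 100,  None),
    ("in",  "xl0", None,  None, None, "block", False, 200,  None),
    ("in",  None,  "tcp", 80,   None, "pass",  True,  None, 200),
    ("in",  None,  "tcp", 22,   None, "pass",  True,  None, 200),
    ("in",  None,  "tcp", None, True, "block return-rst",  False, None, 200),
    ("in",  None,  "udp", None, None, "block return-icmp", False, None, 200),
]

def _matches(rule, p):
    d, ifc, proto, dport, syn = rule[:5]
    return (d == p.direction and ifc in (None, p.iface) and proto in (None, p.proto)
            and dport in (None, p.dport) and syn in (None, p.syn_only))

def verdict(p, rules=RULES):
    """Action IPFilter would apply to p under the ruleset; default is block."""
    def walk(group):                 # returns (last matching action, stop?)
        last = None
        for r in rules:
            if r[8] != group or not _matches(r, p):
                continue
            last = r[5]
            if r[7] is not None:     # head rule: descend into its group
                sub, stop = walk(r[7])
                last = sub if sub is not None else last
                if stop:
                    return last, True
            if r[6]:                 # quick: stop evaluating
                return last, True
        return last, False
    return walk(None)[0] or "block"  # options IPFILTER_DEFAULT_BLOCK

def snort_sees(p, snort_iface="xl0"):
    """Snort reads frames via libpcap on its interface before IPFilter decides
    anything, so the verdict never hides traffic; the interface does."""
    return p.iface == snort_iface
```

Running it shows the point of the thread: an inbound SYN to port 23 on xl0 gets "block return-rst" yet is still visible to snort, while the same scan launched from the box itself travels over lo0, is passed by the first rule, and never reaches snort listening on xl0.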


