Snort mailing list archives

Snort and IPChains


From: "John Berkers" <berjo () ozemail com au>
Date: Mon, 30 Apr 2001 23:43:25 +1000

Hi all,

I've been reading posts over the last few weeks and am wondering if I can
get some clarification of the behaviour of Snort with IPChains.

What I gather from the last few weeks is that Snort sees network traffic
before it is processed by IPChains, but that this holds true only for real
network cards (eth, tok, fddi, etc), and not for ppp.  I'm seeing a bit of
inconsistent behaviour on my ppp0.

I have a default IPChains rule that drops all traffic that is not allowed
through (and logs it).  For the most part I see no alerts on my Snort IDS on
ppp0, except for most (if not all) of port 137 (UDP:nbname) and the odd
portscan and DNS alert.  I am seeing lots of dropped packets to ports 53,
111, 515 etc.

I am using vision.rules April 6 with Snort 1.8b3 (build 12) with libpcap
0.6.2 (both compiled specifically for my box) on Linux Mandrake 7.2 (kernel
2.2.17).  Snort and IPChains are both restarted whenever the ppp connection
comes up.

Anyone got any ideas? Any help would be appreciated.

Regards,

John Berkers
berjo () ozemail com au


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
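The comparison John is doing by eye (ipchains log says "dropped", Snort says nothing) can be done mechanically by correlating the two logs on the 5-tuple and a time window. The script below is an added example for this thread, not code from the original post or from the Snort project. The log lines are constructed; the ipchains "Packet log:" layout and the Snort alert_fast layout are approximations of those formats and should be checked against your own files before the regexes are trusted. The year and the 5-second window are assumptions.

```python
import re
from datetime import datetime

# Constructed sample data (not from the original post). Syslog and Snort
# alert_fast lines carry no year, so one is assumed to make timestamps comparable.
YEAR = 2001

IPCHAINS_LOG = """\
Apr 30 23:40:01 gw kernel: Packet log: input DENY ppp0 PROTO=17 203.0.113.7:1027 198.51.100.9:53 L=60 S=0x00 I=4321 F=0x0000 T=243 (#12)
Apr 30 23:40:05 gw kernel: Packet log: input DENY ppp0 PROTO=6 203.0.113.7:2049 198.51.100.9:111 L=60 S=0x00 I=4322 F=0x4000 T=243 (#12)
Apr 30 23:40:09 gw kernel: Packet log: input DENY ppp0 PROTO=6 203.0.113.7:3012 198.51.100.9:515 L=60 S=0x00 I=4323 F=0x4000 T=243 (#12)
Apr 30 23:40:12 gw kernel: Packet log: input DENY ppp0 PROTO=17 203.0.113.7:137 198.51.100.9:137 L=78 S=0x00 I=4324 F=0x0000 T=243 (#12)
"""

SNORT_ALERTS = """\
04/30-23:40:12.440212  [**] [1:0:0] NETBIOS name query [**] {UDP} 203.0.113.7:137 -> 198.51.100.9:137
04/30-23:41:50.000000  [**] [1:0:0] DNS named version attempt [**] {UDP} 203.0.113.7:1029 -> 198.51.100.9:53
"""

PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}

# Approximation of a 2.2-kernel ipchains log line as written by klogd/syslogd.
IPCHAINS_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: Packet log: "
    r"(?P<chain>\S+) (?P<verdict>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+)"
)

# Approximation of Snort's alert_fast output (timestamp, message, proto, flow).
SNORT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d)\.\d+\s+\[\*\*\] (?P<msg>.*?) \[\*\*\] "
    r".*?\{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)


def parse_ipchains(text):
    """Return one dict per parseable ipchains log line (others are skipped)."""
    drops = []
    for line in text.splitlines():
        m = IPCHAINS_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=YEAR)
        drops.append({
            "time": ts, "verdict": m["verdict"], "iface": m["iface"],
            "proto": PROTO_NAMES.get(int(m["proto"]), m["proto"]),
            "src": m["src"], "sport": int(m["sport"]),
            "dst": m["dst"], "dport": int(m["dport"]),
        })
    return drops


def parse_snort(text):
    """Return one dict per parseable alert_fast line (others are skipped)."""
    alerts = []
    for line in text.splitlines():
        m = SNORT_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%m/%d-%H:%M:%S").replace(year=YEAR)
        alerts.append({
            "time": ts, "msg": m["msg"], "proto": m["proto"].upper(),
            "src": m["src"], "sport": int(m["sport"]),
            "dst": m["dst"], "dport": int(m["dport"]),
        })
    return alerts


def correlate(drops, alerts, window=5):
    """Pair each firewall drop with a Snort alert on the same 5-tuple within
    `window` seconds. Returns (drops with no alert, alerts with no drop)."""
    matched = set()
    unalerted = []
    for d in drops:
        hit = None
        for i, a in enumerate(alerts):
            same_flow = all(a[k] == d[k] for k in ("proto", "src", "sport", "dst", "dport"))
            if same_flow and abs((a["time"] - d["time"]).total_seconds()) <= window:
                hit = i
                break
        if hit is None:
            unalerted.append(d)
        else:
            matched.add(hit)
    unexplained = [a for i, a in enumerate(alerts) if i not in matched]
    return unalerted, unexplained


def unalerted_ports(ipchains_text, snort_text, window=5):
    """Sorted (proto, dport) pairs the firewall dropped but Snort never alerted on."""
    drops = [d for d in parse_ipchains(ipchains_text) if d["verdict"] in ("DENY", "REJECT")]
    unalerted, _ = correlate(drops, parse_snort(snort_text), window)
    return sorted({(d["proto"], d["dport"]) for d in unalerted})


if __name__ == "__main__":
    unalerted, unexplained = correlate(parse_ipchains(IPCHAINS_LOG), parse_snort(SNORT_ALERTS))
    for d in unalerted:
        print(f"dropped, no alert: {d['proto']} {d['src']}:{d['sport']} -> {d['dst']}:{d['dport']} on {d['iface']}")
    for a in unexplained:
        print(f"alert, no drop:    {a['proto']} {a['src']}:{a['sport']} -> {a['dst']}:{a['dport']} ({a['msg']})")
```

On the constructed data this reports the drops to 53, 111 and 515 as never alerted on and the 137 drop as alerted, which is the pattern described in the post. One caveat before reading too much into such a list: a missing alert only shows that no rule fired for that packet, not that Snort never saw it; a lone SYN to port 111 or 515 matches no signature in a typical ruleset, while the NetBIOS name query does. To test visibility on ppp0 directly, capture with tcpdump (or `snort -v`) on that interface while the firewall is dropping and compare packet counts rather than alert counts.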