Re: snort behind ipchains 'blind'?

[John Sage <jsage () finchhaven com>]

Martijn:

Martijn Heemels wrote:

> > IPchains does not affect what snort sees.  I verified this by
>
> Interesting... So what else could be blocking Snort's vision in my case?
> if more info is needed let me know...
>
> And how can I test snort's functionality myself? Any tools I can run from
> the windows machines on my LAN?
>
> Thanks, Martijn


Seems this thread got broken out into two; part of my response to the 
other part...


> I have a dialup connection via ppp0, an ipchains-based firewall, snort 1.7,

> and snort sees everything ipchains sees, and sees everything the snort rules

> are set up to see very effectively.
>
> A not-so-recent example, but an example, none-the-less:
>
>
> ******************************
> syslog:
> Jun 16 14:12:42 sparky snort: TCP to 1024-60999: 12.25.244.15:11753 ->
> 12.82.128.165:11753
>
> snort:
> 06/16-14:12:42.767992 12.25.244.15:11753 -> 12.82.128.165:11753
> TCP TTL:117 TOS:0x0 ID:55601 IpLen:20 DgmLen:40
> ******S* Seq: 0x3670AF08  Ack: 0x8E702  Win: 0xA9B4  TcpLen: 20
>
> ipchains:
> Jun 16 14:12:42 sparky kernel: Packet log: input DENY ppp0 PROTO=6
>  12.25.244.15:11753 12.82.128.165:11753
>  L=40 S=0x00 I=55601 F=0x0000 T=117 SYN (#49)
>
>
>
> My snort command line:
>
> snort -b -i ppp0 -c /usr/local/snort-1.7/snort.conf &
>
> Relevant parts of snort.conf:
>
> <snip>
>
> # set this at dialup
> var HOME_NET 12.82.129.23/32
>
> <snip>
>
> #
> # Use one or more syslog facilities as arguments
> # DAEMON = facility; ALERT = priority at man syslog.conf(5)
> #
> output alert_syslog: LOG_DAEMON LOG_ALERT
>
> <snip>
>
> # -------------------------------------------------
> # output alert_full
> output alert_full: /var/log/snort/alert.full
>
> <snip>
>
> #
> include /usr/local/snort-1.7/tcp-local-lib
> include /usr/local/snort-1.7/udp-local-lib
> include /usr/local/snort-1.7/icmp-local-lib
>
>
> These are my local rules, which, because of the low overall volume,

> log *every* packet and alert for a specific set of ports I want to watch real-time.
>
> I run other more detailed rules on a batch basis, but it's the

> ipchains-based firewall that's stopping everything...


- John


--
John Sage
FinchHaven, Vashon Island, WA, USA
http://www.finchhaven.com/
mailto:jsage () finchhaven com
"The web is so, like, five minutes ago..."


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users