[Snort-users] Too Quiet

shawn . moyer shawn at ...1184...
Wed Apr 11 00:23:32 EDT 2001


Phil wrote:

> #elxl0 is external interface
> var HOME_NET $elxl0_ADDRESS
> var EXTERNAL_NET !$HOME_NET

This looks to be correct.
 
> but it didn't set off anything. It COULD be because I
> have a very tight firewall. Will snort see the stuff
> the firewall discards if it's listening on the
> external port (the machine is running IPF)?

Yes. Pcap grabs the data before IPF filters it, so when I get scanned I
often see an IPF drop in my logs followed by a Snort alert. If a rule is
based on actual session data, rather than just a port number, though, it
won't fire since of course the firewall drops the attempt.



--shawn 

-- 

s h a w n   m o y e r
shawn at ...1184...

"Nuclear war would really set back cable."
                             -- Ted Turner
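
The distinction drawn in the reply above, as an added example that is not part of the original post: two constructed Snort rules for a port that IPF is assumed to block (FTP on port 21 is an assumed choice; the msg text and sid values are made up). The first matches on the TCP header alone, the second needs payload from a session.

```snort
# Constructed rules; port 21, msg text and sid values are illustrative.

# Header-only: matches a bare SYN. pcap hands Snort the packet before IPF
# discards it, so this alerts even though the firewall blocks the port.
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"Inbound SYN to FTP port"; flags:S; sid:1000001; rev:1;)

# Payload-based: needs data sent by the client. IPF drops the SYN, the
# handshake never completes, no command is ever sent, so this stays silent.
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP login attempt as root"; content:"USER root"; nocase; sid:1000002; rev:1;)
```

A sensor on the external interface that shows only alerts of the first kind is consistent with the firewall doing its job, not with Snort missing traffic.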



