[Snort-users] Snort and IPChains

John Berkers berjo at ...827...
Mon Apr 30 09:43:25 EDT 2001


Hi all,

I've been reading posts over the last few weeks and am wondering if I can
get some clarification of the behaviour of Snort with IPChains.

What I gather from the last few weeks is that Snort sees network traffic
before it is processed by IPChains, but that this holds true only for real
network cards (eth, tok, fddi, etc), and not for ppp.  I'm seeing a bit of
inconsistent behaviour on my ppp0.

I have a default IPChains rule that drops all traffic that is not allowed
through (and logs it).  For the most part I see no alerts on my Snort IDS on
ppp0, except for most (if not all) of port 137 (UDP:nbname) and the odd
portscan and DNS alert.  I am seeing lots of dropped packets to ports 53,
111, 515 etc.

I am using vision.rules April 6 with Snort 1.8b3 (build 12) with libpcap
0.6.2 (both compiled specifically for my box) on Linux Mandrake 7.2 (kernel
2.2.17).  Snort and IPChains are both restarted whenever the ppp connection
comes up.

Anyone got any ideas? Any help would be appreciated.

Regards,

John Berkers
berjo at ...827...
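As an added diagnostic example (not part of the original post), the script below correlates ipchains DENY entries from the kernel log with Snort fast-format alert lines by source/destination address and port, and reports the destination ports whose dropped packets never produced a Snort alert on ppp0. The sample log lines are constructed, and the two line formats are assumed from the ipchains 2.2 kernel log and Snort's single-line alert output.

```python
import re

# Constructed sample input, assumed to follow the ipchains kernel log format:
# "Packet log: <chain> <target> <iface> PROTO=<n> <src>:<sport> <dst>:<dport> ..."
IPCHAINS_LOG = """\
Apr 30 09:40:01 box kernel: Packet log: input DENY ppp0 PROTO=17 203.0.113.9:1030 198.51.100.7:137 L=78 S=0x00 I=4711 F=0x0000 T=115 (#12)
Apr 30 09:40:05 box kernel: Packet log: input DENY ppp0 PROTO=17 203.0.113.22:53 198.51.100.7:53 L=60 S=0x00 I=31 F=0x0000 T=51 (#12)
Apr 30 09:40:09 box kernel: Packet log: input DENY ppp0 PROTO=6 203.0.113.40:2222 198.51.100.7:111 L=60 S=0x00 I=9 F=0x4000 T=48 (#12)
Apr 30 09:40:12 box kernel: Packet log: input DENY ppp0 PROTO=6 203.0.113.40:2223 198.51.100.7:515 L=60 S=0x00 I=10 F=0x4000 T=48 (#12)
"""
# Constructed sample Snort alerts, assumed to use the one-line "fast" alert layout.
SNORT_ALERTS = """\
04/30-09:40:01.112233  [**] NETBIOS name query [**] 203.0.113.9:1030 -> 198.51.100.7:137
04/30-09:40:05.445566  [**] DNS named version attempt [**] 203.0.113.22:53 -> 198.51.100.7:53
"""

IPCHAINS_RE = re.compile(
    r"Packet log: \S+ (?P<target>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+)")
SNORT_RE = re.compile(
    r"\[\*\*\] .+? \[\*\*\] .*?(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)")


def parse_ipchains(text, iface="ppp0", target="DENY"):
    """Return the set of (src, sport, dst, dport) tuples dropped on iface."""
    drops = set()
    for line in text.splitlines():
        m = IPCHAINS_RE.search(line)
        if m and m.group("iface") == iface and m.group("target") == target:
            drops.add((m.group("src"), int(m.group("sport")),
                       m.group("dst"), int(m.group("dport"))))
    return drops


def parse_snort(text):
    """Return the set of (src, sport, dst, dport) tuples that produced an alert."""
    seen = set()
    for line in text.splitlines():
        m = SNORT_RE.search(line)
        if m:
            seen.add((m.group("src"), int(m.group("sport")),
                      m.group("dst"), int(m.group("dport"))))
    return seen


def unseen_drops(ipchains_text, snort_text, iface="ppp0"):
    """Count, per destination port, the dropped flows that never raised a Snort alert."""
    missing = {}
    seen = parse_snort(snort_text)
    for flow in parse_ipchains(ipchains_text, iface):
        if flow not in seen:
            missing[flow[3]] = missing.get(flow[3], 0) + 1
    return missing
```

A port listed here only means no alert fired for that flow; to check whether Snort captured the packet at all, compare against Snort's packet log rather than its alerts, since a dropped packet that matches no rule never alerts either way.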