[Snort-users] Question regarding SNORT & IPChains

Thorin Oakenshield ThorinOakenshield at ...422...
Thu Jan 4 13:33:53 EST 2001


I just started testing Snort running in a chrooted environment a few days
ago and I have a few questions regarding my config and also how Snort and
IPchains work together.  I'm assuming that Snort is not catching a lot of
activity because my firewall (using a tweaked Trinity OS ruleset) has
rejected the traffic (I see the FW log entries in syslog).

If this is what's happening, then would it make sense that the only traffic
I'm seeing (through Snort) is ICMP-Echo and DNS?  I'm also running Guard and
that picks up all sorts of SMTP probing (EXPN, VRFY attempts, etc.) - which
Snort does not seem to see.

Here are the snippets from my config files:

My snortd file:
        cd /home/snort
        daemon /home/snort/sbin/snort -u snort -g snort -t /home/snort \
                -l ./log -d -e -s -D \
                -i $INTERFACE -c etc/snort/rules.base
        touch /var/lock/subsys/snort

var INTERNAL n.n.n.n/32 (my external interface to the WAN - does it matter
that my ISP uses a /23 supernet?)
var EXTERNAL any
var DNSSERVERS n.n.n.n/32 (DNS is internal but unless I name the INTERNAL
interface the logs fill w/ garbage)

preprocessor http_decode: 80 443 8080
preprocessor minfrag: 128
preprocessor portscan: $EXTERNAL 3 5 portscan.log
preprocessor portscan-ignorehosts: $DNSSERVERS

# Include the latest copy of MV's ruleset
include etc/snort/vision.rules

# If you wish to monitor multiple INTERNAL networks, you can include
# another variable that defines the additional network, then include
# the snort ruleset again.  Uncomment the two following lines.
var INTERNAL x.x.x.x/24 (my internal interface to the LAN [private address
include etc/snort/vision.rules

I would also like to configure Snort to monitor traffic to my DMZ once I
open it up; would this be configured by adding another INTERNAL interface as
I did above?
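Added example (not from the original post): a small Python script that parses ipchains DENY entries from syslog and Snort fast-alert lines, then reports per rejected flow whether Snort alerted on it. The two log formats and all sample lines are assumed and constructed here; since libpcap hands Snort a copy of each frame before the ipchains input chain acts on it, a rejected flow with no matching alert points at the Snort configuration rather than at the firewall.

```python
import re

# Constructed sample input (not from the original post). Formats assumed here:
# ipchains kernel packet-log lines as syslog records them, and Snort 1.x fast alerts.
IPCHAINS_LOG = """\
Jan  4 13:30:01 fw kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.7:3456 198.51.100.2:25 L=60 S=0x00 I=2 F=0x4000 T=51 SYN (#7)
Jan  4 13:30:05 fw kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.7:3457 198.51.100.2:111 L=60 S=0x00 I=3 F=0x4000 T=51 SYN (#7)
Jan  4 13:30:09 fw kernel: Packet log: input ACCEPT eth0 PROTO=17 203.0.113.9:53 198.51.100.2:1025 L=80 S=0x00 I=4 F=0x0000 T=60 (#2)
"""
SNORT_ALERTS = """\
01/04-13:30:01.118273 [**] SMTP expn root [**] 203.0.113.7:3456 -> 198.51.100.2:25
01/04-13:30:09.004412 [**] DNS zone transfer [**] 203.0.113.9:53 -> 198.51.100.2:1025
"""

# TCP/UDP entries carry src:port and dst:port; ICMP entries lack ports and are skipped.
IPCHAINS_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+)")
SNORT_RE = re.compile(
    r"\[\*\*\] (?P<msg>.+?) \[\*\*\] (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+)")

def parse_ipchains(text):
    """Return (src, dst, dport, action) for each ipchains packet-log line."""
    rows = []
    for line in text.splitlines():
        m = IPCHAINS_RE.search(line)
        if m:
            rows.append((m["src"], m["dst"], int(m["dport"]), m["action"]))
    return rows

def parse_snort(text):
    """Return (src, dst, dport, msg) for each Snort fast-alert line."""
    rows = []
    for line in text.splitlines():
        m = SNORT_RE.search(line)
        if m:
            rows.append((m["src"], m["dst"], int(m["dport"]), m["msg"]))
    return rows

def correlate(fw_text, snort_text):
    """Map each firewall-rejected flow (src, dst, dport) to whether Snort alerted.
    libpcap hands Snort a copy of each frame before the ipchains input chain acts,
    so a DENY in syslog alone does not explain a missing alert."""
    alerted = {(s, d, p) for s, d, p, _ in parse_snort(snort_text)}
    return {(s, d, p): (s, d, p) in alerted
            for s, d, p, action in parse_ipchains(fw_text)
            if action in ("DENY", "REJECT")}
```

Run `correlate(IPCHAINS_LOG, SNORT_ALERTS)` on the sample: the SMTP probe to port 25 shows up in both logs, while the rejected port 111 probe has no Snort alert and is the kind of gap worth checking against the rules and variables in use.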
