[Snort-users] combination of snort & ipchains

Jason Haar Jason.Haar at ...294...
Tue Jan 16 16:25:46 EST 2001


On Tue, Jan 16, 2001 at 04:08:26PM -0000, Avleen Vig wrote:
> > > the packet filter, or is it possible to have Snort controlling all (1 -
> > > 65535) ports BEFORE packets hit the deny rules of ipchains?
> Fyodor:
> Same things happens on FreeBSD with IPF.
> If IPF blocks / drops a packet, SNORT cannot pick it up :(
> Read my last mail about VLANs which I'm going to try next

This is a FEATURE - not a bug.

Anyway, I am working on a general fix to this: logsnorter. This will scan
syslog messages looking for ACL deny messages generated by Ciscos or Linux
ipfwm/ipchains and convert them into Snort MySQL statements - so that these
packets denied by router/host ACLs still get "recorded" by snort.

Majorly useful for merging your perimeter router/firewall packet blocking
messages back into your NIDS - so that you can say that a baddie did a
complete port 1-60000 portscan instead of just port 25 and 80 (all that
Snort would see if your perm router blocked all other packets).

Should be available this week.

-- 
Cheers

Jason Haar

Unix/Special Projects, Trimble NZ
Phone: +64 3 9635 377 Fax: +64 3 9635 417
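As an added illustration of the approach described in the message above (this is not logsnorter, nor any code from the post), here is a Python sketch that turns ipchains and Cisco IOS ACL deny lines from syslog into the header fields a Snort database record would carry, and then merges them per source so a scan that the perimeter filter swallowed becomes visible as one event set. The two log-line formats, the field names and the sample lines are assumptions reconstructed from those tools' syslog output, not taken from the post.

```python
import re
from collections import defaultdict

# ipchains kernel log line (Linux 2.2 "Packet log:" format, assumed); only DENY/REJECT count
IPCHAINS_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>DENY|REJECT) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+)"
)
# Cisco IOS access-list log line (assumed format; IPACCESSLOGP is the TCP/UDP-with-ports variant)
CISCO_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list \S+ denied (?P<proto>tcp|udp) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\)"
)
PROTO_NUM = {"tcp": 6, "udp": 17}


def parse_deny(line):
    """Normalise one ACL deny line into Snort-style header fields, or None if it is not a deny."""
    m = IPCHAINS_RE.search(line)
    if m:
        proto = int(m.group("proto"))
    else:
        m = CISCO_RE.search(line)
        if m is None:
            return None
        proto = PROTO_NUM[m.group("proto")]
    return {"ip_src": m.group("src"), "ip_dst": m.group("dst"), "ip_proto": proto,
            "sport": int(m.group("sport")), "dport": int(m.group("dport"))}


def ports_per_source(lines):
    """Distinct destination ports each source touched, merged across both log formats."""
    seen = defaultdict(set)
    for line in lines:
        rec = parse_deny(line)
        if rec is not None:
            seen[rec["ip_src"]].add(rec["dport"])
    return {src: sorted(ports) for src, ports in seen.items()}


# Constructed sample syslog lines; addresses are documentation ranges, not real hosts.
SAMPLE_LOG = [
    "Jan 16 16:20:01 gw kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.9:4021 "
    "198.51.100.5:23 L=60 S=0x00 I=31337 F=0x4000 T=48 SYN (#3)",
    "Jan 16 16:20:01 gw kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.9:4022 "
    "198.51.100.5:110 L=60 S=0x00 I=31338 F=0x4000 T=48 SYN (#3)",
    "Jan 16 16:20:02 rtr 23: %SEC-6-IPACCESSLOGP: list 101 denied tcp "
    "203.0.113.9(4023) -> 198.51.100.5(139), 1 packet",
    "Jan 16 16:20:03 gw kernel: Packet log: input ACCEPT eth0 PROTO=6 203.0.113.9:4024 "
    "198.51.100.5:25 L=60 S=0x00 I=31339 F=0x4000 T=48 SYN (#1)",
]
```

Running `ports_per_source(SAMPLE_LOG)` on the constructed lines yields `{'203.0.113.9': [23, 110, 139]}`: the ACCEPT line is ignored, and the Cisco and ipchains denies from the same source are merged into one port list, which is the view the sensor alone would never get when the filter drops those packets upstream.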