[Snort-users] combination of snort & ipchains

Gregor Binder gbinder at ...462...
Tue Jan 16 18:13:07 EST 2001


> > If IPF blocks / drops a packet, SNORT cannot pick it up :(
> > Read my last mail about VLANs which I'm going to try next

maybe try this:

  - set up some virtual interface
  - make sure you don't have services bound to that address
  - block outgoing traffic from this adress in your ipf config for
    better security
  - use "dup-to" (with the virtual address) instead of "block" to copy
    things you want to block to that interface
  - have snort sniff on this interface as well

This will impact security, since traffic will get to the machine (even
though the response can be prevented), and could eventually cause
trouble. I haven't tried this myself. Also, if using this method, I
would rather "dup-to" another system, say, a snort box behind the fire-
wall which physically prevents response :)

A big disadvantage (besides someone being able to take out/subvert your
firewall blindly) would be the changed destination address, you would
not be able to figure out which machine the attack was directed to.

An advantage with regards to the script that Jason is going to provide,
is that you would be able to do a full capture of blocked attacks, scan
the traffic for actual signatures, basically use all the snort features
on it.


Gregor Binder  <gregor.binder at ...462...>  http://sysfive.com/~gbinder/
sysfive.com GmbH               UNIX. Networking. Security. Applications.
Gaertnerstrasse 125b, 20253 Hamburg, Germany         TEL +49-40-63647482
PGP id: 0x20C6DA55 fp: 18AB 2DD0 F8FA D710 1EDC A97A B128 01C0 20C6 DA55

More information about the Snort-users mailing list