[Snort-users] combination of snort & ipchains

Langa Kentane LangaK at ...1059...
Wed Jan 17 02:00:28 EST 2001


If, to remedy this problem, I install another network adaptor and not give
it an IP and have snort listening on this adapter and have it connected to
the segment where I want to do the packet capture, will this work?

Thanks

-----Original Message-----
From: Jason Haar [mailto:Jason.Haar at ...294...]
Sent: 16 January 2001 23:26
To: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] combination of snort & ipchains


On Tue, Jan 16, 2001 at 04:08:26PM -0000, Avleen Vig wrote:
> > > the packet filter, or is it possible to have Snort controlling all (1
-
> > > 65535) ports BEFORE packets hit the deny rules of ipchains?
> Fyodor:
> Same things happens on FreeBSD with IPF.
> If IPF blocks / drops a packet, SNORT cannot pick it up :(
> Read my last mail about VLANs which I'm going to try next

This is a FEATURE - not  a bug. 

Anyway I am working on a general fix to this: - logsnorter This will scan
syslog messages looking for ACL deny messages generated by Ciscos or Linux
ipfwm/ipchains and convert them into Snort MySQL statements - so that these
packets denied by router/host ACLs still get "recorded" by snort.

Majorly useful for merging your perimeter router/firewall packet blocking
messages back into your NIDS - so that you can say that a baddie did a
complete port 1-60000 portscan instead of just port 25 and 80 (all that
Snort would see if your perm router blocked all other packets).

Should be available this week.

-- 
Cheers

Jason Haar

Unix/Special Projects, Trimble NZ
Phone: +64 3 9635 377 Fax: +64 3 9635 417

_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users




More information about the Snort-users mailing list