[Snort-users] combination of snort & ipchains

Avleen Vig avleen at ...396...
Wed Jan 17 09:29:01 EST 2001


> On Tue, Jan 16, 2001 at 04:08:26PM -0000, Avleen Vig wrote:
> > > > the packet filter, or is it possible to have Snort controlling all (1 -
> > > > 65535) ports BEFORE packets hit the deny rules of ipchains?
> > Fyodor:
> > Same things happens on FreeBSD with IPF.
> > If IPF blocks / drops a packet, SNORT cannot pick it up :(
> > Read my last mail about VLANs which I'm going to try next
>
> This is a FEATURE - not  a bug.
>
> Anyway I am working on a general fix to this: logsnorter. This will scan
> syslog messages looking for ACL deny messages generated by Ciscos or Linux
> ipfwm/ipchains and convert them into Snort MySQL statements - so that these
> packets denied by router/host ACLs still get "recorded" by snort.
>
> Majorly useful for merging your perimeter router/firewall packet blocking
> messages back into your NIDS - so that you can say that a baddie did a
> complete port 1-60000 portscan instead of just port 25 and 80 (all that
> Snort would see if your perm router blocked all other packets).

If I can ever get around to learning how to code properly ( :P ), I'll write
up something that monitors all logged packets in ipmon (for ipf) and does
something similar, unless you feel brave enough to incorporate this into
your work? :)
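The logsnorter idea quoted above (firewall deny messages pulled out of syslog and loaded into the same database as the NIDS events) in a short Python sketch. This is an added example, not code from the thread, from logsnorter or from Snort. It assumes the Linux 2.2 ipchains "Packet log:" line layout and an ipmon line in the "@group:rule b src,port -> dst,port PR proto" layout, the syslog lines are constructed, and the fw_deny table is a hypothetical simplified schema, not Snort's real MySQL schema. Rows are inserted with bound parameters so that nothing parsed out of a log line ever becomes part of the SQL text; the last function gives the "full 1-65535 scan" view the poster wants, i.e. every destination port a source was blocked on, not just the ones Snort saw.

```python
"""Added example: parse ipchains / ipmon deny records out of syslog and load
them into a database alongside NIDS events.  Formats and schema are assumptions."""
import re
import sqlite3
from datetime import datetime

# Constructed sample syslog lines (not captured from a real host).
SAMPLE_SYSLOG = """\
Jan 16 16:08:26 fw kernel: Packet log: input DENY eth0 PROTO=6 10.1.2.3:41234 192.0.2.10:25 L=60 S=0x00 I=31337 F=0x4000 T=48 SYN (#7)
Jan 16 16:08:26 fw kernel: Packet log: input DENY eth0 PROTO=6 10.1.2.3:41235 192.0.2.10:80 L=60 S=0x00 I=31338 F=0x4000 T=48 SYN (#7)
Jan 16 16:08:27 fw kernel: Packet log: input DENY eth0 PROTO=6 10.1.2.3:41236 192.0.2.10:139 L=60 S=0x00 I=31339 F=0x4000 T=48 SYN (#7)
Jan 16 16:08:27 fw kernel: Packet log: input DENY eth0 PROTO=17 10.1.2.3:41237 192.0.2.10:161 L=40 S=0x00 I=31340 F=0x0000 T=48 (#7)
Jan 16 16:08:28 fw kernel: Packet log: input ACCEPT eth0 PROTO=6 10.9.9.9:5555 192.0.2.10:80 L=60 S=0x00 I=4 F=0x4000 T=64 SYN (#1)
Jan 16 16:08:29 bsdfw ipmon[201]: 16/01/2001 16:08:29.100000 fxp0 @0:5 b 10.1.2.3,41238 -> 192.0.2.10,443 PR tcp len 20 60 -S IN
Jan 16 16:08:30 fw sshd[123]: Accepted password for root from 10.9.9.9 port 2222 ssh2
"""

# Classic BSD syslog prefix: "Mon dd hh:mm:ss host message" (no year in the line).
SYSLOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) (?P<rest>.*)$")
# Linux 2.2 ipchains kernel log: "Packet log: chain TARGET iface PROTO=n src:sport dst:dport ...".
IPCHAINS_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+)")
# IPFilter ipmon (assumed layout): "date time iface @group:rule b|p src,sport -> dst,dport PR proto ...".
IPMON_RE = re.compile(
    r"ipmon\[\d+\]: \S+ \S+ (?P<iface>\S+) @(?P<group>\d+):(?P<rule>\d+) (?P<action>[bp]) "
    r"(?P<src>[\d.]+),(?P<sport>\d+) -> (?P<dst>[\d.]+),(?P<dport>\d+) PR (?P<proto>\w+)")
PROTO_NUM = {"tcp": 6, "udp": 17, "icmp": 1}

# Hypothetical simplified table; Snort's own MySQL schema is not reproduced here.
SCHEMA = """CREATE TABLE IF NOT EXISTS fw_deny (
    id INTEGER PRIMARY KEY, ts TEXT, sensor TEXT, iface TEXT, proto INTEGER,
    src TEXT, sport INTEGER, dst TEXT, dport INTEGER, source TEXT)"""


def parse_line(line, year=2001):
    """Return a normalised packet record for an ipchains or ipmon line, else None.
    The year is supplied by the caller because the syslog prefix does not carry it."""
    m = SYSLOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    rest = m["rest"]
    if (c := IPCHAINS_RE.search(rest)):
        blocked = c["target"] in ("DENY", "REJECT")
        proto, source = int(c["proto"]), "ipchains"
    elif (c := IPMON_RE.search(rest)):
        blocked = c["action"] == "b"          # ipmon: 'b' blocked, 'p' passed
        proto, source = PROTO_NUM.get(c["proto"].lower(), -1), "ipmon"
    else:
        return None                           # some other daemon's message
    return {"ts": ts.isoformat(sep=" "), "sensor": m["host"], "iface": c["iface"],
            "proto": proto, "src": c["src"], "sport": int(c["sport"]),
            "dst": c["dst"], "dport": int(c["dport"]), "blocked": blocked, "source": source}


def load_denies(lines, conn, year=2001):
    """Insert every *blocked* packet into fw_deny with bound parameters; returns the count."""
    conn.execute(SCHEMA)
    n = 0
    for line in lines:
        rec = parse_line(line, year)
        if rec is None or not rec["blocked"]:
            continue
        conn.execute(
            "INSERT INTO fw_deny (ts, sensor, iface, proto, src, sport, dst, dport, source) "
            "VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)",
            (rec["ts"], rec["sensor"], rec["iface"], rec["proto"], rec["src"],
             rec["sport"], rec["dst"], rec["dport"], rec["source"]))
        n += 1
    conn.commit()
    return n


def build_db(lines, year=2001):
    """Convenience: in-memory database loaded from the given syslog lines."""
    conn = sqlite3.connect(":memory:")
    return conn, load_denies(lines, conn, year)


def ports_per_source(conn, dst):
    """For one target host, every destination port each source was blocked on.
    This is the 'whole portscan' view that the NIDS alone would not have."""
    seen = {}
    for src, dport in conn.execute("SELECT src, dport FROM fw_deny WHERE dst = ?", (dst,)):
        seen.setdefault(src, set()).add(dport)
    return {src: sorted(ports) for src, ports in seen.items()}


if __name__ == "__main__":
    conn, count = build_db(SAMPLE_SYSLOG.splitlines())
    print(f"{count} denied packets loaded")
    for src, ports in ports_per_source(conn, "192.0.2.10").items():
        print(f"{src} probed ports {ports}")
```

Feeding real logs means tailing /var/log/messages (or ipmon's own log file) instead of the constructed string; the ACCEPT line and the sshd line in the sample are there to show that passed packets and unrelated messages are skipped rather than loaded.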
