[Snort-users] ipchains problem

Tommy Eriksson tommy.eriksson at ...5050...
Fri Feb 22 06:15:03 EST 2002


Ok, if I understood you correctly, your setup looks something like this (you
stated that your snort box only had one interface):

                *********
                * Snort *
                *********
                    |
                    |
               ***********   ************
 [Internet]----*   HUB   *---* Firewall *---[Intranet]
               ***********   ************

If this is the case there is no way for the snort box to block IP traffic to
your Intranet.

/Tommy

-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of
drazen.pranic at ...4967...
Sent: den 22 februari 2002 14:22
To: Snort
Subject: [Snort-users] ipchains problem


Hello,
Dear Snort users, I urgently need help.
One problem takes me a lot of time.
In our company we want to improve our security. We have a commercial firewall.
We chose snort as the IDS solution. Snort runs on a Linux machine in front of
the whole network.
All IP traffic passes through it. Now, we want to configure ipchains with
snort.
I found the guardian script that automatically does that. It works ok, but we
have a problem with ipchains.
When an attack came on the IP address of the Linux machine, ipchains blocked it
correctly.
(The Linux machine has only one interface.)
The problem is when an attack came on the IP addresses of the commercial
firewall (which is behind snort), nothing happened.
It seems that ipchains blocks only traffic for the Linux server.
I failed to manually block other IP addresses.
How can we block a whole range of IP addresses?
Thanks for any help,
Drazen




