[Snort-users] ipchains problem(s)

Tommy Eriksson tommy.eriksson at ...5050...
Fri Feb 22 07:26:07 EST 2002


I'm no expert in this area but I think this is a matter of kernel
implementation. I read about a patch (for Linux) that allows you to block
packets with ipchains before the Ethernet bridging code gets them, but I
don't know what the default behavior for the kernel is or if it can be
altered.

/Tommy

> -----Original Message-----
> From: snort-users-admin at lists.sourceforge.net
> [mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of ipfw sponix
> Sent: den 22 februari 2002 15:38
> To: snort-users at lists.sourceforge.net
> Subject: RE: [Snort-users] ipchains problem(s)
>
>
> tommy.eriksson at ...5050...
> I'm looking to do a setup like this:
>
>
>                           Net
>                            |
>                         Router
>                            |
>                        Snort Box (Doing Ethernet Bridging)
>                            |
>                         Switch
>                            /\
>                           /  \
>                          /    \
> smb billing etc <-Private  || Public Net-> www ftp mail dns
>
> My question is, could the snort box doing ethernet bridging actually block
> tcp/udp/icmp/etc/etc type packets coming over the network with this approach
> (freebsd or linux) even though it is transparent to the network (I might
> assign an IP for remote access).
>
> Thank you very much for your time,
> sponix
>
>
>
> >From: "Tommy Eriksson" <tommy.eriksson at ...5050...>
> >To: <snort-users at lists.sourceforge.net>
> >Subject: RE: [Snort-users] ipchains problem
> >Date: Fri, 22 Feb 2002 15:14:03 +0100
> >
> >
> >Ok, if I understood you correctly your setup looks something like this (You
> >stated that your snort box only had one interface):
> >
> >                 *********
> >                 * Snort *
> >                 *********
> >                     |
> >                     |
> >                ***********   ************
> >  [Internet]----*   HUB   *---* Firewall *---[Intranet]
> >                ***********   ************
> >
> >If this is the case there is no way for the snort box to block IP traffic to
> >your Intranet.
> >
> >/Tommy
> >
> >-----Original Message-----
> >From: snort-users-admin at lists.sourceforge.net
> >[mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of
> >drazen.pranic at ...4967...
> >Sent: den 22 februari 2002 14:22
> >To: Snort
> >Subject: [Snort-users] ipchains problem
> >
> >
> >Hello,
> >Dear Snort users, I urgently need help.
> >One problem takes me a lot of time.
> >In our company we want to improve our security. We have commercial firewall.
> >We choose snort as IDS solution. Snort runs on Linux machine in front of
> >whole network.
> >Whole IP traffic passes through it. Now, we want to configure ipchains with
> >snort.
> >I found guardian script that automatically does that. It works ok, but we have
> >problem with ipchains.
> >When attack came on IP address of Linux machine IPchains blocked it correctly.
> >(Linux machine has only one interface.)
> >Problem is when attack came on IP addresses of commercial firewall (which is
> >behind snort), nothing happened.
> >It seems that ipchains blocks only traffic for linux server.
> >I failed manually to block other ip addresses.
> >How can we block whole range of ip addresses?
> >Thanks for any help,
> >Drazen
> >
> >
> >_______________________________________________
> >Snort-users mailing list
> >Snort-users at lists.sourceforge.net
> >Go to this URL to change user options or unsubscribe:
> >https://lists.sourceforge.net/lists/listinfo/snort-users
> >Snort-users list archive:
> >http://www.geocrawler.com/redir-sf.php3?list=snort-users
>




