[Snort-users] snort + IPFilter?
Everist, Benjamin S. (NASWI)
EveristB at ...8190...
Fri Jan 31 10:42:06 EST 2003
Pardon the cross posting; some of this may be more appropriate on
freebsd-questions, but I am having serious problems posting questions to
I'm running snort-1.9.0 logging to mysql displaying on ACID b22, on a
freebsd box. I have IPFilter running on the same machine with the kernel
options and ruleset shown below. It's not a firewall, just a host on the
On snort, I am seeing only broadcast udp traffic, no tcp whatsoever, even
when I nmap the machine. I made an assumption, which I am now starting to
doubt, that while adopting a default-block stance and only allowing specific
connections via the ethernet interface, snort would still log (all) alerts.
It has been brought to my attention I may be on a switch rather than a hub,
but I should still see nmap alerts when I am directing the scan on myself,
Any help would be appreciated....
Other/ more information:
This is what I start snort with:
#snort -D -i xl0 -c /usr/local/snort-1.9.0/etc/snort.conf
My snort.conf is essentially default except I have defined var HOME_NET and
defined my output options.
Firewall options - IPFilter
#block all garbage we never want to accept:
block in log quick from any to any with ipopts
block in log quick proto tcp from any to any with short
pass in quick on lo0 all
pass out quick on lo0 all
pass out on xl0 all keep state head 100
block out from 127.0.0.0/8 to any group 100
block out from any to 127.0.0.0/8 group 100
block out from any to 172.16.100.9/32 group 100
block in on xl0 all head 200
block in from 127.0.0.0/8 to any group 200
block in from 172.16.100.9/32 to any group 200
pass in quick proto tcp from any to any port = www keep state group 200
pass in quick proto tcp from any to any port = 22 keep state group 200
block return-rst in log proto tcp from any to any flags S/SA group 200
block return-icmp(net-unr) in proto udp all group 200
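To see which packets the ruleset above passes or blocks, here is an added example that is not part of the original post and not IPFilter's own code: a small Python evaluator over a constructed subset of those rules, using simplified ipf semantics (rules scanned in order, last match wins, `quick` stops the scan, a matching `head N` rule hands processing to the `group N` rules). The packet dictionary fields (`dir`, `iface`, `proto`, `src`, `dst`, `dport`) are my own assumption, not ipf's.

```python
import ipaddress
import re

# Constructed subset of the ruleset in the post; 'log', 'keep state', 'flags'
# and 'return-*' are parsed but ignored, since they do not change the verdict.
RULES = """\
pass in quick on lo0 all
pass out on xl0 all keep state head 100
block out from any to 127.0.0.0/8 group 100
block in on xl0 all head 200
block in from 127.0.0.0/8 to any group 200
pass in quick proto tcp from any to any port = www keep state group 200
pass in quick proto tcp from any to any port = 22 keep state group 200
block return-rst in log proto tcp from any to any flags S/SA group 200
block return-icmp(net-unr) in proto udp all group 200
"""
SERVICES = {"www": 80}  # service names used by the rules above
RULE_RE = re.compile(
    r"^(?P<action>pass|block)(?:\s+return-\S+)?\s+(?P<dir>in|out)(?:\s+log)?"
    r"(?:\s+(?P<quick>quick))?(?:\s+on\s+(?P<iface>\S+))?(?:\s+proto\s+(?P<proto>\S+))?"
    r"(?:\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)|\s+all)(?:\s+port\s*=\s*(?P<port>\S+))?"
    r"(?:\s+flags\s+\S+)?(?:\s+keep\s+state)?(?:\s+head\s+(?P<head>\d+))?(?:\s+group\s+(?P<group>\d+))?$")
def parse(text):
    # Lines the regex does not understand are skipped rather than guessed at.
    found = [RULE_RE.match(l.strip()) for l in text.splitlines() if l.strip()]
    return [dict(m.groupdict(), text=m.group(0)) for m in found if m]
def in_net(addr, net):
    return net in (None, "any") or ipaddress.ip_address(addr) in ipaddress.ip_network(net)
def matches(r, pkt):
    if r["dir"] != pkt["dir"] or (r["iface"] and r["iface"] != pkt["iface"]):
        return False
    if r["proto"] and r["proto"] != pkt["proto"]:
        return False
    if r["port"] and pkt.get("dport") != (SERVICES.get(r["port"]) or int(r["port"])):
        return False
    return in_net(pkt["src"], r["src"]) and in_net(pkt["dst"], r["dst"])

def evaluate(rules, pkt):
    """Simplified ipf semantics: scan in order, last match wins unless it is
    'quick'; a matching 'head N' rule switches the scan to the 'group N' rules."""
    group, verdict = None, ("pass", "no rule matched (ipf default)")
    for r in rules:
        if r["group"] != group or not matches(r, pkt):
            continue
        verdict = (r["action"], r["text"])
        group = r["head"] or group  # enter the group this head rule points at
        if r["quick"]:
            break
    return verdict
```

One thing the evaluator makes visible: the anti-spoof `block in from 127.0.0.0/8` rule in group 200 is not `quick`, so the later `quick` pass rule for port 22 overrides it for a packet with a 127.0.0.0/8 source; that is ordinary ipf last-match behaviour, not an artefact of the simplification.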