[Snort-users] snort + IPFilter?
albert.gonzalez at ...7950...
Fri Jan 31 11:14:10 EST 2003
If you're scanning yourself from the same machine, you won't see the scans.
I have a default deny with my firewall (on the same machine) and snort can still see the packets and alert on them. I'm going to start saying you're on a switch rather than a HUB.
If you want to actively block, go ahead and check out snortsam.
From: Everist, Benjamin S. (NASWI) [mailto:EveristB at ...8190...]
Sent: Friday, January 31, 2003 11:31 AM
To: Snort-users at lists.sourceforge.net
Subject: [Snort-users] snort + IPFilter?
Pardon the cross-posting; some of this may be more appropriate on freebsd-questions, but I am having serious problems posting questions to

I'm running snort-1.9.0 logging to mysql displaying on ACID b22, on a FreeBSD box. I have IPFilter running on the same machine with the kernel options and ruleset shown below. It's not a firewall, just a host on the

On snort, I am seeing only broadcast udp traffic, no tcp whatsoever, even when I nmap the machine. I made an assumption, which I am now starting to doubt, that while adopting a default-block stance and only allowing specific connections via the ethernet interface, snort would still log (all) alerts. It has been brought to my attention I may be on a switch rather than a hub, but I should still see nmap alerts when I am directing the scan on myself,
Any help would be appreciated....
Other/more information:
This is what I start snort with:
#snort -D -i xl0 -c /usr/local/snort-1.9.0/etc/snort.conf
My snort.conf is essentially default except I have defined var HOME_NET and defined my output options.
Firewall options - IPFilter
#block all garbage we never want to accept:
block in log quick from any to any with ipopts
block in log quick proto tcp from any to any with short
pass in quick on lo0 all
pass out quick on lo0 all
pass out on xl0 all keep state head 100
block out from 127.0.0.0/8 to any group 100
block out from any to 127.0.0.0/8 group 100
block out from any to 172.16.100.9/32 group 100
block in on xl0 all head 200
block in from 127.0.0.0/8 to any group 200
block in from 172.16.100.9/32 to any group 200
pass in quick proto tcp from any to any port = www keep state group 200
pass in quick proto tcp from any to any port = 22 keep state group 200
block return-rst in log proto tcp from any to any flags S/SA group 200
block return-icmp(net-unr) in proto udp all group 200
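The posted ruleset walked through in code, as an added example that is not part of the thread: a small Python model of IPFilter's last-match, quick and head/group semantics with the rules above transcribed by hand. It is stateless (keep state, log and the return-rst/return-icmp replies are not simulated), represents 'flags S/SA' as a packet carrying the constructed marker "syn", and assumes the kernel's default verdict is pass, which is IPFilter's behaviour unless IPFILTER_DEFAULT_BLOCK is compiled in; the packets it is fed are constructed samples.

```python
from ipaddress import ip_address, ip_network

def rule(action, dir_, iface=None, proto=None, src=None, dst=None, dport=None,
         needs=None, quick=False, head=None, group=None):
    # needs: a property the packet must carry ("ipopts", "short", or "syn" for flags S/SA)
    return locals()

# Hand-transcribed from the posted ruleset, in the same order; 'log' and 'keep state' dropped.
RULES = [
    rule("block", "in", needs="ipopts", quick=True),
    rule("block", "in", proto="tcp", needs="short", quick=True),
    rule("pass", "in", iface="lo0", quick=True),
    rule("pass", "out", iface="lo0", quick=True),
    rule("pass", "out", iface="xl0", head=100),
    rule("block", "out", src="127.0.0.0/8", group=100),
    rule("block", "out", dst="127.0.0.0/8", group=100),
    rule("block", "out", dst="172.16.100.9/32", group=100),
    rule("block", "in", iface="xl0", head=200),
    rule("block", "in", src="127.0.0.0/8", group=200),
    rule("block", "in", src="172.16.100.9/32", group=200),
    rule("pass", "in", proto="tcp", dport=80, quick=True, group=200),   # port = www
    rule("pass", "in", proto="tcp", dport=22, quick=True, group=200),
    rule("block return-rst", "in", proto="tcp", needs="syn", group=200),
    rule("block return-icmp(net-unr)", "in", proto="udp", group=200),
]

def matches(r, p):
    return (r["dir_"] == p["dir"]
            and r["iface"] in (None, p["iface"])
            and r["proto"] in (None, p["proto"])
            and (r["src"] is None or ip_address(p["src"]) in ip_network(r["src"]))
            and (r["dst"] is None or ip_address(p["dst"]) in ip_network(r["dst"]))
            and r["dport"] in (None, p.get("dport"))
            and (r["needs"] is None or r["needs"] in p.get("with", ())))

def verdict(p, rules=RULES, default="pass"):  # pass = IPFilter default without IPFILTER_DEFAULT_BLOCK
    """Last match wins; 'quick' ends the walk; a matching 'head' rule opens its group."""
    result = default
    for r in rules:
        if r["group"] is not None or not matches(r, p):
            continue                  # group members are reached only through their head
        result = r["action"]
        if r["quick"]:
            return result
        if r["head"] is not None:
            for g in (g for g in rules if g["group"] == r["head"] and matches(g, p)):
                result = g["action"]
                if g["quick"]:
                    return result
    return result
```

Feeding it a packet the box sends to its own address shows the reply's point: that traffic arrives on lo0, where the quick pass rules apply and where a snort bound to xl0 never sees it. It also shows that the non-quick anti-spoof blocks in group 200 are overridden by the later quick pass rules for ports 22 and 80, which is why such block rules are normally written with quick.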