[Snort-users] snort + IPFilter?

Gonzalez, Albert albert.gonzalez at ...7950...
Fri Jan 31 11:14:10 EST 2003


If you're scanning yourself from the same machine, you won't see the scans
with snort. 
I have a default deny with my firewall(on the same machine) and snort can
still see the 
packets and alert on them. I'm going to start saying you're on a switch
rather than a HUB.

Cheers!

	Alberto Gonzalez.

If you want to actively block, go ahead and check out snortsam.
http://www.snortsam.net/

-----Original Message-----
From: Everist, Benjamin S. (NASWI) [mailto:EveristB at ...8190...]
Sent: Friday, January 31, 2003 11:31 AM
To: Snort-users at lists.sourceforge.net
Subject: [Snort-users] snort + IPFilter?


Pardon the cross posting; some of this may be more appropriate on
freebsd-questions, but I am having serious problems posting questions to
that list.
I'm running snort-1.9.0 logging to mysql displaying on ACID b22, on a
freebsd box.  I have IPFilter running on the same machine with the kernel
options and ruleset shown below.  It's not a firewall, just a host on the
network.
On snort, I am seeing only broadcast udp traffic, no tcp whatsoever, even
when I nmap the machine.  I made an assumption, which I am now starting to
doubt, that while adopting a default-block stance and only allowing specific
connections via the ethernet interface, snort would still log (all) alerts.
It has been brought to my attention I may be on a switch rather than a hub,
but I should still see nmap alerts when I am directing the scan on myself,
shouldn't I?
Any help would be appreciated.... 
Benjamin Everist 
Other/ more information: 
This is what I start snort with: 
#snort -D -i xl0 -c /usr/local/snort-1.9.0/etc/snort.conf 
My snort.conf is essentially default except I have defined var HOME_NET and
defined my output options. 
Firewall options - IPFilter 
options IPFILTER 
options IPFILTER_LOG 
options IPFILTER_DEFAULT_BLOCK 
IPFilter ruleset: 
#block all garbage we never want to accept: 
block in log quick from any to any with ipopts 
block in log quick proto tcp from any to any with short 
#lo0 
pass in quick on lo0 all 
pass out quick on lo0 all 
#outbound xl0 
pass out on xl0 all keep state head 100 
block out from 127.0.0.0/8 to any group 100 
block out from any to 127.0.0.0/8 group 100 
block out from any to 172.16.100.9/32 group 100 
#inbound xl0 
block in on xl0 all head 200 
block in from 127.0.0.0/8 to any group 200 
block in from 172.16.100.9/32 to any group 200 
pass in quick proto tcp from any to any port = www keep state group 200 
pass in quick proto tcp from any to any port = 22 keep state group 200 
block return-rst in log proto tcp from any to any flags S/SA group 200 
block return-icmp(net-unr) in proto udp all group 200 




More information about the Snort-users mailing list