[Snort-users] snort + IPFilter?

Gonzalez, Albert albert.gonzalez at ...7950...
Fri Jan 31 11:14:10 EST 2003

If you're scanning yourself from the same machine, you won't see the scans with snort. I have a default deny with my firewall (on the same machine) and snort can still see the packets and alert on them. I'm going to start saying you're on a switch rather than a HUB.


	Alberto Gonzalez.

If you want to actively block, go ahead and check out snortsam.

-----Original Message-----
From: Everist, Benjamin S. (NASWI) [mailto:EveristB at ...8190...]
Sent: Friday, January 31, 2003 11:31 AM
To: Snort-users at lists.sourceforge.net
Subject: [Snort-users] snort + IPFilter?

Pardon the cross-posting; some of this may be more appropriate on freebsd-questions, but I am having serious problems posting questions to that list.

I'm running snort-1.9.0 logging to mysql, displaying on ACID b22, on a FreeBSD box. I have IPFilter running on the same machine with the kernel options and ruleset shown below. It's not a firewall, just a host on the

On snort, I am seeing only broadcast UDP traffic, no TCP whatsoever, even when I nmap the machine. I made an assumption, which I am now starting to doubt, that while adopting a default-block stance and only allowing specific connections via the ethernet interface, snort would still log (all) alerts. It has been brought to my attention I may be on a switch rather than a hub, but I should still see nmap alerts when I am directing the scan on myself, shouldn't I?
Any help would be appreciated.... 
Benjamin Everist 
Other/ more information: 
This is what I start snort with: 
#snort -D -i xl0 -c /usr/local/snort-1.9.0/etc/snort.conf 
My snort.conf is essentially default except I have defined var HOME_NET and
defined my output options. 
Firewall options - IPFilter 
options IPFILTER 
IPFilter ruleset: 
#block all garbage we never want to accept: 
block in log quick from any to any with ipopts 
block in log quick proto tcp from any to any with short 
pass in quick on lo0 all 
pass out quick on lo0 all 
#outbound xl0 
pass out on xl0 all keep state head 100 
block out from to any group 100 
block out from any to group 100 
block out from any to group 100 
#inbound xl0 
block in on xl0 all head 200 
block in from to any group 200 
block in from to any group 200 
pass in quick proto tcp from any to any port = www keep state group 200 
pass in quick proto tcp from any to any port = 22 keep state group 200 
block return-rst in log proto tcp from any to any flags S/SA group 200 
block return-icmp(net-unr) in proto udp all group 200 
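The two points the thread turns on are (a) that a scan aimed at the host's own address from the same host is looped back through lo0 and never appears on xl0, so a Snort instance bound to xl0 cannot see it, and (b) how the posted IPFilter ruleset actually disposes of packets that do arrive on xl0 (rule order, `quick`, and `head`/`group`). The following is an added example, not code from either poster, that models the ipf.conf subset used above and walks constructed packets through it. It omits the three `block ... from to any group ...` lines whose addresses were scrubbed in the archive rather than guess at them, and it does not implement `keep state` tracking or fragment checks; the packet dictionaries and the `verdict`/`evaluate` helpers are this example's own.

```python
"""Minimal IPFilter (ipf.conf) rule evaluator: order, 'quick', 'head'/'group'.

Added example for the snort + IPFilter thread; not code from the posters.
Models only the keywords the posted ruleset uses: action, return-rst /
return-icmp(...), in/out, log, quick, on <iface>, proto, from/to, port =,
flags S/SA, with <opt>, keep state (parsed, not tracked), head N, group N.
"""

# Constructed ruleset: the well-formed lines of the posted ipf.conf. The lines
# whose addresses were scrubbed ('block out from to any group 100', etc.) are
# left out rather than filled in.
RULESET = """
block in log quick from any to any with ipopts
block in log quick proto tcp from any to any with short
pass in quick on lo0 all
pass out quick on lo0 all
pass out on xl0 all keep state head 100
block in on xl0 all head 200
pass in quick proto tcp from any to any port = www keep state group 200
pass in quick proto tcp from any to any port = 22 keep state group 200
block return-rst in log proto tcp from any to any flags S/SA group 200
block return-icmp(net-unr) in proto udp all group 200
"""

SERVICES = {"www": 80, "ssh": 22}  # symbolic port names ipf resolves via /etc/services


def parse_rule(line):
    """Tokenize one ipf rule into the fields this evaluator understands."""
    t = line.split()
    reply = t[1] if t[1].startswith("return-") else None
    r = {"action": t[0], "reply": reply, "dir": t[2] if reply else t[1],
         "quick": "quick" in t, "log": "log" in t, "iface": None, "proto": None,
         "dport": None, "flags": None, "with": None, "head": None, "group": None,
         "text": line}
    for i, w in enumerate(t):
        if w == "on":
            r["iface"] = t[i + 1]
        elif w == "proto":
            r["proto"] = t[i + 1]
        elif w == "port":  # form is 'port = <name-or-number>'
            p = t[i + 2]
            r["dport"] = SERVICES[p] if p in SERVICES else int(p)
        elif w == "flags":
            r["flags"] = t[i + 1]
        elif w == "with":
            r["with"] = t[i + 1]
        elif w == "head":
            r["head"] = int(t[i + 1])
        elif w == "group":
            r["group"] = int(t[i + 1])
    return r


RULES = [parse_rule(l) for l in RULESET.strip().splitlines()]


def matches(r, pkt):
    """Does rule r apply to packet pkt? (src/dst are 'any' throughout, so not checked)"""
    if r["dir"] != pkt["dir"]:
        return False
    if r["iface"] and r["iface"] != pkt["iface"]:
        return False
    if r["proto"] and r["proto"] != pkt["proto"]:
        return False
    if r["dport"] is not None and r["dport"] != pkt.get("dport"):
        return False
    if r["flags"] == "S/SA" and not (pkt.get("syn") and not pkt.get("ack")):
        return False  # S/SA: SYN set, ACK clear, i.e. a new connection attempt
    if r["with"] and r["with"] not in pkt.get("with", ()):
        return False
    return True


def evaluate(rules, pkt):
    """Return (verdict, matching rule text). ipf semantics: the LAST matching
    rule wins unless a matching rule says 'quick', which ends evaluation; rules
    tagged 'group N' are consulted only once the 'head N' rule has matched."""
    result = ("pass", "(no rule matched: ipf default)")
    active_groups = set()
    for r in rules:
        if r["group"] is not None and r["group"] not in active_groups:
            continue
        if not matches(r, pkt):
            continue
        result = (r["action"] + (" " + r["reply"] if r["reply"] else ""), r["text"])
        if r["head"] is not None:
            active_groups.add(r["head"])
        if r["quick"]:
            break
    return result


def verdict(pkt):
    return evaluate(RULES, pkt)[0]


# Constructed packets (hypothetical traffic, not captures from the thread).
SELF_SCAN = {"dir": "in", "iface": "lo0", "proto": "tcp", "dport": 22, "syn": True}
SSH_SYN   = {"dir": "in", "iface": "xl0", "proto": "tcp", "dport": 22, "syn": True}
STRAY_SYN = {"dir": "in", "iface": "xl0", "proto": "tcp", "dport": 31337, "syn": True}
DNS_IN    = {"dir": "in", "iface": "xl0", "proto": "udp", "dport": 53}
OUTBOUND  = {"dir": "out", "iface": "xl0", "proto": "tcp", "dport": 80, "syn": True}

if __name__ == "__main__":
    for name, pkt in [("nmap of own address (arrives on lo0)", SELF_SCAN),
                      ("SYN to 22 on xl0", SSH_SYN), ("SYN to 31337 on xl0", STRAY_SYN),
                      ("UDP to 53 on xl0", DNS_IN), ("outbound on xl0", OUTBOUND)]:
        v, rule = evaluate(RULES, pkt)
        print(f"{name:38} -> {v:28} via: {rule}")
```

The first packet is the thread's answer in miniature: a scan of the host's own address is handled entirely by `pass in quick on lo0 all`, so nothing reaches xl0 for `snort -i xl0` to alert on, regardless of hub or switch. The other packets show that inbound traffic on xl0 is decided inside group 200: SYNs to 22 or 80 pass (`quick`), any other SYN is blocked with a RST, and UDP is blocked with an ICMP net-unreachable. Note that ipf's drop happens in the kernel after the BPF tap that Snort reads from, so packets that do arrive on xl0 are visible to Snort even when ipf blocks them, which is consistent with Albert's observation.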
