[Snort-users] Snort stops logging

Paul Schmehl pauls at ...6838...
Fri Jul 2 08:14:07 EDT 2004


--On Friday, July 02, 2004 11:36:06 AM +0200 Ralf Eberle 
<iceman at ...12061...> wrote:
>
> I have included my ruleset below. I need to say that this is my first
> firewall setup and my first own rules.
>
Before you set up a firewall, you need to decide what your goal is.  Are 
you aware that your firewall has a default "allow all" policy?  In general, 
when setting up a host-based firewall, a "deny all" default policy is 
preferred.  This ensures that only the things you allow to pass in will do 
so.

> Thanks in advance for your help.
>
> Ralf Eberle
>
> Here is my ruleset:
>
> 20000       0         0 check-state
>
> 20000   95554   9313534 allow ip from any to any via lo0

Immediately after this rule, you should have one that allows all traffic to 
pass to the NIC that snort is listening on.  Something like this:

20001 allow ip from any to any via xl0

Do you have two NICs in this machine?  One for snort to listen on, and one 
for "normal" traffic?

Paul Schmehl (pauls at ...6838...)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/ir/security/
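
An added example, not part of the original message and not code from the Snort or ipfw projects: a Python check that reads counter-format ipfw output like the quoted ruleset, reports the default policy from the final rule, and verifies that an unconditional allow for the sniffing interface is not preceded by rules that could match first. The function names and sample rules 20100, 20200 and 65535 are constructed for illustration; the check-state handling is a simplification.

```python
import re

# One line of counter-format ipfw output: rule number, packets, bytes, rule body.
RULE_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(.*\S)\s*$")
ALLOW = r"(?:allow|accept|pass|permit)"   # ipfw synonyms for the allow action
CATCH_ALL = re.compile(rf"^({ALLOW}|deny|drop) (?:ip|all) from any to any$")

def parse_ruleset(text):
    """Return (number, body) pairs in evaluation order; non-rule lines are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules.append((int(m.group(1)), " ".join(m.group(4).split())))
    return rules

def default_policy(rules):
    """'allow' or 'deny' when the last rule is an unconditional catch-all, else None."""
    m = CATCH_ALL.match(rules[-1][1]) if rules else None
    if m is None:
        return None
    return "deny" if m.group(1) in ("deny", "drop") else "allow"

def sniff_rule_status(rules, iface):
    """Locate 'allow ip from any to any via <iface>' and the rules evaluated before it.

    Simplification: check-state and rules pinned to a different interface with
    'via' are treated as unable to match first; every other earlier rule is reported.
    """
    wanted = re.compile(rf"^{ALLOW} (?:ip|all) from any to any via {re.escape(iface)}$")
    earlier = []
    for number, body in rules:
        if wanted.match(body):
            return {"rule": number, "earlier": earlier}
        via = re.search(r"\bvia (\S+)", body)
        if body != "check-state" and not (via and via.group(1) != iface):
            earlier.append(number)
    return {"rule": None, "earlier": earlier}

# First two lines are the rules quoted in the message; the rest are constructed.
SAMPLE = """\
20000       0         0 check-state
20000   95554   9313534 allow ip from any to any via lo0
20100      12      3456 deny tcp from any to any dst-port 23 in
20200       0         0 allow ip from any to any via xl0
65535    1024    204800 allow ip from any to any
"""

if __name__ == "__main__":
    rules = parse_ruleset(SAMPLE)
    print("default policy:", default_policy(rules))
    print("sniffing NIC rule:", sniff_rule_status(rules, "xl0"))
```

A non-empty `earlier` list means those rules are evaluated before the sniffing-interface allow and should be reviewed, which is why the message places the new rule at 20001, directly after the loopback rule.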
