
Re: snort, where to listen?



On Fri, May 16, 2003 at 09:49:32AM +0200, debian@raycone.net wrote:
> Hi all,
> 
> I just installed Snort IDS on my firewall Debian box which is so configured:
> 
> eth0 10.0.0.1 (serves internal LAN)
> eth1 192.168.100.1 (directly connected to an ADSL modem auto-connecting to the 
> provider with IP 192.168.100.2)
> 
> I run snort on eth1 NOT in promiscuous mode and I send periodic email reports to me.
> 
> The problem is that I receive messages from the kernel (firewall) indicating some 
> "action" blocked from the internet, but snort never shows anything in its reports.
> 
> Could someone tell me if I misconfigured the system and, please, a possible right 
> configuration?

That would all depend on how you have Snort configured (ruleset) and
what the actual kernel messages say. Just because you block an unwanted 
connection to a certain port doesn't mean the connection attempt matched
a rule. Also, if it was blocked by the kernel, snort may have never
seen it, since you are not in promisc. mode, IIRC.

Tim

-- 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>><<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
>> Tim Sailer (at home)             ><  Coastal Internet, Inc.          <<
>> Network and Systems Operations   ><  PO Box 726                      <<
>> http://www.buoy.com              ><  Moriches, NY 11955              <<
>> tps@unslept.com/tps@buoy.com     ><  (631)399-2910  (888) 924-3728   <<
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>><<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
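Tim's first point is that a kernel "blocked" message and a Snort alert are produced by two unrelated filters: the firewall logs whatever its DROP/LOG rules catch, while Snort only alerts when a packet matches a rule in the loaded ruleset. The quickest way to see the gap is to line the two logs up and list the dropped flows that never produced an alert. The script below does that; it is an added example, not code from Tim's reply, the original question, or the Snort project. The iptables LOG lines (with a made-up "FW-DROP" log prefix), the Snort alert_fast line, the addresses and the local SID 1000001 are all constructed for the example.

```python
import re
from collections import Counter

# Constructed iptables LOG-target lines (not from the original post), in the
# shape syslog writes them: one dropped inbound packet each, arriving on eth1.
KERNEL_LOG = """\
May 16 09:12:01 fw kernel: FW-DROP IN=eth1 OUT= SRC=203.0.113.5 DST=192.168.100.1 LEN=48 TTL=112 ID=1 DF PROTO=TCP SPT=4567 DPT=135 WINDOW=65535 RES=0x00 SYN URGP=0
May 16 09:12:07 fw kernel: FW-DROP IN=eth1 OUT= SRC=198.51.100.77 DST=192.168.100.1 LEN=40 TTL=50 ID=2 PROTO=TCP SPT=51000 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
May 16 09:12:09 fw kernel: FW-DROP IN=eth1 OUT= SRC=203.0.113.5 DST=192.168.100.1 LEN=28 TTL=112 ID=3 PROTO=UDP SPT=1026 DPT=137 LEN=8
"""

# Constructed Snort alert_fast output. SID 1000001 is in the local-rule range;
# the rule message text is made up for this example.
SNORT_ALERTS = """\
05/16-09:12:07.412345  [**] [1:1000001:1] LOCAL inbound SSH SYN to firewall [**] [Priority: 3] {TCP} 198.51.100.77:51000 -> 192.168.100.1:22
"""

# iptables LOG fields: IN=iface ... SRC= DST= ... PROTO= [SPT= DPT=]
KERNEL_RE = re.compile(
    r"IN=(?P<iface>\S+) .*?SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) .*?"
    r"PROTO=(?P<proto>\w+)(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?"
)
# alert_fast tail: {PROTO} src:sport -> dst:dport
SNORT_RE = re.compile(
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<spt>\d+) -> (?P<dst>[\d.]+):(?P<dpt>\d+)"
)


def parse_kernel_drops(text, iface="eth1"):
    """Return (proto, src, dst, dport) for every LOG line that arrived on iface.
    Protocols without ports (ICMP) get dport None."""
    drops = []
    for line in text.splitlines():
        m = KERNEL_RE.search(line)
        if m and m.group("iface") == iface:
            drops.append((m.group("proto"), m.group("src"), m.group("dst"), m.group("dpt")))
    return drops


def parse_snort_alerts(text):
    """Return the set of (proto, src, dst, dport) flows Snort alerted on."""
    flows = set()
    for line in text.splitlines():
        m = SNORT_RE.search(line)
        if m:
            flows.add((m.group("proto"), m.group("src"), m.group("dst"), m.group("dpt")))
    return flows


def unexplained_drops(kernel_text, snort_text, iface="eth1"):
    """Dropped flows with no Snort alert for the same proto/src/dst/dport.
    Each one either matched no rule in the loaded ruleset or was never seen by
    Snort at all; the logs alone cannot tell those two cases apart."""
    alerted = parse_snort_alerts(snort_text)
    return [d for d in parse_kernel_drops(kernel_text, iface) if d not in alerted]


def ports_needing_rules(kernel_text, snort_text, iface="eth1"):
    """Unexplained drops counted per (proto, dport): the ports for which the
    ruleset has nothing that fires on this kind of inbound traffic."""
    return Counter(
        (proto, dpt) for proto, _, _, dpt in unexplained_drops(kernel_text, snort_text, iface)
    )


if __name__ == "__main__":
    for proto, src, dst, dpt in unexplained_drops(KERNEL_LOG, SNORT_ALERTS):
        print(f"blocked but not alerted: {proto} {src} -> {dst}:{dpt}")
    for (proto, dpt), n in ports_needing_rules(KERNEL_LOG, SNORT_ALERTS).most_common():
        print(f"{proto}/{dpt}: {n} drop(s) with no matching Snort rule")
```

Run against real files by replacing the two constructed strings with the contents of the kernel log and Snort's alert file. With the sample data the SSH probe on port 22 is accounted for by the local rule, while the drops on TCP/135 and UDP/137 appear in the "blocked but not alerted" list: exactly the situation described in the question, where the firewall reports activity the IDS says nothing about. Whether that is because no rule covers those ports or because Snort's capture never saw the packets is the second thing to check, as Tim says; start with the ruleset, since that is what the list points at.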


