From: Timothy.Lyonspredictive.com
Date: Sun May 27 2001 - 14:41:09 CDT

    Have you tested by attempting to run scans/exploits against your own box
    from an external source? If so, did Snort record the activity?

    --Tim

    "w1re p4ir" <w1rep4irdisinfo.net>
    05/26/2001 23:47

     
            To: focus-idssecurityfocus.com
            cc:
            Subject: Snort and IPChains

    I'll keep this short and sweet folks. I've noticed my machine at work
    running snort without ipchains gets, well, lots of attacks, which I expect.
    But what I don't understand is why my machine at home. Oh yeah, both RedHat
    7.0 (secured). Well anyways my machine at home is running IPCHAINS and
    snort. The snort rules are exactly the same. Yet I get no attacks on a
    cable modem. Something is wrong here, very very wrong. I'm on cable, I
    should be seeing 40x more attacks. So my question: Does the kernel
    intercept the packets first and discard them? Or is snort broken and being
    a pain? I got into a conversation with a co-worker and they said the
    ethernet card's in promisc mode and should intercept *. But yet, it is not?
    Any ideas???
    -wire
