Snort mailing list archives

ADSL with Border IDS config problem


From: "Mysq " <mysq () mail com>
Date: Thu, 28 Feb 2002 06:13:16 -0500

Hi All,

After reading all the info I can get my hands on, posting questions to the forum and talking on IRC, I still have not been able to solve this configuration problem. I hope you (this list) can help me. I will try and give as much information as I can...

The network configuration is as follows:


               Internet
                   |
               ADSL_Modem
                   |
Snort_IDS---------Hub1-----------2Nic_Firewall
                                     |
                                    Hub2
                                     |
                                Internal Net

(if the schema did not come out properly: the ADSL_Modem is connected to Hub1, and Hub2 is connected to the 2Nic_Firewall).

ADSL_Modem: 10.0.0.138/8
Snort_IDS: 10.200.1.5/8
2Nic_firewall: eth0: 10.200.1.1/8 (connected to Hub1)
2Nic_firewall: eth1: 192.168.1.1/24 (connected to Hub2)
Internal net: 192.168.1.0/24

The firewall initiates the connection to the internet through the ADSL_Modem and gets a public IP which is bound to ppp0.

From what I can tell, snort has been installed successfully, as it manages to see all traffic between the firewall and the ADSL_Modem (the traffic snort picks up seems to be masq, having only src and dest addresses of eth0 of the firewall and the IP of the ADSL_Modem).

The problem:
Snort doesn't log or alert on any attacks or portscans coming in from the internet (nmap using different options, and the site Shields Up, which port scans your IP and displays the results).
I checked that the actual installation works by connecting a machine to Hub1 and running a portscan - snort picked it up successfully. When a portscan is run from the internet against the firewall's public IP (ppp0), snort doesn't pick it up.


I have tried different combinations of HOME_NET and EXTERNAL_NET settings, but any ideas are welcome - I might have overlooked an option.

btw - I managed to get Snort to log ARP requests between the ADSL_Modem and eth0 on the firewall by using 10.200.1.1/32 as my HOME_NET - I don't know if that's right, but at least it's logging something....

If any other information is needed to find a solution to the problem, please say so and I will post it ASAP.

Any suggestions would be very much appreciated.
Thanks a lot.

Regards,
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
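As an added example that is not part of the original post, nor code from the Snort project: the poster sees only the firewall's eth0 address and the modem's address in the traffic on Hub1, while the firewall's public address lives on ppp0. That pattern is consistent with the modem link being a tunnel (PPPoE, or PPTP over GRE as some ADSL modems use). If so, an IDS decoder that does not look inside the tunnel matches HOME_NET/EXTERNAL_NET against the tunnel endpoints only, and a scan aimed at the public address never matches a rule. Whether that is the cause here, and which encapsulations the poster's Snort build decodes, is an assumption to check against that version's decoder. The script below classifies raw Ethernet frames (such as a libpcap tool would capture on the Snort box) and reports which addresses appear in the outermost IPv4 header versus only inside a PPPoE or GRE/PPTP tunnel. The sample frames are constructed; 203.0.113.7 (an Internet scanner), 198.51.100.20 (the firewall's ppp0 address) and 10.200.1.50 (a host on Hub1) are made-up documentation addresses.

```python
"""Added example: which IP addresses does a hub-attached IDS actually see,
outer (tunnel endpoints) versus inner (inside PPPoE or GRE/PPTP)?"""
import struct
from collections import Counter

ETHERTYPE_IPV4, ETHERTYPE_ARP = 0x0800, 0x0806
ETHERTYPE_PPPOE_DISC, ETHERTYPE_PPPOE_SESS = 0x8863, 0x8864
PPP_PROTO_IPV4 = 0x0021
GRE_PROTO_PPP = 0x880B          # PPTP carries PPP inside GRE (RFC 2637)
IPPROTO_GRE, IPPROTO_TCP = 47, 6


def parse_ipv4(buf):
    """Return (src, dst, proto, payload), or None if buf is not IPv4."""
    if len(buf) < 20 or buf[0] >> 4 != 4:
        return None
    ihl = (buf[0] & 0x0F) * 4
    if ihl < 20 or len(buf) < ihl:
        return None
    dotted = lambda raw: ".".join(str(b) for b in raw)
    return dotted(buf[12:16]), dotted(buf[16:20]), buf[9], buf[ihl:]


def parse_ppp(buf):
    """Skip an optional 0xFF03 address/control field; return (protocol, payload).
    A one-byte (odd) first byte is a compressed PPP protocol field."""
    if buf[:2] == b"\xff\x03":
        buf = buf[2:]
    if not buf:
        return None, b""
    if buf[0] & 1:
        return buf[0], buf[1:]
    return (struct.unpack("!H", buf[:2])[0], buf[2:]) if len(buf) >= 2 else (None, b"")


def gre_payload(buf):
    """Return (protocol, payload) after the optional GRE fields: C/R add
    checksum+offset, K a key, S a sequence; PPTP's enhanced GRE adds A (0x0080)."""
    if len(buf) < 4:
        return None, b""
    flags, proto = struct.unpack("!HH", buf[:4])
    off = 4 + 4 * bool(flags & 0xC000) + 4 * bool(flags & 0x2000)
    off += 4 * bool(flags & 0x1000) + 4 * bool(flags & 0x0080)
    return proto, buf[off:]


def classify_frame(frame):
    """Describe one Ethernet frame: kind, outer IPv4 (src, dst) and, when the
    packet is tunnelled, the inner IPv4 (src, dst)."""
    if len(frame) < 14:
        return {"kind": "short"}
    etype, body = struct.unpack("!H", frame[12:14])[0], frame[14:]
    if etype == ETHERTYPE_ARP:
        return {"kind": "arp"}
    if etype == ETHERTYPE_PPPOE_DISC:
        return {"kind": "pppoe-discovery"}
    if etype == ETHERTYPE_PPPOE_SESS:          # 6-byte PPPoE header, then PPP
        proto, ppp = parse_ppp(body[6:])
        ip = parse_ipv4(ppp) if proto == PPP_PROTO_IPV4 else None
        return {"kind": "pppoe-session", "outer": None, "inner": ip[:2] if ip else None}
    if etype != ETHERTYPE_IPV4:
        return {"kind": "other", "ethertype": etype}
    ip = parse_ipv4(body)
    if ip is None:
        return {"kind": "bad-ipv4"}
    src, dst, proto, rest = ip
    if proto != IPPROTO_GRE:
        return {"kind": "ipv4", "outer": (src, dst), "inner": None}
    gproto, payload = gre_payload(rest)
    inner = None
    if gproto == ETHERTYPE_IPV4:
        inner = parse_ipv4(payload)
    elif gproto == GRE_PROTO_PPP:
        pproto, ppp = parse_ppp(payload)
        inner = parse_ipv4(ppp) if pproto == PPP_PROTO_IPV4 else None
    return {"kind": "gre", "outer": (src, dst), "inner": inner[:2] if inner else None}


def summarize(frames):
    """Addresses an IDS can match without tunnel decoding (outer) versus the
    ones hidden inside tunnels (inner), plus a per-kind frame count."""
    kinds, outer, inner = Counter(), set(), set()
    for info in map(classify_frame, frames):
        kinds[info["kind"]] += 1
        outer.update(info.get("outer") or ())
        inner.update(info.get("inner") or ())
    return {"kinds": kinds, "outer_ips": outer, "inner_ips": inner}


# --- constructed sample frames (not captured traffic) -----------------------
def eth(etype, payload):
    return b"\x00\x66\x77\x88\x99\xaa" + b"\x00\x11\x22\x33\x44\x55" + struct.pack("!H", etype) + payload

def ipv4(src, dst, proto, payload):                # checksum left 0; not verified here
    addr = lambda a: bytes(int(x) for x in a.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, addr(src), addr(dst)) + payload

def tcp_syn(sport, dport):
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 8192, 0, 0)

SCANNER, PUBLIC_IP = "203.0.113.7", "198.51.100.20"      # hypothetical scanner, ppp0
MODEM, FW_ETH0, LAN_HOST = "10.0.0.138", "10.200.1.1", "10.200.1.50"
PROBE = ipv4(SCANNER, PUBLIC_IP, IPPROTO_TCP, tcp_syn(40000, 139))
# PPTP-style GRE v1 with K and S set: key(4) + seq(4), then PPP (ff03 0021) + IP
GRE_HDR = struct.pack("!HHHHI", 0x3001, GRE_PROTO_PPP, len(PROBE) + 4, 1, 7)
FRAME_PPTP = eth(ETHERTYPE_IPV4, ipv4(MODEM, FW_ETH0, IPPROTO_GRE, GRE_HDR + b"\xff\x03\x00\x21" + PROBE))
PPP = b"\x00\x21" + PROBE
FRAME_PPPOE = eth(ETHERTYPE_PPPOE_SESS, struct.pack("!BBHH", 0x11, 0, 1, len(PPP)) + PPP)
FRAME_LAN_SCAN = eth(ETHERTYPE_IPV4, ipv4(LAN_HOST, FW_ETH0, IPPROTO_TCP, tcp_syn(40001, 22)))
FRAME_ARP = eth(ETHERTYPE_ARP, b"\x00\x01\x08\x00\x06\x04\x00\x01" + bytes(20))
SAMPLE_FRAMES = [FRAME_ARP, FRAME_PPTP, FRAME_PPPOE, FRAME_LAN_SCAN]

if __name__ == "__main__":
    s = summarize(SAMPLE_FRAMES)
    print("frame kinds:", dict(s["kinds"]))
    print("addresses in outermost IPv4 headers:", sorted(s["outer_ips"]))
    print("addresses seen only inside tunnels:", sorted(s["inner_ips"] - s["outer_ips"]))
```

Run against the constructed frames, the scan from the Hub1 host shows up with its real addresses in the outer header, while the Internet probe aimed at the ppp0 address appears only inside the GRE and PPPoE payloads; if a real capture on Hub1 looks like that, a HOME_NET of 10.200.1.1/32 (or any value) can only ever match the tunnel endpoints, and the fix is either to decode the encapsulation or to place the sensor where the traffic is already de-tunnelled (for instance on ppp0 or the internal side).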