Snort mailing list archives
ADSL with Border IDS config problem
From: "Mysq " <mysq () mail com>
Date: Thu, 28 Feb 2002 06:13:16 -0500
Hi All,

After reading all the info I can get my hands on, posting questions to the forum and talking on IRC, I still have not been able to solve this configuration problem. I hope you (this list) can help me. I will try and give as much information as I can...

The network configuration is as follows:

                   Internet
                      |
                  ADSL_Modem
                      |
    Snort_IDS--------Hub1-----------2Nic_Firewall
                                         |
                                        Hub2
                                         |
                                    Internal Net

(If the schema did not come out properly, the ADSL_Modem is connected to Hub1, Hub2 is connected to the 2Nic_Firewall.)

    ADSL_Modem: 10.0.0.138/8
    Snort_IDS: 10.200.1.5/8
    2Nic_firewall: eth0: 10.200.1.1/8 (connected to Hub1)
    2Nic_firewall: eth1: 192.168.1.1/24 (connected to Hub2)
    Internal net: 192.168.1.0/24

The firewall initiates the connection to the internet through the ADSL_Modem and gets a public IP which is bound to ppp0.

From what I can tell, snort has been installed successfully, as it manages to see all traffic between the firewall and the ADSL_Modem. (The traffic snort picks up seems to be masq, having only src and dest addresses of eth0 of the firewall and the IP of the ADSL_modem.)

The problem: Snort doesn't log or alert to any attacks or portscans coming in from the internet (nmap using different options, and the site Shields Up, which port scans your IP and displays results).

I checked to see if the actual installation works by connecting a machine to Hub1 and running a portscan - snort picked it up successfully. When a portscan is run from the internet on the firewall public IP (ppp0) - snort doesn't pick it up.

I have tried different combinations of HOME_NET and EXTERNAL_NET settings, but any ideas are welcome - I might have overlooked an option.

btw - I managed to get Snort to log ARP requests between the ADSL_MODEM and eth0 on the Firewall by using 10.200.1.1/32 as my HOME_NET - I don't know if that's right but at least it's logging something....

If any other information is needed to find a solution to the problem, please say so and I will post it ASAP. Any suggestions would be very much appreciated.

Thanks a lot.

Regards,
Current thread:
- ADSL with Border IDS config problem Mysq (Feb 28)
- Re: ADSL with Border IDS config problem Erek Adams (Feb 28)