On Fri, May 16, 2003 at 09:49:32AM +0200, [EMAIL PROTECTED] wrote:
> Hi all,
>
> I just installed Snort IDS on my firewall Debian box which is so configured:
>
> eth0 10.0.0.1 (serves internal LAN)
> eth1 192.168.100.1 (directly connected to an ADSL modem auto-connecting to the
> provider with IP 192.168.100.2)
>
> I run snort on eth1 NOT in promiscuous mode and I send periodic email reports
> to me.
>
> The problem is that I receive messages from the kernel (firewall) indicating some
> "action" blocked from the internet, but snort never shows up anything in its
> reports.
>
> Could someone tell me if I misconfigured the system and, please, a possible right
> configuration ?

That would all depend on how you have Snort configured (ruleset) and what the actual kernel messages say. Just because you block an unwanted connection to a certain port doesn't mean the connection attempt matched a rule. Also, if it was blocked by the kernel, snort may have never seen it, since you are not in promisc. mode, IIRC.

Tim

--
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>><<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
>> Tim Sailer (at home) >< Coastal Internet, Inc. <<
>> Network and Systems Operations >< PO Box 726 <<
>> http://www.buoy.com >< Moriches, NY 11955 <<
>> [EMAIL PROTECTED]/[EMAIL PROTECTED] >< (631)399-2910 (888) 924-3728 >> <<
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>><<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<

