The invisible work of system Snort!

[Guest]

[andriser]

Somehow, Snort does not fix the log-files attacks, port scanning and intrusion for at least RED-interface (external IP)!
Neither the log nor in the web-interface ... Log-file "/var/log/snort/alert" is completely empty! This is the GUI or the Console to configure? In the rare times the log recorded the attack, but only those that are inside ...

While all of this Snort detects and prevents at least a port scannig, when applied to your gateway to the following commands from the external network:

nmap xx.xx.xx.xx
nmap -A -T5 -PN xx.xx.xx.xx
sudo nmap -O xx.xx.xx.xx
nmap -sV -PN xx.xx.xx.xx
nmap -A xx.xx.xx.xx
sudo nmap -sS -p- -PS80,22 -n -T4 -vvv --reason xx.xx.xx.xx
nmap -sV -PN -p80 xx.xx.xx.xx

[andriser]

Got to work IPS and IDS-system Snort, adding the sensor to the external IP of Endian-gateway. That is, now two sensors are configured - one on the surveillance of the local, the other for external interfaces.

The contents of the file "/etc/snort/vars.tmpl":

"var HOME_NET [$HOME_NET,xx.xx.xx.xx]
var DNS_SERVERS [$DNS_SERVERS]"

, where xx.xx.xx.xx - external IP of my Endian Firewall