Yep, I configured IPCop for SSH from my local network, or my work network - any other IP addresses are denied.

I was able to resolve the problem - it appears to be partially caused by my ongoing arp issues. Trying the scp from the IPCop box to the server set up a weird situation where the server then could not access anything outside the network. Clearing the arp cache on the server didn't fix it, so I just did a restart on the IPCop box, and all was fine (was quicker than getting in to clear the arp cache on the firewall).

So, the command I ended up with was:

scp -P 222 [EMAIL PROTECTED]:/var/log/snort/alert /root/snort_logs/

And then I scripted this to grab the snort logs every night (had to set up a DSA key to allow the script to run without prompting for a password).

Thanks to all who helped.

Shawn

-----Original Message-----
From: Kevin Anderson [mailto:[EMAIL PROTECTED]
Sent: Monday, November 03, 2003 8:29 AM
To: [EMAIL PROTECTED]
Subject: Re: (clug-talk) SnortSnarf for IPCop on a different computer?

By default, SSH isn't running on IPCop. Can you connect with PuTTY?

Kev.

----- Original Message -----
From: "Shawn" <[EMAIL PROTECTED]>
To: "CLUG (E-mail)" <[EMAIL PROTECTED]>
Sent: Sunday, November 02, 2003 2:20 PM
Subject: (clug-talk) SnortSnarf for IPCop on a different computer?

> I've been playing with Snort on my server over the past week. The downside
> is that I can't really tell how well it's working because my IPCop firewall
> is blocking everything. This is a good thing! But, I'd like to try running
> SnortSnarf to report the attacks on my system. I just tried to export the
> intrusion detection logs from IPCop, but I don't think they export to a
> format compatible with snort.
>
> So, I'm looking for ideas on how to get the snort log files on the IPCop box
> moved to my server automatically (and periodically through cron), so I can
> run SnortSnarf against them. The server doesn't have FTP configured, nor
> does the IPCop firewall. Both have SSH configured, but I haven't been too
> successful at doing an ssh session to the firewall from the server (just
> tried, with port 22 and 222).
>
> Any thoughts or suggestions? Thanks.
>
> Shawn
