[Snort-users] Iptables Prerouting chain

Erek Adams erek at ...577...
Wed Nov 14 23:13:02 EST 2001


On Wed, 14 Nov 2001, Madhav Diwan wrote:

> Does Snort work on packets before or after the prerouting chain in
> IPtables?
>
> in other words what address should i use : the SNAT the DNAt or the Masq
> .
>  for the HOME ip scheme so that i dont cause myself miscief in the form
> of huge alert logs?

Snort works at the same level as libpcap.  Since I've not worked with
IPTables, I don't know where that actually 'sits' in respect.  (Anyone?)

Check the Snort FAQ out.  Especially #4.3

http://www.snort.org/docs/faq.html#4.3

> what about postrouting : will it have any affect on the IDS at all if i
> sniff on the local lan interface as well as on the outside interface at
> the same time?

Well...  RTFF (Read The Friendly FAQ)  ;-)

http://www.snort.org/docs/faq.html#2.3

Consider what you want to watch.  That will let you know where you want to
place the sensor, or want to monitor.  If you place it "inside" your net
(behind the firewall), then you are only concerned with what "gets through"
the firewall, IMHO.  Your firewall should log/alert you on what doesn't...

Cheers!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net





More information about the Snort-users mailing list