[Snort-users] Iptables Prerouting chain

neal ntimm at ...1964...
Thu Nov 15 12:23:05 EST 2001

Short will pick up stuff if you have it in the prerouting chain as I use
iptables and had vnc running behind firewall and snort would log all my
vnc connections.

-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Erek Adams
Sent: Thursday, November 15, 2001 1:13 AM
To: Madhav Diwan
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Iptables Prerouting chain

On Wed, 14 Nov 2001, Madhav Diwan wrote:

> Does Snort work on packets before or after the prerouting chain in 
> IPtables?
> in other words what address should i use : the SNAT the DNAt or the 
> Masq .  for the HOME ip scheme so that i dont cause myself miscief in 
> the form of huge alert logs?

Snort works at the same level as libpcap.  Since I've not worked with
IPTables, I don't know where that actually 'sits' in respect.  (Anyone?)

Check the Snort FAQ out.  Especially #4.3


> what about postrouting : will it have any affect on the IDS at all if 
> i sniff on the local lan interface as well as on the outside interface

> at the same time?

Well...  RTFF (Read The Friendly FAQ)  ;-)


Consider what you want to watch.  That will let you know where you want
to place the sensor, or want to monitor.  If you place it "inside" your
net (behind the firewall), then you are only concerned with what "gets
through" the firewall, IMHO.  Your firewall should log/alert you on what


Erek Adams

Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
Snort-users list archive:

More information about the Snort-users mailing list