[Snort-users] Configuration issue, Part II

John Sage jsage at ...2022...
Mon Sep 24 06:55:04 EDT 2001

I've just posted in this thread to this issue (firewall affecting 
snort..) and just as I clicked "send" I realized the answer to my 
earlier post (maybe..) and realized that the FAQ may not be entirely 
clear on this issue.

Q: Snort is behind a firewall (ipf/pf/ipchains/ipfilter) and awfully 

A: Your firewall rules will also block traffic to the snort processes.

Just as I clicked "send" it dawned on me that this is refering to a 
configuration where snort is on a *separate* box behind the firewall.

I'm running both snort 1.8.1-RELEASE in -b binary mode, logging 
everything, and ipchains on the *same* box, and I can tell you that 
snort sees everything ipchains does.

Maybe this needs to be re-written:

Q: Snort is behind a firewall (ipf/pf/ipchains/ipfilter) on a separate 
box and is awfully quiet...

- John

John Sage
FinchHaven, Vashon Island, WA, USA
mailto:jsage at ...2022...
"The web is so, like, five minutes ago..."

Greg Sarsons wrote:

> Erek Adams wrote:
> ?> 
>>Basically, snort sits 'behind' the ipchains and ipf programs.  They see the
>>packets before snort does.  If you've got things setup to drop/deny packets
>>that you are expecting to see with snort, then you won't.
>>>who, but all traffic passes across this machine.  All the interfaces
>>>have been put into PROMISC mode (as I believed snort needed this).
>>>It's placement on this machine would make me think it can see everything
>>>that goes in and out of the network.
> ?
> Okay I've got snort running collecting a big binary dump file and not
> doing anything else but it is on a machine running iptables (the dump
> file will be looked at latter on another machine).  So is it the case
> that much of the traffic will be killed by iptables even if snort is
> running in promiscuous mode?  Does that mean that I have to take down my
> iptables firewall to collect everything?
> Greg

More information about the Snort-users mailing list