[Snort-users] Configuration issue, Part II

John Sage jsage at ...2022...
Mon Sep 24 06:55:04 EDT 2001


I've just posted in this thread to this issue (firewall affecting 
snort..) and just as I clicked "send" I realized the answer to my 
earlier post (maybe..) and realized that the FAQ may not be entirely 
clear on this issue.

<snip>
Q: Snort is behind a firewall (ipf/pf/ipchains/ipfilter) and awfully 
quiet...

A: Your firewall rules will also block traffic to the snort processes.
<snip>

Just as I clicked "send" it dawned on me that this is referring to a 
configuration where snort is on a *separate* box behind the firewall.

I'm running both snort 1.8.1-RELEASE in -b binary mode, logging 
everything, and ipchains on the *same* box, and I can tell you that 
snort sees everything ipchains does.

Maybe this needs to be re-written:

Q: Snort is behind a firewall (ipf/pf/ipchains/ipfilter) on a separate 
box and is awfully quiet...


- John

-- 
John Sage
FinchHaven, Vashon Island, WA, USA
http://www.finchhaven.com/
mailto:jsage at ...2022...
"The web is so, like, five minutes ago..."


Greg Sarsons wrote:

> Erek Adams wrote:
> 
>>http://snort.sourcefire.com/docs/faq.html#4.3
>>
>>Basically, snort sits 'behind' the ipchains and ipf programs.  They see the
>>packets before snort does.  If you've got things set up to drop/deny packets
>>that you are expecting to see with snort, then you won't.
>>
>>
>>>who, but all traffic passes across this machine.  All the interfaces
>>>have been put into PROMISC mode (as I believed snort needed this).
>>>Its placement on this machine would make me think it can see everything
>>>that goes in and out of the network.
>>>
> 
> Okay I've got snort running collecting a big binary dump file and not
> doing anything else but it is on a machine running iptables (the dump
> file will be looked at later on another machine).  So is it the case
> that much of the traffic will be killed by iptables even if snort is
> running in promiscuous mode?  Does that mean that I have to take down my
> iptables firewall to collect everything?
> 
> Greg
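One way to settle the question in this thread for your own box is to look at the binary dump itself. The following is an added example, not code from the thread or from Snort: a small Python reader for the tcpdump-format file that `snort -b` writes, tallying IPv4 TCP/UDP destination ports so the result can be compared against what ipchains/iptables logged as denied. The capture bytes here are constructed inline as a stand-in for a real dump file; the frame builder and file name are assumptions.

```python
import struct
from collections import Counter

# Builds a constructed Ethernet/IPv4/TCP-or-UDP frame (sample data only;
# checksums are left zero, which is enough for parsing).
def build_ipv4_frame(proto, src, dst, sport, dport):
    eth = b"\x00" * 12 + b"\x08\x00"                       # zero MACs, EtherType IPv4
    l4 = struct.pack("!HH", sport, dport) + (b"\x00" * 16 if proto == 6 else b"\x00" * 4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return eth + ip + l4

# Wraps frames in a libpcap global header (little-endian, DLT_EN10MB) plus
# one record header per packet, which is the layout of a snort -b dump.
def build_pcap(frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1001300000 + i, 0, len(f), len(f)) + f
    return out

# Walks a pcap byte string and returns Counter of (proto, dst_port) for
# every IPv4 TCP/UDP packet; non-IPv4 frames are skipped.
def tally_dst_ports(pcap_bytes):
    magic, = struct.unpack_from("<I", pcap_bytes, 0)
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:                            # file written big-endian
        endian = ">"
    else:
        raise ValueError("not a libpcap/tcpdump-format file")
    linktype, = struct.unpack_from(endian + "I", pcap_bytes, 20)
    if linktype != 1:
        raise ValueError("only Ethernet (DLT_EN10MB) dumps handled here")
    counts, off = Counter(), 24
    while off + 16 <= len(pcap_bytes):
        _, _, incl, _ = struct.unpack_from(endian + "IIII", pcap_bytes, off)
        frame = pcap_bytes[off + 16: off + 16 + incl]
        off += 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue
        ihl = (frame[14] & 0x0F) * 4                     # IPv4 header length in bytes
        proto, l4 = frame[23], frame[14 + ihl:]
        if proto in (6, 17) and len(l4) >= 4:
            counts[("tcp" if proto == 6 else "udp", struct.unpack("!H", l4[2:4])[0])] += 1
    return counts

# Constructed sample: two SSH attempts and one HTTP request from outside,
# plus one DNS query, as a stand-in for reading open("snort.log", "rb").read().
SAMPLE_PCAP = build_pcap([
    build_ipv4_frame(6, "203.0.113.5", "192.0.2.10", 40001, 22),
    build_ipv4_frame(6, "203.0.113.5", "192.0.2.10", 40002, 22),
    build_ipv4_frame(6, "203.0.113.7", "192.0.2.10", 40003, 80),
    build_ipv4_frame(17, "192.0.2.10", "192.0.2.1", 5353, 53),
])

def sample_tally():
    return tally_dst_ports(SAMPLE_PCAP)
```

If packets your firewall rules deny (for instance inbound port 22 above) show up in the tally, the capture is happening before the filter, as John reports for ipchains.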