[Snort-users] Configuration issue, Part II
jsage at ...2022...
Mon Sep 24 06:55:04 EDT 2001
I've just posted in this thread to this issue (firewall affecting
snort..) and just as I clicked "send" I realized the answer to my
earlier post (maybe..) and realized that the FAQ may not be entirely
clear on this issue.
Q: Snort is behind a firewall (ipf/pf/ipchains/ipfilter) and awfully
A: Your firewall rules will also block traffic to the snort processes.
Just as I clicked "send" it dawned on me that this is referring to a
configuration where snort is on a *separate* box behind the firewall.
I'm running both snort 1.8.1-RELEASE in -b binary mode, logging
everything, and ipchains on the *same* box, and I can tell you that
snort sees everything ipchains does.
Maybe this needs to be re-written:
Q: Snort is behind a firewall (ipf/pf/ipchains/ipfilter) on a separate
box and is awfully quiet...
FinchHaven, Vashon Island, WA, USA
mailto:jsage at ...2022...
"The web is so, like, five minutes ago..."
Greg Sarsons wrote:
> Erek Adams wrote:
>>Basically, snort sits 'behind' the ipchains and ipf programs. They see the
>>packets before snort does. If you've got things set up to drop/deny packets
>>that you are expecting to see with snort, then you won't.
>>>who, but all traffic passes across this machine. All the interfaces
>>>have been put into PROMISC mode (as I believed snort needed this).
>>>It's placement on this machine would make me think it can see everything
>>>that goes in and out of the network.
> Okay I've got snort running collecting a big binary dump file and not
> doing anything else but it is on a machine running iptables (the dump
> file will be looked at later on another machine). So is it the case
> that much of the traffic will be killed by iptables even if snort is
> running in promiscuous mode? Does that mean that I have to take down my
> iptables firewall to collect everything?
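As an added example (not code from this thread or from the Snort project): a snort -b dump is in tcpdump/pcap format, so one way to settle the question is to read the dump and list which TCP destination ports actually appear in it, then compare that against the ports your same-host ipchains/iptables rules drop. The script builds a small constructed pcap in memory rather than reading a real capture, and the dropped-port set is a hypothetical assumption.

```python
import struct
from collections import Counter

def build_pcap(packets):
    """Serialise constructed (timestamp, frame) pairs into little-endian pcap bytes."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    recs = [struct.pack("<IIII", ts, 0, len(f), len(f)) + f for ts, f in packets]
    return hdr + b"".join(recs)

def tcp_syn_frame(src, dst, sport, dport):
    """Constructed Ethernet/IPv4/TCP SYN; dummy MACs, checksums left zero."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 8192, 0, 0)
    return eth + ip + tcp

def tcp_dst_ports(pcap):
    """Walk a pcap (either byte order) and count TCP destination ports seen."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}[pcap[:4]]
    ports, off = Counter(), 24
    while off + 16 <= len(pcap):
        _, _, incl, _ = struct.unpack_from(endian + "IIII", pcap, off)
        frame = pcap[off + 16: off + 16 + incl]
        off += 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # not IPv4 over Ethernet
            continue
        ihl = (frame[14] & 0x0F) * 4
        if frame[23] != 6 or len(frame) < 14 + ihl + 4:      # not TCP, or truncated
            continue
        ports[struct.unpack_from("!H", frame, 14 + ihl + 2)[0]] += 1
    return ports

def dropped_but_captured(pcap, dropped_ports):
    """Destination ports the host firewall drops that nevertheless appear in the dump."""
    return {p: n for p, n in tcp_dst_ports(pcap).items() if p in dropped_ports}

# Constructed sample dump: SYNs to ports 23, 23, 135 and 80. Assume (hypothetically)
# that the same host has ipchains/iptables DROP rules for destination ports 23 and 135.
SAMPLE = build_pcap([
    (1001, tcp_syn_frame("10.0.0.5", "10.0.0.1", 40000, 23)),
    (1002, tcp_syn_frame("10.0.0.6", "10.0.0.1", 40001, 23)),
    (1003, tcp_syn_frame("10.0.0.7", "10.0.0.1", 40002, 135)),
    (1004, tcp_syn_frame("10.0.0.8", "10.0.0.1", 40003, 80)),
])
DROPPED = {23, 135}

if __name__ == "__main__":
    print(dropped_but_captured(SAMPLE, DROPPED))  # {23: 2, 135: 1}
```

If the ports your rules drop show up in the dump, the capture is taken ahead of the firewall and the rules do not need to come down for collection; if they never appear, the capture point is behind the filter.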