[Snort-users] Snort Behind IPtables, contradicting evidence...

JSeddon at ...2969... JSeddon at ...2969...
Thu Sep 27 08:54:05 EDT 2001

Honorable Oinkers,

     I fretted a long time before I sent this because I know it's been
discussed many times and we are all very busy.  However, I wanted to bring
it up because either I am missing or misreading something or the evidence I
have seen does not support the consensus reached on this list.  I'm running
snort on my firewall and have questions about whether snort will see
traffic that iptables is configured to block.

     The question is, "If you run snort on a box with iptables
blocking/filtering stuff, will snort see/process all the traffic?".  I
gleaned over the archives and it seems the consensus of the list was that
"yes, snort will see the traffic".  One reason given was that the packet
capture library takes packets and passes them to snort before the normal
tcp stack processing.  So, iptables doesn't get a chance to see it.  There
were also several people who said they were running snort on iptables
firewalls and it was working fine.

     However, I wasn't seeing the waves of Code Red traffic (or nimda for
that matter).  I thought that perhaps my ISP was filtering the Code Red
Traffic.  Just for kicks, I flushed my iptables chains.  BAM!  Snort
starting alerting on all kinds of Code Red traffic.  Ran rc.firewall again,
no snort alerts.  Hmmm..I said, maybe a coinky dink....Flushed again, waves
of code red alerts....put the rules back in the chains....No alerts...I
decided to let it go a day...sure enough, no rules in chains and snort sees
the traffic, put the rules back in the chains and snort doesn't.

     This seems to contradict the conclusion I got from the list archives.
It seems that iptables is processing traffic before snort gets a chance to
see it.  Snort is putting the NIC in promiscuous mode.  But it doesn't see
traffic iptables is configured to block unless I flush the IPtables rules.
Is something misconfigured with snort for me?  Did I draw the wrong
conclusion from the list?

Architecture: x86
OS: RedHat 7.1
Rules: Snort.org standard rules
Command Line: snort -c /etc/snort/snort.conf -d -D -h myfirewall.ext.ip/32
-i eth0
Other: It is a ClarkConnect box (www.clarkconnect.org, pretty neat toy

Oinker (still a Piglet) James

More information about the Snort-users mailing list