[Snort-users] Snort Behind IPtables, contradicting evidence...
jsage at ...2022...
Thu Sep 27 19:45:02 EDT 2001
As far as my recent involvement with this issue goes, let me restate that my
experience has been with ip*chains*...
ipchains and snort, same box, each sees what it's supposed to see,
depending on the rules each is given to work with.
FinchHaven, Vashon Island, WA, USA
mailto:jsage at ...2022...
And remember: it's spelled l-i-n-u-x, but it's pronounced "Linux"
JSeddon at ...2969... wrote:
> Honorable Oinkers,
> I fretted a long time before I sent this because I know it's been
> discussed many times and we are all very busy. However, I wanted to bring
> it up because either I am missing or misreading something or the evidence I
> have seen does not support the consensus reached on this list. I'm running
> snort on my firewall and have questions about whether snort will see
> traffic that iptables is configured to block.
> The question is, "If you run snort on a box with iptables
> blocking/filtering stuff, will snort see/process all the traffic?". I
> glanced over the archives and it seems the consensus of the list was that
> "yes, snort will see the traffic". One reason given was that the packet
> capture library takes packets and passes them to snort before the normal
> tcp stack processing. So, iptables doesn't get a chance to see it. There
> were also several people who said they were running snort on iptables
> firewalls and it was working fine.
> However, I wasn't seeing the waves of Code Red traffic (or nimda for
> that matter). I thought that perhaps my ISP was filtering the Code Red
> Traffic. Just for kicks, I flushed my iptables chains. BAM! Snort
> started alerting on all kinds of Code Red traffic. Ran rc.firewall again,
> no snort alerts. Hmmm... I said, maybe a coinky dink... Flushed again, waves
> of Code Red alerts... put the rules back in the chains... No alerts... I
> decided to let it go a day... sure enough, no rules in chains and snort sees
> the traffic; put the rules back in the chains and snort doesn't.
> This seems to contradict the conclusion I got from the list archives.
> It seems that iptables is processing traffic before snort gets a chance to
> see it. Snort is putting the NIC in promiscuous mode. But it doesn't see
> traffic iptables is configured to block unless I flush the IPtables rules.
> Is something misconfigured with snort for me? Did I draw the wrong
> conclusion from the list?
> Architecture: x86
> OS: RedHat 7.1
> Rules: Snort.org standard rules
> Command Line: snort -c /etc/snort/snort.conf -d -D -h myfirewall.ext.ip/32 -i eth0
> Other: It is a ClarkConnect box (www.clarkconnect.org, pretty neat toy)
> Oinker (still a Piglet) James