[Snort-users] snort & iptables
michael.boman at ...4162...
Thu Dec 19 13:46:07 EST 2002
I beg to differ:
root # iptables-save
[ ... ]
-A INPUT -i bond0 -j DROP
[ ... ]
root # tcpdump -i bond0 -n | head -n 10
tcpdump: WARNING: bond0: no IPv4 address assigned
tcpdump: listening on bond0
21:35:14.166486 a.a.a.a.32771 > b.b.b.b.80: P 4075192145:4075192269(124) ack 228300336 win 63712 <nop,nop,timestamp 3111266 2982409305> (DF) [tos 0x2,ECT(0)]
21:35:14.169396 c.c.c.c.47427 > d.d.d.d.25: . ack 3577127110 win 32829 (DF)
21:35:14.170558 e.e.e.e.4662 > f.f.f.f.65180: P 3132372856:3132372880(24) ack 1676293902 win 17240 (DF)
21:35:14.171502 g.g.g.g.2609 > h.h.h.h.1525: . 1563131911:1563133371(1460) ack 4254965276 win 17112 (DF)
21:35:14.171751 i.i.i.i > j.j.j.j: icmp: 192.168.1.6 udp port 4156 unreachable [tos 0xc0]
21:35:14.172030 k.k.k.k.4662 > f.f.f.f.64685: . 2140710545:2140712005(1460) ack 1274000279 win 16511 (DF)
21:35:14.176884 l.l.l.l.80 > f.f.f.f.65238: S 1471187206:1471187206(0) ack 1682762100 win 17520 <mss 1460,nop,nop,sackOK> (DF)
21:35:14.177382 c.c.c.c.47427 > d.d.d.d.25: P 0:6(6) ack 1 win 32850 (DF)
21:35:14.180303 m.m.m.m.161 > n.n.n.n.1055: C=public GetResponse(33) .188.8.131.52.184.108.40.206.0=361957300 [|snmp]
21:35:14.185509 o.o.o.o.6346 > p.p.p.p.55064: . ack 3979290537 win 33580 (DF)
As both Snort and TCPDump use libpcap, they should see the same thing.
( This is on a Linux 2.4.19 machine using IPTables 1.2.7a and Snort 1.9-cvs )
On Wed, Dec 18, 2002 at 12:55:40PM -0800, Jacob Redding wrote:
> I think the question is asking what application gets the packets first
> Snort or IPTables.
> Since iptables works with the kernel, and they are dropped by the
> kernel, iptables is first. All packets that make it past iptables are then
> passed to applications (I'm not talking layers, just an analogy), in this
> case snort.
> At least I'm 99.99% sure that iptables comes first, but I've been wrong
> in the past.
> So in short. Iptables --> Snort
> On Wed, 18 Dec 2002, twig les wrote:
> > Packet analyzing can be done if you let zero packets
> > thru your host firewall, whichever one you want to
> > use. Unless you have connected the two features thru
> > Guardian or something they don't have any direct
> > relationship that pops into my head.
> > --- Eduard San Anselmo Mateu
> > <esananselmo at ...6002...> wrote:
> > >
> > > Hello everyone,
> > > I'm using snort+iptables on the same box, and I have
> > > one question for you: what
> > > comes first, packet analyzing (snort) or packet
> > > filtering (iptables)?
> > > Thanks in advance
Security Architect, SecureCiRT (A SBU of Z-Vance Pte Ltd)
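To make the ordering shown above concrete, here is an added example (not code from this thread or from Snort) that parses tcpdump 3.x-style lines like the ones Michael pasted and walks each packet through a constructed first-match INPUT chain: every packet counts as captured, because libpcap taps the interface before netfilter sees it, while only packets the chain accepts count as passed. The Packet class, the rule tuple format and the guess that a non-ICMP line is TCP unless its summary starts with "udp" are assumptions of this example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the tcpdump 3.x line format from the post
# (hosts anonymised as letters, as in the original).
CAPTURE = """\
21:35:14.166486 a.a.a.a.32771 > b.b.b.b.80: P 4075192145:4075192269(124) ack 228300336 win 63712 <nop,nop,timestamp 3111266 2982409305> (DF)
21:35:14.169396 c.c.c.c.47427 > d.d.d.d.25: . ack 3577127110 win 32829 (DF)
21:35:14.171751 i.i.i.i > j.j.j.j: icmp: 192.168.1.6 udp port 4156 unreachable [tos 0xc0]
21:35:14.176884 l.l.l.l.80 > f.f.f.f.65238: S 1471187206:1471187206(0) ack 1682762100 win 17520 (DF)
"""

LINE = re.compile(r"^(\S+) (\S+) > (\S+): (.*)$")

@dataclass
class Packet:
    ts: str
    src: str
    dst: str
    proto: str              # "tcp", "udp" or "icmp"
    dport: Optional[int]    # None for ICMP

def parse_line(line):
    """Parse one old-style tcpdump line; None if the line is not a packet."""
    m = LINE.match(line)
    if not m:
        return None
    ts, src, dst, summary = m.groups()
    if summary.startswith("icmp:"):
        return Packet(ts, src, dst, "icmp", None)
    shost, _, _ = src.rpartition(".")      # host.port: port is the last component
    dhost, _, dport = dst.rpartition(".")
    proto = "udp" if summary.startswith("udp") else "tcp"   # assumption, see lead-in
    return Packet(ts, shost, dhost, proto, int(dport))

def input_verdict(pkt, iface, rules):
    """First-match walk of a constructed INPUT chain with policy ACCEPT.
    A rule is (in_iface or None, proto or None, dport or None, target)."""
    for r_if, r_proto, r_port, target in rules:
        if r_if in (None, iface) and r_proto in (None, pkt.proto) \
                and r_port in (None, pkt.dport):
            return target
    return "ACCEPT"

def compare(text, iface, rules):
    """(packets libpcap sees, packets the INPUT chain lets through)."""
    pkts = [p for p in (parse_line(l) for l in text.splitlines()) if p]
    seen_by_pcap = len(pkts)   # pcap copies the frame before netfilter runs
    passed = sum(input_verdict(p, iface, rules) == "ACCEPT" for p in pkts)
    return seen_by_pcap, passed

if __name__ == "__main__":
    # The rule from the thread: -A INPUT -i bond0 -j DROP
    print(compare(CAPTURE, "bond0", [("bond0", None, None, "DROP")]))   # (4, 0)
    # A narrower chain that only drops inbound SMTP
    print(compare(CAPTURE, "bond0", [("bond0", "tcp", 25, "DROP")]))    # (4, 3)
```

The first call reproduces the situation in the post: the sniffer sees all four packets even though the chain accepts none of them, which is why a Snort running on the same box still alerts on traffic iptables drops.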