[Snort-users] FAQ Suggestion: snort & iptables

Matt Kettler mkettler at ...4108...
Thu Dec 19 15:56:02 EST 2002

I agree with Michael. This is also becoming a good candidate for the Snort 
FAQ. I think I've seen this question at least a dozen times on the 
snort-users list.

Snort is NOT directly affected by ipchains/iptables/ipf/etc. I've 
repeatedly used snort with "deny all" rules on linux 2.2.x, linux 2.4.x, 
OpenBSD. My main snort box is an OpenBSD box set up this way. It sees 
whatever comes out of or goes into the network adapter. Period.

In fact, I'd actually recommend that everyone use snort listening on a 
stealth interface (i.e., no IP) _and_ "deny all" rules applied to the packet 
filter for that interface whenever possible.

FAQ Maintainer suggested FAQ addition (comments/improvements/modifications 

Q:  Does snort see packets filtered by IPTables/IPChains/IPF?

A: Snort operates using libpcap. In general it sees everything the network 
adapter driver sees. Linux IPTables, Linux IPChains, BSD IPF and other 
packet filters do not prevent snort from seeing a packet that is present on 
the network wire. Even if an inbound packet is denied by the packet filter 
Snort will still see and analyze the packet if it is listening to that 

Note however that Snort is affected to the extent that the stream 
of data on the network wire is affected. Thus Snort will not see outbound 
packets which were denied while being sent since they will never reach the 
network adapter.

At 05:45 AM 12/20/2002 +0800, Michael Boman wrote:
>I beg to differ:
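
The stealth-interface setup recommended in the message above, written out as an added example (not part of the original post and not from the Snort project). It assumes Linux with iproute2 and iptables; the interface name eth1 and the path /etc/snort/snort.conf are hypothetical.

```shell
#!/bin/sh
# Added example: command plan for a sniffing-only ("stealth") Snort interface.
# Assumptions: Linux, iproute2, iptables; interface name and snort.conf path
# are hypothetical and must be adapted to the sensor.

# Print the setup commands for one interface, one per line, for review.
sensor_plan() {
    iface="$1"
    # Accept only a plain interface name so the plan is safe to pipe to sh.
    case "$iface" in
        ''|*[!A-Za-z0-9_.-]*) echo "bad interface name" >&2; return 1 ;;
    esac
    # 1. No IP address on the interface: the host is not addressable there.
    # 2. Link up, so the driver delivers frames to libpcap.
    # 3. "Deny all" in every chain that can touch the interface. Inbound
    #    frames are still handed to libpcap, so Snort analyzes them; dropped
    #    outbound packets never reach the adapter and are not seen.
    # 4. Snort bound to that interface.
    cat <<EOF
ip addr flush dev $iface
ip link set dev $iface up
iptables -A INPUT -i $iface -j DROP
iptables -A OUTPUT -o $iface -j DROP
iptables -A FORWARD -i $iface -j DROP
iptables -A FORWARD -o $iface -j DROP
snort -i $iface -c /etc/snort/snort.conf
EOF
}

# Stand-alone use: print the plan for the interface given as first argument.
if [ -n "${1:-}" ]; then
    sensor_plan "$1"
fi
```

Review the printed plan, then run it as root (for instance by piping it to sh); nothing is changed on the system until that is done.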

