[Snort-users] FAQ Suggestion: snort & iptables
mkettler at ...4108...
Thu Dec 19 15:56:02 EST 2002
I agree with Michael. This is also becoming a good candidate for the Snort
FAQ. I think I've seen this question at least a dozen times on the
Snort is NOT directly affected by ipchains/iptables/ipf/etc. I've
repeatedly used snort with "deny all" rules on linux 2.2.x, linux 2.4.x,
OpenBSD. My main snort box is an OpenBSD box set up this way. It sees
whatever comes out of or goes into the network adapter. Period.
In fact, I'd actually recommend that everyone use snort listening on a
stealth interface (i.e., no IP) _and_ "deny all" rules applied to the packet
filter for that interface whenever possible.
FAQ Maintainer suggested FAQ addition (comments/improvements/modifications
Q: Does snort see packets filtered by IPTables/IPChains/IPF?
A: Snort operates using libpcap. In general it sees everything the network
adapter driver sees. Linux IPTables, Linux IPChains, BSD IPF and other
packet filters do not prevent snort from seeing a packet that is present on
the network wire. Even if an inbound packet is denied by the packet filter,
Snort will still see and analyze the packet if it is listening to that
Note however that Snort is affected to the extent that the stream
of data on the network wire is affected. Thus Snort will not see outbound
packets which were denied while being sent since they will never reach the
At 05:45 AM 12/20/2002 +0800, Michael Boman wrote:
>I beg to differ:
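The stealth-interface setup recommended above, as an added example that is not part of the original post or the Snort project: a generator for the interface and packet-filter commands, with the interface name, the use of `ip`/`iptables`, and the snort config path all assumed. It only prints the commands; nothing touches the live firewall unless the output is piped to a root shell.

```sh
#!/bin/sh
# Added example, not from the original post: emit the commands that set up an
# IP-less (stealth) sniffing interface for Snort and deny all traffic on it.
# Interface name and snort.conf path are assumptions.
stealth_rules() {
    iface="$1"
    # No IP address: the host has nothing to answer from on this interface.
    echo "ip addr flush dev $iface"
    # Promiscuous mode so libpcap (and thus Snort) sees every frame on the wire.
    echo "ip link set dev $iface promisc on up"
    # Deny everything arriving on the interface. Snort still analyzes these
    # packets: libpcap taps the frame before the packet filter drops it.
    echo "iptables -A INPUT -i $iface -j DROP"
    echo "iptables -A FORWARD -i $iface -j DROP"
    # Deny everything leaving via the interface. Snort will never see these,
    # since a dropped outbound packet never reaches the wire; that is exactly
    # what keeps the sensor silent.
    echo "iptables -A OUTPUT -o $iface -j DROP"
}

# Count the DROP rules the generator emits for an interface, to sanity-check
# the rule set without touching the live firewall.
count_drop_rules() {
    stealth_rules "$1" | grep -c -- '-j DROP'
}

# Usage: sh stealth.sh eth1 | sudo sh
if [ -n "${1:-}" ]; then
    stealth_rules "$1"
    echo "# start the sensor on the stealth interface (assumed config path):"
    echo "snort -i $1 -c /etc/snort/snort.conf"
fi
```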