[Snort-users] Snort with IPTables

Matt Kettler mkettler at ...4108...
Sat Jan 12 16:05:03 EST 2002

There's been a bit of tossing around about this on this list and I have 
some related experience. I admit I've never done this with Linux 2.4 and 
IPTables, so I can't be certain that this will work, but I do have some 
direct experience with running snort on a Linux 2.2 box with ipchains and 
an OpenBSD box with ipf.

Based on my experience:

Snort *Does* see *everything* that comes in on the ethernet interface, no 
matter what ipchains is set to block on Linux 2.2.19.

Snort *Does* see *everything* that comes in on the ethernet interface, no 
matter what ipf is set to block on OpenBSD.

The OpenBSD setup I have is the most extreme example where snort is 
sniffing on rl1 and /etc/ipf.rules contains:

block out quick on rl1 from any to any
block in quick on rl1 from any to any

And trust me, I get as much as 10megs of snort logs per day from that 
OpenBSD box. It sees plenty.

The Linux 2.2 box is set to pass only a few ports below 1024 and block/log 
the rest, and it too sees plenty of things going to blocked ports.

And this behavior makes perfect sense.. Snort does NOT use the IP stack, it 
uses libpcap to grab ethernet frames and parses them directly. It really 
should not matter what your IP filtering tools do to packets that try to 
pass up the IP stack. If it appears on that ethernet wire, snort should see 
it (see my next statement for a caveat).

Now I know IPTables is a much more powerful tool than IPChains, and I 
suspect it may be possible to configure IPTables to filter things prior to 
them being available to pcap, but I strongly suspect this is not the 
default behavior (this would break the expected behavior for tcpdump among 
other things).

I believe the snort FAQ section you are talking about is the case where 
snort is running on a separate machine that is inside a 
ipchains/iptables/ipf/cisco/whatever firewalled network. It would also 
apply if the sensor was watching the inside interface of the machine (since 
packets from the outside would need to pass through the outside interface's 
filters before being forwarded to the inside interface.).

The inbound filters of the interface snort is monitoring should not matter, 
but I only have evidence to claim that this is true for Linux 2.2/ipchains 
and OpenBSD/ipf. I do strongly suspect that it is true for other systems as 
well, including Linux 2.4/iptables.

At 02:21 PM 1/12/2002 -0800, Erek Adams wrote:
>If you'll have a look at the FAQ:  http://www.snort.org/docs/faq.html#4.3
>You'll want to consider if running snort on the same box as a firewall, then
>the only packets that it (snort) will see will be the ones that _aren't_
>blocked by your firewall rules.

I politely disagree with your interpretation Erek, but I can see how you 
came to that conclusion.

More information about the Snort-users mailing list