[Snort-users] Snort with IPTables
erek at ...577...
Sat Jan 12 16:52:02 EST 2002
On Sat, 12 Jan 2002, Matt Kettler wrote:
> There's been a bit of tossing around about this on this list and I have
> some related experience. I admit I've never done this with Linux 2.4 and
> IPTables, so I can't be certain that this will work, but I do have some
> direct experience with running snort on a Linux 2.2 box with ipchains and
> an OpenBSD box with ipf.
[...excellent writeup snipped...]
> I believe the snort FAQ section you are talking about is the case where
> snort is running on a separate machine that is inside a
> ipchains/iptables/ipf/cisco/whatever firewalled network. It would also
> apply if the sensor was watching the inside interface of the machine (since
> packets from the outside would need to pass through the outside interface's
> filters before being forwarded to the inside interface.).
Yes. 4.3 does refer to a snort sensor "behind" a firewall. Please see more
> The inbound filters of the interface snort is monitoring should not matter,
> but I only have evidence to claim that this is true for Linux 2.2/ipchains
> and OpenBSD/ipf. I do strongly suspect that it is true for other systems as
> well, including Linux 2.4/iptables.
At this point I don't have enough free boxes in the test lab to actually
"test" this, so like you, I can't say.
> At 02:21 PM 1/12/2002 -0800, Erek Adams wrote:
> >If you'll have a look at the FAQ: http://www.snort.org/docs/faq.html#4.3
> >You'll want to consider if running snort on the same box as a firewall, then
> >the only packets that it (snort) will see will be the ones that _aren't_
> >blocked by your firewall rules.
> I politely disagree with your interpretation Erek, but I can see how you
> came to that conclusion.
Wow, polite disagreement! Woo-Hoo! Looks like the start of some good
discussion! :) I'm in no way perfect and actually like to know when I'm
wrong, esp. with something as critical as this! Thanks for your excellent
writeup and correction!
Have a look at the email thread that John Sage <jsage at ...2022...> and I
had on this same subject a while back on the list. IIRC, some of his findings
seem to contradict some things that I had thought. Now, I could be smoking
crack, but I don't know who's right any more. :) Anyone want to jump in and
save my sanity? If not, I'm going out to have a rather good single malt
scotch. Research shall have to wait till Monday!
G'nite for now...