[Snort-users] Snort with IPTables
martijn at ...1736...
Sun Jan 13 06:32:04 EST 2002
> Have a look at the email thread that John Sage <jsage at ...2022...> and I
> had on this same subject a while back on the list. IIRC, some of his findings
> seem to contradict some things that I had thought. Now, I could be smoking
> crack, but I don't know who's right any more. :) Anyone want to jump in and
> save my sanity? If not, I'm going out and have a rather good
> single malt scotch. Research shall have to wait 'till Monday!
I've also had an e-mail exchange with John Sage on this, following my
similar question to the list.
Since a lot is still unclear about snort's behaviour on(!) a firewall
box and I don't have the ability to test anything (I'm just a student
with one hobby server) I can only offer my personal experiences.
On my humble little server running linux-2.2.16-3 with
ipchains-1.3.9-5 and libpcap-0.6.2-7 Snort does NOT see all traffic
reaching the outside interface. The ipchains ruleset is as paranoid
as possible since a bunch of ports are open (the box has about a
dozen servers running), but only traffic targeted at open ports is
seen by snort. I get a lot of CodeRed/Nimda related activity and some
Squid proxy scans, but not much else.
The box is connected directly to a cable modem device, so there's no
switches involved. Neither is the ISP filtering any traffic (that I
I don't know enough about the layers of networking to know why my box
doesn't do what Matt's boxes do, so I'll leave that to the experts
Hope this helps build a general consensus. :-) (and ease Erek's
> G'nite for now...
and a good morning too, Erek!
> Erek Adams