[Snort-users] Snort with IPTables

Hasnain Atique hatique at ...3588...
Sun Jan 13 06:49:06 EST 2002


I set up snort on my gateway running RH 7.2 and iptables, just to check
things out for myself. From what I can see so far, snort *is* seeing things
even though iptables is blocking very many things. The gateway is connected
directly to the cable modem, and the ISP only filters inbound 80/tcp to
prevent CR/Nimda. I initiated a nessus attack from another station and snort
appeared to capture all.

Personally, I'm a little dumbfounded -- all this time I wasn't using snort
on the gateway because my understanding, and pretty much all the threads on
this list, told me snort wouldn't have visibility! Now that I think about
it, it seems reasonable that libpcap should see the traffic whether or not
iptables is blocking it.

-- Hasnain


----- Original Message -----
From: "Martijn Heemels" <martijn at ...1736...>
To: "Erek Adams" <erek at ...577...>; "Matt Kettler"
<mkettler at ...4108...>
Cc: "Got Snort?" <snort-users at lists.sourceforge.net>
Sent: Sunday, January 13, 2002 10:31 PM
Subject: RE: [Snort-users] Snort with IPTables


>
> > Have a look at the email thread that John Sage
> > <jsage at ...2022...> and I
> > had on this same subject a while back on the list.  IIRC, some of
> > his findings
> > seem to contradict some things that I had thought.  Now, I could
> > be smoking
> > crack, but I don't know who's right any more.  :)  Anyone want to
> > jump in and
> > save my sanity?  If not, I'm going out and have a rather good
> > single malt scotch.  Research shall have to wait 'till Monday!
>
> Hi all,
> I've also had an e-mail exchange with John Sage on this, following my
> similar question to the list.
> Since a lot is still unclear about snort's behaviour on(!) a firewall
> box and I don't have the ability to test anything (I'm just a student
> with one hobby server) I can only offer my personal experiences.
>
> On my humble little server running linux-2.2.16-3 with
> ipchains-1.3.9-5 and libpcap-0.6.2-7 Snort does NOT see all traffic
> reaching the outside interface. The ipchains ruleset is as paranoid
> as possible since a bunch of ports are open (the box has about a
> dozen servers running), but only traffic targeted at open ports is
> seen by snort. I get a lot of CodeRed/Nimda related activity and some
> Squid proxy scans, but not much else.
>
> The box is connected directly to a cable modem device, so there's no
> switches involved. Neither is the ISP filtering any traffic (that I
> know of).
>
> I don't know enough about the layers of networking to know why my box
> doesn't do what Matt's boxes do, so I'll leave that to the experts
> (i.e. you).
> Hope this helps build a general consensus. :-) (and ease Erek's
> conscience)
> >
> > G'nite for now...
>
> and a good morning too, Erek!
> >
> > -----
> > Erek Adams
> > Nifty-Type-Guy
> > TheAdamsFamily.Net
> >
> >
> >
>
>
>
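Added example, not code from this thread or from Snort: a small Python script that settles the visibility question empirically on a gateway whose iptables ruleset logs its drops with the LOG target. It parses Snort's alert_fast output and the kernel's iptables LOG lines, matches them on the TCP/UDP 5-tuple within a short time window, and reports which alerts refer to packets the firewall dropped (proof that libpcap saw them before netfilter) and which reached an open port. The sample lines, the FW-DROP log prefix and the year are constructed assumptions.

```python
import re
from datetime import datetime

# Constructed sample input (not from the thread): Snort alert_fast lines and
# iptables LOG-target syslog lines for the same scanning host.
SNORT_ALERTS = """\
01/13-06:49:06.123456 [**] [1:1000001:1] SCAN telnet probe [**] [Priority: 2] {TCP} 10.0.0.5:43210 -> 192.168.1.1:23
01/13-06:49:07.654321 [**] [1:1000002:1] WEB-IIS cmd.exe access [**] [Priority: 1] {TCP} 10.0.0.5:43211 -> 192.168.1.1:80
""".splitlines()
FW_LOG = """\
Jan 13 06:49:06 gw kernel: FW-DROP IN=eth0 OUT= SRC=10.0.0.5 DST=192.168.1.1 LEN=60 TTL=64 PROTO=TCP SPT=43210 DPT=23
Jan 13 06:49:09 gw kernel: FW-DROP IN=eth0 OUT= SRC=10.0.0.9 DST=192.168.1.1 LEN=60 TTL=64 PROTO=TCP SPT=5555 DPT=139
""".splitlines()

ALERT_RE = re.compile(r"^(\d\d/\d\d)-(\d\d:\d\d:\d\d)\.\d+ \[\*\*\] \[[\d:]+\] (.*?) \[\*\*\] "
                      r".*?\{(\w+)\} ([\d.]+):(\d+) -> ([\d.]+):(\d+)$")
FW_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) .*SRC=([\d.]+) DST=([\d.]+) .*?PROTO=(\w+) "
                   r"SPT=(\d+) DPT=(\d+)")

def parse_alerts(lines, year=2002):
    """Return [(timestamp, 5-tuple, message)] from Snort alert_fast lines."""
    out = []
    for m in filter(None, map(ALERT_RE.match, lines)):
        date, hms, msg, proto, src, sp, dst, dp = m.groups()
        ts = datetime.strptime(f"{year}/{date} {hms}", "%Y/%m/%d %H:%M:%S")
        out.append((ts, (proto, src, int(sp), dst, int(dp)), msg))
    return out

def parse_fw_drops(lines, year=2002):
    """Return [(timestamp, 5-tuple)] from iptables LOG-target syslog lines."""
    out = []
    for m in filter(None, map(FW_RE.match, lines)):
        stamp, src, dst, proto, sp, dp = m.groups()
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        out.append((ts, (proto, src, int(sp), dst, int(dp))))
    return out

def correlate(alerts, drops, window_s=2):
    """For each alert, True if the firewall logged a DROP of the same flow within
    window_s seconds, i.e. Snort alerted on a packet the host never accepted."""
    result = []
    for ts, flow, msg in alerts:
        hit = any(f == flow and abs((t - ts).total_seconds()) <= window_s
                  for t, f in drops)
        result.append((msg, hit))
    return result

if __name__ == "__main__":
    for msg, dropped in correlate(parse_alerts(SNORT_ALERTS), parse_fw_drops(FW_LOG)):
        print(f"{'DROPPED by iptables' if dropped else 'reached open port  '}  {msg}")
```

Run it against a real gateway's alert file and /var/log/messages: any alert flagged as dropped is direct evidence that Snort sees traffic the firewall discards.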