[Snort-users] Snort with IPTables
dlambert at ...4245...
Sun Jan 13 07:07:02 EST 2002
I have very little knowledge in this arena, so please excuse my ignorance,
but doesn't the -p (promiscuous) flag have something to do with whether or
not snort sees network traffic before an internal firewall? If this is just
bunk, then could someone please point me to an explanation (better than that
in the snort man page) of what the -p flag does?
On Sunday 13 January 2002 08:31 am, Martijn Heemels wrote:
> > Have a look at the email thread that John Sage
> > <jsage at ...2022...> and I
> > had on this same subject a while back on the list. IIRC, some of
> > his findings
> > seem to contradict some things that I had thought. Now, I could
> > be smoking
> > crack, but I don't know who's right any more. :) Anyone want to
> > jump in and
> > save my sanity? If not, I'm going out and have a rather good
> > single malt scotch. Research shall have to wait 'till Monday!
> Hi all,
> I've also had an e-mail exchange with John Sage on this, following my
> similar question to the list.
> Since a lot is still unclear about snort's behaviour on(!) a firewall
> box and I don't have the ability to test anything (I'm just a student
> with one hobby server) I can only offer my personal experiences.
> On my humble little server running linux-2.2.16-3 with
> ipchains-1.3.9-5 and libpcap-0.6.2-7 Snort does NOT see all traffic
> reaching the outside interface. The ipchains ruleset is as paranoid
> as possible since a bunch of ports are open (the box has about a
> dozen servers running), but only traffic targeted at open ports is
> seen by snort. I get a lot of CodeRed/Nimda related activity and some
> Squid proxy scans, but not much else.
> The box is connected directly to a cable modem device, so there's no
> switches involved. Neither is the ISP filtering any traffic (that I
> know of).
> I don't know enough about the layers of networking to know why my box
> doesn't do what Matt's boxes do, so I'll leave that to the experts
> (i.e. you).
> Hope this helps build a general consensus. :-) (and ease Erek's
> > G'nite for now...
> and a good morning too, Erek!
> > -----
> > Erek Adams
> > Nifty-Type-Guy
> > TheAdamsFamily.Net