[Snort-users] Snort with IPTables

John Sage jsage at ...2022...
Sun Jan 13 10:04:02 EST 2002

*my* firewall just detected my name being taken in vain...

..can *your* firewall do that ;-)

Executive summary, IMHO:

When run *on* a firewall box:

1) Whether snort "sees everything" has a lot to do with which rules 
you're using.

2) snort *will* see everything you let it, *but* you have to understand 
what "everything" means, given the rulesets you're using.

Anyway, yeah, my experience is that snort (1.8.2 build 86 (I know: I'm 
behind..)) running on an ipchains-based firewall box will see all those 
packets that ipchains sees


(and this may be an important factor in why this issue still causes some

**if** you clearly understand which rules snort is using, and thus which 
packets snort can be expected to see.

This was an important fundamental point about snort that it took me a 
while to grok: snort *only* sees those packets that your rulesets are 
looking at.

(You'd think that would be a "well, duh!" but it seems to be at the core 
of a lot of confusion...)

On my low-volume system (home dialup/intrusion detection testbed) I have 
custom snort rules on my firewall that do something to *every single 
packet* -- every packet - inbound and outbound - is either alerting or 

And I -b binary capture everything, and run the distro-supplied 
detection/analysis rules against the captures, later.

Thus I can say correctly that snort is seeing *every* packet, period, 
and thus every packet that ipchains is seeing, because I've set up 
custom rules to do exactly that.

But (there had to be a "but..."):

But: you need to understand how TCP/IP works, and understand what your 
firewall is doing.

This means, for one example, that if you're DENY'ing SYN's to port 80 
via ipchains/iptables, you will not ever see any of the cool stuff that 
a lot of the snort rules would detect because you'll not ever get 
anything past the prober's first SYN.

Thus, to continue the example, I see a *lot* of probable CodeRed/Nimda 
probes, but I never get to analyze the details of the potential exploit 
because I'll never see anything beyond the initial connection attempt.


- John

Computers: they're really nothing but l's and O's

Martijn Heemels wrote:

>>Have a look at the email thread that John Sage <jsage at ...2022...>
>>and I had on this same subject a while back on the list.  IIRC, some
>>of his findings seem to contradict some things that I had thought.
>>Now, I could be smoking crack, but I don't know who's right any
>>more.  :)  Anyone want to jump in and save my sanity?  If not, I'm
>>going out to have a rather good single malt scotch.  Research shall
>>have to wait 'till Monday!
> Hi all,
> I've also had an e-mail exchange with John Sage on this, following my
> similar question to the list.
> Since a lot is still unclear about snort's behaviour on(!) a firewall
> box and I don't have the ability to test anything (I'm just a student
> with one hobby server) I can only offer my personal experiences.
> On my humble little server running linux-2.2.16-3 with
> ipchains-1.3.9-5 and libpcap-0.6.2-7 Snort does NOT see all traffic
> reaching the outside interface. The ipchains ruleset is as paranoid
> as possible since a bunch of ports are open (the box has about a
> dozen servers running), but only traffic targeted at open ports is
> seen by snort. I get a lot of CodeRed/Nimda related activity and some
> Squid proxy scans, but not much else.
> The box is connected directly to a cable modem device, so there's no
> switches involved. Neither is the ISP filtering any traffic (that I
> know of).
> I don't know enough about the layers of networking to know why my box
> doesn't do what Matt's boxes do, so I'll leave that to the experts
> (i.e. you).
> Hope this helps build a general consensus. :-) (and ease Erek's
> conscience)
>>G'nite for now...
> and a good morning too, Erek!
>>Erek Adams
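
Added example, not code from John's post, from the quoted replies, or from
the Snort project: a small Python model of the point made above about
DENY'ing SYNs to port 80, and of binary-logging everything to run rules
against later. It assumes a prober that only sends its HTTP request once
the three-way handshake completes, uses made-up addresses and a
constructed CodeRed-like request, and writes both the firewall rule and
the detection rules as Python predicates rather than real ipchains or
Snort syntax. The IDS tap sees every packet that reaches the wire, so it
does see the denied SYN; what it never sees is the request that would have
followed, because that packet is never sent.

```python
"""Added model: what an IDS on a firewall box can see when the firewall denies
the first SYN of a probe.  Constructed packets; no real traffic or pcap."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: str          # TCP flags, tcpdump style: "S", "SA", "A", "PA"
    payload: bytes = b""


def firewall_verdict(rules, pkt):
    """First matching (match_fn, action) rule wins; default policy ACCEPT."""
    for match, action in rules:
        if match(pkt):
            return action
    return "ACCEPT"


def ids_alerts(rules, pkt):
    """Return the messages of every (msg, match_fn) IDS rule the packet triggers."""
    return [msg for msg, match in rules if match(pkt)]


def run_probe(firewall_rules, ids_rules, request,
              attacker="198.51.100.7", victim="192.0.2.10", sport=40123):
    """Drive one HTTP probe at tcp/80 on the victim through the box.

    The IDS taps the interface, so it sees every packet that reaches the wire,
    inbound or outbound, before the firewall passes judgement.  The firewall
    decides what the kernel does with the packet, and that in turn decides
    whether the prober ever sends the next one.  Returns (alerts, wire)."""
    wire, alerts = [], []

    def on_wire(pkt):
        wire.append(pkt)
        alerts.extend(ids_alerts(ids_rules, pkt))
        return firewall_verdict(firewall_rules, pkt)

    if on_wire(Packet(attacker, victim, sport, 80, "S")) == "DENY":
        # No SYN-ACK ever goes back, so the prober never completes the
        # handshake and the HTTP request never exists on the wire.
        return alerts, wire
    on_wire(Packet(victim, attacker, 80, sport, "SA"))
    on_wire(Packet(attacker, victim, sport, 80, "A"))
    on_wire(Packet(attacker, victim, sport, 80, "PA", request))
    return alerts, wire


def replay(wire, ids_rules):
    """Offline pass over captured packets with a (possibly different) rule set:
    the equivalent of binary-logging everything and analysing it later."""
    alerts = []
    for pkt in wire:
        alerts.extend(ids_alerts(ids_rules, pkt))
    return alerts


# Firewall policies.  DENY_SYN_80 is the "deny SYNs to port 80" case from the
# post; OPEN_80 is a box that actually serves HTTP (default ACCEPT, no rules).
DENY_SYN_80 = [(lambda p: p.dport == 80 and p.flags == "S", "DENY")]
OPEN_80 = []

# Detection rules as Python predicates, not Snort syntax.  The first fires on
# the connection attempt alone; the other two need request content that only
# exists after a completed handshake.  The /default.ida and cmd.exe strings
# are the well-known CodeRed and Nimda request patterns, assumed here.
IDS_RULES = [
    ("inbound SYN to tcp/80 (probe)",       lambda p: p.dport == 80 and p.flags == "S"),
    ("CodeRed-style /default.ida request",  lambda p: b"/default.ida" in p.payload),
    ("Nimda-style cmd.exe request",         lambda p: b"cmd.exe" in p.payload.lower()),
]

# Constructed CodeRed-like request; the real worm's request line was far longer.
CODERED_REQUEST = b"GET /default.ida?NNNNNNNNNNNN%u9090%u6858%ucbd3 HTTP/1.0\r\n\r\n"


if __name__ == "__main__":
    for name, policy in (("DENY SYN to 80", DENY_SYN_80), ("port 80 open", OPEN_80)):
        alerts, wire = run_probe(policy, IDS_RULES, CODERED_REQUEST)
        print(f"{name}: {len(wire)} packet(s) on the wire, alerts: {alerts}")
```

With DENY_SYN_80 only one packet ever reaches the wire and only the SYN
rule fires; with OPEN_80 the full four-packet exchange is captured and the
content rule fires as well. Replaying the captured list through a rule set
that lacks the SYN rule still finds the content hit, which is the sense in
which a binary capture lets you run different rules over the same packets
later.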
