[Snort-users] Snort with IPTables
jsage at ...2022...
Sun Jan 13 10:04:02 EST 2002
*my* firewall just detected my name being taken in vain...
..can *your* firewall do that ;-)
Executive summary, IMHO:
When run *on* a firewall box:
1) Whether snort "sees everything" has a lot to do with which rules
2) snort *will* see everything you let it, *but* you have to understand
what "everything" means, given the rulesets you're using.
Anyway, yeah, my experience is that snort (1.8.2 build 86 (I know: I'm
behind..)) running on an ipchains-based firewall box will see all those
packets that ipchains sees
(and this may be an important factor in why this issue still causes some
**if** you clearly understand which rules snort is using, and thus which
packets snort can be expected to see.
This was an important fundamental point about snort that it took me a
while to grok: snort *only* sees those packets that your rulesets are
(You'd think that would be a "well, duh!" but it seems to be at the core
of a lot of confusion...)
On my low-volume system (home dialup/intrusion detection testbed) I have
custom snort rules on my firewall that do something to *every single
packet* -- every packet - inbound and outbound - is either alerting or
And I -b binary capture everything, and run the distro-supplied
detection/analysis rules against the captures, later.
Thus I can say correctly that snort is seeing *every* packet, period,
and thus every packet that ipchains is seeing, because I've set up
custom rules to do exactly that.
But (there had to be a "but..."):
But: you need to understand how TCP/IP works, and understand what your
firewall is doing.
This means, for one example, that if you're DENY'ing SYN's to port 80
via ipchains/iptables, you will not ever see any of the cool stuff that
a lot of the snort rules would detect because you'll not ever get
anything past the prober's first SYN.
Thus, to continue the example, I see a *lot* of probable CodeRed/Nimda
probes, but I never get to analyze the details of the potential exploit
because I'll never see anything beyond the initial connection attempt.
Computers: they're really nothing but l's and O's
Martijn Heemels wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>>Have a look at the email thread that John Sage
>><jsage at ...2022...> and I
>>had on this same subject a while back on the list. IIRC, some of
>>seem to contradict some things that I had thought. Now, I could
>>crack, but I don't know who's right any more. :) Anyone want to
>>jump in and
>>save my sanity? If not, I'm going out and have a rather good
>>single malt scotch. Research shall have to wait 'till Monday!
> Hi all,
> I've also had an e-mail exchange with John Sage on this, following my
> similar question to the list.
> Since a lot is still unclear about snort's behaviour on(!) a firewall
> box and I don't have the ability to test anything (I'm just a student
> with one hobby server) I can only offer my personal experiences.
> On my humble little server running linux-2.2.16-3 with
> ipchains-1.3.9-5 and libpcap-0.6.2-7 Snort does NOT see all traffic
> reaching the outside interface. The ipchains ruleset is as paranoid
> as possible since a bunch of ports are open (the box has about a
> dozen servers running), but only traffic targeted at open ports is
> seen by snort. I get a lot of CodeRed/Nimda related activity and some
> Squid proxy scans, but not much else.
> The box is connected directly to a cable modem device, so there's no
> switches involved. Neither is the ISP filtering any traffic (that I
> know of).
> I don't know enough about the layers of networking to know why my box
> doesn't do what Matt's boxes do, so I'll leave that to the experts
> (i.e. you).
> Hope this helps build a general consensus. :-) (and ease Erek's
>>G'nite for now...
> and a good morning too, Erek!
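As an added example (not code from this thread, from snort or from ipchains), here is a small Python model of the point John makes above: a libpcap-style tap on the firewall box sees the inbound SYN whatever ipchains decides, but because a DENY'd SYN never completes the handshake, the prober never sends the request that a content rule would need to match. It also models the "-b capture everything, run the detection rules against the capture later" workflow. The addresses, the rule names ("log-all", "ida-probe") and the packet sequence are constructed assumptions, not real snort rules.

```python
# Added example (not from the original thread): a toy model of a packet
# sniffer running on the same box as a stateless packet filter.  Names,
# addresses and rule names are constructed for illustration.
from dataclasses import dataclass, field
from typing import Callable, List, Set, Tuple


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    flags: str                 # TCP flags as a short string: "S", "A", "PA"
    payload: bytes = b""


@dataclass
class Firewall:
    """ipchains-style stateless filter: DENY inbound SYNs to the given ports."""
    deny_syn_to: Set[int] = field(default_factory=set)

    def accepts(self, pkt: Packet) -> bool:
        return not (pkt.flags == "S" and pkt.dport in self.deny_syn_to)


Rule = Tuple[str, Callable[[Packet], bool]]

# Constructed rules.  "log-all" stands in for a custom rule that logs every
# packet; "ida-probe" stands in for a content rule that needs the HTTP request.
LOG_ALL: Rule = ("log-all", lambda p: True)
IDA_PROBE: Rule = ("ida-probe", lambda p: b"/default.ida" in p.payload)


def match(rules: List[Rule], pkt: Packet) -> List[str]:
    return [name for name, pred in rules if pred(pkt)]


class Sniffer:
    """libpcap-style tap on the external interface: it sees every inbound
    frame *before* the filter decides, and keeps a binary-capture style copy."""
    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.captured: List[Packet] = []
        self.alerts: List[str] = []

    def observe(self, pkt: Packet) -> None:
        self.captured.append(pkt)
        self.alerts.extend(match(self.rules, pkt))


def run_probe(fw: Firewall, sniffer: Sniffer,
              client="203.0.113.7", server="192.0.2.10", port=80) -> str:
    """A client connects and, only after the handshake succeeds, sends its request."""
    syn = Packet(client, server, port, "S")
    sniffer.observe(syn)                     # the tap sees the SYN regardless
    if not fw.accepts(syn):
        return "syn denied: handshake never completes"
    sniffer.observe(Packet(client, server, port, "A"))   # final ACK of handshake
    sniffer.observe(Packet(client, server, port, "PA",
                           b"GET /default.ida?XXXX HTTP/1.0\r\n\r\n"))
    return "request delivered"


def replay(captured: List[Packet], rules: List[Rule]) -> List[str]:
    """Run detection rules later over a capture, as with a -b log read back."""
    alerts: List[str] = []
    for pkt in captured:
        alerts.extend(match(rules, pkt))
    return alerts


def compare(port: int = 80) -> dict:
    """Same probe against a firewall that denies SYNs to `port` and one that does not."""
    out = {}
    for label, fw in (("deny-syn", Firewall({port})), ("open", Firewall())):
        sn = Sniffer([LOG_ALL])              # live run logs everything it sees
        result = run_probe(fw, sn, port=port)
        out[label] = {
            "result": result,
            "packets_seen": len(sn.captured),
            "live_alerts": sn.alerts,
            "replay_alerts": replay(sn.captured, [IDA_PROBE]),
        }
    return out


if __name__ == "__main__":
    for label, info in compare().items():
        print(label, info)
```

With the SYN denied, the sniffer still captures exactly one packet (the SYN) and the log-everything rule fires on it, but replaying the content rule over the capture finds nothing; with the port open, the request arrives and the content rule matches. That is the difference between "snort sees everything ipchains sees" and "snort sees the cool stuff".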