[Snort-users] Snort with IPTables
ntimm at ...1964...
Mon Jan 14 12:22:06 EST 2002
I also have snort with Iptables and snort captures all my traffic even
with iptables dropping and resetting certain connections.
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Hasnain
Sent: Sunday, January 13, 2002 8:50 AM
To: Martijn Heemels; Erek Adams; Matt Kettler
Cc: Got Snort?
Subject: Re: [Snort-users] Snort with IPTables
I set up snort on my gateway running RH 7.2 and iptables, just to check
things out for myself. From what I can see so far, snort *is* seeing traffic
even though iptables is blocking very many things. The gateway is connected
directly to the cable modem, and the ISP only filters inbound 80/tcp to
prevent CR/Nimda. I initiated a nessus attack from another station and snort
appeared to capture all.
Personally, I'm a little dumbfounded -- all this time I wasn't using snort
on the gateway because my understanding, and pretty much all the threads on
this list, told me snort wouldn't have visibility! Now that I think about
it, it seems reasonable that libpcap should see the traffic whether or not
iptables is blocking it.
----- Original Message -----
From: "Martijn Heemels" <martijn at ...1736...>
To: "Erek Adams" <erek at ...577...>; "Matt Kettler"
<mkettler at ...4108...>
Cc: "Got Snort?" <snort-users at lists.sourceforge.net>
Sent: Sunday, January 13, 2002 10:31 PM
Subject: RE: [Snort-users] Snort with IPTables
> > Have a look at the email thread that John Sage
> > <jsage at ...2022...> and I
> > had on this same subject a while back on the list. IIRC, some of
> > his findings
> > seem to contradict some things that I had thought. Now, I could
> > be smoking
> > crack, but I don't know who's right any more. :) Anyone want to
> > jump in and
> > save my sanity? If not, I'm going out and have a rather good
> > single malt scotch. Research shall have to wait 'till Monday!
> Hi all,
> I've also had an e-mail exchange with John Sage on this, following my
> similar question to the list.
> Since a lot is still unclear about snort's behaviour on(!) a firewall
> box and I don't have the ability to test anything (I'm just a student
> with one hobby server) I can only offer my personal experiences.
> On my humble little server running linux-2.2.16-3 with
> ipchains-1.3.9-5 and libpcap-0.6.2-7 Snort does NOT see all traffic
> reaching the outside interface. The ipchains ruleset is as paranoid
> as possible since a bunch of ports are open (the box has about a
> dozen servers running), but only traffic targeted at open ports is
> seen by snort. I get a lot of CodeRed/Nimda related activity and some
> Squid proxy scans, but not much else.
> The box is connected directly to a cable modem device, so there's no
> switches involved. Neither is the ISP filtering any traffic (that I
> know of).
> I don't know enough about the layers of networking to know why my box
> doesn't do what Matt's boxes do, so I'll leave that to the experts
> (i.e. you).
> Hope this helps build a general consensus. :-) (and ease Erek's
> > G'nite for now...
> and a good morning too, Erek!
> > -----
> > Erek Adams
> > Nifty-Type-Guy
> > TheAdamsFamily.Net
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
Snort-users list archive:
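The question running through this thread, whether a libpcap-based sniffer on the firewall box itself sees packets that the packet filter drops, can be checked directly rather than argued from memory. The bash script below is an added example, not code from anyone in the thread: it installs a counting DROP rule for a probe, sniffs the same probe with tcpdump on the outside interface, and compares the two counts. The interface name, probe source address and probe port are placeholders, and the counter/capture parsing works on constructed sample output so it can be exercised without root.

```bash
#!/bin/bash
# Added check (not from the thread): does a pcap sniffer on the outside
# interface still record packets that an iptables DROP rule discards?
# Placeholders (not from the thread): interface, probe source, probe port.
IFACE="${IFACE:-eth0}"
PROBE_SRC="${PROBE_SRC:-192.0.2.10}"   # host that sends the probe (constructed)
PROBE_PORT="${PROBE_PORT:-31337}"      # closed port that the rule drops (constructed)
CAPTURE="${CAPTURE:-/tmp/pcap-vs-drop.txt}"

# Read `iptables -L INPUT -v -n -x` on stdin and print the packet counter of
# the DROP rule for the probe port. Fields: pkts bytes target prot ...
drop_counter() {
    awk -v port="$PROBE_PORT" \
        '$3 == "DROP" && $0 ~ ("dpt:" port) { print $1; exit }'
}

# Read tcpdump text output on stdin and count lines whose destination is the
# probe port (tcpdump prints "host.port:" for the destination endpoint).
sniffed_count() {
    awk -v port="$PROBE_PORT" '$0 ~ ("\\." port ":") { n++ } END { print n + 0 }'
}

# $1 = packets counted by the DROP rule, $2 = packets the sniffer recorded.
verdict() {
    if [ "$1" -gt 0 ] && [ "$2" -ge "$1" ]; then
        echo "sniffer sees dropped traffic"
    elif [ "$1" -gt 0 ]; then
        echo "sniffer missed dropped traffic"
    else
        echo "probe never reached the DROP rule"
    fi
}

# Full procedure; needs root and a second host sending the probe to
# $PROBE_PORT during the 10 second capture window.
run_check() {
    iptables -I INPUT 1 -i "$IFACE" -p tcp -s "$PROBE_SRC" --dport "$PROBE_PORT" -j DROP
    timeout 10 tcpdump -n -i "$IFACE" \
        "tcp and src host $PROBE_SRC and dst port $PROBE_PORT" > "$CAPTURE" 2>/dev/null || true
    local dropped seen
    dropped=$(iptables -L INPUT -v -n -x | drop_counter)
    seen=$(sniffed_count < "$CAPTURE")
    iptables -D INPUT -i "$IFACE" -p tcp -s "$PROBE_SRC" --dport "$PROBE_PORT" -j DROP
    echo "dropped by iptables: ${dropped:-0}, seen by pcap: $seen"
    verdict "${dropped:-0}" "$seen"
}

# Only run the live check when explicitly asked for, as root.
if [ "${RUN_CHECK:-0}" = 1 ] && [ "$(id -u)" = 0 ]; then
    run_check
fi
```

Run it as `RUN_CHECK=1 ./pcap-vs-drop.sh` on the firewall while the probe host sends a few SYNs to the probe port; the DROP rule is removed again when the check finishes.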