[Snort-users] Newbie question (FAQ 4.3 update requested)
mkettler at ...4108...
Mon Apr 21 12:47:01 EDT 2003
Despite the misleading statements in the FAQ entry 4.3, IPTables, IPChains,
IPF, etc. do NOT block snort from seeing the packets. Snort will see
whatever is on the ethernet wire of the interface it listens on.
I run 2 snort boxes, both with "deny all" on their snort interfaces (one
running Linux 2.2.x ipchains, the other is OpenBSD's PF). Neither
interferes. Although none of my boxes use IPTables, in general IPTables
rules don't interfere either, for the same reasons IPChains doesn't: they
see the packet later in the processing path than Snort does. (Scheduling
might actually make it occur later in time, but snort will get a copy of
the packet that's not in any way been touched by firewall rules. Snort gets
raw ethernet frames, not IP stack processed data)
Now, if there's an IPTables firewall running on another system as a gateway
firewall that is upstream of your snort box, of course snort will only see
what makes it through the firewall, because they're killed long before they
reach the machine snort is running on.
However IPTables running on the same machine as snort (no matter if it's
set up as a gateway firewall or not) will not stop snort from seeing the
packets that come in on the wire.
FAQ Maintainer: FAQ 4.3 should be clarified that IPTables etc won't
interfere with pcap, and that the firewall will only keep snort from seeing
packets if it prevents them from reaching the wire of whatever ethernet
interface snort listens to.
At 02:28 PM 4/21/2003 -0400, Chris wrote:
>I am new to IDS and Snort and have a question. Does having iptable rules
>setup on the machine affect it in any way? Oh, it will be behind our firewall.
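A quick way to confirm the point above on your own sensor, as an added example that is not part of the original post: insert a host-local iptables DROP rule for inbound echo requests, capture on the same interface with tcpdump (which reads the wire through libpcap just as Snort does), and have another host ping you while the capture runs. The ping gets no replies, yet the sniffer still logs the requests. Assumed: Linux with iptables, root, interface name eth0 (override with IFACE), and a peer host that pings you during the capture window.

```shell
#!/bin/sh
# Added example (not from the original post): show that a local iptables
# DROP rule does not hide packets from a pcap-based sniffer.
# Assumptions: Linux, iptables, root, IFACE=eth0, a peer pinging this host.
IFACE="${IFACE:-eth0}"
CAPTURE="${CAPTURE:-/tmp/pcap_vs_fw.txt}"

# Count ICMP echo requests in tcpdump's text output (one line per packet).
# grep -c exits 1 when the count is 0, so "|| true" keeps "0" usable.
count_echo_requests() {
    grep -c 'ICMP echo request' "$1" || true
}

# Drop inbound echo requests in the host firewall, sniff the wire for up to
# 10 seconds (or 5 packets), then remove the rule again.
run_check() {
    iptables -I INPUT -p icmp --icmp-type echo-request -j DROP
    # -n: no DNS lookups; -c 5: stop after 5 packets; timeout caps the wait.
    timeout 10 tcpdump -n -i "$IFACE" -c 5 icmp > "$CAPTURE" 2>/dev/null || true
    iptables -D INPUT -p icmp --icmp-type echo-request -j DROP
    seen=$(count_echo_requests "$CAPTURE")
    echo "echo requests seen by pcap while the DROP rule was active: $seen"
    echo "(the pinging peer should have received no replies in that window)"
}

# Only touch the firewall when explicitly asked, so sourcing this file
# for its helper functions has no side effects.
if [ "${1:-}" = "--run" ]; then
    run_check
fi
```

Run it as root with `sh pcap_vs_fw.sh --run` while the peer pings; a non-zero count with an unanswered ping is the behaviour described in the post.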