[Snort-users] Newbie question (FAQ 4.3 update requested)

Matt Kettler mkettler at ...4108...
Mon Apr 21 12:47:01 EDT 2003

Despite the misleading statements in the FAQ entry 4.3, IPTables, IPChains, 
IPF, etc. do NOT block snort from seeing the packets. Snort will see 
whatever is on the ethernet wire of the interface it listens on.

I run 2 snort boxes, both with "deny all" on their snort interfaces (one 
running Linux 2.2.x ipchains, the other is OpenBSD's PF). Neither 
interferes. Although none of my boxes use IPTables, in general IPTables 
rules don't interfere either, for the same reasons IPChains doesn't: they 
see the packet later in the processing path than Snort does. (Scheduling 
might actually make it occur later in time, but snort will get a copy of 
the packet that's not in any way been touched by firewall rules. Snort gets 
raw ethernet frames, not IP stack processed data.)

Now, if there's an IPTables firewall running on another system as a gateway 
firewall that is upstream of your snort box, of course snort will only see 
what makes it through the firewall, because they're killed long before they 
reach the machine snort is running on.

However, IPTables running on the same machine as snort (no matter if it's 
set up as a gateway firewall or not) will not stop snort from seeing the 
packets that come in on the wire.

FAQ Maintainer: FAQ 4.3 should be clarified to say that IPTables etc. won't 
interfere with pcap, and that the firewall will only keep snort from seeing 
packets if it prevents them from reaching the wire of whatever ethernet 
interface snort listens to.

At 02:28 PM 4/21/2003 -0400, Chris wrote:

>I am new to IDS and Snort and have a question.  Does having iptables rules 
>setup on the machine affect it in any way?  Oh, it will be behind our firewall.


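The point above (a packet sniffer receives a copy of each frame at the link layer, before the IP stack and therefore before any local iptables/ipchains rule runs on it) can be seen directly with the socket type libpcap uses on Linux. The script below is an added illustration, not code from the original post or from the Snort project: it opens an AF_PACKET raw socket on an interface, which delivers complete Ethernet frames, and decodes the Ethernet and IPv4 headers so you can watch frames that a local DROP rule would otherwise hide from the host's own applications. It assumes Linux, root (or CAP_NET_RAW), and an interface name given on the command line; the sample frame at the bottom is constructed for offline testing of the decoder.

```python
"""Minimal link-layer capture, added as an illustration of why a host
firewall does not hide packets from pcap-based tools such as Snort.

Assumptions (not from the original post): Linux, run as root, interface
name passed as argv[1]. AF_PACKET is Linux-specific.
"""
import socket
import struct
import sys

ETH_P_ALL = 0x0003      # ask the kernel for every protocol, not just IP
ETH_HDR_LEN = 14        # dst MAC (6) + src MAC (6) + ethertype (2)
ETHERTYPE_IPV4 = 0x0800


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_ethernet(frame: bytes):
    """Split a raw frame into (dst, src, ethertype, payload); None if too short."""
    if len(frame) < ETH_HDR_LEN:
        return None
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:ETH_HDR_LEN])
    return mac_str(dst), mac_str(src), ethertype, frame[ETH_HDR_LEN:]


def parse_ipv4(payload: bytes):
    """Decode the fixed 20-byte IPv4 header; returns a dict or None if malformed."""
    if len(payload) < 20:
        return None
    (ver_ihl, _tos, total_len, _ident, _flags_frag, ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", payload[:20])
    version = ver_ihl >> 4
    ihl = (ver_ihl & 0x0F) * 4          # header length in bytes, includes options
    if version != 4 or ihl < 20 or total_len < ihl:
        return None
    return {
        "src": socket.inet_ntoa(src),
        "dst": socket.inet_ntoa(dst),
        "proto": proto,
        "ttl": ttl,
        "total_len": total_len,
        "payload": payload[ihl:total_len],
    }


def describe_frame(frame: bytes) -> str:
    """One-line summary of a captured frame, the way a sniffer would print it."""
    eth = parse_ethernet(frame)
    if eth is None:
        return f"runt frame ({len(frame)} bytes)"
    dst, src, ethertype, payload = eth
    if ethertype == ETHERTYPE_IPV4:
        ip = parse_ipv4(payload)
        if ip is not None:
            return (f"{src} -> {dst} IPv4 {ip['src']} -> {ip['dst']} "
                    f"proto={ip['proto']} len={ip['total_len']}")
    return f"{src} -> {dst} ethertype=0x{ethertype:04x} len={len(frame)}"


def sniff(ifname: str, count: int = 10) -> None:
    """Print `count` frames from `ifname`. Needs root; Linux only.

    The AF_PACKET tap hands us a copy of every frame as it leaves the driver,
    before netfilter (iptables) ever sees it, so a local DROP rule does not
    remove anything from what is printed here.
    """
    sock = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETH_P_ALL))
    sock.bind((ifname, 0))
    try:
        for _ in range(count):
            frame, _addr = sock.recvfrom(65535)
            print(describe_frame(frame))
    finally:
        sock.close()


# Constructed sample: Ethernet + IPv4 + 8-byte ICMP echo request, 42 bytes.
# MACs and addresses are made up; the IP checksum field is left as zero.
SAMPLE_FRAME = bytes.fromhex(
    "001122334455" "66778899aabb" "0800"            # Ethernet header
    "4500001c" "00010000" "40010000" "0a000001" "0a000002"  # IPv4, ttl 64, proto 1
    "0800000000000000"                              # ICMP echo request
)

if __name__ == "__main__":
    if len(sys.argv) < 2:
        print(describe_frame(SAMPLE_FRAME))
    else:
        sniff(sys.argv[1])
```

To see the effect the post describes, run this (or tcpdump) on an interface while a local iptables rule drops some traffic to the box: the sniffer still reports the dropped frames, because the drop happens in the IP stack after the link-layer copy has already been handed out.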