[Snort-users] Can snort add a rule to iptables?

Matt Kettler mkettler at ...4108...
Wed Apr 30 10:31:05 EDT 2003


At 09:30 AM 4/30/2003 -0400, Eduardo Faria wrote:
>Hi friends, I am a new one at SNORT world. I read the official
>manual and I have one doubt. Can SNORT match an attack and add
>some rule to iptables , for exemple to drop some ip range of
>address?

Snort itself doesn't do such things, however several add-on packages do 
this. Snortsam, inline-snort, and hogwash are good examples.

Note that the state of hogwash documentation isn't very good at this time, 
so unless you can get enough docs to fully understand how hogwash works 
(hint: if you enable forwarding at the kernel level you WILL compromise its 
firewall) don't use that one. It is very easy to screw up since it works as 
a "second router" and doesn't interact with iptables or the kernel's own 
routing (which will continue to run regardless of what hogwash does).

Snortsam seems pretty well documented, however the documentation might 
mislead you to believe that the use of encryption is done in a manner which 
provides authentication and integrity of command packets between the two 
machines it uses. It doesn't (They're using encryption with no MAC of any 
sort, not even a CRC). Other than that minor discrepancy, it seems to be a 
fine product, just make sure the wire between the two boxes is a secure 
network, or is through a separate form of secure tunnel.

I've not looked closely at inline-snort, so I can't comment on how well 
documented it is or isn't.






More information about the Snort-users mailing list