[Snort-users] Snort with IPtables

Steven McLaughlin steve at ...16368...
Fri Jun 7 00:03:07 EDT 2013


Hi All,

Whats the take on running a snort sensor with IPtables running. In first
instance I would think this interferes with sensor detection capability.

Is anyone running IPtables on the same host as their Snort sensor? If so,
what is the best way to nail this? The reason I ask is that I have two
interfaces. One is the management interface which will have an IP address.
This interface will deny all incoming traffic except for tcp/22 and tcp/443
inbound connections.

The other interface is the snort sensor on eth1. The sensor is listening
only. So is a rule allowing all incoming like so sufficient for Snort
sniffing:

-A INPUT -i eth1 -j ACCEPT

Or should I also allow all outbound as follows:

-A INPUT -i eth1 -j ACCEPT
-A OUTPUT -i eth1 -j ACCEPT

Alternatively, is there a best practice IPtables configuration for snort
sensors?

thanks,

Steve
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20130607/52830f19/attachment.html>


More information about the Snort-users mailing list