[Snort-users] Snort with IPtables

Jeremy Hoel jthoel at ...11827...
Fri Jun 7 00:08:16 EDT 2013

We run iptables on all our sensors, but we don't give the sniffing
port an IP and have no iptables entries for it.

It works like a champ.

On Thu, Jun 6, 2013 at 10:03 PM, Steven McLaughlin <steve at ...16390...> wrote:
> Hi All,
> What's the take on running a snort sensor with IPtables running? In the first
> instance I would think this interferes with sensor detection capability.
> Is anyone running IPtables on the same host as their Snort sensor? If so,
> what is the best way to nail this? The reason I ask is that I have two
> interfaces. One is the management interface which will have an IP address.
> This interface will deny all incoming traffic except for tcp/22 and tcp/443
> inbound connections.
> The other interface is the snort sensor on eth1. The sensor is listening
> only. So is a rule allowing all incoming like so sufficient for Snort
> sniffing:
> -A INPUT -i eth1 -j ACCEPT
> Or should I also allow all outbound as follows:
> -A INPUT -i eth1 -j ACCEPT
> -A OUTPUT -o eth1 -j ACCEPT
> Alternatively, is there a best practice IPtables configuration for snort
> sensors?
> thanks,
> Steve

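An added example (not from either poster or the Snort project): a shell check that audits `iptables-save` output against the layout discussed in this thread, where the management interface accepts only tcp/22 and tcp/443 and the sniffing interface has no rules at all. The rulesets are constructed samples, `eth0` as the management interface name is an assumption, and only single `--dport` rules are parsed.

```shell
#!/bin/sh
# Constructed iptables-save samples. eth1 is the sniffing port from the thread;
# eth0 as the management interface is an assumption.
GOOD_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT'
BAD_RULES='*filter
:INPUT DROP [0:0]
-A INPUT -i eth1 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 23 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT'

# audit_sensor_rules MGMT_IF SNIFF_IF  (ruleset on stdin)
# Returns 0 when the ruleset matches the layout, 1 otherwise.
audit_sensor_rules() {
    awk -v mgmt="$1" -v sniff="$2" '
        /^:INPUT / { policy = $2 }
        /^-A / {
            iface = ""; proto = ""; dport = ""; target = ""; est = 0
            for (i = 1; i <= NF; i++) {
                if ($i == "-i" || $i == "-o") iface = $(i + 1)
                if ($i == "-p") proto = $(i + 1)
                if ($i == "--dport") dport = $(i + 1)
                if ($i == "-j") target = $(i + 1)
                if ($i ~ /ESTABLISHED/) est = 1
            }
            if (iface == sniff) {
                print "FAIL rule references sniffing interface: " $0; bad++
            } else if ($2 == "INPUT" && (iface == mgmt || iface == "") &&
                       target == "ACCEPT" && !est &&
                       !(proto == "tcp" && (dport == "22" || dport == "443"))) {
                print "FAIL unexpected inbound ACCEPT: " $0; bad++
            }
        }
        END {
            if (policy != "DROP") { print "FAIL INPUT policy is not DROP"; bad++ }
            if (!bad) print "OK"
            exit (bad ? 1 : 0)
        }'
}

printf '%s\n' "$GOOD_RULES" | audit_sensor_rules eth0 eth1
printf '%s\n' "$BAD_RULES" | audit_sensor_rules eth0 eth1 || true
```

On a live sensor the same function can be fed with `iptables-save | audit_sensor_rules eth0 eth1`.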