[Snort-users] Snort with IPtables

Steven McLaughlin steve at ...16368...
Fri Jun 7 00:13:58 EDT 2013


That sort of makes sense, since it is only listening in promisc mode and
not actually allowing in traffic destined for its interface. I guess
IPtables works at L3, and without an IP it doesn't really matter whether
IPtables is on or off then. Would this be a true statement? (I am only
running as a sniffer and not switching inline.)

I'm interested to hear more feedback on this.


On 7 June 2013 14:08, Jeremy Hoel <jthoel at ...11827...> wrote:

> we run iptables on all our sensors, but we don't give the sniffing
> port an ip and have no iptables entries for it.
>
> It works like a champ.
>
> On Thu, Jun 6, 2013 at 10:03 PM, Steven McLaughlin <steve at ...16390...>
> wrote:
> > Hi All,
> >
> > What's the take on running a Snort sensor with IPtables running? In the first
> > instance I would think this interferes with sensor detection capability.
> >
> > Is anyone running IPtables on the same host as their Snort sensor? If so,
> > what is the best way to nail this? The reason I ask is that I have two
> > interfaces. One is the management interface which will have an IP address.
> > This interface will deny all incoming traffic except for tcp/22 and tcp/443
> > inbound connections.
> >
> > The other interface is the Snort sensor on eth1. The sensor is listening
> > only. So is a rule allowing all incoming like so sufficient for Snort
> > sniffing:
> >
> > -A INPUT -i eth1 -j ACCEPT
> >
> > Or should I also allow all outbound as follows:
> >
> > -A INPUT -i eth1 -j ACCEPT
> > -A OUTPUT -o eth1 -j ACCEPT
> >
> > Alternatively, is there a best practice IPtables configuration for snort
> > sensors?
> >
> > thanks,
> >
> > Steve
> >
> >



-- 
Best Regards,
Steven McLaughlin
steve at ...16368...
0459 351 266
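The ruleset this thread is circling around, written out as an added example; it is not from the original post, from Jeremy's reply, or from the Snort project. It assumes eth0 is the management interface and eth1 the sniffing interface, and that the sensor needs outbound DNS, NTP and HTTPS on eth0 for rule updates; none of that is stated in the thread. Two points it encodes. First, libpcap/AF_PACKET receives frames at the device layer, before the packet reaches netfilter's IP-layer INPUT hook, so a passive sensor loses nothing if every packet on eth1 is dropped; dropping (rather than accepting) is the safer choice because the box then never answers on the monitored segment even if someone later assigns eth1 an address. Second, the OUTPUT chain matches the outgoing interface with -o; iptables rejects -i there. If the sensor is ever switched to inline operation through the NFQ DAQ, traffic does traverse netfilter and the rules need an NFQUEUE target; this ruleset is for sniffing only.

```shell
#!/bin/sh
# Added example (not from the thread or the Snort project): emit an
# iptables-restore ruleset for a passive Snort sensor with a management
# interface that has an IP and a sniffing interface that has none.
# Assumptions: interface names are passed in; outbound DNS/NTP/HTTPS on the
# management side is allowed for rule updates. Adjust to the deployment.
#
# Usage:  sensor_rules eth0 eth1 | sudo iptables-restore
#         sensor_rules eth0 eth1 > /etc/iptables/rules.v4

sensor_rules() {
    mgmt="$1"     # management interface (SSH/HTTPS in, updates out)
    sniff="$2"    # promiscuous sniffing interface, no IP address

    if [ -z "$mgmt" ] || [ -z "$sniff" ] || [ "$mgmt" = "$sniff" ]; then
        echo "usage: sensor_rules <mgmt-iface> <sniff-iface>" >&2
        return 1
    fi

    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Loopback.
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# Sniffing interface: drop everything in both directions. libpcap/AF_PACKET
# receives frames at the device layer before netfilter's INPUT hook, so Snort
# still sees every packet; the box just never answers on the monitored segment.
# OUTPUT matches the outgoing interface with -o (iptables rejects -i here).
-A INPUT -i $sniff -j DROP
-A OUTPUT -o $sniff -j DROP
# Management interface: stateful, inbound SSH and HTTPS only.
-A INPUT -i $mgmt -m conntrack --ctstate INVALID -j DROP
-A INPUT -i $mgmt -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $mgmt -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i $mgmt -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
# Management interface outbound: replies plus DNS, NTP and HTTPS for updates
# (assumed requirement; trim to what the sensor actually needs).
-A OUTPUT -o $mgmt -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o $mgmt -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -o $mgmt -p udp --dport 123 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -o $mgmt -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Run as a script: sensor_rules.sh <mgmt-iface> <sniff-iface>
if [ "$#" -eq 2 ]; then
    sensor_rules "$1" "$2"
fi
```

Load it with `iptables-restore` rather than a series of `iptables -A` calls so the policy flips to DROP atomically, and verify afterwards that Snort is still seeing traffic on eth1 (for example with `tcpdump -ni eth1 -c 5`) before trusting the sensor again.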