[Snort-users] Snort with IPtables

Jeremy Hoel jthoel at ...11827...
Fri Jun 7 00:32:21 EDT 2013


Well, I can tell you it works for me.  I imagine that yes, iptables
would require an IP to be effective on that interface.  So yes, I
would say that iptables works on L3 and not L2.

When I get to work I can paste a quick copy of the iptables we use so
you can see an example.

On Thu, Jun 6, 2013 at 10:13 PM, Steven McLaughlin <steve at ...16390...> wrote:
> That sort of makes sense since it is only listening in promisc mode, but not
> actually allowing traffic in destined for its interface. I guess IPtables
> works at L3 and without an IP it doesn't really matter if IPtables is on or
> off then. Would this be a true statement? (I am only running as a sniffer
> and not switching inline)
>
> I'm interested to hear more feedback on this.
>
>
> On 7 June 2013 14:08, Jeremy Hoel <jthoel at ...11827...> wrote:
>>
>> We run iptables on all our sensors, but we don't give the sniffing
>> port an IP and have no iptables entries for it.
>>
>> It works like a champ.
>>
>> On Thu, Jun 6, 2013 at 10:03 PM, Steven McLaughlin <steve at ...16390...>
>> wrote:
>> > Hi All,
>> >
>> > What's the take on running a Snort sensor with IPtables running? In the first
>> > instance I would think this interferes with sensor detection capability.
>> >
>> > Is anyone running IPtables on the same host as their Snort sensor? If so,
>> > what is the best way to nail this? The reason I ask is that I have two
>> > interfaces. One is the management interface which will have an IP address.
>> > This interface will deny all incoming traffic except for tcp/22 and tcp/443
>> > inbound connections.
>> >
>> > The other interface is the snort sensor on eth1. The sensor is listening
>> > only. So is a rule allowing all incoming like so sufficient for Snort
>> > sniffing:
>> >
>> > -A INPUT -i eth1 -j ACCEPT
>> >
>> > Or should I also allow all outbound as follows:
>> >
>> > -A INPUT -i eth1 -j ACCEPT
>> > -A OUTPUT -o eth1 -j ACCEPT
>> >
>> > Alternatively, is there a best practice IPtables configuration for snort
>> > sensors?
>> >
>> > thanks,
>> >
>> > Steve
>> >
>> >
>
> --
> Best Regards,
> Steven McLaughlin
> steve at ...16368...
> 0459 351 266
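The layout Steve describes above (a management interface that admits only tcp/22 and tcp/443 inbound, and a sniff-only eth1 with no IP), written out as an added iptables-restore ruleset that is not from anyone in the thread. The management interface name eth0 is an assumption, since the thread never names it; the rules for the sniffing port DROP rather than ACCEPT, because libpcap hands Snort the frames before netfilter's INPUT chain ever sees them, so blocking there costs no visibility and stops the sensor from answering on the monitored segment.

```shell
#!/bin/sh
# Added example, not from the thread. Prints an iptables-restore ruleset for a
# sniff-only Snort sensor. Assumes: management interface eth0 (not named in the
# thread), sniffing interface eth1 (as in the thread). Override with $1 and $2.
snort_sensor_rules() {
    mgmt_if="${1:-eth0}"
    sniff_if="${2:-eth1}"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback, plus replies to connections the sensor itself initiated
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# management interface: only new SSH and HTTPS connections inbound
-A INPUT -i ${mgmt_if} -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i ${mgmt_if} -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
# sniffing interface: no IP, so the host stack should never accept or emit here;
# Snort still sees every frame because pcap captures below the INPUT chain
-A INPUT -i ${sniff_if} -j DROP
-A OUTPUT -o ${sniff_if} -j DROP
COMMIT
EOF
}

# Offline sanity check on the generated text (needs neither root nor iptables):
# the sniffing interface must never be ACCEPTed, and OUTPUT rules must select
# the interface with -o, since iptables rejects -i in the OUTPUT chain.
check_rules() {
    rules="$(snort_sensor_rules "$@")"
    printf '%s\n' "$rules" | grep -q -- "-i ${2:-eth1} -j ACCEPT" && return 1
    printf '%s\n' "$rules" | grep -q -- "-A OUTPUT -i" && return 1
    return 0
}
```

Load it with `snort_sensor_rules | iptables-restore` on the sensor; pass other interface names as arguments if yours differ.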
