[Snort-users] Some Snort beginner questions

Jim Garrison jhg at ...17014...
Wed Nov 5 11:55:07 EST 2014


On 10/31/2014 5:40 PM, James Lay wrote:
> On Sat, 2014-11-01 at 00:26 +0000, Joel Esler (jesler) wrote:
>> You can put all your deny statements in iptables before you put your queue statements. 
>>
>> --
>> Joel Esler
>> iPhone
>>
>> > On Oct 31, 2014, at 17:40, Jim Garrison <jhg at ...17014... <mailto:jhg at ...17014...>> wrote:
>> > 
>> > I have a Centos 6.5 web server configured with a very restrictive
[snip]
> 
> Also keep in mind that any iptables rules AFTER your snort QUEUE rule
> are NOT applied.  As soon as a packet hits the snort QUEUE rule the
> packet is either a) flagged by snort and dropped, or b) passed up the
> stack as allowed.

I guess I'm still too new to Snort to fully understand how to do this.

I am running Snort and iptables on a single machine, filtering incoming
traffic to that one machine, and eventually wanting to run Snort as
an IPS for that single machine.  The iptables configuration has been
stable for years and I'd rather not change it too much.

What I want to do is make Snort see and react to only the traffic not
already blocked by iptables.  I.e.

    Internet --> iptables --> snort --> httpd

Is there a document describing how to do this?

I've read elsewhere that Snort works best as an IPS when it runs on
its own dedicated machine with two NICs, and filters incoming traffic
for an internal network, and not so well for my situation.  Is this
true?

-- 
Jim Garrison (jhg at ...4514...)
PGP Keys at http://www.jhmg.net RSA 0x04B73B7F DH 0x70738D88
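To make the ordering point from the quoted replies concrete, here is an added example (mine, not code from the thread or from the Snort project) that models netfilter's first-match evaluation for the INPUT chain. The NFQUEUE target stands in for the "QUEUE rule" discussed above, and the ports, addresses and the DROP policy are constructed assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Rule:
    """One INPUT-chain rule; None in a match field means 'any'."""
    target: str                  # ACCEPT, DROP, REJECT or NFQUEUE
    proto: Optional[str] = None  # e.g. "tcp"
    dport: Optional[int] = None  # destination port
    src: Optional[str] = None    # source address

    def matches(self, pkt: dict) -> bool:
        return ((self.proto is None or pkt["proto"] == self.proto)
                and (self.dport is None or pkt["dport"] == self.dport)
                and (self.src is None or pkt["src"] == self.src))

    def covers(self, other: "Rule") -> bool:
        """True if every packet matched by `other` is also matched by this rule."""
        return all(mine is None or mine == theirs
                   for mine, theirs in ((self.proto, other.proto),
                                        (self.dport, other.dport),
                                        (self.src, other.src)))

# Netfilter stops at the first matching terminating target. NFQUEUE hands the
# packet to Snort, whose verdict is final, so no later rule is ever consulted.
TERMINATING = {"ACCEPT", "DROP", "REJECT", "NFQUEUE"}

def dispose(pkt: dict, chain: List[Rule], policy: str = "DROP") -> str:
    """Return the first terminating target matching pkt, else the chain policy (assumed DROP)."""
    for rule in chain:
        if rule.target in TERMINATING and rule.matches(pkt):
            return rule.target
    return policy

def shadowed(chain: List[Rule]) -> List[Tuple[int, int]]:
    """(later, earlier) index pairs where an earlier terminating rule makes a later one unreachable."""
    return [(j, i) for j, later in enumerate(chain)
            for i, earlier in enumerate(chain[:j])
            if earlier.target in TERMINATING and earlier.covers(later)]

# Constructed sample chains. Denies (and trusted accepts) first, then hand the rest to Snort.
# Note the trade-off: anything ACCEPTed before the queue rule is never inspected by Snort.
GOOD_CHAIN = [Rule("ACCEPT", src="192.0.2.10"),          # constructed admin host
              Rule("DROP", proto="tcp", dport=23),
              Rule("NFQUEUE")]
# Queue first: the telnet deny below it can never fire.
BAD_CHAIN = [Rule("NFQUEUE"), Rule("DROP", proto="tcp", dport=23)]

TELNET = {"proto": "tcp", "dport": 23, "src": "198.51.100.7"}  # constructed packet
HTTP = {"proto": "tcp", "dport": 80, "src": "198.51.100.7"}    # constructed packet
ADMIN = {"proto": "tcp", "dport": 22, "src": "192.0.2.10"}     # constructed packet
```

Running `shadowed()` over a chain before loading it is a cheap way to catch deny rules that were appended after the queue rule and silently stopped applying.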