Re: Snort with IPTables

[Erek Adams <erek () theadamsfamily net>]

On Sat, 12 Jan 2002, Matt Kettler wrote:

> There's been a bit of tossing around about this on this list and I have
> some related experience. I admit I've never done this with Linux 2.4 and
> IPTables, so I can't be certain that this will work, but I do have some
> direct experience with running snort on a Linux 2.2 box with ipchains and
> an OpenBSD box with ipf.

[...excellent writeup snipped...]

> I believe the snort FAQ section you are talking about is the case where
> snort is running on a separate machine that is inside a
> ipchains/iptables/ipf/cisco/whatever firewalled network. It would also
> apply if the sensor was watching the inside interface of the machine (since
> packets from the outside would need to pass through the outside interface's
> filters before being forwarded to the inside interface.).

Yes.  4.3 does refer to a snort sensor "behind" a firewall.  Please see more
info below....

> The inbound filters of the interface snort is monitoring should not matter,
> but I only have evidence to claim that this is true for Linux 2.2/ipchains
> and OpenBSD/ipf. I do strongly suspect that it is true for other systems as
> well, including Linux 2.4/iptables.

At this point I don't have enough free boxes in the test lab to actually
"test" this, so like you, I can't say.

> At 02:21 PM 1/12/2002 -0800, Erek Adams wrote:
> > If you'll have a look at the FAQ:  http://www.snort.org/docs/faq.html#4.3
> >
> > You'll want to consider if running snort on the same box as a firewall, then
> > the only packets that it (snort) will see will be the ones that _aren't_
> > blocked by your firewall rules.
>
> I politely disagree with your interpretation Erek, but I can see how you
> came to that conclusion.

Wow, polite disagreement!  Woo-Hoo!  Looks like the start of some good
discussion!  :)  I'm in no way perfect and actually like to know when I'm
wrong, esp. with something as critical as this!  Thanks for your excellent
writeup and correction!

Have a look at the email thread that John Sage <jsage () finchhaven com> and I
had on this same subject a while back on the list.  IIRC, some of his findings
seem to contradict some things that I had thought.  Now, I could be smoking
crack, but I don't know who's right any more.  :)  Anyone want to jump in and
save my sanity?  If not, I'm going out and have a rather good single malt
scotch.  Research shall have to wait 'till Monday!

G'nite for now...

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users