Snort mailing list archives
Re: Snort with IPTables
From: Erek Adams <erek () theadamsfamily net>
Date: Sat, 12 Jan 2002 16:51:57 -0800 (PST)
On Sat, 12 Jan 2002, Matt Kettler wrote:
There's been a bit of tossing around about this on this list and I have some related experience. I admit I've never done this with Linux 2.4 and IPTables, so I can't be certain that this will work, but I do have some direct experience with running snort on a Linux 2.2 box with ipchains and an OpenBSD box with ipf.
[...excellent writeup snipped...]
I believe the snort FAQ section you are talking about is the case where snort is running on a separate machine that is inside an ipchains/iptables/ipf/cisco/whatever firewalled network. It would also apply if the sensor was watching the inside interface of the machine (since packets from the outside would need to pass through the outside interface's filters before being forwarded to the inside interface).
Yes. 4.3 does refer to a snort sensor "behind" a firewall. Please see more info below....
The inbound filters of the interface snort is monitoring should not matter, but I only have evidence to claim that this is true for Linux 2.2/ipchains and OpenBSD/ipf. I do strongly suspect that it is true for other systems as well, including Linux 2.4/iptables.
At this point I don't have enough free boxes in the test lab to actually "test" this, so like you, I can't say.
At 02:21 PM 1/12/2002 -0800, Erek Adams wrote:

If you'll have a look at the FAQ (http://www.snort.org/docs/faq.html#4.3), you'll want to consider that if you run snort on the same box as a firewall, the only packets it (snort) will see will be the ones that _aren't_ blocked by your firewall rules.

I politely disagree with your interpretation Erek, but I can see how you came to that conclusion.
Wow, polite disagreement! Woo-Hoo! Looks like the start of some good discussion! :) I'm in no way perfect and actually like to know when I'm wrong, esp. with something as critical as this! Thanks for your excellent writeup and correction!

Have a look at the email thread that John Sage <jsage () finchhaven com> and I had on this same subject a while back on the list. IIRC, some of his findings seem to contradict some things that I had thought. Now, I could be smoking crack, but I don't know who's right any more. :) Anyone want to jump in and save my sanity? If not, I'm going out and have a rather good single malt scotch. Research shall have to wait till Monday!

G'nite for now...

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
Current thread:
- Snort with IPTables jaalexan (Jan 10)
- Re: Snort with IPTables Mark Rowlands (Jan 12)
- Re: Snort with IPTables Erek Adams (Jan 12)
- Message not available
- Re: Snort with IPTables Matt Kettler (Jan 12)
- Re: Snort with IPTables Erek Adams (Jan 12)
- RE: Snort with IPTables Martijn Heemels (Jan 13)
- Re: Snort with IPTables Hasnain Atique (Jan 13)
- RE: Snort with IPTables neal (Jan 14)
- Re: Snort with IPTables David Lambert (Jan 13)
- Re: Snort with IPTables Fyodor (Jan 13)
- Re: Snort with IPTables John Sage (Jan 13)
- Re: Snort with IPTables Mark Rowlands (Jan 12)