Snort mailing list archives

Re: Is IPTables blocking Snort detection?


From: Matt Kettler <mkettler () evi-inc com>
Date: Mon, 19 Jan 2004 11:45:20 -0500

At 10:33 AM 1/19/2004, Stephen W. Corey - 5535 wrote:
If I've got everything firewalled on my Linux-Snort box using IPTables except for SSH, will that limit what Snort (and the promiscuous mode NIC) is able to see & detect? Just curious... Thanks!


No, it won't. I regularly configure my snort interfaces with "block all" rules (although I mostly do this on OpenBSD and Linux 2.2.x, I have tried it on 2.4.x w/iptables before).

In general IPChains, IPTables, ipfw, and other *nix kernel firewalls are implemented as a filter right before data enters or leaves the TCP/IP stack.

Snort uses libpcap, and gets packets directly from the ethernet layer and thus sees more-or-less everything that actually appears on the wire, regardless of what IPTables is doing.

Of course, if IPTables prevents the local system from sending a packet out, snort will never see it, because it never got queued to be sent to the ethernet device.

If you want to be sure, run tcpdump and watch.
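A scripted form of the "run tcpdump and watch" check from the reply above, written for this archive page rather than taken from the thread: it inserts a DROP rule for a probe port, captures on the same interface for a short window, and compares the rule's packet counter against tcpdump's capture count. It assumes Linux with iptables and tcpdump, root, and a second host sending a few TCP SYNs to the probe port during the window; IFACE, PORT and the port number 5599 are constructed placeholders.

```shell
#!/bin/sh
# Checks that an iptables DROP rule raises its packet counter while tcpdump
# (the same libpcap path Snort uses) still captures those packets.
# Assumptions: root, Linux, iptables + tcpdump; IFACE = sniffing interface;
# PORT = constructed probe port with no listener; another host sends a few
# TCP SYNs to IFACE:PORT during the capture window.

IFACE="${IFACE:-eth0}"
PORT="${PORT:-5599}"
WINDOW="${WINDOW:-20}"

# pkts counter of the INPUT DROP rule for the given dport, read from
# `iptables -vnxL INPUT` on stdin (columns: pkts bytes target prot ...).
iptables_drop_pkts() {
    awk -v port="$1" '$3 == "DROP" && $0 ~ ("dpt:" port "( |$)") { print $1; exit }'
}

# N from tcpdump's "N packets captured" summary line (stdin).
tcpdump_captured() {
    awk '/packets captured/ { print $1; exit }'
}

# True (exit 0) when the firewall dropped something and tcpdump saw at
# least that many packets; false otherwise.
capture_unaffected() {
    before=$1; after=$2; captured=$3
    delta=$((after - before))
    [ "$delta" -gt 0 ] && [ "$captured" -ge "$delta" ]
}

verify_capture_vs_firewall() {
    log=$(mktemp)
    iptables -I INPUT -i "$IFACE" -p tcp --dport "$PORT" -j DROP
    before=$(iptables -vnxL INPUT | iptables_drop_pkts "$PORT")
    # tcpdump sees the frame before netfilter's INPUT chain drops it;
    # the summary line tcpdump prints on exit goes to stderr.
    timeout "$WINDOW" tcpdump -i "$IFACE" -nn "tcp dst port $PORT" >/dev/null 2>"$log"
    after=$(iptables -vnxL INPUT | iptables_drop_pkts "$PORT")
    captured=$(tcpdump_captured <"$log")
    iptables -D INPUT -i "$IFACE" -p tcp --dport "$PORT" -j DROP
    rm -f "$log"
    echo "dropped by iptables: $((after - before)), captured by tcpdump: $captured"
    capture_unaffected "$before" "$after" "$captured"
}

# The privileged check only runs when explicitly requested: ./check.sh run
if [ "${1:-}" = "run" ]; then
    verify_capture_vs_firewall
fi
```

Run it with the argument `run` as root; a zero exit status means tcpdump captured at least as many packets as the rule dropped, so a Snort sensor on that interface would have seen them too.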
