Snort mailing list archives
Re: FAQ Suggestion: snort & iptables
From: Phil Wood <cpw () lanl gov>
Date: Fri, 20 Dec 2002 08:31:24 -0700
It has been my experience on linux that promiscuous mode sees all the junk on the wire. Iptables can be set to block all input, but libpcap will see all packets on the wire. Snort uses libpcap.

On Thu, Dec 19, 2002 at 06:58:40PM -0500, Matt Kettler wrote:
I agree with Michael. This is also becoming a good candidate for the Snort FAQ. I think I've seen this question at least a dozen times on the snort-users list.

Snort is NOT directly affected by ipchains/iptables/ipf/etc. I've repeatedly used snort with "deny all" rules on linux 2.2.x, linux 2.4.x, OpenBSD. My main snort box is an OpenBSD box set up this way. It sees whatever comes out of or goes into the network adapter. Period.

In fact, I'd actually recommend that everyone use snort listening on a stealth interface (i.e. no IP) _and_ "deny all" rules applied to the packet filter for that interface whenever possible.

FAQ Maintainer suggested FAQ addition (comments/improvements/modifications welcome):

Q: Does snort see packets filtered by IPTables/IPChains/IPF?

A: Snort operates using libpcap. In general it sees everything the network adapter driver sees. Linux IPTables, Linux IPChains, BSD IPF and other packet filters do not prevent snort from seeing a packet that is present on the network wire. Even if an inbound packet is denied by the packet filter, Snort will still see and analyze the packet if it is listening to that interface.

Note however that Snort is affected to the extent that the stream of data on the network wire is affected. Thus Snort will not see outbound packets which were denied while being sent, since they will never reach the network adapter.

At 05:45 AM 12/20/2002 +0800, Michael Boman wrote:

I beg to differ:

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
-- Phil Wood, cpw () lanl gov
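
The behaviour described in this message can be checked with the following added example, which is not code from the thread or from Snort. It opens a Linux AF_PACKET socket, the same kind of tap libpcap uses on Linux, and reports inbound IPv4 frames; run as root on an interface whose packet filter denies all input, it still reports the denied packets. The interface name `eth0`, the function names and the sample frame are assumptions made for illustration.

```python
import socket
import struct

ETH_P_ALL = 0x0003       # tap every protocol, as libpcap does on Linux
ETH_P_IP = 0x0800
PACKET_OUTGOING = 4      # pkttype of frames this host is sending

# Constructed sample: Ethernet + IPv4 + TCP header, 192.0.2.10:40000 -> 192.0.2.20:22
SAMPLE_FRAME = (bytes(12) + b"\x08\x00"
                + bytes.fromhex("450000280000400040060000")
                + socket.inet_aton("192.0.2.10") + socket.inet_aton("192.0.2.20")
                + struct.pack("!HH", 40000, 22) + bytes(16))


def summarize_frame(frame: bytes):
    """Return (src, dst, proto, sport, dport) for an IPv4 frame, else None."""
    if len(frame) < 14 + 20:
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_IP:
        return None
    ihl = (frame[14] & 0x0F) * 4
    if frame[14] >> 4 != 4 or ihl < 20:
        return None
    proto = frame[23]
    src = socket.inet_ntoa(frame[26:30])
    dst = socket.inet_ntoa(frame[30:34])
    frag_offset = struct.unpack("!H", frame[20:22])[0] & 0x1FFF
    l4 = 14 + ihl
    # Ports exist only for TCP/UDP and only in the first fragment.
    if proto not in (6, 17) or frag_offset or len(frame) < l4 + 4:
        return (src, dst, proto, None, None)
    sport, dport = struct.unpack("!HH", frame[l4:l4 + 4])
    return (src, dst, proto, sport, dport)


def watch(iface: str, count: int = 20):
    """Print inbound IPv4 frames seen on iface (needs root or CAP_NET_RAW)."""
    s = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETH_P_ALL))
    s.bind((iface, 0))
    seen = 0
    while seen < count:
        frame, addr = s.recvfrom(65535)
        if addr[2] == PACKET_OUTGOING:   # skip our own transmissions
            continue
        info = summarize_frame(frame)
        if info:
            print("seen on wire:", info)
            seen += 1


if __name__ == "__main__":
    import sys
    watch(sys.argv[1] if len(sys.argv) > 1 else "eth0")  # "eth0" is an assumed name
```

Comparing its output with the packet filter's own drop counters for the same interface shows the tap sitting ahead of the filter for inbound traffic.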
Current thread:
- snort & iptables Eduard San Anselmo Mateu (Dec 18)
- Re: snort & iptables twig les (Dec 18)
- Re: snort & iptables Jacob Redding (Dec 19)
- Re: snort & iptables Michael Boman (Dec 19)
- Re: FAQ Suggestion: snort & iptables Matt Kettler (Dec 19)
- Re: FAQ Suggestion: snort & iptables Phil Wood (Dec 20)
- Re: snort & iptables Jacob Redding (Dec 19)
- Re: snort & iptables twig les (Dec 18)