Snort mailing list archives

Re: FAQ Suggestion: snort & iptables


From: Phil Wood <cpw () lanl gov>
Date: Fri, 20 Dec 2002 08:31:24 -0700

It has been my experience on Linux that promiscuous mode sees all the junk
on the wire.  Iptables can be set to block all input, but libpcap will see
all packets on the wire.  Snort uses libpcap.

On Thu, Dec 19, 2002 at 06:58:40PM -0500, Matt Kettler wrote:
I agree with Michael. This is also becoming a good candidate for the Snort 
FAQ. I think I've seen this question at least a dozen times on the 
snort-users list.

Snort is NOT directly affected by ipchains/iptables/ipf/etc. I've 
repeatedly used snort with "deny all" rules on Linux 2.2.x, Linux 2.4.x, 
OpenBSD. My main snort box is an OpenBSD box set up this way. It sees 
whatever comes out of or goes into the network adapter. Period.

In fact, I'd actually recommend that everyone use snort listening on a 
stealth interface (i.e., no IP) _and_ "deny all" rules applied to the packet 
filter for that interface whenever possible.


FAQ Maintainer suggested FAQ addition (comments/improvements/modifications 
welcome):

Q:  Does snort see packets filtered by IPTables/IPChains/IPF?

A: Snort operates using libpcap. In general it sees everything the network 
adapter driver sees. Linux IPTables, Linux IPChains, BSD IPF and other 
packet filters do not prevent snort from seeing a packet that is present on 
the network wire. Even if an inbound packet is denied by the packet filter, 
Snort will still see and analyze the packet if it is listening to that 
interface.
        Note, however, that Snort is affected to the extent that the stream 
of data on the network wire is affected. Thus Snort will not see outbound 
packets which were denied while being sent, since they will never reach the 
network adapter.


At 05:45 AM 12/20/2002 +0800, Michael Boman wrote:
I beg to differ:



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

-- 
Phil Wood, cpw () lanl gov
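
The behaviour described in the proposed FAQ answer can be checked in a throwaway lab. The script below is an added example, not part of the thread or of Snort: tcpdump stands in for Snort because both capture through libpcap. It assumes Linux, root, iproute2, iptables, tcpdump and ping; the namespace, interface names and addresses are constructed.

```shell
#!/bin/sh
# Added lab sketch, not from the thread. Assumes Linux, root, iproute2,
# iptables, tcpdump, ping. Namespace, interface names and addresses are constructed.
NS=pcaplab; HOST_IF=lab0; PEER_IF=lab1
HOST_IP=10.99.0.1; PEER_IP=10.99.0.2

# Classify one direction: packets the sniffer captured vs. packets the rule dropped.
classify() {  # usage: classify <captured> <dropped>
  if [ "$1" -gt 0 ] && [ "$2" -gt 0 ]; then echo "seen-and-dropped"
  elif [ "$1" -eq 0 ] && [ "$2" -gt 0 ]; then echo "dropped-before-tap"
  elif [ "$1" -gt 0 ]; then echo "seen-not-dropped"
  else echo "no-traffic"; fi
}

# Packet counter of the first rule in chain $1 that names the lab interface.
rule_pkts() {
  iptables -L "$1" -v -n -x | awk -v i="$HOST_IF" '$0 ~ i { print $1; exit }'
}

# Run a command while tcpdump (libpcap, like Snort) listens; print packets captured.
sniff() {  # usage: sniff <bpf-filter> <command...>
  s_filter=$1; shift; s_out=$(mktemp)
  timeout 6 tcpdump -i "$HOST_IF" -n -l "$s_filter" >"$s_out" 2>/dev/null &
  sleep 1; "$@" >/dev/null 2>&1 || true   # the pings are expected to fail
  wait; wc -l <"$s_out"; rm -f "$s_out"
}

main() {
  ip netns add "$NS"
  trap "iptables -D INPUT -i $HOST_IF -p icmp -j DROP; iptables -D OUTPUT -o $HOST_IF -p icmp -j DROP; ip netns del $NS" EXIT
  ip link add "$HOST_IF" type veth peer name "$PEER_IF"
  ip link set "$PEER_IF" netns "$NS"
  ip addr add "$HOST_IP/24" dev "$HOST_IF"; ip link set "$HOST_IF" up
  ip netns exec "$NS" ip addr add "$PEER_IP/24" dev "$PEER_IF"
  ip netns exec "$NS" ip link set "$PEER_IF" up
  iptables -I INPUT -i "$HOST_IF" -p icmp -j DROP    # deny inbound on the sensor side
  iptables -I OUTPUT -o "$HOST_IF" -p icmp -j DROP   # deny outbound as well
  # Inbound: peer pings host; the capture tap sits ahead of the INPUT chain.
  in_cap=$(sniff "icmp and dst host $HOST_IP" ip netns exec "$NS" ping -c 3 -W 1 "$HOST_IP")
  echo "inbound:  $(classify "$in_cap" "$(rule_pkts INPUT)")"
  # Outbound: host pings peer; OUTPUT drops the packet before it reaches the adapter.
  out_cap=$(sniff "icmp and dst host $PEER_IP" ping -c 3 -W 1 "$PEER_IP")
  echo "outbound: $(classify "$out_cap" "$(rule_pkts OUTPUT)")"
}

if [ "${1:-}" = "run" ]; then main; fi
```

Run it as root with the argument `run`. If the FAQ answer holds on the kernel under test, the inbound line reads `seen-and-dropped` and the outbound line reads `dropped-before-tap`.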


