Snort mailing list archives
Re: Snort+iptables in the same machine
From: Nick Hatch <nick () restek wwu edu>
Date: Thu, 11 Mar 2004 14:47:03 -0800
From the snort FAQ at http://www.snort.org/docs/FAQ.txt
4.4 Does snort see packets filtered by IPTables/IPChains/IPF/PF?

Snort operates using libpcap. In general it sees everything the network adapter driver sees before the network stack munges it. Linux IPTables, Linux IPChains, BSD PF and IPF and other packet filters do not prevent snort from seeing a packet that is present on the network wire. Even if an inbound packet is denied by the packet filter Snort will still see and analyze the packet if it is listening to that interface. Snort/pcap sees whatever comes out of or goes into the network adapter.

Note however that Snort is affected to the extent that the stream of data on the network wire is affected. Thus Snort will not see outbound packets which were denied while being sent since they will never reach the network adapter.
There might be some way to use preprocessing settings to do about the same thing, but I've never had a need to do it.
-Nick

Luis Claudio R. da Silveira wrote:

Hi all,

What are the implications about using iptables with snort in the same machine? Is it possible? Is there any problem with packets arriving from promiscuous interface? I need to restrict input packets using iptables in snort box, permitting only output traffic to an ACID console.

I'd appreciate some help on this.

Thanks in advance,
Luis Claudio
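An added example, not part of the original posts or the Snort FAQ: a generator for the ruleset asked about in this thread, dropping all input on the sensor and permitting only outbound traffic to the console. Per the FAQ text quoted above, Snort still sees inbound packets on the sniffing interface despite the DROP policy, because libpcap reads them before the packet filter does. The interface names, the 192.0.2.10 address, MySQL port 3306 and the function name `sensor_ruleset` are assumptions.

```shell
#!/bin/sh
# Added example: emit an iptables-restore ruleset for a Snort sensor.
# Assumptions (none of these values come from the thread):
#   eth0        sniffing interface Snort listens on
#   eth1        management interface used to reach the console
#   192.0.2.10  constructed console address (documentation range)
#   3306        MySQL port, assuming Snort logs to a database that ACID reads

sensor_ruleset() {
    sniff_if=$1 mgmt_if=$2 console_ip=$3 db_port=$4

    # Accept only plain interface names, a dotted-quad address and a valid port,
    # so nothing unexpected ends up inside a rule.
    for ifname in "$sniff_if" "$mgmt_if"; do
        case "$ifname" in ''|*[!A-Za-z0-9_.-]*) return 1 ;; esac
    done
    case "$console_ip" in ''|*[!0-9.]*) return 1 ;; esac
    case "$db_port" in ''|*[!0-9]*) return 1 ;; esac
    [ "$db_port" -ge 1 ] && [ "$db_port" -le 65535 ] || return 1

    # Default-drop in every chain. The explicit DROP on the sniffing interface
    # documents intent: the host stack never answers on it, yet libpcap (and so
    # Snort) still receives every frame that arrives there.
    # The only new connection allowed is outbound to the console; outbound
    # packets dropped by OUTPUT never reach the adapter, so Snort will not
    # see them either.
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -i $sniff_if -j DROP
-A INPUT -i $mgmt_if -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o $mgmt_if -d $console_ip -p tcp --dport $db_port -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
COMMIT
EOF
}

# Print the ruleset for the constructed values above.
sensor_ruleset eth0 eth1 192.0.2.10 3306
```

The output is in `iptables-restore` format; piping it to `iptables-restore --test` as root checks that it parses without committing it.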
Current thread:
- Snort+iptables in the same machine Luis Claudio R. da Silveira (Mar 11)
- Re: Snort+iptables in the same machine Nick Hatch (Mar 11)
- <Possible follow-ups>
- RE: Snort+iptables in the same machine SN ORT (Mar 12)