Snort mailing list archives
Re: Is IPTables blocking Snort detection?
From: Matt Kettler <mkettler () evi-inc com>
Date: Mon, 19 Jan 2004 11:45:20 -0500
At 10:33 AM 1/19/2004, Stephen W. Corey - 5535 wrote:
If I've got everything firewalled on my Linux-Snort box using IPTables except for SSH, will that limit what Snort (and the promiscuous mode NIC) is able to see & detect? Just curious... Thanks!
No.. it won't. I regularly configure my snort interfaces with "block all" rules (although I mostly do this on OpenBSD and Linux 2.2.x, I have tried it on 2.4.x w/iptables before)
In general IPChains, IPTables, ipfw, and other *nix kernel firewalls are implemented as a filter right before data enters or leaves the TCP/IP stack.
Snort uses libpcap, and gets packets directly from the ethernet layer and thus sees more-or-less everything that actually appears on the wire, regardless of what IPTables is doing.
Of course, if IPTables prevents the local system from sending a packet out, snort will never see it, because it never got queued to be sent to the ethernet device.
If you want to be sure, run tcpdump and watch.
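The "run tcpdump and watch" check above, as an added shell script that is not part of the original thread: it inserts a temporary INPUT DROP rule for ICMP echo requests, captures with tcpdump (libpcap) on the same interface while a peer pings the host, and then compares what the capture saw with what the iptables counters say was dropped. It assumes root, iptables, tcpdump, the interface name in IFACE (default eth0) and a second machine that sends pings; the helper names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread). Shows that a libpcap capture on the host
# still sees packets that an iptables INPUT rule drops, because pcap taps the
# interface below netfilter. Assumes root, iptables and tcpdump are available.
IFACE="${IFACE:-eth0}"   # interface to test; assumption, override via environment

# Count ICMP echo requests in a saved tcpdump text log (tcpdump -n output).
count_echo_requests() {
    grep -c 'ICMP echo request' "$1"
}

# Packet counter of the temporary DROP rule, read from iptables (-x = exact counts).
count_dropped() {
    iptables -L INPUT -v -n -x | awk '/DROP/ && /icmp/ { print $1; exit }'
}

# $1 = echo requests seen by the capture, $2 = packets dropped by the INPUT rule.
verdict() {
    if [ "$2" -gt 0 ] && [ "$1" -ge "$2" ]; then
        echo "capture sees traffic the firewall drops"
    elif [ "$2" -eq 0 ]; then
        echo "nothing dropped: check that the peer actually sent pings"
    else
        echo "capture missed packets: check interface name and promiscuous mode"
    fi
}

run_check() {
    log=$(mktemp)
    # Drop inbound echo requests at the top of INPUT and zero the counters.
    iptables -I INPUT 1 -i "$IFACE" -p icmp --icmp-type echo-request -j DROP
    iptables -Z INPUT
    # Capture five echo requests in the background while the peer pings us.
    tcpdump -ni "$IFACE" -c 5 'icmp[icmptype] == icmp-echo' > "$log" 2>/dev/null &
    tcpdump_pid=$!
    echo "send about five pings to this host from another machine now..."
    wait "$tcpdump_pid"
    seen=$(count_echo_requests "$log")
    dropped=$(count_dropped)
    # Remove the temporary rule again before reporting.
    iptables -D INPUT -i "$IFACE" -p icmp --icmp-type echo-request -j DROP
    rm -f "$log"
    echo "libpcap saw $seen echo requests; iptables dropped $dropped"
    verdict "$seen" "$dropped"
}
```

Run it as root with `run_check` (for example `sh -c '. ./check.sh; run_check'`); the peer never gets a reply because the DROP rule eats the request, yet the capture still lists each request.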