Snort mailing list archives
Re: Snort with IPtables
From: Jeremy Hoel <jthoel () gmail com>
Date: Thu, 6 Jun 2013 22:32:21 -0600
well i can tell you it works for me. I imagine that yes, iptables would require an IP to be effective on that interface. So yes, I would say that iptables on works on L3 and not L2. When i get to work i can paste a quick copy of the iptables we use so you can see an example. On Thu, Jun 6, 2013 at 10:13 PM, Steven McLaughlin <steve () lan com au> wrote:
That sort of makes sense since it is only listening in promisc mode, but not actually allowing traffic in destined for its interface. I guess IPtables works at L3 and without an IP it doesn't really matter if IPtables is on or off then. Would this be a true statement? (I am only running as a sniffer and not switching inline) I'm interested to hear more feedback on this. On 7 June 2013 14:08, Jeremy Hoel <jthoel () gmail com> wrote:we run iptables on all our sensors, but we don't give the sniffing port an ip and have no iptables entries for it. It works like a champ. On Thu, Jun 6, 2013 at 10:03 PM, Steven McLaughlin <steve () lan com au> wrote:Hi All, Whats the take on running a snort sensor with IPtables running. In first instance I would think this interferes with sensor detection capability. Is anyone running IPtables on the same host as their Snort sensor? If so, what is the best way to nail this? The reason I ask is that I have two interfaces. One is the management interface which will have an IP address. This interface will deny all incoming traffic except for tcp/22 and tcp/443 inbound connections. The other interface is the snort sensor on eth1. The sensor is listening only. So is a rule allowing all incoming like so sufficient for Snort sniffing: -A INPUT -i eth1 -j ACCEPT Or should I also allow all outbound as follows: -A INPUT -i eth1 -j ACCEPT -A OUTPUT -i eth1 -j ACCEPT Alternatively, is there a best practice IPtables configuration for snort sensors? thanks, Steve ------------------------------------------------------------------------------ How ServiceNow helps IT people transform IT departments: 1. A cloud service to automate IT design, transition and operations 2. Dashboards that offer high-level views of enterprise services 3. A single system of record for all IT processes http://p.sf.net/sfu/servicenow-d2d-j _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!-- Best Regards, Steven McLaughlin steve () Lan com au 0459 351 266
------------------------------------------------------------------------------ How ServiceNow helps IT people transform IT departments: 1. A cloud service to automate IT design, transition and operations 2. Dashboards that offer high-level views of enterprise services 3. A single system of record for all IT processes http://p.sf.net/sfu/servicenow-d2d-j _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- Snort with IPtables Steven McLaughlin (Jun 06)
- Re: Snort with IPtables Jeremy Hoel (Jun 06)
- Re: Snort with IPtables Steven McLaughlin (Jun 06)
- Re: Snort with IPtables Jeremy Hoel (Jun 06)
- Re: Snort with IPtables waldo kitty (Jun 07)
- Re: Snort with IPtables Steven McLaughlin (Jun 07)
- Re: Snort with IPtables Steven McLaughlin (Jun 06)
- Re: Snort with IPtables Jeremy Hoel (Jun 06)