Re: Snort with IPtables

[Jeremy Hoel <jthoel () gmail com>]

well i can tell you it works for me.  I imagine that yes, iptables
would require an IP to be effective on that interface.  So yes, I
would say that iptables on works on L3 and not L2.

When i get to work i can paste a quick copy of the iptables we use so
you can see an example.

On Thu, Jun 6, 2013 at 10:13 PM, Steven McLaughlin <steve () lan com au> wrote:
> That sort of makes sense since it is only listening in promisc mode, but not
> actually allowing traffic in destined for its interface. I guess IPtables
> works at L3 and without an IP it doesn't really matter if IPtables is on or
> off then. Would this be a true statement? (I am only running as a sniffer
> and not switching inline)
>
> I'm interested to hear more feedback on this.
>
>
> On 7 June 2013 14:08, Jeremy Hoel <jthoel () gmail com> wrote:
> > we run iptables on all our sensors, but we don't give the sniffing
> > port an ip and have no iptables entries for it.
> >
> > It works like a champ.
> >
> > On Thu, Jun 6, 2013 at 10:03 PM, Steven McLaughlin <steve () lan com au>
> > wrote:
> > > Hi All,
> > >
> > > Whats the take on running a snort sensor with IPtables running. In first
> > > instance I would think this interferes with sensor detection capability.
> > >
> > > Is anyone running IPtables on the same host as their Snort sensor? If
> > > so,
> > > what is the best way to nail this? The reason I ask is that I have two
> > > interfaces. One is the management interface which will have an IP
> > > address.
> > > This interface will deny all incoming traffic except for tcp/22 and
> > > tcp/443
> > > inbound connections.
> > >
> > > The other interface is the snort sensor on eth1. The sensor is listening
> > > only. So is a rule allowing all incoming like so sufficient for Snort
> > > sniffing:
> > >
> > > -A INPUT -i eth1 -j ACCEPT
> > >
> > > Or should I also allow all outbound as follows:
> > >
> > > -A INPUT -i eth1 -j ACCEPT
> > > -A OUTPUT -i eth1 -j ACCEPT
> > >
> > > Alternatively, is there a best practice IPtables configuration for snort
> > > sensors?
> > >
> > > thanks,
> > >
> > > Steve
> > >
> > >
> > > ------------------------------------------------------------------------------
> > > How ServiceNow helps IT people transform IT departments:
> > > 1. A cloud service to automate IT design, transition and operations
> > > 2. Dashboards that offer high-level views of enterprise services
> > > 3. A single system of record for all IT processes
> > > http://p.sf.net/sfu/servicenow-d2d-j
> > > _______________________________________________
> > > Snort-users mailing list
> > > Snort-users () lists sourceforge net
> > > Go to this URL to change user options or unsubscribe:
> > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > Snort-users list archive:
> > > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> > >
> > > Please visit http://blog.snort.org to stay current on all the latest
> > > Snort
> > > news!
>
>
>
>
> --
> Best Regards,
> Steven McLaughlin
> steve () Lan com au
> 0459 351 266

------------------------------------------------------------------------------
How ServiceNow helps IT people transform IT departments:
1. A cloud service to automate IT design, transition and operations
2. Dashboards that offer high-level views of enterprise services
3. A single system of record for all IT processes
http://p.sf.net/sfu/servicenow-d2d-j
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!