Snort mailing list archives

RE: Snort with IPTables


From: "neal" <ntimm () austin rr com>
Date: Mon, 14 Jan 2002 14:15:29 -0600

I also have snort with Iptables and snort captures all my traffic even
with iptables dropping and resetting certain connections.

-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Hasnain Atique
Sent: Sunday, January 13, 2002 8:50 AM
To: Martijn Heemels; Erek Adams; Matt Kettler
Cc: Got Snort?
Subject: Re: [Snort-users] Snort with IPTables

I set up snort on my gateway running RH 7.2 and iptables, just to check
things out for myself. From what I can see so far, snort *is* seeing things
even though iptables is blocking very many things. The gateway is connected
directly to the cable modem, and the ISP only filters inbound 80/tcp to
prevent CR/Nimda. I initiated a nessus attack from another station and snort
appeared to capture all.

Personally, I'm a little dumbfounded -- all this time I wasn't using snort
on the gateway because my understanding, and pretty much all the threads on
this list, told me snort wouldn't have visibility! Now that I think about
it, it seems reasonable that libpcap should see the traffic whether or not
iptables is blocking it.

-- Hasnain


----- Original Message -----
From: "Martijn Heemels" <martijn () heemels com>
To: "Erek Adams" <erek () theadamsfamily net>; "Matt Kettler"
<mkettler () evi-inc com>
Cc: "Got Snort?" <snort-users () lists sourceforge net>
Sent: Sunday, January 13, 2002 10:31 PM
Subject: RE: [Snort-users] Snort with IPTables



Have a look at the email thread that John Sage <jsage () finchhaven com> and I
had on this same subject a while back on the list.  IIRC, some of his findings
seem to contradict some things that I had thought.  Now, I could be smoking
crack, but I don't know who's right any more.  :)  Anyone want to jump in and
save my sanity?  If not, I'm going out and have a rather good single malt
scotch.  Research shall have to wait 'till Monday!

Hi all,
I've also had an e-mail exchange with John Sage on this, following my
similar question to the list.
Since a lot is still unclear about snort's behaviour on(!) a firewall
box and I don't have the ability to test anything (I'm just a student
with one hobby server) I can only offer my personal experiences.

On my humble little server running linux-2.2.16-3 with
ipchains-1.3.9-5 and libpcap-0.6.2-7 Snort does NOT see all traffic
reaching the outside interface. The ipchains ruleset is as paranoid
as possible since a bunch of ports are open (the box has about a
dozen servers running), but only traffic targeted at open ports is
seen by snort. I get a lot of CodeRed/Nimda related activity and some
Squid proxy scans, but not much else.

The box is connected directly to a cable modem device, so there are no
switches involved. Neither is the ISP filtering any traffic (that I
know of).

I don't know enough about the layers of networking to know why my box
doesn't do what Matt's boxes do, so I'll leave that to the experts
(i.e. you).
Hope this helps build a general consensus. :-) (and ease Erek's
conscience)

G'nite for now...

and a good morning too, Erek!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net




_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

