Snort mailing list archives

Re: snort & iptables


From: Michael Boman <michael.boman () securecirt com>
Date: Fri, 20 Dec 2002 05:45:02 +0800

I beg to differ:

root # iptables-save      
[ ... ]
-A INPUT -i bond0 -j DROP 
[ ... ]

root # tcpdump -i bond0 -n | head -n 10

tcpdump: WARNING: bond0: no IPv4 address assigned
tcpdump: listening on bond0
21:35:14.166486 a.a.a.a.32771 > b.b.b.b.80: P 4075192145:4075192269(124) ack 228300336 win 63712 <nop,nop,timestamp 3111266 2982409305> (DF) [tos 0x2,ECT(0)]
21:35:14.169396 c.c.c.c.47427 > d.d.d.d.25: . ack 3577127110 win 32829 (DF)
21:35:14.170558 e.e.e.e.4662 > f.f.f.f.65180: P 3132372856:3132372880(24) ack 1676293902 win 17240 (DF)
21:35:14.171502 g.g.g.g.2609 > h.h.h.h.1525: . 1563131911:1563133371(1460) ack 4254965276 win 17112 (DF)
21:35:14.171751 i.i.i.i > j.j.j.j: icmp: 192.168.1.6 udp port 4156 unreachable [tos 0xc0]
21:35:14.172030 k.k.k.k.4662 > f.f.f.f.64685: . 2140710545:2140712005(1460) ack 1274000279 win 16511 (DF)
21:35:14.176884 l.l.l.l.80 > f.f.f.f.65238: S 1471187206:1471187206(0) ack 1682762100 win 17520 <mss 1460,nop,nop,sackOK> (DF)
21:35:14.177382 c.c.c.c.47427 > d.d.d.d.25: P 0:6(6) ack 1 win 32850 (DF)
21:35:14.180303 m.m.m.m.161 > n.n.n.n.1055:  C=public GetResponse(33)  .1.3.6.1.2.1.1.3.0=361957300 [|snmp]
21:35:14.185509 o.o.o.o.6346 > p.p.p.p.55064: . ack 3979290537 win 33580 (DF)

As both Snort and TCPDump use libpcap, they should see the same thing.

Best regards
 Michael

 ( This is on a Linux 2.4.19 machine using IPTables 1.2.7a and Snort 1.9-cvs )

Best regards
 Michael Boman

On Wed, Dec 18, 2002 at 12:55:40PM -0800, Jacob Redding wrote:
  I think the question is asking what application gets the packets first
Snort or IPTables.
  Since iptables works with the kernel, and they are dropped by the
kernel, iptables is first. All packets that make it past iptables are then
passed to applications (I'm not talking layers, just an analogy), in this
case snort.
  At least I'm 99.99% sure that iptables comes first, but I've been wrong
in the past.

  So in short. Iptables --> Snort

-Jacob

On Wed, 18 Dec 2002, twig les wrote:

Packet analyzing can be done if you let zero packets
thru your host firewall, whichever one you want to
use.  Unless you have connected the two features thru
Guardian or something they don't have any direct
relationship that pops into my head.


--- Eduard San Anselmo Mateu
<esananselmo () albasoft com> wrote:

Hello everyone,
I'm using snort+iptables on the same box, and I have
one question for you: what
comes first, packet analyzing (snort) or packet
filtering (iptables)?
Thanks in advance

-- 
Michael Boman
Security Architect, SecureCiRT (A SBU of Z-Vance Pte Ltd)
http://www.securecirt.com
