Snort mailing list archives
Re: snort & iptables
From: Michael Boman <michael.boman () securecirt com>
Date: Fri, 20 Dec 2002 05:45:02 +0800
I beg to differ:

root # iptables-save
[ ... ]
-A INPUT -i bond0 -j DROP
[ ... ]

root # tcpdump -i bond0 -n | head -n 10
tcpdump: WARNING: bond0: no IPv4 address assigned
tcpdump: listening on bond0
21:35:14.166486 a.a.a.a.32771 > b.b.b.b.80: P 4075192145:4075192269(124) ack 228300336 win 63712 <nop,nop,timestamp 3111266 2982409305> (DF) [tos 0x2,ECT(0)]
21:35:14.169396 c.c.c.c.47427 > d.d.d.d.25: . ack 3577127110 win 32829 (DF)
21:35:14.170558 e.e.e.e.4662 > f.f.f.f.65180: P 3132372856:3132372880(24) ack 1676293902 win 17240 (DF)
21:35:14.171502 g.g.g.g.2609 > h.h.h.h.1525: . 1563131911:1563133371(1460) ack 4254965276 win 17112 (DF)
21:35:14.171751 i.i.i.i > j.j.j.j: icmp: 192.168.1.6 udp port 4156 unreachable [tos 0xc0]
21:35:14.172030 k.k.k.k.4662 > f.f.f.f.64685: . 2140710545:2140712005(1460) ack 1274000279 win 16511 (DF)
21:35:14.176884 l.l.l.l.80 > f.f.f.f.65238: S 1471187206:1471187206(0) ack 1682762100 win 17520 <mss 1460,nop,nop,sackOK> (DF)
21:35:14.177382 c.c.c.c.47427 > d.d.d.d.25: P 0:6(6) ack 1 win 32850 (DF)
21:35:14.180303 m.m.m.m.161 > n.n.n.n.1055: C=public GetResponse(33) .1.3.6.1.2.1.1.3.0=361957300 [|snmp]
21:35:14.185509 o.o.o.o.6346 > p.p.p.p.55064: . ack 3979290537 win 33580 (DF)

As both Snort and TCPDump use libpcap, they should see the same thing.

Best regards
Michael

( This is on a Linux 2.4.19 machine using IPTables 1.2.7a and Snort 1.9-cvs )

Best regards
Michael Boman

On Wed, Dec 18, 2002 at 12:55:40PM -0800, Jacob Redding wrote:
> I think the question is asking what application gets the packets first, Snort or IPTables. Since iptables works with the kernel, and they are dropped by the kernel, iptables is first. All packets that make it past iptables are then passed to applications (I'm not talking layers, just an analogy), in this case snort. At least I'm 99.99% sure that iptables comes first, but I've been wrong in the past.
>
> So in short. Iptables --> Snort
>
> -Jacob
>
> On Wed, 18 Dec 2002, twig les wrote:
>
> > Packet analyzing can be done if you let zero packets thru your host firewall, whichever one you want to use. Unless you have connected the two features thru Guardian or something they don't have any direct relationship that pops into my head.
> >
> > --- Eduard San Anselmo Mateu <esananselmo () albasoft com> wrote:
> >
> > > Hello everyone,
> > >
> > > I'm using snort+iptables on the same box, and I have one question for you: what comes first, packet analyzing (snort) or packet filtering (iptables)?
> > >
> > > Thanks in advance
-- 
Michael Boman
Security Architect, SecureCiRT (A SBU of Z-Vance Pte Ltd)
http://www.securecirt.com
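The evidence in the post above is a capture taken on an interface whose INPUT chain drops everything, which still shows live traffic because libpcap reads from a packet socket at the device layer, before the packet reaches the netfilter INPUT hook. The script below is an added example (not part of the thread or of Snort/tcpdump) that parses the legacy tcpdump one-line format quoted in the post and an `iptables-save` dump, and reports whether packets were observed on an interface that has an unconditional DROP. The sample capture and ruleset are constructed, modelled on the post's output but with RFC 5737 documentation addresses in place of the anonymised `a.a.a.a` placeholders; the function and class names are this example's own.

```python
"""Correlate legacy (tcpdump 3.x style) text output with an iptables-save
ruleset: a catch-all DROP in INPUT does not hide packets from a libpcap
listener such as tcpdump or Snort, because the capture tap sits earlier
in the receive path than the netfilter INPUT hook."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample, modelled on the capture in the post (addresses replaced
# with RFC 5737 documentation ranges; the original used letter placeholders).
SAMPLE_TCPDUMP = """\
tcpdump: WARNING: bond0: no IPv4 address assigned
tcpdump: listening on bond0
21:35:14.166486 192.0.2.10.32771 > 198.51.100.20.80: P 4075192145:4075192269(124) ack 228300336 win 63712 <nop,nop,timestamp 3111266 2982409305> (DF) [tos 0x2,ECT(0)]
21:35:14.169396 192.0.2.11.47427 > 198.51.100.25.25: . ack 3577127110 win 32829 (DF)
21:35:14.171751 192.0.2.12 > 198.51.100.30: icmp: 192.168.1.6 udp port 4156 unreachable [tos 0xc0]
21:35:14.176884 198.51.100.40.80 > 192.0.2.13.65238: S 1471187206:1471187206(0) ack 1682762100 win 17520 <mss 1460,nop,nop,sackOK> (DF)
21:35:14.180303 192.0.2.14.161 > 198.51.100.50.1055: C=public GetResponse(33) .1.3.6.1.2.1.1.3.0=361957300 [|snmp]
"""

# Constructed iptables-save output with the rule quoted in the post.
SAMPLE_IPTABLES_SAVE = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i bond0 -j DROP
COMMIT
"""


@dataclass
class Packet:
    ts: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]
    proto: str          # "tcp", "udp" or "icmp"
    flags: str = ""     # tcpdump TCP flag letters, e.g. "S", "P", "."


LINE_RE = re.compile(r"^(\d\d:\d\d:\d\d\.\d+) (\S+) > (\S+): (.*)$")
# Old tcpdump prints host.port with a dot, and no port at all for ICMP.
ENDPOINT_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+)(?:\.(\d+))?$")
TCP_FLAGS_RE = re.compile(r"^([SFPRUW.]+)(?:\s|$)")


def parse_endpoint(text: str) -> Tuple[str, Optional[int]]:
    m = ENDPOINT_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised endpoint: {text!r}")
    return m.group(1), (int(m.group(2)) if m.group(2) else None)


def parse_tcpdump(text: str) -> List[Packet]:
    """Parse one-line tcpdump output; banner and warning lines are skipped.
    Heuristic classification only: a real tool should read the pcap itself."""
    packets: List[Packet] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, src_t, dst_t, rest = m.groups()
        src, sport = parse_endpoint(src_t)
        dst, dport = parse_endpoint(dst_t)
        if rest.startswith("icmp:"):
            proto, flags = "icmp", ""
        else:
            fm = TCP_FLAGS_RE.match(rest)
            # TCP lines start with a flag token; UDP lines go straight to
            # the application decode (here SNMP's "C=public ...").
            proto, flags = ("tcp", fm.group(1)) if fm else ("udp", "")
        packets.append(Packet(ts, src, sport, dst, dport, proto, flags))
    return packets


def catch_all_drop_interfaces(iptables_save_text: str) -> Set[str]:
    """Interfaces with an unconditional '-A INPUT -i X -j DROP' rule."""
    dropped: Set[str] = set()
    for line in iptables_save_text.splitlines():
        toks = line.split()
        if (len(toks) == 6 and toks[:3] == ["-A", "INPUT", "-i"]
                and toks[4:] == ["-j", "DROP"]):
            dropped.add(toks[3])
    return dropped


def summarize(packets: List[Packet]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for p in packets:
        counts[p.proto] = counts.get(p.proto, 0) + 1
    return counts


def capture_despite_drop(capture: str, ruleset: str) -> Tuple[Optional[str], bool, int]:
    """(interface tcpdump listened on, whether INPUT drops everything on it,
    number of packets nevertheless captured)."""
    m = re.search(r"^tcpdump: listening on (\S+)", capture, re.M)
    iface = m.group(1) if m else None
    packets = parse_tcpdump(capture)
    return iface, iface in catch_all_drop_interfaces(ruleset), len(packets)


if __name__ == "__main__":
    iface, dropped, seen = capture_despite_drop(SAMPLE_TCPDUMP, SAMPLE_IPTABLES_SAVE)
    print(f"{iface}: INPUT drops all={dropped}, packets captured={seen}")
    print(summarize(parse_tcpdump(SAMPLE_TCPDUMP)))
```

The same holds for Snort's pcap DAQ: a DROP in INPUT affects what the local IP stack delivers to sockets, not what the capture tap hands to libpcap, so a host-based Snort still alerts on traffic the firewall discards.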
Current thread:
- snort & iptables Eduard San Anselmo Mateu (Dec 18)
- Re: snort & iptables twig les (Dec 18)
- Re: snort & iptables Jacob Redding (Dec 19)
- Re: snort & iptables Michael Boman (Dec 19)
- Re: FAQ Suggestion: snort & iptables Matt Kettler (Dec 19)
- Re: FAQ Suggestion: snort & iptables Phil Wood (Dec 20)
- Re: snort & iptables Jacob Redding (Dec 19)
- Re: snort & iptables twig les (Dec 18)