Snort mailing list archives

Re: Newbie question (FAQ 4.3 update requested)


From: Matt Kettler <mkettler () evi-inc com>
Date: Mon, 21 Apr 2003 15:44:47 -0400

Despite the misleading statements in the FAQ entry 4.3, IPTables, IPChains, IPF, etc. do NOT block snort from seeing the packets. Snort will see whatever is on the ethernet wire of the interface it listens on.

I run 2 snort boxes, both with "deny all" on their snort interfaces (one running Linux 2.2.x ipchains, the other is OpenBSD's PF). Neither interferes. Although none of my boxes use IPTables, in general IPTables rules don't interfere either, for the same reasons IPChains doesn't: they see the packet later in the processing path than Snort does. (Scheduling might actually make it occur later in time, but snort will get a copy of the packet that's not in any way been touched by firewall rules. Snort gets raw ethernet frames, not IP stack processed data.)

Now, if there's an IPTables firewall running on another system as a gateway firewall that is upstream of your snort box, of course snort will only see what makes it through the firewall, because they're killed long before they reach the machine snort is running on.

However, IPTables running on the same machine as snort (no matter if it's set up as a gateway firewall or not) will not stop snort from seeing the packets that come in on the wire.

FAQ Maintainer: FAQ 4.3 should be clarified that IPTables etc. won't interfere with pcap, and that the firewall will only keep snort from seeing packets if it prevents them from reaching the wire of whatever ethernet interface snort listens to.


At 02:28 PM 4/21/2003 -0400, Chris wrote:

Hi,

I am new to IDS and Snort and have a question. Does having iptables rules set up on the machine affect it in any way? Oh, it will be behind our firewall.

Thanks

Chris

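A quick self-check of the point Matt makes, added here for this archive page and not part of the original thread: it inserts an iptables DROP rule in INPUT for a constructed test port on loopback, makes one connection attempt, and shows that pcap still captured the SYN. It assumes Linux, root, and iptables, tcpdump, nc and timeout on PATH; port 47999 is an arbitrary constructed value.

```shell
#!/bin/sh
# Self-check for the claim above: a local iptables DROP rule in INPUT does not
# hide packets from pcap, because AF_PACKET taps the frame before netfilter.
# Assumed environment (not from the thread): Linux, root, and iptables,
# tcpdump, nc and timeout on PATH. Port 47999 is an arbitrary constructed value.

IFACE=lo
PORT=47999
CAP="/tmp/pcap-vs-iptables.$$.pcap"

# 0 if the demo can run here, 1 if not root or a tool is missing.
have_prereqs() {
    [ "$(id -u)" -eq 0 ] || return 1
    for t in iptables tcpdump nc timeout; do
        command -v "$t" >/dev/null 2>&1 || return 1
    done
}

cleanup() {
    iptables -D INPUT -i "$IFACE" -p tcp --dport "$PORT" -j DROP 2>/dev/null
    rm -f "$CAP"
}

# Returns 0 if pcap captured the SYN despite the DROP rule, 1 if it did not,
# 2 if the demo was skipped (no privileges, tools, or netfilter available).
demo() {
    have_prereqs || { echo "skipped: needs root, iptables, tcpdump, nc, timeout"; return 2; }
    # Drop inbound SYNs to the test port in INPUT, i.e. after pcap's tap point.
    iptables -I INPUT -i "$IFACE" -p tcp --dport "$PORT" -j DROP 2>/dev/null \
        || { echo "skipped: cannot insert an iptables rule here"; return 2; }
    trap cleanup EXIT
    # Capture at most one packet to the test port, giving up after 5 seconds.
    timeout 5 tcpdump -i "$IFACE" -c 1 -w "$CAP" "tcp dst port $PORT" 2>/dev/null &
    tdpid=$!
    sleep 1
    # One connection attempt: the SYN is emitted on lo, then dropped by INPUT,
    # so nc never gets a reply and times out. That is expected.
    timeout 2 nc -z 127.0.0.1 "$PORT" 2>/dev/null
    wait "$tdpid"
    n=$(tcpdump -r "$CAP" 2>/dev/null | wc -l)
    echo "DROP rule active; packets pcap captured to port $PORT: $n"
    [ "$n" -ge 1 ]
}
```

Run it as root on the snort box itself; a count of 1 or more with the DROP rule active is the behaviour the post describes.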