Snort mailing list archives

Re: Snort+iptables in the same machine


From: Nick Hatch <nick () restek wwu edu>
Date: Thu, 11 Mar 2004 14:47:03 -0800

From the snort FAQ at http://www.snort.org/docs/FAQ.txt

4.4 Does snort see packets filtered by IPTables/IPChains/IPF/PF?

Snort operates using libpcap. In general it sees everything the network adapter
driver sees before the network stack munges it. Linux IPTables, Linux IPChains,
BSD PF and IPF and other packet filters do not prevent snort from seeing a
packet that is present on the network wire. Even if an inbound packet is denied
by the packet filter Snort will still see and analyze the packet if it is
listening to that interface. Snort/pcap sees whatever comes out of or goes into
the network adapter.

Note however that Snort is affected to the extent that the stream of data on
the network wire is affected. Thus Snort will not see outbound packets which
were denied while being sent since they will never reach the network adapter.

There might be some way to use preprocessing settings to do about the same thing, but I've never had a need to do it.

-Nick

Luis Claudio R. da Silveira wrote:
Hi all,

What are the implications of using iptables with snort in the same
machine? Is it possible? Is there any problem with packets arriving
from the promiscuous interface? I need to restrict input packets using iptables
in the snort box, permitting only output traffic to an ACID console. I'd
appreciate some help on this.

Thanks in advance,

Luis Claudio
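
An added example, not part of either message in this thread: a shell function that emits an iptables-restore ruleset for the setup asked about, dropping all inbound traffic to the sensor host while allowing only its outbound connection to the console. The function name, the console address 192.0.2.10 and TCP port 3306 are assumptions made for illustration. Per the FAQ text quoted above, Snort still sees inbound packets that the INPUT policy drops, but not outbound packets from this host that OUTPUT denies.

```shell
#!/bin/sh
# Added example: emit an iptables-restore ruleset for a Snort sensor host.
# Assumptions (not from the thread): the console address and port passed in
# are constructed placeholders; alerts reach the console over a single TCP port.

# gen_sensor_rules CONSOLE_IP CONSOLE_PORT
# Prints the ruleset on stdout; returns 1 on malformed arguments.
gen_sensor_rules() {
    console_ip=$1
    console_port=$2
    # Accept only digits and dots in the address, and only digits in the
    # port, so an argument can never smuggle extra rule text into the output.
    case $console_ip in
        ''|*[!0-9.]*) echo "bad console address" >&2; return 1 ;;
    esac
    case $console_port in
        ''|*[!0-9]*) echo "bad console port" >&2; return 1 ;;
    esac
    [ "$console_port" -ge 1 ] && [ "$console_port" -le 65535 ] || return 1

    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Loopback for local processes.
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# Replies to connections the sensor itself opened.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# The only outbound flow allowed: sensor to console.
-A OUTPUT -p tcp -d $console_ip --dport $console_port -m state --state NEW,ESTABLISHED -j ACCEPT
COMMIT
EOF
}
# Typical use (as root): gen_sensor_rules 192.0.2.10 3306 | iptables-restore
```

Because libpcap captures below the netfilter hooks, the default-drop INPUT policy protects the sensor host itself without reducing what Snort analyzes on the sniffing interface.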

