Snort mailing list archives

snort, iptables, eth0 - ARP issue


From: BTP <smokefat () gmail com>
Date: Mon, 17 Apr 2006 19:45:05 -0600

Hello,

I have this strange problem that I can't figure out, and I'm not an
expert in this area yet so I was wondering if someone could shed some
light on this for me.

I am hooked up to a cable modem, whose activity light is always
flashing and turns out to be sending my directly hooked-up laptop ARP
packets, averaging 11Kb/s (who-has xxx.xxx.xxx.xxx tell
xxx.xxx.xxx.xxx) - whether connected or not.

In Windows XP Pro when I run snort, I can log this incoming stream all
the time. On my Linux system, it is possible to also receive this
stream (and snort logs it into the database for me as "BAD-TRAFFIC" -
loopback) or not to receive this stream, depending on the _order_ in
which I invoke snort, eth0 (the only interface), and iptables.

[start snort]
[ifup eth0]
[invoke iptables firewall rules] **

** As soon as I invoke iptables, snort begins to record all this
traffic as alerts into my database.

[ifup eth0]
[start snort]
[invoke iptables firewall rules]

The preceding order of commands does NOT make snort log all this
traffic to the database.

After my hard drive is going crazy filling up the database, it does
not matter if I play around with bringing up/down my interface eth0 or
changing the rules in iptables (I just set all Policies to accept, as
I don't know how to unload the whole program modules from memory).

However, running 'ifconfig' will display my eth0 and lo interfaces
as constantly receiving approximately 11Kb/s. Sometimes if eth0 is
down, lo receives all the traffic. Sometimes they both do, and
sometimes just eth0. I have been experimenting for a while, but
dealing with three variables and constantly rebooting to notice
changes is time consuming.

Why am I getting this constant flow of ARP packets? But more
importantly, what is the order in which iptables and snort see
traffic?? They're both hooked up to the same interface and I'm just
using iptables as a firewall. I believe snort does not rely on
iptables/netfilter's behaviour in order to see traffic unless snort is
running with the 'inline' option, which isn't the case here.

Although, I am confused. Is there something I should know about how
snort and iptables behave in relation to each other and the order of
bringing up the interface??


Thanks

Bart
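A first triage step for the ARP stream described in the post is to quantify it rather than let Snort fill a database with it. The following is an added example, not code from the post or from Snort: it parses tcpdump-style ARP request lines (the sample lines and addresses are constructed) and reports the request rate, the byte rate, and whether a single "tell" sender dominates, which is the pattern a chatty cable modem or a single scanning host would show.

```python
import re
from collections import Counter

# Constructed sample in tcpdump's ARP output format (not a capture from
# the original post). Timestamps span exactly one second.
SAMPLE_LINES = """\
19:45:05.000100 ARP, Request who-has 24.0.0.17 tell 24.0.0.1, length 46
19:45:05.120200 ARP, Request who-has 24.0.0.23 tell 24.0.0.1, length 46
19:45:05.250300 ARP, Request who-has 24.0.0.99 tell 24.0.0.1, length 46
19:45:05.400400 ARP, Reply 24.0.0.23 is-at 00:11:22:33:44:55, length 28
19:45:05.600500 ARP, Request who-has 24.0.0.42 tell 24.0.0.1, length 46
19:45:06.000100 ARP, Request who-has 24.0.0.5 tell 24.0.0.7, length 46
"""

# Matches "HH:MM:SS.frac ARP, Request who-has <target> tell <sender>, length N"
ARP_REQ = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) ARP, Request who-has (?P<target>\S+) "
    r"tell (?P<sender>\S+), length (?P<length>\d+)"
)

def _seconds(ts):
    """Convert an HH:MM:SS.frac timestamp to seconds since midnight."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)

def summarize_arp(lines):
    """Aggregate ARP requests: rate, byte rate, dominant sender, target spread.
    Replies and non-ARP lines are ignored."""
    senders, targets = Counter(), Counter()
    first = last = None
    total_bytes = 0
    for line in lines:
        m = ARP_REQ.match(line)
        if not m:
            continue
        t = _seconds(m["ts"])
        first = t if first is None else first
        last = t
        senders[m["sender"]] += 1
        targets[m["target"]] += 1
        total_bytes += int(m["length"])
    n = sum(senders.values())
    window = max(last - first, 1e-6) if n else 0.0   # avoid divide-by-zero
    return {
        "requests": n,
        "window_s": window,
        "requests_per_s": n / window if n else 0.0,
        "bytes_per_s": total_bytes / window if n else 0.0,
        "top_sender": senders.most_common(1)[0] if n else None,
        "distinct_targets": len(targets),
    }

if __name__ == "__main__":
    print(summarize_arp(SAMPLE_LINES.splitlines()))
```

Feed it real output from `tcpdump -n -i eth0 arp`; a single dominant sender asking for many distinct targets is the signature worth noting. Note that iptables handles IP only, so it cannot affect ARP at all, and a non-inline Snort captures from the link layer via libpcap independently of netfilter.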


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net

