Re: Snort Behind IPtables, contradicting evidence...

[John Sage <jsage () finchhaven com>]

As far as my recent involvement with this issue, let me restate that my 
experience has been with ip*chains*...

ipchains and snort, same box, each sees what it's supposed to see, 
depending on the rules each is given to work with..

- John

--
John Sage
FinchHaven, Vashon Island, WA, USA
http://www.finchhaven.com/
mailto:jsage () finchhaven com
And remember: it's spelled l-i-n-u-x, but it's pronounced "Linux"


JSeddon () semtech com wrote:

> Honorable Oinkers,
>
>      I fretted a long time before I sent this because I know it's been
> discussed many times and we are all very busy.  However, I wanted to bring
> it up because either I am missing or misreading something or the evidence I
> have seen does not support the consensus reached on this list.  I'm running
> snort on my firewall and have questions about whether snort will see
> traffic that iptables is configured to block.
>
>      The question is, "If you run snort on a box with iptables
> blocking/filtering stuff, will snort see/process all the traffic?".  I
> gleaned over the archives and it seems the consensus of the list was that
> "yes, snort will see the traffic".  One reason given was that the packet
> capture library takes packets and passes them to snort before the normal
> tcp stack processing.  So, iptables doesn't get a chance to see it.  There
> were also several people who said they were running snort on iptables
> firewalls and it was working fine.
>
>      However, I wasn't seeing the waves of Code Red traffic (or nimda for
> that matter).  I thought that perhaps my ISP was filtering the Code Red
> Traffic.  Just for kicks, I flushed my iptables chains.  BAM!  Snort
> starting alerting on all kinds of Code Red traffic.  Ran rc.firewall again,
> no snort alerts.  Hmmm..I said, maybe a coinky dink....Flushed again, waves
> of code red alerts....put the rules back in the chains....No alerts...I
> decided to let it go a day...sure enough, no rules in chains and snort sees
> the traffic, put the rules back in the chains and snort doesn't.
>
>      This seems to contradict the conclusion I got from the list archives.
> It seems that iptables is processing traffic before snort gets a chance to
> see it.  Snort is putting the NIC in promiscuous mode.  But it doesn't see
> traffic iptables is configured to block unless I flush the IPtables rules.
> Is something misconfigured with snort for me?  Did I draw the wrong
> conclusion from the list?
>
> Architecture: x86
> OS: RedHat 7.1
> Rules: Snort.org standard rules
> Command Line: snort -c /etc/snort/snort.conf -d -D -h myfirewall.ext.ip/32
> -i eth0
> Other: It is a ClarkConnect box (www.clarkconnect.org, pretty neat toy
> actually).
>
> Oinker (still a Piglet) James



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users