Re: Snort & iptables on the same box

From: Will Metcalf (william.metcalf_at_gmail.com)
Date: 06/13/05

  • Next message: Joachim Schipper: "Re: Snort & iptables on the same box"

    Date: Mon, 13 Jun 2005 11:06:42 -0500
    To: Jean-Pierre Denis <jp@webglobe.ca>

    snort relies on the QUEUE target in iptables to receive its data. So
    let's say that you have a webserver that you wanted to protect with
    snort. Let's also assume that you wanted to permit ssh access and not
    inspect that traffic with snort. Your rules would look something like
    this.

    iptables -A FORWARD -p tcp --dport 80 -j QUEUE
    iptables -A FORWARD -p tcp --dport 22 -j ACCEPT
    iptables -A FORWARD -j DROP

    The traffic bound for port 80 would be analyzed by snort and then a
    verdict is sent back from snort to tell iptables to either drop or
    accept the packet. The drop or accept verdict depends on whether or
    not a rule is matched and the rule action associated with that rule.

    clear as mud?????

    Regards,

    Will

    On 6/10/05, Jean-Pierre Denis <jp@webglobe.ca> wrote:
    > Hi,
    >
    >
    > When running snort and iptables on the same box, which of the 2 acts first?
    >
    > Does it go through snort and then the iptables rule allows or denies the
    > connection, or is it the other way around?
    >
    >
    > Merci,
    > JP
    >
    >
    > -----------------------------------------
    > WebMail Powered by WebGlobe.
    > http://www.webglobe.ca
    >
    >
    > --------------------------------------------------------------------------
    > Test Your IDS
    >
    > Is your IDS deployed correctly?
    > Find out quickly and easily by testing it with real-world attacks from
    > CORE IMPACT.
    > Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
    > to learn more.
    > --------------------------------------------------------------------------
    >
    >

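An added example, not code from the thread or from the Snort project: a small Python model of the hand-off Will describes. iptables walks the FORWARD chain top to bottom and the first matching rule decides; a QUEUE rule passes the packet to the userspace inspector (snort inline), whose ACCEPT or DROP verdict becomes the final decision. The chain mirrors the three rules in the post. The toy signature list, the sample packets, and the mis-ordered second chain are constructed for illustration and stand in for a real snort rule set, which is far richer than a byte-pattern match.

```python
# Added example (not from the thread): model of iptables QUEUE -> snort inline
# -> verdict. iptables decides *which* packets snort sees; snort decides the
# fate of those packets. All rule sets and packets here are constructed.
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

ACCEPT, DROP, QUEUE = "ACCEPT", "DROP", "QUEUE"


@dataclass(frozen=True)
class Packet:
    proto: str
    dport: int
    payload: bytes = b""


@dataclass(frozen=True)
class Rule:
    """One iptables rule: optional protocol/port match plus a target."""
    target: str
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        return ((self.proto is None or self.proto == pkt.proto)
                and (self.dport is None or self.dport == pkt.dport))


# Constructed stand-in for an inline snort rule set: (content pattern, action).
# Only a matched rule whose action is "drop" yields a DROP verdict; an
# alert-only match is logged and the packet is still accepted.
SNORT_RULES: List[Tuple[bytes, str]] = [
    (b"/../..", "drop"),   # toy signature with a drop action
    (b"GET /", "alert"),   # alert-only rule: packet passes
]


def snort_verdict(pkt: Packet) -> str:
    """Verdict the inspector sends back to iptables for a queued packet."""
    for pattern, action in SNORT_RULES:
        if pattern in pkt.payload:
            return DROP if action == "drop" else ACCEPT
    return ACCEPT  # no rule matched: the packet is accepted


# The FORWARD chain from the post: inspect web traffic, pass ssh, drop the rest.
FORWARD: List[Rule] = [
    Rule(QUEUE, proto="tcp", dport=80),
    Rule(ACCEPT, proto="tcp", dport=22),
    Rule(DROP),
]

# Mis-ordered variant: ACCEPT for port 80 sits above QUEUE, so first-match
# evaluation never reaches the QUEUE rule and snort never sees web traffic.
FORWARD_MISORDERED: List[Rule] = [
    Rule(ACCEPT, proto="tcp", dport=80),
    Rule(QUEUE, proto="tcp", dport=80),
    Rule(DROP),
]


def walk_chain(chain: List[Rule], pkt: Packet,
               inspector: Optional[Callable[[Packet], str]] = snort_verdict,
               policy: str = ACCEPT) -> Tuple[str, bool]:
    """Return (final verdict, inspected) for one packet.

    inspected is True only when a QUEUE rule handed the packet to the
    inspector. inspector=None models no userspace process attached to the
    queue; queued packets are then dropped rather than let through.
    """
    for rule in chain:
        if not rule.matches(pkt):
            continue
        if rule.target == QUEUE:
            if inspector is None:
                return DROP, False
            return inspector(pkt), True
        return rule.target, False
    return policy, False  # chain exhausted: chain policy applies


if __name__ == "__main__":
    samples = [
        Packet("tcp", 80, b"GET /index.html HTTP/1.0"),
        Packet("tcp", 80, b"GET /../../secret HTTP/1.0"),
        Packet("tcp", 22, b"SSH-2.0-OpenSSH"),
        Packet("udp", 53),
    ]
    for pkt in samples:
        verdict, inspected = walk_chain(FORWARD, pkt)
        print(f"{pkt.proto}/{pkt.dport}: {verdict} (inspected by snort: {inspected})")
```

Running it shows the answer to JP's question in miniature: port 22 and the UDP packet are decided by iptables alone and never reach snort, while both port 80 packets are inspected and snort's verdict is what iptables enforces. The mis-ordered chain is the check worth making on a real box: an ACCEPT placed above the QUEUE rule silently takes the IDS out of the path for that traffic.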

