LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 05-12-2005, 03:30 PM   #1
Matir
Snort and Firewalls


I am wondering: if I have iptables dropping certain packets, will snort still see, log, and analyze those packets?
 
Old 05-12-2005, 04:59 PM   #2
Capt_Caveman
Depends on where snort is located. If snort is running on the firewall machine, then yes, it will see all incoming traffic as snort analyzes packets earlier in the networking stack than the relevant netfilter hooks. If snort is somewhere behind the firewall (like inside a LAN) then it will only see packets that pass through the border firewall and are forwarded into the LAN.
 
Old 05-12-2005, 05:07 PM   #3
Matir
My configuration is as follows:

Code:
VoIP Router -> DMZ Linux Firewall -> Network

Snort is running on the DMZed Linux Firewall. I had to run things this way for QoS on the VoIP router... so, unfortunately, packets undergo NAT twice, but with the Firewall being the "DMZ", it should see all packets, or so I believe.

I just rarely see many packets... not sure if I'm not being attacked much, or what. Usually I see "double decoding" and "bare byte" http attacks, but nothing else really. Maybe my snort is misconfigured, hrrm.
 
Old 05-12-2005, 07:12 PM   #4
Capt_Caveman
As long as your VoIP router doesn't do any packet filtering, then snort should be able to see all incoming traffic.

Quote:
Originally Posted by Matir
I just rarely see many packets... not sure if I'm not being attacked much, or what. Usually I see "double decoding" and "bare byte" http attacks, but nothing else really. Maybe my snort is misconfigured, hrrm.

Could be. A lot of available options are not activated in default installs; for example, the portscan preprocessor often is off by default and needs to be specifically activated. A lot of the viral traffic isn't logged as well. Keep in mind that when a major outbreak occurs, you'll likely get flooded with alerts if you log all viral traffic. Might help to take a look at a snort guide and fine tune your rules/conf a bit.
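An added example (not code from this thread or from the Snort project) of the kind of check the reply suggests: it reads the `preprocessor` directives in a snort.conf, honours backslash line continuations, and reports any wanted preprocessor that is absent or present only as a commented-out line. The snort.conf excerpt and the function names are constructed for illustration.

```python
import re

# Constructed snort.conf excerpt (not a real distribution default): the
# http_inspect preprocessors are active, sfportscan is commented out.
SAMPLE_SNORT_CONF = """\
var HOME_NET 192.168.1.0/24
var EXTERNAL_NET !$HOME_NET
preprocessor frag3_global
preprocessor http_inspect: global \\
    iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default \\
    profile all ports { 80 8080 }
# preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low }
include $RULE_PATH/web-iis.rules
"""

# Optional leading '#' (group 1) marks a disabled directive; group 2 is the name.
_PREPROC_RE = re.compile(r"^(#\s*)?preprocessor\s+([A-Za-z0-9_]+)")

def _logical_lines(text):
    """Join backslash-continued physical lines into logical directives."""
    buf = ""
    for raw in text.splitlines():
        line = raw.rstrip()
        # A directive continues when the line ends in a backslash; a comment
        # line never continues, so it is emitted on its own.
        if line.endswith("\\") and not line.lstrip().startswith("#"):
            buf += line[:-1] + " "
            continue
        yield buf + line
        buf = ""
    if buf:
        yield buf

def preprocessor_status(conf_text):
    """Map each preprocessor name seen to True (active) or False (commented out)."""
    status = {}
    for line in _logical_lines(conf_text):
        m = _PREPROC_RE.match(line.lstrip())
        if not m:
            continue
        name, active = m.group(2), m.group(1) is None
        # An active directive wins over a commented copy of the same name.
        status[name] = status.get(name, False) or active
    return status

def disabled_preprocessors(conf_text, wanted=("sfportscan",)):
    """Names from `wanted` that are commented out or missing entirely."""
    status = preprocessor_status(conf_text)
    return [name for name in wanted if not status.get(name, False)]
```

Point `disabled_preprocessors` at the real file contents with a `wanted` tuple of the preprocessors you expect to be on, and anything it returns is a directive to uncomment or add before wondering why the alerts are quiet.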
 
Old 05-12-2005, 08:02 PM   #5
Matir
I'm going to take a look at that now.