From: Steven McLaughlin (steve Lan.com.au)
Date: Thu Jun 06 2013 - 23:03:07 CDT
Hi All,
What's the take on running a snort sensor with IPtables running? In the first
instance I would think this interferes with sensor detection capability.
Is anyone running IPtables on the same host as their Snort sensor? If so,
what is the best way to nail this? The reason I ask is that I have two
interfaces. One is the management interface which will have an IP address.
This interface will deny all incoming traffic except for tcp/22 and tcp/443
inbound connections.
The other interface is the snort sensor on eth1. The sensor is listening
only. So is a rule allowing all incoming like so sufficient for Snort
sniffing:
-A INPUT -i eth1 -j ACCEPT
Or should I also allow all outbound as follows:
-A INPUT -i eth1 -j ACCEPT
-A OUTPUT -o eth1 -j ACCEPT
Alternatively, is there a best practice IPtables configuration for snort
sensors?
thanks,
Steve
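
Added example, not part of the original message or of the Snort project: a shell function that writes out the policy described above as iptables-restore input. It assumes eth0 is the management interface (the message names only eth1) and that loopback and established-connection rules are wanted. Snort's passive capture through libpcap reads frames before the INPUT chain sees them, so these rules govern only traffic handled by the host's own stack.

```shell
#!/bin/sh
# Added example: build an iptables-restore ruleset for a two-interface sensor.
# Interface roles and the extra lo/conntrack rules are assumptions, not from the message.

# valid_if NAME: succeed if NAME is a plausible Linux interface name
# (1-15 characters, letters, digits, '_', '.', '-').
valid_if() {
    case "$1" in
        ''|*[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    [ "${#1}" -le 15 ]
}

# sensor_ruleset MGMT_IF SENSOR_IF: print the ruleset, return 2 on bad input.
sensor_ruleset() {
    mgmt=$1
    sensor=$2
    valid_if "$mgmt" && valid_if "$sensor" || { echo "bad interface name" >&2; return 2; }
    [ "$mgmt" != "$sensor" ] || { echo "interfaces must differ" >&2; return 2; }
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Management interface: only new inbound tcp/22 and tcp/443.
-A INPUT -i $mgmt -p tcp -m multiport --dports 22,443 -m conntrack --ctstate NEW -j ACCEPT
# Sniffing interface: rule from the message. Packet capture taps frames
# before this chain, so the rule only affects the host's own IP stack.
-A INPUT -i $sensor -j ACCEPT
COMMIT
EOF
}

# Dry-run before loading (needs root):
#   sensor_ruleset eth0 eth1 | iptables-restore --test
```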