From: Steven McLaughlin (steve Lan.com.au)
Date: Thu Jun 06 2013 - 23:13:58 CDT
That sort of makes sense since it is only listening in promisc mode, but
not actually allowing traffic in destined for its interface. I guess
IPtables works at L3 and without an IP it doesn't really matter if IPtables
is on or off then. Would this be a true statement? (I am only running as a
sniffer and not switching inline)
I'm interested to hear more feedback on this.
On 7 June 2013 14:08, Jeremy Hoel <jthoel gmail.com> wrote:
> we run iptables on all our sensors, but we don't give the sniffing
> port an ip and have no iptables entries for it.
>
> It works like a champ.
>
> On Thu, Jun 6, 2013 at 10:03 PM, Steven McLaughlin <steve lan.com.au> wrote:
> > Hi All,
> >
> > What's the take on running a snort sensor with IPtables running. In first
> > instance I would think this interferes with sensor detection capability.
> >
> > Is anyone running IPtables on the same host as their Snort sensor? If so,
> > what is the best way to nail this? The reason I ask is that I have two
> > interfaces. One is the management interface which will have an IP address.
> > This interface will deny all incoming traffic except for tcp/22 and tcp/443
> > inbound connections.
> >
> > The other interface is the snort sensor on eth1. The sensor is listening
> > only. So is a rule allowing all incoming like so sufficient for Snort
> > sniffing:
> >
> > -A INPUT -i eth1 -j ACCEPT
> >
> > Or should I also allow all outbound as follows:
> >
> > -A INPUT -i eth1 -j ACCEPT
> > -A OUTPUT -o eth1 -j ACCEPT
> >
> > Alternatively, is there a best practice IPtables configuration for snort
> > sensors?
> >
> > thanks,
> >
> > Steve
> >
> >
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users lists.sourceforge.net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> >
> > Please visit http://blog.snort.org to stay current on all the latest Snort
> > news!
>
--
Best Regards,
Steven McLaughlin
steve Lan.com.au
0459 351 266
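
An added example, not part of the thread or of the Snort project: a shell sketch of the sensor layout discussed above, assuming eth0 is the management interface (the thread names only eth1, the sniffing port). libpcap reads frames from a packet socket that the kernel feeds before the netfilter INPUT chain, so the ruleset carries no entry for eth1 and Snort still sees the traffic.

```shell
#!/bin/sh
# Added example. Interface names are assumptions: eth0 = management
# interface with an IP, eth1 = passive Snort sniffing port without one.

# Print the commands that prepare the sniffing port: drop any configured
# address and bring the link up (dry run; pipe to sh as root to apply).
sniff_if_commands() {
    printf 'ip addr flush dev %s\n' "$1"
    printf 'ip link set dev %s up\n' "$1"
}

# Emit an iptables-restore ruleset for the sensor host. Default-deny on
# INPUT; only tcp/22 and tcp/443 are accepted, and only on the management
# interface. The sniffing port is deliberately not mentioned: anything
# addressed to the host that arrives there falls through to the DROP policy.
sensor_ruleset() {
    mgmt_if="$1"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $mgmt_if -p tcp -m conntrack --ctstate NEW -m multiport --dports 22,443 -j ACCEPT
COMMIT
EOF
}

# Read a ruleset on stdin and print how many rules name interface $1 with
# -i or -o. For the sniffing port the expected answer is 0.
count_iface_rules() {
    grep -c -E -- "^-A .* -[io] $1( |\$)" || true
}

# Show the generated ruleset and confirm eth1 appears in no rule.
sensor_ruleset eth0
printf 'rules naming eth1: %s\n' "$(sensor_ruleset eth0 | count_iface_rules eth1)"
```

To load the ruleset, run `sensor_ruleset eth0 | iptables-restore` as root on the sensor.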