I would like to run Snort before and after the iptables firewall rules on a
single-NIC box.

I think this text from the Snort FAQ helps answer some of my question. I
think Snort can only listen to interfaces or virtual interfaces, so I
will be able to see all pre-firewall traffic on ppp0 without a problem,
but now how can I run a second instance of Snort to monitor post-firewall
traffic? Can I have the kernel dump it to a virtual interface
like ppp0:1?

Thanks!
Snort FAQ:
4.4 Does snort see packets filtered by IPTables/IPChains/IPF/PF?
Snort operates using libpcap. In general it sees everything the network
adapter driver sees before the network stack munges it. Linux IPTables,
Linux IPChains, BSD PF and IPF and other packet filters do not prevent
snort from seeing a packet that is present on the network wire. Even if
an inbound packet is denied by the packet filter, Snort will still see
and analyze the packet if it is listening to that interface. Snort/pcap
sees whatever comes out of or goes into the network adapter.

Note however that Snort is affected to the extent that the stream of
data on the network wire is affected. Thus Snort will not see outbound
packets which were denied while being sent, since they will never reach
the network adapter.

Under OpenBSD you can snort just the PF rejects by using the /dev/pflogN
interface.
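As an added illustration of the OpenBSD approach in the last FAQ paragraph (constructed here, not taken from the FAQ or the original poster): a pf.conf fragment in which only the rejecting rules carry `log`, so the pflog0 pseudo-interface carries exactly the post-filter drops, followed by the Snort invocation that reads it. The interface name `em0` and the ruleset itself are assumptions.

```conf
# /etc/pf.conf (constructed example): only block rules are logged,
# so pflog0 carries exactly the packets PF rejected.
ext_if = "em0"          # assumption: the external interface name

# Default deny in both directions; 'log' sends a copy of each
# rejected packet to the pflog0 pseudo-interface.
block in log on $ext_if all
block out log on $ext_if all

# Allowed traffic is passed without 'log', so it never reaches pflog0.
pass in on $ext_if proto tcp to ($ext_if) port 22 keep state
pass out on $ext_if keep state

# Load the ruleset, bring up pflog0, and point a second Snort instance
# at it (the first instance keeps listening on the real NIC):
#   pfctl -f /etc/pf.conf
#   ifconfig pflog0 up
#   snort -i pflog0 -c /etc/snort/snort.conf
```

This gives Snort only the PF rejects, as the FAQ describes; adding `log` to the pass rules as well would make pflog0 carry the complete post-filter stream.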