
I run a CentOS 6.5 server with a highly restrictive iptables ruleset that allows incoming traffic only on a small handful of TCP ports (8 in total) and blocks all unsolicited incoming UDP traffic.

I recently built Snort 2.9.7.0 from source and am running it in policy_mode:inline-test.

I notice it's alerting on packets that are blocked by my iptables configuration, from which I surmise it has inserted itself in the processing chain before iptables.

I have read the manual and done several web searches but can find no mention of this behavior, or how to configure it so it runs after iptables. I don't believe I need alerts on traffic that will be blocked anyway.

Is there a reason I would want to see those alerts, and if not, is there a way to set things up so I don't get alerts for iptables-blocked packets?

Ex Umbris

1 Answer


Since both Snort and iptables get the packets from the interface, both will process the packets and both will trigger the action you have given in the rule. There is no need to use iptables if you are running Snort. Create a rule for Snort for what you have configured in iptables and set the rule action to Drop in the Snort rule. It will do the same work as iptables. Since you are analyzing the traffic inline, you have to compile Snort with nfq (netfilter queue). In inline mode Snort will take the packets from the queue.

ifexploit
  • It seems to me Snort and iptables have different purposes. Snort is a packet inspection/analysis tool, while iptables is primarily a port blocking firewall tool that has some packet inspection capabilities. I really want to use both, with iptables acting as the outer perimeter and Snort examining only what gets through iptables. Is this possible? – Ex Umbris Oct 31 '14 at 20:40
  • Both perform inspection and analysis. If you want analysis of the packets that have passed through iptables, then you have to run Snort behind the system that is running iptables, or on the same system. – ifexploit Nov 01 '14 at 04:22
  • I AM running both on the same system... – Ex Umbris Nov 01 '14 at 22:34
  • @ifexploit is wrong on this one. `iptables` is actually an interface tool for `netfilter`, which is a `packet filter` (i.e. firewall), while Snort is an `intrusion detection system`. While both share some common principles of operation, they aren't interchangeable, as they serve completely different purposes. – NStorm May 13 '21 at 10:28
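The layout the question asks for, iptables deciding first and Snort inspecting only what it admits, can be expressed as an iptables ruleset that sends accepted packets to an NFQUEUE that an inline Snort reads. The script below is an added example, not code from the question, the answer, or the Snort project; the port list and queue number are constructed samples, and the Snort command line in the comment assumes a build with DAQ nfq support.

```shell
#!/bin/sh
# Added example, not code from the original question or answer: build an
# iptables-restore ruleset in which netfilter decides first and only packets
# it admits are handed to an inline Snort through NFQUEUE.
# Assumed setup (not stated on the page): Snort built with DAQ nfq support and
# started with  snort -Q --daq nfq --daq-var queue=0 -c /etc/snort/snort.conf

ALLOWED_TCP_PORTS="22,80,443"   # constructed sample; use the eight real ports
QUEUE_NUM=0                     # NFQUEUE number Snort listens on

# gen_rules PORTS QUEUE: print the ruleset on stdout
gen_rules() {
    ports="$1"
    queue="$2"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback traffic never goes through Snort.
-A INPUT -i lo -j ACCEPT
# Malformed or out-of-state packets are dropped before Snort sees them.
-A INPUT -m state --state INVALID -j DROP
# Packets of flows iptables already admitted: queue them so Snort sees whole streams.
-A INPUT -m state --state ESTABLISHED,RELATED -j NFQUEUE --queue-num $queue
# New connections only on the permitted TCP ports reach Snort for a verdict.
-A INPUT -p tcp -m multiport --dports $ports -m state --state NEW -j NFQUEUE --queue-num $queue
# Anything else (closed ports, unsolicited UDP) hits the DROP policy and never reaches Snort.
COMMIT
EOF
}

# count_queued RULESET: number of rules that hand packets to NFQUEUE
count_queued() {
    printf '%s\n' "$1" | grep -c -- '-j NFQUEUE'
}

rules=$(gen_rules "$ALLOWED_TCP_PORTS" "$QUEUE_NUM")
printf '%s\n' "$rules"
# Load with:  printf '%s\n' "$rules" | iptables-restore
# Caveat: if no Snort process is attached to the queue, queued packets are dropped
# by the kernel, so the host fails closed until Snort is started.
```

Because packets that miss every NFQUEUE rule fall through to the DROP policy, Snort never sees the traffic iptables rejects, which removes the alerts the question complains about.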