
I have an Ubuntu system and I want to implement iptables as firewall, ModSecurity as WAF and Snort as IDS on this system. I have a server behind this system and I want to protect the server with it. I want that when a packet is received, iptables processes it first; then, if it is OK, it is passed to Snort, Snort processes it, and then the packet is passed to ModSecurity, which processes it. How can I specify this order: first iptables, second Snort and finally ModSecurity? What should I do?

Trudy

1 Answer


Snort and IPTables are both monitoring packets at the interface, so they more or less sit alongside each other. The Modsecurity WAF sits at the webserver level, after the OS processing is done, so that one will come 'last' anyway.

Here they explain how to have IPTables put packets in the Snort queue, so you have your desired order:

http://seclists.org/snort/2014/q4/363

This example has IPTables DROP everything but port 80, which Snort then does its thing on:

At this point, a "blacklist" type firewall setup may be a better fit. If we assume that the NFQUEUE rule is effectively an ACCEPT, consider the below (iptables writes port ranges as low:high):

    sudo /sbin/iptables -A INPUT -d IP.ADDRESS -p tcp --dport 0:79 -j DROP
    sudo /sbin/iptables -A INPUT -d IP.ADDRESS -p tcp --dport 80 -j NFQUEUE --queue-num 1
    sudo /sbin/iptables -A INPUT -d IP.ADDRESS -p tcp --dport 81:65535 -j DROP

JayMcTee
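The iptables-then-Snort ordering from the answer, as an added example that is not from the answer or the seclists post: a shell function that emits the rule set (printed, not applied, so it runs unprivileged) and lets you choose whether the NFQUEUE rule fails open or closed when Snort is not running. It assumes ModSecurity runs on this box as a reverse proxy, so traffic arrives on the INPUT chain; the IP, port and queue number are placeholders passed as arguments.

```shell
#!/bin/sh
# build_fw_rules IP PORT QUEUE [bypass]
#   Prints the iptables rules, in order: drop ports below PORT, hand PORT to
#   NFQUEUE QUEUE (where Snort reads it inline with
#   "snort -Q --daq nfq --daq-var queue=QUEUE -c /etc/snort/snort.conf"),
#   drop everything above PORT. Pipe the output to sh as root to apply it.
#   If the 4th argument is "bypass", --queue-bypass is added: packets are
#   then ACCEPTed instead of dropped while no Snort process reads the queue
#   (fail-open). Without it the queue fails closed, which is the safer default.
build_fw_rules() {
    ip="$1"
    port="$2"
    queue="$3"
    bypass=""
    [ "$4" = "bypass" ] && bypass=" --queue-bypass"

    # iptables port ranges use low:high, not low-high
    lo_range="0:$((port - 1))"
    hi_range="$((port + 1)):65535"

    printf 'iptables -A INPUT -d %s -p tcp --dport %s -j DROP\n' "$ip" "$lo_range"
    printf 'iptables -A INPUT -d %s -p tcp --dport %s -j NFQUEUE --queue-num %s%s\n' \
        "$ip" "$port" "$queue" "$bypass"
    printf 'iptables -A INPUT -d %s -p tcp --dport %s -j DROP\n' "$ip" "$hi_range"
}

# Example invocation with a constructed documentation address (RFC 5737):
# build_fw_rules 192.0.2.10 80 1
```

Rule order matters: iptables evaluates the chain top to bottom, so the NFQUEUE line must sit before any catch-all DROP, and `iptables -L INPUT -n --line-numbers` shows the order actually loaded.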