Iptables rule on span traffic

Oleg sov.rbsec at gmail.com
Sat Apr 21 21:33:41 CEST 2007

AFAIK the pcap library gets traffic before iptables rule processing (because it's 
promiscuous mode), so snort and tcpdump (and any other tool which uses pcap) 
continue to see any traffic (even 'blocked by iptables', because its rules are 
applied after interface pass).

> Anyway, here is my situation.
> I have fwsnort generate iptables rules (based on snort IDS rules) which are
> running on a machine with two interfaces. One of the interfaces (eth1) is
> connected to a SPAN port that mirrors traffic on part of our network, this
> interface is in promiscuous mode. The other interface (eth0) is a regular
> addressable interface. For some reason, the iptables rules seem to have no
> effect on traffic seen by the SPAN port.

Best regards, Oleg
