Can you filter packets before sending to snort?

Gozzer · March 30, 2021, 8:48am

Hi there,
I was just wondering if it was possible to prevent snort from seeing packets that have been dropped by iptables. I believe this would be possible if openwrt supported NFQ and then you could use that to pass the packets to snort after they have been filtered. But is there a way to do this on openwrt?

Basically I don't want snort to see packets that have been dropped by iptables or ebtables.

dl12345 · March 30, 2021, 10:50am

Why don't you run snort on the br-lan interface, then you won't see the dropped packets?

If you run it on the wan interface, you're going to see ip adresses that are NATed already instead of the internal ip addresses...

Gozzer · March 30, 2021, 1:47pm

Thank you, I'll give that a go