Re: Snort & iptables on the same box
From: Joachim Schipper (j.schipper_at_math.uu.nl)
Date: 06/13/05
- Previous message: Will Metcalf: "Re: Snort & iptables on the same box"
- In reply to: Jean-Pierre Denis: "Snort & iptables on the same box"
- Next in thread: Michael Boman: "Re: Snort & iptables on the same box"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 13 Jun 2005 10:01:47 +0200
To: focus-ids@securityfocus.com
On Fri, Jun 10, 2005 at 05:04:28PM -0400, Jean-Pierre Denis wrote:
> Hi,
>
>
> When running snort and iptables on the same box, which of the 2 acts first?
>
> Does it go through snort and then the iptables rule allows or denies the
> connection, or is it the other way around?
>
>
> Merci,
> JP
Hi JP,
Neither 'acts first' in a standard configuration; if you use Snort in
(standard) IDS mode, it sees the packets at the same time as Netfilter
(the kernel part of IPTables) and acts independently.
If you use Snort_inline (IPS mode), the packets enter Netfilter, which
may choose to pass them to Snort_inline via the QUEUE target at some
point.
This is all in the snort documentation, BTW.
Joachim
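The two paths described in the reply above, as an added example that is not part of the thread: an iptables script (dry-run by default) that places the QUEUE target so Snort_inline only receives forwarded traffic after Netfilter has had first say, with the plain IDS-mode invocation beside it for contrast. Interface names, the LAN range and the snort.conf path are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Hypothetical interface names
# (eth0 = outside, eth1 = inside) and LAN range are assumptions.
# Dry-run by default: set IPT=/sbin/iptables to apply the rules for real.
IPT="${IPT:-echo iptables}"
OUTSIDE="${OUTSIDE:-eth0}"
INSIDE="${INSIDE:-eth1}"
LAN="${LAN:-192.168.1.0/24}"

# Netfilter always sees a forwarded packet before Snort_inline does:
# whatever is accepted or dropped here never reaches the IPS. Only the
# packets that hit "-j QUEUE" are handed to userspace, where snort_inline
# issues the final verdict.
inline_rules() {
    $IPT -P FORWARD DROP
    # Drop spoofed sources before spending IPS cycles on them.
    $IPT -A FORWARD -i "$OUTSIDE" -s "$LAN" -j DROP
    # Hand the remaining forwarded traffic to snort_inline. If nothing in
    # userspace is attached to the queue (ip_queue loaded, snort_inline
    # not running), queued packets are dropped, i.e. the box fails closed.
    $IPT -A FORWARD -i "$OUTSIDE" -o "$INSIDE" -d "$LAN" -j QUEUE
    $IPT -A FORWARD -i "$INSIDE" -o "$OUTSIDE" -s "$LAN" -j QUEUE
}

# For contrast, plain IDS mode needs no Netfilter rule at all: snort
# captures from the interface with libpcap and sees every packet in
# parallel with Netfilter, including those the FORWARD chain will drop.
ids_mode_command() {
    echo "snort -i $OUTSIDE -c /etc/snort/snort.conf -D"
}

inline_rules
ids_mode_command
```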