Re: Snort question
From: J Troy Piper (jtp@dok.org)Date: 09/27/01
- Previous message: Don Weber: "RE: Help with Cisco"
- Maybe in reply to: Claudiu Ionescu: "Snort question"
- Next in thread: Michael Kjorling: "Re: Snort question"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 26 Sep 2001 21:41:07 -0500 From: J Troy Piper <jtp@dok.org> To: Security Basics <SECURITY-BASICS@SECURITYFOCUS.COM> Subject: Re: Snort question Message-ID: <20010926214107.B20776@dok.org>
attached mail follows:
> Hi all,
> Premises: a Linux box with two NICs working as a router and packet filtering
> device (ipchains or iptable) for a small network behind it. Snort installed on
> it.
> Question: Would packets that are dropped by the filtering rules reach snort?
> Please explain your answer. Thank you.
Answer: No. The netfilter interface ip(tables|chains) uses is located at
the kernel level. Snort reads packets by placing the interface in
'promiscuous' mode to view all the packets the kernel hands it, therefore,
packets that are dropped by filtering with iptables or ipchains will never
make it to the snort process.
---/************************/ /* J. Troy Piper */ /* <jtp@dok.org> */ /* Ignotum per Ignotius */ /************************/
- application/pgp-signature attachment: stored
- Previous message: Don Weber: "RE: Help with Cisco"
- Maybe in reply to: Claudiu Ionescu: "Snort question"
- Next in thread: Michael Kjorling: "Re: Snort question"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
