RE: Snort question
From: Chris Wilkes (cwilkes@ladro.com)Date: 09/27/01
- Previous message: theog@yoda.dnsq.org: "RE: Hardware Firewall vs Software Firewall"
- In reply to: Peter Mueller: "RE: Snort question"
- Next in thread: Claudiu Ionescu: "Re: Snort question-follow-up"
- Next in thread: Kutulu: "Re: Snort question"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 27 Sep 2001 09:51:17 -0700 (PDT) From: Chris Wilkes <cwilkes@ladro.com> To: Security Basics <SECURITY-BASICS@securityfocus.com> Subject: RE: Snort question Message-ID: <Pine.LNX.4.10.10109270949060.12366-100000@cjw.depechecode.com>
On Wed, 26 Sep 2001, Peter Mueller wrote:
> > Question: Would packets that are dropped by the filtering
> > rules reach snort?
> > Please explain your answer. Thank you.
>
> No. Snort functions post-kernel space. On linux the packet filtering
> (ipchains, iptables) is done at the kernel level.
Also (this probably goes without saying) you won't be able to see packets
that are dropped by the NIC; like runts, jumbo packets, etc. Those show
more of a hardware (faulty hub, router, wires, etc) problem and aren't
probably a sign of attack.
- Previous message: theog@yoda.dnsq.org: "RE: Hardware Firewall vs Software Firewall"
- In reply to: Peter Mueller: "RE: Snort question"
- Next in thread: Claudiu Ionescu: "Re: Snort question-follow-up"
- Next in thread: Kutulu: "Re: Snort question"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
