Security Basics mailing list archives

Re: locking down snort


From: Nelson Santos <nsantos () gmail com>
Date: Sun, 27 Jun 2004 09:46:50 -0300

Hi Jose,

IPTables always gets the traffic first so you wouldn't have a problem
locking it down. The actual order for incoming packages is:

{Checksum --> Sanity --> Routing decision --> Input chain} --> Local
processing (Snort and its friends) --> {Output chain --> Routing
decision}

All between brackets is done by IPTables and the OS.

Packets that are forwarded take a slightly different path.

Hope that helps,


Nelson

On Thu, 24 Jun 2004 10:28:43 -0700, Jose Guevarra <jose () iquest ucsb edu> wrote:

Hi,

 I have some machines running snort.  I'd like to restrict ssh/http and
other access to them. However, I'm not sure if in doing so, would snort not
'grab' and analyze traffic hitting those ports.  I guess I'm asking

- if I blocked those ports from the outside world would I still detect say a
port scan on those ports?

- Who captures the packets first: Firewall(IPTABLES) or SNORT?

Thanks,
