Snort mailing list archives
RE: Relationship between snort and ipchains and security strategies
From: "John Berkers" <berjo () ozemail com au>
Date: Mon, 20 Aug 2001 23:12:12 +1000
John, Steven,

With regard to Snort seeing packets before IPChains, snort (libpcap actually) sees all traffic before the IP stack processes it. Since IPChains plugs into the IP stack, it therefore sees the traffic after snort. So if you see snort alert on something, this does not mean that it has got through your IPChains. You would need to check your IPChains logs (if you are logging) to verify whether or not it actually got through.

While this is the case for network cards this does not appear to hold entirely true for PPP adapters.

There certainly appears to be nothing wrong with your setup. Hope that clarifies some things.

Regards,
John Berkers
ICQ: 112912
Network Operations Infrastructure Support - Hansen Corporation
john.berkers () hancorp com au
berjo () ozemail com au

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net]On Behalf Of John Sage
Sent: Monday, 20 August 2001 13:49
To: Steven () heimann com au
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Relationship between snort and ipchains and security strategies

Steven:

Steven () heimann com au wrote:
[snip]
I have been looking at the documentation on Snort but I couldn't find anything about how it and ipchains integrate with the ip stack. (Understanding the source is beyond my abilities.) Could someone please briefly explain how snort does this and how this would relate to ipchains. i.e. Does snort get the packet before ipchains or is my setup wrong?
I can't say from technical knowledge which gets to see packets "before" one or the other, but from practical use, snort and ipchains both see problematic packets.

[snip]

Just some thoughts..

..I hope others will weigh in.

- John
--
John Sage
FinchHaven, Vashon Island, WA, USA
http://www.finchhaven.com/
mailto:jsage () finchhaven com
"The web is so, like, five minutes ago..."

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
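The check suggested in the reply above (look up a Snort alert in the IPChains log to see whether the packet actually got through), as an added example that is not part of the original thread. The log lines are constructed, the Snort "fast" alert and ipchains "Packet log:" formats are assumptions, both logs are assumed to come from the same host clock, and the function names are hypothetical.

```python
import re
from datetime import datetime, timedelta

# Constructed sample data (not from the thread). Assumed formats: Snort "fast"
# alerts and ipchains kernel "Packet log:" syslog lines from rules using -l.
SNORT_ALERTS = """\
08/20-13:49:01.120000 [**] [1:1000001:1] Constructed alert A [**] {TCP} 203.0.113.7:4021 -> 192.0.2.10:111
08/20-13:49:05.500000 [**] [1:1000002:1] Constructed alert B [**] {TCP} 203.0.113.7:4022 -> 192.0.2.10:80
08/20-13:49:09.000000 [**] [1:1000003:1] Constructed alert C [**] {UDP} 203.0.113.9:53 -> 192.0.2.10:1025
"""
IPCHAINS_LOG = """\
Aug 20 13:49:01 fw kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.7:4021 192.0.2.10:111 L=60 S=0x00 I=4242 F=0x4000 T=52 SYN (#4)
Aug 20 13:49:05 fw kernel: Packet log: input ACCEPT eth0 PROTO=6 203.0.113.7:4022 192.0.2.10:80 L=60 S=0x00 I=4243 F=0x4000 T=52 SYN (#7)
"""

ALERT_RE = re.compile(
    r"^(\d\d/\d\d-\d\d:\d\d:\d\d)\.\d+ .*\{(\w+)\} (\S+):(\d+) -> (\S+):(\d+)$")
FW_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: Packet log: (\S+) (\S+) \S+ "
    r"PROTO=(\d+) (\S+):(\d+) (\S+):(\d+) ")
PROTO = {"6": "TCP", "17": "UDP"}  # IP protocol numbers as logged by ipchains


def parse_fw(text, year):
    """Return (time, flow, chain, verdict) for each ipchains log line."""
    rows = []
    for line in text.splitlines():
        m = FW_RE.match(line)
        if m:
            # Syslog timestamps carry no year, so the caller supplies it.
            ts = datetime.strptime(f"{year} {m[1]}", "%Y %b %d %H:%M:%S")
            flow = (PROTO.get(m[4], m[4]), m[5], int(m[6]), m[7], int(m[8]))
            rows.append((ts, flow, m[2], m[3]))
    return rows


def firewall_verdicts(alerts, fwlog, year=2001, window=timedelta(seconds=2)):
    """For each Snort alert, report what ipchains logged for the same flow."""
    fw = parse_fw(fwlog, year)
    out = []
    for line in alerts.splitlines():
        m = ALERT_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year}/{m[1]}", "%Y/%m/%d-%H:%M:%S")
        flow = (m[2], m[3], int(m[4]), m[5], int(m[6]))
        hits = [v for t, f, _c, v in fw if f == flow and abs(t - ts) <= window]
        # No log entry proves nothing: the matching rule may simply lack -l.
        out.append((flow, hits[0] if hits else "NOT LOGGED"))
    return out
```

An alert that maps to DENY was seen by Snort but dropped by the firewall; one that maps to NOT LOGGED cannot be resolved until the relevant ipchains rule logs.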
Current thread:
- Relationship between snort and ipchains and security strategies Steven (Aug 19)
- Re: Relationship between snort and ipchains and security strategies John Sage (Aug 19)
- RE: Relationship between snort and ipchains and security strategies John Berkers (Aug 20)
- Re: Relationship between snort and ipchains and security strategies John Sage (Aug 19)