Snort mailing list archives
Re: precedence question
From: "J. Craig Woods" <drjung () sprynet com>
Date: Sun, 02 Sep 2001 19:24:07 -0500
al3x payne wrote:
a rather basic question: say i'm running bastille firewall on my machine, and snort. i have portscan packets coming in. which "answers" or "sees" the packets first, snort, or the firewall? will ports i have blocked via the firewall simply be ignored by snort, or what? thanks for your thoughts, in advance...

::al3x

ps. i'm working on updated t-shirt designs for the snortstore. never fear.
Your input chain for your firewall is processed through a kernel process, either ipchains or iptables, depending on your kernel, and this will see all input chain values first, and will log to syslog if you have the "l" switch included in your rules. Snort will still log and let you know what it "saw". To think about this as a "who sees what first" may be deceptive: kernel sees all things first, but it is in a way simultaneous with snort.

Glad I was able to confuse..ehr, elucidate for you.....

drjung