Snort mailing list archives

Re: precedence question


From: "J. Craig Woods" <drjung () sprynet com>
Date: Sun, 02 Sep 2001 19:24:07 -0500

al3x payne wrote:

> a rather basic question:  say i'm running bastille firewall on my
> machine, and snort.  i have portscan packets coming in.  which "answers"
> or "sees" the packets first, snort, or the firewall?  will ports i have
> blocked via the firewall simply be ignored by snort, or what?
>
> thanks for your thoughts, in advance...
>
> ::al3x
>
> ps. i'm working on updated t-shirt designs for the snortstore.  never
> fear.

Your input chain for your firewall is processed through a kernel
process, either ipchains or iptables, depending on your kernel, and this
will see all input chain values first, and will log to syslog if you
have the "l" switch included in your rules. Snort will still log and let
you know what it "saw". To think about this as a "who sees what first"
may be deceptive: kernel sees all things first but it is in a way
simultaneous with snort. Glad I was able to confuse..ehr, elucidate for
you.....

drjung
