RE: Re: Snort Behind IPtables, contradicting evidence...

["Martijn Heemels" <martijn () yggdrasil yi org>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

That was an interesting thread...

I think the FAQ should be updated with this, since this subject (that
has come up again and again) is dealt with in only one sentence and
the subject is apparently a little more complicated.

Greets, Martijn
- -- 
.: M. Heemels .:. webdesigner :.
.: Eindhoven, NL, martijn () heemels com :.
.: PGP of S/MIME encrypted e-mail preferred :.

> Oinkers Bob and John,
>
>      Thanks!  That makes perfect sense and I should've known that! 
> To sum up for the archives...When you have snort sitting behind
> iptables, snort sees every packet coming in (same as iptables). 
> However, since iptables denies connections, before the 3 way
> handshake is complete, you won't probably see nearly as many
> alerts.  The packets with the exploit  data that
> snort is going to alert on come AFTER the connection is established
> (3-way handshake done).  So with iptables denying connections, the
> data 
> to trigger
> alerts doesn't show up at the box at all.
>
>      Thanks again for your help!  I can sleep better in my pen
> tonight....  
>
> Piglet James

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>

iQA/AwUBO7URTRLMC0rbivl4EQI0IgCdGJqRxFlGV+PfHawHMlwMB3LiA1gAoPm/
4VOf3xQlvzn40HkJxdNkXwiP
=tgf0
-----END PGP SIGNATURE-----

Attachment: smime.p7s
Description: