Snort mailing list archives

Re: Snort + ipchains


From: John Sage <jsage () finchhaven com>
Date: Fri, 30 Nov 2001 19:11:15 -0800

Guillaume:

It's interesting to note that the HOW-TO doesn't even mention -o except in a cross-reference to ipfwadm commands.

man ipchains says "Copy matching packets to the user space device..."

I've never used it; hardly knew it existed.

What exactly are you hoping to accomplish?

As a side note: snort sees packets that ipchains DENYs or REJECTs, so I don't see why you don't just run ipchains *and* snort and be done with it.

That's what I do; it works great (and is Less Filling(tm)...)

- John

Guillaume wrote:

Hi.

Does anybody use the -o option of ipchains to capture REJECTed or DENYed packets and send them to snort for logging or analysis? How does it work? (Please send a more detailed answer than just "fine"! :-))

I would like to enhance my ipchains filter by adding this facility to it: all REJECTed or DENYed packets are logged "à la tcpdump" and post-analyzed by running snort.

Thanks.

Guillaume

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
