Snort mailing list archives
Re: Snort + ipchains
From: John Sage <jsage () finchhaven com>
Date: Fri, 30 Nov 2001 19:11:15 -0800
Guillaume:

It's interesting to note that the HOW-TO doesn't even mention -o except in a cross-reference to ipfwadm commands.

man ipchains says "Copy matching packets to the user space device..." I've never used it; hardly knew it existed. What exactly are you hoping to accomplish?

As a side note: snort sees packets that ipchains DENYs or REJECTs, so I don't see why you don't just run ipchains *and* snort and be done with it.

That's what I do; it works great (and is Less Filling(tm)...)

- John

Guillaume wrote:

> Hi.
>
> Does anybody use the -o option of ipchains to capture REJECTed or DENYed packets and send them to snort for log or analyse action? How does it work? (Please send a more detailed answer than just "fine"! :-))
>
> I would like to enhance my ipchains filter by adding to it this facility: all REJECT or DENY packets are logged "à la tcpdump" and post-analyzed by running snort.
>
> Thanks.
>
> Guillaume