Snort mailing list archives
Re: Snort + ipchains
From: John Sage <jsage () finchhaven com>
Date: Sat, 01 Dec 2001 10:40:50 -0800
Martijn:
Seems this was a recurring topic, maybe last spring, with inconclusive answers, depending on how well the network layout was described.
I posted my experiences back then, but what I posted was only based upon my setup.
As you state, snort FAQ 1.8 sez:
4.3 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: Snort is behind a firewall (ipf/pf/ipchains/ipfilter) and awfully quiet...
A: Your firewall rules will also block traffic to the snort processes.
Certainly snort wouldn't see packets if it was off on *another* box behind the firewall, which I think is what the FAQ is really describing: "...snort is *behind* a firewall..."
My snort is running *on* my firewall box in conjunction with ipchains. Maybe that's the difference...
Later..
- John
Martijn Heemels wrote:
> > As a side note: snort sees packets that ipchains DENY's or REJECT's, so I don't see why you don't just run ipchains *and* snort and be done with it.
>
> It doesn't for everyone. In fact, according to the snort faq for most people ipchains does block traffic to snort (including me). So he may not be able to do this.
>
> Greets, Martijn
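One way to check this on a given setup, as an added example that is not part of the original thread: log blocked packets with ipchains' `-l` flag, send test traffic that a known Snort rule fires on, and see whether Snort alerted on the same flows. The log lines, addresses, host name and rule message below are constructed samples, and the function names are hypothetical.

```python
import re

# Constructed samples: ipchains syslog lines (from rules carrying -l)
# and one Snort fast-alert line. Not taken from the thread.
IPCHAINS_LOG = """\
Dec  1 10:40:50 fw kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.9:4321 192.0.2.1:111 L=60 S=0x00 I=4242 F=0x4000 T=52 SYN (#7)
Dec  1 10:41:02 fw kernel: Packet log: input DENY eth0 PROTO=17 203.0.113.9:1026 192.0.2.1:161 L=71 S=0x00 I=4243 F=0x0000 T=52 (#8)
Dec  1 10:41:10 fw kernel: Packet log: input ACCEPT eth0 PROTO=6 198.51.100.4:2000 192.0.2.1:25 L=60 S=0x00 I=99 F=0x4000 T=60 SYN (#2)
"""
SNORT_ALERTS = """\
12/01-10:40:50.101010 [**] [1:1000001:1] constructed portmap probe [**] [Priority: 2] {TCP} 203.0.113.9:4321 -> 192.0.2.1:111
"""

# Only TCP and UDP are compared; ipchains logs ICMP type/code in the
# port positions, which does not line up with Snort's ICMP alert format.
PROTO = {"6": "TCP", "17": "UDP"}
# chain, verdict, interface, protocol number, src ip:port, dst ip:port
IPCHAINS_RE = re.compile(r"Packet log: (\S+) (\S+) (\S+) PROTO=(\d+) (\S+) (\S+) ")
# trailing "{PROTO} src:port -> dst:port" of a fast alert
SNORT_RE = re.compile(r"\{(\w+)\} (\S+) -> (\S+)\s*$")

def blocked_flows(log, verdicts=("DENY", "REJECT")):
    """Return (proto, src, dst) for every packet ipchains logged as blocked."""
    flows = []
    for line in log.splitlines():
        m = IPCHAINS_RE.search(line)
        if m and m.group(2) in verdicts and m.group(4) in PROTO:
            flows.append((PROTO[m.group(4)], m.group(5), m.group(6)))
    return flows

def alerted_flows(alerts):
    """Return the set of (proto, src, dst) flows Snort alerted on."""
    return {m.groups() for line in alerts.splitlines()
            if (m := SNORT_RE.search(line))}

def visibility_report(log, alerts):
    """Map each blocked flow to True if Snort also alerted on it."""
    seen = alerted_flows(alerts)
    return {flow: flow in seen for flow in blocked_flows(log)}

if __name__ == "__main__":
    for flow, seen in visibility_report(IPCHAINS_LOG, SNORT_ALERTS).items():
        print(flow, "seen by snort" if seen else "no snort alert")
```

A `False` entry only shows that no alert matched that flow, so the test traffic has to be something a loaded Snort rule is known to fire on before the result says anything about the firewall.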