Snort mailing list archives
RE: Snort + ipchains
From: "Martijn Heemels" <martijn () heemels com>
Date: Sun, 2 Dec 2001 22:42:18 +0100
Perhaps it should be brought up-to-date by adding something like this:

4.19
--faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

Q: Snort is on my firewall (ipf/pf/ipchains/ipfilter) and awfully quiet...

A: While Snort also sees the packets that the firewall does, if the exploit that the signature catches requires a connection to be established, the exploit will never be sent. The firewall blocks the three-way-handshake process and you never get a connection, therefore you never get the exploit packet.
Definitely! Good suggestion... I remember this thread from a while ago and it certainly makes sense...

Is there any way of testing whether this is what's actually happening on my box? I'd like to verify that my snort actually sees the packets, because until now, I assumed snort never saw them because they were blocked by ipchains.

Any thoughts?

Greets,
Martijn
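One way to check the behaviour the proposed FAQ entry describes, as an added example that is not part of the original message or the Snort FAQ: classify the flows in a capture taken on the interface the sensor listens on. The tcpdump-style sample lines, the addresses and the `classify_flows` helper are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed tcpdump-style lines (documentation addresses), as seen on the firewall's
# external interface: flow 1 is dropped by the packet filter, flow 2 is allowed.
SAMPLE = """\
22:40:01.000001 IP 203.0.113.5.40000 > 192.0.2.10.21: Flags [S], seq 1000, win 5840, length 0
22:40:04.000001 IP 203.0.113.5.40000 > 192.0.2.10.21: Flags [S], seq 1000, win 5840, length 0
22:40:10.000001 IP 203.0.113.5.40001 > 192.0.2.10.80: Flags [S], seq 2000, win 5840, length 0
22:40:10.000201 IP 192.0.2.10.80 > 203.0.113.5.40001: Flags [S.], seq 9000, ack 2001, win 5792, length 0
22:40:10.000401 IP 203.0.113.5.40001 > 192.0.2.10.80: Flags [.], ack 9001, win 5840, length 0
22:40:10.000601 IP 203.0.113.5.40001 > 192.0.2.10.80: Flags [P.], seq 2001:2049, ack 9001, win 5840, length 48
"""

LINE = re.compile(r"IP (\S+) > (\S+): Flags \[([A-Z.]+)\].*length (\d+)")

def classify_flows(text):
    """Return {(client, server): verdict} for every TCP flow opened by a bare SYN."""
    flows = defaultdict(lambda: {"syn": 0, "synack": False, "ack": False, "payload": 0})
    for line in text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        src, dst, flags, length = m.group(1), m.group(2), m.group(3), int(m.group(4))
        if flags == "S":                              # bare SYN: src is the client
            flows[(src, dst)]["syn"] += 1
        elif flags == "S." and (dst, src) in flows:   # SYN-ACK coming back from the server
            flows[(dst, src)]["synack"] = True
        elif (src, dst) in flows and flows[(src, dst)]["synack"]:
            flows[(src, dst)]["ack"] = True           # client segment after the SYN-ACK
            flows[(src, dst)]["payload"] += length
    verdicts = {}
    for key, f in flows.items():
        if not f["synack"]:
            verdicts[key] = "syn-only"                # sensor saw the attempt, no payload ever sent
        elif f["payload"]:
            verdicts[key] = "established+payload"     # content rules have data to match
        else:
            verdicts[key] = "established-no-data" if f["ack"] else "half-open"
    return verdicts

if __name__ == "__main__":
    for (client, server), verdict in classify_flows(SAMPLE).items():
        print(f"{client} -> {server}: {verdict}")
```

A flow that stays `syn-only` shows that the sensor did see the blocked attempt, but that there was never a payload for a content-based signature to match.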