AW: (Snort-users) Snort on Checkpoint Firewall-1

[<sandro.poppi () wacker com>]

I suppose Checkpoint uses a highly customized kernel (well it does for Nokia
appliance, so this is just a guess), therefor stateful inspection takes place
before any other tool could capture packets resulting in that behaviour. As
stated before just a guess.

I would suggest using an own snort box in front of the firewall because
a) you don't get probs with the firewall when snort for any reason has probs
b) of performance issues
c) I believe running as less services as possible is the right choice for a
firewall

So long,
Sandro
> possible to examine checkpoint binaries? :)
> On Fri, Oct 19, 2001 at 04:54:55PM -0400, Dresen, Scott wrote:
> > I'm running Snort v1.8.1 on the same Linux box that I'm running a
> > Checkpoint Firewall-1 firewall.  However, my snort logs are
> not showing
> > any activity.  When I ran Snort with IPTables, I saw plenty
> of activity.
> > I'm wondering if anyone knows whether or not Checkpoint
> runs at a higher
> > priority on Linux and therefore blocks packets before Snort
> has a chance
> > to analyze them?
> >
> > TIA,
> > Scott
>
> --
> http://www.notlsd.net
> PGP fingerprint = 56DD 1511 DDDA 56D7 99C7  B288 5CE5 A713 0969 A4D1
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users