Snort mailing list archives
UDP packet supposedly DROPped, but seen by snort anyway
From: Jan Ploski <jpljpl () gmx de>
Date: Thu, 24 Oct 2002 17:22:54 +0200 (CEST)
Hello,

I have the following rule in my Linux iptables configuration:

    iptables -A block -m state --state NEW -p udp --dport 161 -j DROP

Basically, I want to ignore any traffic to UDP port 161. This rule seems to work okay, i.e. it fires when a packet is sent to the said port and the packet is never received by the process listening on that port.

However, when I run snort in sniffer mode, I can see the packet coming. It also triggers an alert (false positive in this case) according to configured snort rules.

My question is, why can this UDP packet, supposedly already dropped by the firewall, be sniffed at? This is not the case for any TCP packets that have been DROPped.

Best regards -
Jan Ploski