IDS mailing list archives

Re: Snort & iptables on the same box


From: Joachim Schipper <j.schipper () math uu nl>
Date: Mon, 13 Jun 2005 10:01:47 +0200

On Fri, Jun 10, 2005 at 05:04:28PM -0400, Jean-Pierre Denis wrote:
> Hi,
>
> When running snort and iptables on the same box, which of the 2 acts first?
>
> Does it go through snort and then the iptables rules allow or deny the
> connection, or is it the other way around?
>
> Merci,
> JP

Hi JP,

Neither 'acts first' in a standard configuration; if you use Snort in
(standard) IDS mode, it sees the packets at the same time as Netfilter
(the kernel part of iptables) and acts independently.

If you use Snort_inline (IPS mode), the packets enter Netfilter, which
may choose to pass it to Snort_inline via the QUEUE target at some
point.

This is all in the snort documentation, BTW.

                Joachim
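The IPS-mode ordering Joachim describes is set entirely by where the queue rule sits in the iptables chain: a packet that hits a terminating target (ACCEPT or DROP) before that rule never reaches the inline sensor, and rules after it only see what the sensor accepted. The script below is an added example, not code from the original thread or from the Snort project. It prints a FORWARD ruleset for a Linux router with the inline IPS bound to a netfilter queue; interface names eth0/eth1 and queue number 0 are assumptions. At the time of the post snort_inline used the QUEUE target (ip_queue); on current kernels that target is gone and NFQUEUE with an explicit queue number is used instead, which is what the example emits.

```shell
#!/bin/sh
# Added example (not from the original post): iptables rules that hand
# forwarded packets to an inline IPS via the netfilter queue.
# Assumptions: eth0 is the outside interface, eth1 the inside interface,
# and the IPS process binds netfilter queue 0. The script only prints the
# rules; apply them as root with:  ./ips-rules.sh | sudo sh

QUEUE_NUM=0        # queue the IPS process binds to (assumption)
OUTSIDE_IF=eth0    # assumed interface names
INSIDE_IF=eth1

# Emit the FORWARD ruleset. Chain traversal is first-match, so order is
# what decides "who acts first":
#   - packets matched by a terminating target before the NFQUEUE rule
#     (here: connection-tracking INVALID -> DROP) are never seen by the IPS;
#   - packets that fall through to NFQUEUE are handed to userspace, and the
#     IPS verdict (accept/drop) is what netfilter then enforces;
#   - rules after the NFQUEUE rule only see packets the IPS accepted.
# --queue-bypass makes netfilter ACCEPT queued packets when no process is
# bound to the queue (fail-open). Remove it to fail closed when the IPS dies.
ips_ruleset() {
    cat <<EOF
# 1. Dropped here: the inline IPS never sees these.
iptables -A FORWARD -i $OUTSIDE_IF -m conntrack --ctstate INVALID -j DROP
# 2. Everything else forwarded through the box goes to the IPS in queue $QUEUE_NUM.
iptables -A FORWARD -i $OUTSIDE_IF -o $INSIDE_IF -j NFQUEUE --queue-num $QUEUE_NUM --queue-bypass
iptables -A FORWARD -i $INSIDE_IF -o $OUTSIDE_IF -j NFQUEUE --queue-num $QUEUE_NUM --queue-bypass
# 3. Only packets the IPS accepted reach this rule.
iptables -A FORWARD -j ACCEPT
EOF
}

# Sanity check on ordering before the rules are applied: the DROP must
# precede the first NFQUEUE rule, otherwise the IPS would be asked to
# inspect packets the firewall has already decided to discard.
# Returns 0 if the ordering is correct, 1 otherwise.
ips_ruleset_ordered() {
    drop_line=$(ips_ruleset | grep -n -- '--ctstate INVALID -j DROP' | cut -d: -f1)
    queue_line=$(ips_ruleset | grep -n -- '-j NFQUEUE' | head -n 1 | cut -d: -f1)
    [ -n "$drop_line" ] && [ -n "$queue_line" ] && [ "$drop_line" -lt "$queue_line" ]
}

ips_ruleset
```

In IDS mode nothing of this applies: Snort reads the interface through libpcap, which taps frames at the link layer regardless of what the filter rules later decide, so an alert can fire for a packet that iptables subsequently drops.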
