Re: Configuration issue, Part II

[Greg Sarsons <gsarsons () home com>]

Erek Adams wrote:
> 
> http://snort.sourcefire.com/docs/faq.html#4.3
>
> Basically, snort sits 'behind' the ipchains and ipf programs.  They see the
> packets before snort does.  If you've got things setup to drop/deny packets
> that you are expecting to see with snort, then you won't.
>
> > who, but all traffic passes across this machine.  All the interfaces
> > have been put into PROMISC mode (as I believed snort needed this).
> > It's placement on this machine would make me think it can see everything
> > that goes in and out of the network.

Okay I've got snort running collecting a big binary dump file and not
doing anything else but it is on a machine running iptables (the dump
file will be looked at latter on another machine).  So is it the case
that much of the traffic will be killed by iptables even if snort is
running in promiscuous mode?  Does that mean that I have to take down my
iptables firewall to collect everything?

Greg

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users