Snort mailing list archives

Re: Preventing Attacks


From: John Sage <jsage () finchhaven com>
Date: Fri, 28 Jun 2002 05:31:37 -0700

Jeff:

On Thu, Jun 27, 2002 at 09:57:20AM -0500, Jeff Taylor wrote:
> To clarify, I want to put Snort listening after the IPtables (linux
> 2.4.16) REJECT and DENY rules block from the external net.  To repeat,
> this is all on one host, adding extra NICs, hosts, hardware, etc. is
> not part of the answer I am looking for.
>
> I am looking at Snort as a more sophisticated replacement for
> Portsentry.  It does not tell me about attacks that are stopped by
> IPtables, only about ones that get thru.  It is mildly interesting to
> see what attacks are being thrown at my box.  What I want to know is
> what attacks are penetrating the IPtables packet filter.

Although my experience is still back on ipchains, the answer in that
case is that -- when snort and ipchains are on the same box -- snort
sees everything that ipchains sees.

Not what's left over, but *everything*..

I have not heard anything to the contrary about iptables, again, when
snort and iptables *are on the same box*.

(I emphasize that because invariably this sort of discussion gets
garbled by people who are running snort on a *different box* than the
ipchains/iptables box. Then snort only sees what ip[chains|tables] has
passed..)


- John
-- 
"You are in a little maze of twisty passages, all different."

PGP key      http://www.finchhaven.com/pages/gpg_pubkey.html
Fingerprint  FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5 
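
When Snort on the same host alerts on packets the filter also drops, one way to tell the two apart is to correlate Snort alerts with the firewall's own drop log. The sketch below is an added example, not part of the original message; it assumes Snort fast-format alerts and an iptables LOG rule with the hypothetical prefix "IPT-DROP: " placed directly before each DROP/REJECT rule, and all sample lines are constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed sample data. Assumes an iptables LOG rule with the hypothetical
# prefix "IPT-DROP: " directly before each DROP/REJECT rule, and Snort
# writing fast-format alerts on the same host.
FW_LOG = """\
Jun 28 05:31:37 gw kernel: IPT-DROP: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TTL=52 PROTO=TCP SPT=4321 DPT=111 SYN
Jun 28 05:31:39 gw kernel: IPT-DROP: IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.5 LEN=78 TTL=49 PROTO=UDP SPT=1026 DPT=137
"""
ALERTS = """\
06/28-05:31:37.104522  [**] [1:1000001:1] constructed portmap probe [**] [Priority: 2] {TCP} 192.0.2.10:4321 -> 198.51.100.5:111
06/28-05:31:39.551003  [**] [1:1000002:1] constructed netbios query [**] [Priority: 3] {UDP} 192.0.2.77:1026 -> 198.51.100.5:137
06/28-05:32:10.000150  [**] [1:1000003:1] constructed web request [**] [Priority: 1] {TCP} 192.0.2.10:4400 -> 198.51.100.5:80
"""
FW_RE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) .*?IPT-DROP: .*?SRC=(\S+) DST=(\S+) .*?PROTO=(\w+) SPT=(\d+) DPT=(\d+)")
ALERT_RE = re.compile(r"^(\S+)\s+\[\*\*\] \[[\d:]+\] (.*?) \[\*\*\].*\{(\w+)\} (\S+):(\d+) -> (\S+):(\d+)$")

def dropped_flows(fw_log):
    """Map (proto, src, sport, dst, dport) -> times iptables logged a drop."""
    flows = {}
    for line in fw_log.splitlines():
        m = FW_RE.match(line)
        if m:
            ts, src, dst, proto, spt, dpt = m.groups()
            when = datetime.strptime(ts, "%b %d %H:%M:%S")
            flows.setdefault((proto, src, spt, dst, dpt), []).append(when)
    return flows

def classify(alerts, fw_log, window=timedelta(seconds=2)):
    """Label each alert 'dropped' or 'passed' by matching it to a drop entry."""
    drops, out = dropped_flows(fw_log), []
    for line in alerts.splitlines():
        m = ALERT_RE.match(line)
        if not m:
            continue  # alerts without ports (e.g. ICMP) are not handled here
        ts, msg, proto, src, spt, dst, dpt = m.groups()
        when = datetime.strptime(ts, "%m/%d-%H:%M:%S.%f")
        hit = any(abs(when - t) <= window for t in drops.get((proto, src, spt, dst, dpt), []))
        out.append((msg, "dropped" if hit else "passed"))
    return out

if __name__ == "__main__":
    for msg, verdict in classify(ALERTS, FW_LOG):
        print(f"{verdict:8} {msg}")
```

Alerts labelled "passed" are the ones with no matching drop entry, which is the subset the original question asks about.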

