Snort mailing list archives

UDP packet supposedly DROPped, but seen by snort anyway


From: Jan Ploski <jpljpl () gmx de>
Date: Thu, 24 Oct 2002 17:22:54 +0200 (CEST)

Hello,

I have the following rule in my Linux iptables configuration:

iptables -A block -m state --state NEW -p udp --dport 161 -j DROP

Basically, I want to ignore any traffic to UDP port 161. This rule
seems to work okay, i.e. it fires when a packet is sent to the said
port and the packet is never received by the process listening on
that port.

However, when I run snort in sniffer mode, I can see the packet
coming. It also triggers an alert (false positive in this case)
according to configured snort rules.

My question is, why can this UDP packet, supposedly already dropped
by the firewall, be sniffed at? This is not the case for any TCP
packets that have been DROPped.

Best regards -
Jan Ploski


