Re: snort + iptables

["Senthil Prabu.S" <prabu333 () hotpop com>]

> Hi
> I was wondering :
> If I put snort on the same machine iptables is running both will catch the
> same packets or frames?
> I think this is a waste of resources, isn't it?
> I know snort_inline accepts only packets from iptables, so that's OK!
> But what about snort? It is still using libpcap to catch the traffic,

          Snort operates using libpcap.It analysis everything the network 
adapter
driver sees before the network stack munges it. Linux IPTables, do not 
prevent
snort from seeing a packet that is present on the network wire. Even if an 
inbound
packet is denied by the packet filter,ie by IPTables. Snort will still see 
and analyze
the packet if it is listening to that interface. Snort/pcap sees whatever 
comes out of
or goes into the network adapter.
        The above said holds good for only inbound trafiic.


> how can  I make it listen only to the traffic iptables filter?
   Also Snort cannot look at the outgoing packets that are being
denied by filters,since they will never reach the network adapter.

Hopes this helps....


--
Senthil Prabu.S


Logic is a systematic method of coming to the wrong conclusion with 
confidence.
_________________________________________________________________





-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now. 
http://productguide.itmanagersjournal.com/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users