Re: Snort with AFPacket

[James Lay <jlay () slave-tothe-box net>]

On Mon, 2014-11-03 at 20:44 -0500, Sec Aficionado wrote:
> Great, thank you for the explanation. NFQ was indeed my next step
> after trying AFPacket. AFPacket was easier to build, but I did not
> realize it might have serious side effects.
>
>
> From the high level description of NFQ, it still works with iptables,
> but in a more efficient manner?

It's.....interesting.  You have to be careful with where you place your
iptables QUEUE rule for Snort to use.  Because any rules placed AFTER
the QUEUE rule are not looked at....as soon as the packet hits the QUEUE
rule snort will either drop it as an IPS hit, or will pass it up the
stack.  So make sure you nmap the box once you put it in place...don't
want any open surprises ;)

James 




------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!