[Snort-users] snort behind firewall

dotslash dotslash at ...1760...
Thu Apr 26 03:36:55 EDT 2001


i'm not sure if this is already in the faq because i sure haven't found one.
this is an answer i found in the snort.org forum which, to me, is one of the
sought after answers of IDS newbies.  can someone verify if this answers the
question of "Can snort still do its job if it's firewalled?":

"Yes, libpcap grabs the packets well before the linux kernel IPChains
filters things. Remember, libpcap is used by tcpdump, and tcpdump can see
packets which aren't even IP (ie: IPX frames), and also sees packets
filtered by the IP handling of the Kernel. If I'm not mistaken, libpcap
grabs as raw socket.."  -- mattkettler




"So to be quite precise, it's just the kernel of the OS"

-- Bill Joy, (http://www.linux-mag.com/1999-11/joy_01.html)
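
Added example (not part of the original post, and not Snort or libpcap code): a minimal Linux packet-socket reader, the kind of link-layer tap libpcap uses on Linux, which labels each frame by EtherType so non-IP traffic such as IPX shows up alongside IP. It assumes Ethernet framing and root (or CAP_NET_RAW); frame_kind and the SAMPLE_* frames are names constructed for this illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <sys/socket.h>
#include <linux/if_ether.h>   /* ETH_P_ALL, ETH_HLEN */

/* Constructed sample frames (header only): dst MAC, src MAC, EtherType. */
const unsigned char SAMPLE_IPV4[14] = {0xff,0xff,0xff,0xff,0xff,0xff, 2,0,0,0,0,1, 0x08,0x00};
const unsigned char SAMPLE_IPX[14]  = {0xff,0xff,0xff,0xff,0xff,0xff, 2,0,0,0,0,1, 0x81,0x37};

/* Name the protocol carried by an Ethernet frame as the link-layer tap sees it. */
const char *frame_kind(const unsigned char *f, size_t len)
{
    if (len < (size_t)ETH_HLEN)
        return "truncated";
    unsigned type = ((unsigned)f[12] << 8) | f[13];
    if (type < 0x0600)          /* 802.3 length field, not an EtherType */
        return "802.3/LLC";
    switch (type) {
    case 0x0800: return "IPv4";
    case 0x0806: return "ARP";
    case 0x8137: return "IPX";
    default:     return "other";
    }
}

int main(void)
{
    /* ETH_P_ALL: deliver every frame on every interface, IP or not. */
    int fd = socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
    if (fd < 0) { perror("socket(AF_PACKET)"); return 1; }
    unsigned char buf[2048];
    for (int i = 0; i < 10; i++) {   /* print the first ten frames, then stop */
        ssize_t n = recv(fd, buf, sizeof buf, 0);
        if (n < 0) { perror("recv"); break; }
        printf("%zd bytes: %s\n", n, frame_kind(buf, (size_t)n));
    }
    close(fd);
    return 0;
}
```

Running it on a host while the packet filter drops a test flow, and seeing whether those frames still get printed, is a direct way to check the claim quoted above on a given kernel.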




