[Snort-users] snort behind firewall

Prins, J.H. J.H.Prins at ...1070...
Thu Apr 26 04:04:55 EDT 2001

This is indeed correct if snort runs on the same system as the firewall
software. If it is a system behind the firewall system then it only sees
packets on the internal network.

-----Original Message-----
From: dotslash [mailto:dotslash at ...1760...]
Sent: donderdag 26 april 2001 9:37
To: Snort
Subject: [Snort-users] snort behind firewall

i'm not sure if this is already in the faq because i sure haven't found one.
this is an answer i found in the snort.org forum which, to me, is one of the
sought after answers of IDS newbies.  can someone verify if this answers the
question of "Can snort still do its job if it's firewalled?":

"Yes, libpcap grabs the packets well before the linux kernel IPChains
filters things. Remember, libpcap is used by tcpdump, and tcpdump can see
packets which aren't even IP (ie: IPX frames), and also sees packets
filtered by the IP handling of the Kernel. If I'm not mistaken, libpcap
grabs as raw socket.."  -- mattkettler

"So to be quite precise, it's just the kernel of the OS"

-- Bill Joy, (http://www.linux-mag.com/1999-11/joy_01.html)
