[Snort-users] running snort on webserver

Piers Williams PiersW at ...1865...
Fri Apr 27 06:46:49 EDT 2001

Is this true? There are seperate threads in this list (snort behind
firewall) that quote people on the snort forums claiming exactly the
opposite. Can anyone comprehensively put a stake in the ground and say that
libpcap definately runs pre/post kernel firewalling (please)?

Or (Josh) is that what you're saying?


> -----Original Message-----
> From: Josh Oshiro [mailto:josh at ...155...]
> This may have to do with the kernal version. libpcap reads eth data at
> the kernal level and it does not access the eth divice directly
> therefore the firewall rules should apply before snort can see the
> network traffic.

More information about the Snort-users mailing list