[Snort-users] combination of snort & ipchains

Avleen Vig avleen at ...396...
Tue Jan 16 11:08:26 EST 2001


> On Tue, Jan 16, 2001 at 04:18:04PM +0100, Philipp Snizek wrote:
> > Dear list members,
> >
> > If I do a portscan using nmap, my ipchains log the scan with a lot of DENY
> > messages. But Snort does not log anything. If something occurs that is
> > allowed by ipchains (e.g. ping-pong), it is logged by snort.
> >
> > Since I'm new to IDS, do I only have to control ports that are left open by
> > the packet filter, or is it possible to have Snort controlling all (1 -
> > 65535) ports BEFORE packets hit the deny rules of ipchains?
> >
>
> hmm.. maybe new linux kernel `feature`(?), what libpcap/linux kernel
> version you're using?

Fyodor:
Same thing happens on FreeBSD with IPF.
If IPF blocks / drops a packet, SNORT cannot pick it up :(
Read my last mail about VLANs which I'm going to try next

Av - aka singh




