[Snort-users] combination of snort & ipchains

Fyodor fygrave at ...121...
Wed Jan 17 13:32:47 EST 2001


On Tue, Jan 16, 2001 at 10:00:47PM +0000, andy lowton wrote:
> >>>>> On Tue, 16 Jan 2001, "Avleen" == Avleen Vig wrote:
> 
>   Avleen> Fyodor:  Same thing happens on FreeBSD with IPF.  If IPF blocks /
>   Avleen> drops a packet, SNORT cannot pick it up :( Read my last mail about
>   Avleen> VLANs which I'm going to try next
> 
> Interesting, I run IPF and Snort on the same interface under OpenBSD and Snort 
> picks everything up whatever IPF does.
> 
> Maybe the original poster is doing his tests from a network that Snort doesn't 
> consider to be 'external' and the rules are configured to look for external->
> home?
> 


That is the only scenario I could think of. We read data off the datalink, so ipf/ipchains
shouldn't interfere with it; everything that is on the wire we should be able to see.
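
Added example, not part of the original message or of Snort's code: a simplified model of how the address part of a rule header is evaluated, showing why a test launched from inside HOME_NET never fires a rule written as external -> home even though the sniffer sees the packet. The variable value, packet addresses and helper names are constructed for illustration; ports and protocol are left out.

```python
import ipaddress

# Constructed variable table, in the style of a snort.conf "var" line.
VARS = {"HOME_NET": "192.168.1.0/24"}

def addr_matches(spec, ip, variables=VARS):
    """Return True if ip falls inside a Snort-style address spec.

    Handles 'any', a leading '!' negation, '$VAR' expansion and CIDR blocks.
    """
    spec = spec.strip()
    if spec.startswith("!"):
        return not addr_matches(spec[1:], ip, variables)
    if spec.startswith("$"):
        return addr_matches(variables[spec[1:]], ip, variables)
    if spec == "any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def header_matches(header, src, dst, variables=VARS):
    """Match the address part of a header: '<src> <op> <dst>', op is -> or <>."""
    rule_src, op, rule_dst = header.split()
    forward = (addr_matches(rule_src, src, variables)
               and addr_matches(rule_dst, dst, variables))
    if op == "->":
        return forward
    if op == "<>":
        # Bidirectional rules also match with the endpoints swapped.
        reverse = (addr_matches(rule_src, dst, variables)
                   and addr_matches(rule_dst, src, variables))
        return forward or reverse
    raise ValueError("unknown direction operator: " + op)

def explain(header, packets, variables=VARS):
    """Return (src, dst, matched) for each constructed packet."""
    return [(s, d, header_matches(header, s, d, variables)) for s, d in packets]

# Constructed test traffic: one probe from inside HOME_NET, one from outside.
PACKETS = [("192.168.1.50", "192.168.1.10"), ("203.0.113.7", "192.168.1.10")]

if __name__ == "__main__":
    for header in ("!$HOME_NET -> $HOME_NET", "any -> $HOME_NET"):
        for src, dst, hit in explain(header, PACKETS):
            verdict = "match" if hit else "no match"
            print(f"{header:26} {src:>13} -> {dst:<13} {verdict}")
```

Both packets reach the sniffer; only the rule's source constraint decides whether an alert is raised, so a missing alert from an internal test host points at the rule set rather than at the packet filter.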



