[Snort-users] Where does Snort sit...

John Sage jsage at ...2022...
Sun May 13 12:24:52 EDT 2001


Andreas Hasenack wrote:

> Em Sun, May 13, 2001 at 01:00:33AM -0700, John Sage escreveu:
>> ...as it were, in relation to ppp0 and ipchains?
>> As I understand it, now I've got:
>>                 _______________________________________
>>                |              firewall box             |
>> Internet <---> ppp0 <-> ipchains <-> portsentry <-> eth0 <---> LAN
>> Does Snort sit between ppp0 and ipchains (which is what I hope..) or is 
>> it after ipchains and thus is going to see only the stuff that ipchains 
>> lets it?
> I don't know exactly how it works, but snort sees everything, even if
> ipchains/iptables block the packets.
> I believe they get it at "the same time".

Excellent! That's just what I'd hoped..

If anyone else has more detailed information about "how", I'd appreciate hearing,
but this is basically what I needed to know.


- John

John Sage
FinchHaven, Vashon Island, WA, USA
mailto:jsage at ...2022...
And remember: it's spelled l-i-n-u-x, but it's pronounced "Linux"

