[Snort-users] Snort + ipchains

John Sage jsage at ...2022...
Fri Nov 30 19:12:02 EST 2001


Guillaume:

It's interesting to note that the HOW-TO doesn't even mention -o except 
in a cross-reference to ipfwadm commands.

man ipchains says "Copy matching packets to the user space device..."

I've never used it; hardly knew it existed.

What exactly are you hoping to accomplish?

As a side note: snort sees packets that ipchains DENYs or REJECTs, so 
I don't see why you don't just run ipchains *and* snort and be done with it.

That's what I do; it works great (and is Less Filling(tm)...)

- John

Guillaume wrote:

> Hi.
> 
> Does anybody use the -o option of ipchains to capture REJECTed or DENYed 
> packets and send them to snort for logging or analysis? How does it work? 
> (Please send a more detailed answer than just "fine"! :-))
> 
> I would like to enhance my ipchains filter by adding this facility to it: all 
> REJECTed or DENYed packets are logged "à la tcpdump" and post-analyzed by running 
> snort.
> 
> Thanks.
> 
> Guillaume
> 






