[Snort-users] AW: (Snort-users) Snort on Checkpoint Firewall-1

sandro.poppi at ...3316... sandro.poppi at ...3316...
Sun Oct 21 22:29:02 EDT 2001


I suppose Checkpoint uses a highly customized kernel (well, it does for the Nokia
appliance, so this is just a guess), therefore stateful inspection takes place
before any other tool could capture packets, resulting in that behaviour. As
stated before, just a guess.

I would suggest using a snort box of its own in front of the firewall because
a) you don't get probs with the firewall when snort for any reason has probs
b) of performance issues
c) I believe running as few services as possible is the right choice for a
firewall

So long,
Sandro
>
> possible to examine checkpoint binaries? :)
> On Fri, Oct 19, 2001 at 04:54:55PM -0400, Dresen, Scott wrote:
> > I'm running Snort v1.8.1 on the same Linux box that I'm running a
> > Checkpoint Firewall-1 firewall.  However, my snort logs are not showing
> > any activity.  When I ran Snort with IPTables, I saw plenty of activity.
> > I'm wondering if anyone knows whether or not Checkpoint runs at a higher
> > priority on Linux and therefore blocks packets before Snort has a chance
> > to analyze them?
> >
> > TIA,
> > Scott
>
> --
> http://www.notlsd.net
> PGP fingerprint = 56DD 1511 DDDA 56D7 99C7  B288 5CE5 A713 0969 A4D1
>




