[Snort-users] precedence question

J. Craig Woods drjung at ...2066...
Sun Sep 2 17:36:01 EDT 2001


al3x payne wrote:
> 
> a rather basic question:  say i'm running bastille firewall on my
> machine, and snort.  i have portscan packets coming in.  which "answers"
> or "sees" the packets first, snort, or the firewall?  will ports i have
> blocked via the firewall simply be ignored by snort, or what?
> 
> thanks for your thoughts, in advance...
> 
> ::al3x
> 
> ps. i'm working on updated t-shirt designs for the snortstore.  never
> fear.

Your input chain for your firewall is processed through a kernel
process, either ipchains or iptables, depending on your kernel, and this
will see all input chain values first, and will log to syslog if you
have the "l" switch included in your rules. Snort will still log and let
you know what it "saw". To think about this as a "who sees what first"
may be deceptive: the kernel sees all things first, but it is in a way
simultaneous with Snort. Glad I was able to confuse..ehr, elucidate for
you.....

drjung
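
Added example, not part of the original thread: since the input chain logs to syslog and Snort still logs what it saw, the two logs can be joined to show which Snort alerts were for packets the firewall had already denied. The log layouts, addresses and alert names below are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample data (not from the original post). The firewall lines
# assume the ipchains "Packet log:" syslog layout; the Snort lines assume the
# fast-alert layout. Addresses are documentation ranges.
FIREWALL_LOG = """\
Sep  2 17:30:01 host kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.7:40312 192.0.2.10:23 L=44 S=0x00 I=4321 F=0x0000 T=52 (#4)
Sep  2 17:30:01 host kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.7:40313 192.0.2.10:111 L=44 S=0x00 I=4322 F=0x0000 T=52 (#4)
"""
SNORT_ALERTS = """\
09/02-17:30:01.102334 [**] [1:1000001:1] constructed scan alert [**] {TCP} 203.0.113.7:40312 -> 192.0.2.10:23
09/02-17:30:01.102901 [**] [1:1000001:1] constructed scan alert [**] {TCP} 203.0.113.7:40313 -> 192.0.2.10:111
09/02-17:30:02.220117 [**] [1:1000002:1] constructed web alert [**] {TCP} 203.0.113.7:40400 -> 192.0.2.10:80
"""

PROTO_NUM = {"ICMP": 1, "TCP": 6, "UDP": 17}
FW_RE = re.compile(
    r"Packet log: input (?P<action>\w+) \S+ PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+)")
ALERT_RE = re.compile(
    r"\[\*\*\] (?:\[[\d:]+\] )?(?P<msg>.*?) \[\*\*\].*?\{(?P<proto>\w+)\} "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)")


def firewall_denied(log_text):
    """Return the set of flows the input chain logged as DENY or REJECT."""
    flows = set()
    for m in FW_RE.finditer(log_text):
        if m["action"] in ("DENY", "REJECT"):
            flows.add((int(m["proto"]), m["src"], int(m["sport"]),
                       m["dst"], int(m["dport"])))
    return flows


def classify_alerts(alert_text, denied):
    """Label each Snort alert 'blocked' (firewall denied it) or 'passed'."""
    results = []
    for m in ALERT_RE.finditer(alert_text):
        flow = (PROTO_NUM.get(m["proto"].upper(), -1), m["src"],
                int(m["sport"]), m["dst"], int(m["dport"]))
        verdict = "blocked" if flow in denied else "passed"
        results.append((m["msg"], flow[4], verdict))
    return results


if __name__ == "__main__":
    denied = firewall_denied(FIREWALL_LOG)
    for msg, dport, verdict in classify_alerts(SNORT_ALERTS, denied):
        print(f"{verdict:8} port {dport:<5} {msg}")
```

Alerts labelled "blocked" were seen by Snort even though the input chain denied the packet; those labelled "passed" reached the host and deserve attention first.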



