[Snort-users] Re: Snort Behind IPtables, contradicting evidence...

Martijn Heemels martijn at ...1873...
Fri Sep 28 17:10:23 EDT 2001


 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

That was an interesting thread...

I think the FAQ should be updated with this, since this subject (that
has come up again and again) is dealt with in only one sentence and
the subject is apparently a little more complicated.

Greets, Martijn
- -- 
.: M. Heemels .:. webdesigner :.
.: Eindhoven, NL, martijn at ...1736... :.
.: PGP of S/MIME encrypted e-mail preferred :.

> Oinkers Bob and John,
> 
>      Thanks!  That makes perfect sense and I should've known that! 
> To sum up for the archives...When you have snort sitting behind
> iptables, snort sees every packet coming in (same as iptables). 
> However, since iptables denies connections, before the 3 way
> handshake is complete, you won't probably see nearly as many
> alerts.  The packets with the exploit  data that
> snort is going to alert on come AFTER the connection is established
> (3-way handshake done).  So with iptables denying connections, the
> data 
> to trigger
> alerts doesn't show up at the box at all.
> 
>      Thanks again for your help!  I can sleep better in my pen
> tonight....  
> 
> Piglet James
> 
> 

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>

iQA/AwUBO7URTRLMC0rbivl4EQI0IgCdGJqRxFlGV+PfHawHMlwMB3LiA1gAoPm/
4VOf3xQlvzn40HkJxdNkXwiP
=tgf0
-----END PGP SIGNATURE-----
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3206 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20010928/9a9d9e3c/attachment.bin>


More information about the Snort-users mailing list