[Snort-users] Re: Snort Behind IPtables, contradicting evidence...
martijn at ...1873...
Fri Sep 28 17:10:23 EDT 2001
That was an interesting thread...
I think the FAQ should be updated with this, since this subject (that
has come up again and again) is dealt with in only one sentence and
the subject is apparently a little more complicated.
.: M. Heemels .:. webdesigner :.
.: Eindhoven, NL, martijn at ...1736... :.
.: PGP of S/MIME encrypted e-mail preferred :.
> Oinkers Bob and John,
> Thanks! That makes perfect sense and I should've known that!
> To sum up for the archives...When you have snort sitting behind
> iptables, snort sees every packet coming in (same as iptables).
> However, since iptables denies connections before the 3-way
> handshake is complete, you probably won't see nearly as many
> alerts. The packets with the exploit data that
> snort is going to alert on come AFTER the connection is established
> (3-way handshake done). So with iptables denying connections, the
> to trigger
> alerts doesn't show up at the box at all.
> Thanks again for your help! I can sleep better in my pen
> Piglet James
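The summary quoted above, as an added example that is not part of the original thread: a small Python sketch that tracks the TCP handshake per flow and shows why a payload-matching rule can fire only on connections the packet filter allowed to complete. The packet tuples, addresses, ports and the `EXAMPLE-SIGNATURE` marker are constructed for illustration, and the state tracking is simplified (no sequence numbers, RST or FIN handling).

```python
from collections import defaultdict

# Constructed capture as a sensor on the firewalled host would see it:
# (src, sport, dst, dport, tcp_flags, payload). Addresses are documentation ranges.
PACKETS = [
    # Flow A: port 80 is allowed, the handshake completes, payload follows.
    ("198.51.100.7", 40001, "192.0.2.10", 80, "S", b""),
    ("192.0.2.10", 80, "198.51.100.7", 40001, "SA", b""),
    ("198.51.100.7", 40001, "192.0.2.10", 80, "A", b""),
    ("198.51.100.7", 40001, "192.0.2.10", 80, "PA",
     b"GET /EXAMPLE-SIGNATURE HTTP/1.0\r\n\r\n"),
    # Flow B: port 21 is denied by the filter; only the SYN and its retry appear.
    ("198.51.100.7", 40002, "192.0.2.10", 21, "S", b""),
    ("198.51.100.7", 40002, "192.0.2.10", 21, "S", b""),
]

def flow_key(src, sport, dst, dport):
    """Direction-independent key so both halves of a connection share state."""
    return tuple(sorted([(src, sport), (dst, dport)]))

def classify_flows(packets):
    """Track SYN / SYN-ACK / ACK per flow and collect post-handshake payload."""
    flows = defaultdict(lambda: {"syn": False, "synack": False,
                                 "established": False, "payload": b""})
    for src, sport, dst, dport, flags, payload in packets:
        f = flows[flow_key(src, sport, dst, dport)]
        if flags == "S":
            f["syn"] = True
        elif flags == "SA" and f["syn"]:
            f["synack"] = True
        elif "A" in flags and f["synack"]:
            f["established"] = True
        if payload and f["established"]:
            f["payload"] += payload
    return dict(flows)

def content_alerts(packets, pattern):
    """Flows where a content pattern appears in an established connection."""
    return [k for k, f in classify_flows(packets).items() if pattern in f["payload"]]

def syn_only_flows(packets):
    """Flows the sensor saw a SYN for but that never got a SYN-ACK back."""
    return [k for k, f in classify_flows(packets).items()
            if f["syn"] and not f["synack"]]

if __name__ == "__main__":
    print("content alerts:", content_alerts(PACKETS, b"EXAMPLE-SIGNATURE"))
    print("SYN only (filtered):", syn_only_flows(PACKETS))
```

The denied flow is still visible to the sensor as bare SYNs, so it can be counted or logged, but it never carries payload for a content rule to match.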