[Snort-users] Preventing Attacks

John Sage jsage at ...2022...
Fri Jun 28 05:32:05 EDT 2002


Jeff:

On Thu, Jun 27, 2002 at 09:57:20AM -0500, Jeff Taylor wrote:
> To clarify, I want to put Snort listening after the IPtables (linux
> 2.4.16) REJECT and DENY rules block from the external net.  To repeat,
> this is all on one host, adding extra NICs, hosts, hardware, etc. is
> not part of the answer I am looking for.
> 
> I am looking at Snort as a more sophisticated replacement for
> Portsentry.  It does not tell me about attacks that are stopped by
> IPtables, only about ones that get thru.  It is mildly interesting to
> see what attacks are being thrown at my box.  What I want to know is
> what attacks are penetrating the IPtables packet filter.

Although my experience is still back on ipchains, the answer in that
case is that -- when snort and ipchains are on the same box -- snort
sees everything that ipchains sees.

Not what's left over, but *everything*..

I have not heard anything to the contrary about iptables, again, when
snort and iptables *are on the same box*.

(I emphasize that because invariably this sort of discussion gets
garbled by people who are running snort on a *different box* than the
ipchains/iptables box. Then snort only sees what ip[chains|tables] has
passed..)


- John
-- 
"You are in a little maze of twisty passages, all different."

PGP key      http://www.finchhaven.com/pages/gpg_pubkey.html
Fingerprint  FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5 
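
Added example, not part of the original message: if, as the reply says, Snort on the same host also alerts on packets the filter drops, one way to find the alerts that actually got through is to match Snort alerts against iptables LOG entries by protocol, address and port. The `FW-DROP: ` log prefix (a LOG rule assumed to sit just before the REJECT/DROP rules), the abbreviated sample lines, the local-rule SIDs and the function names are all constructed for illustration.

```python
import re

# Constructed sample data, not from the original thread. Assumes a hypothetical
# iptables LOG rule with prefix "FW-DROP: " placed just before the REJECT/DROP rules.
KERNEL_LOG = """\
Jun 28 05:30:01 gw kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=404 TTL=52 PROTO=UDP SPT=4021 DPT=1434 LEN=384
Jun 28 05:30:09 gw kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TTL=52 PROTO=TCP SPT=40112 DPT=111 SYN URGP=0
"""
# Snort "fast" alert lines with constructed local-rule SIDs and messages.
SNORT_ALERTS = """\
06/28-05:30:01.104233 [**] [1:1000001:1] constructed UDP 1434 probe [**] [Priority: 2] {UDP} 198.51.100.7:4021 -> 192.0.2.10:1434
06/28-05:31:12.553101 [**] [1:1000002:1] constructed HTTP request rule [**] [Priority: 1] {TCP} 203.0.113.9:3310 -> 192.0.2.10:80
"""

FIELD = re.compile(r"\b(SRC|DST|PROTO|SPT|DPT)=(\S+)")
ALERT = re.compile(r"\[\*\*\] \[(?P<sid>[\d:]+)\] (?P<msg>.*?) \[\*\*\].*"
                   r"\{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)")

def dropped_flows(kernel_log, prefix="FW-DROP: "):
    """Return the (proto, src, sport, dst, dport) tuples the firewall logged as dropped."""
    flows = set()
    for line in kernel_log.splitlines():
        if prefix not in line:
            continue
        f = dict(FIELD.findall(line))
        if {"SRC", "DST", "PROTO", "SPT", "DPT"} <= f.keys():
            flows.add((f["PROTO"], f["SRC"], f["SPT"], f["DST"], f["DPT"]))
    return flows

def classify_alerts(alerts, kernel_log):
    """Split Snort alerts into those the firewall dropped and those it let through."""
    dropped = dropped_flows(kernel_log)
    result = {"blocked": [], "passed": []}
    for line in alerts.splitlines():
        m = ALERT.search(line)
        if not m:
            continue  # alerts without ports (e.g. ICMP) are not handled in this sketch
        key = (m["proto"], m["src"], m["sport"], m["dst"], m["dport"])
        result["blocked" if key in dropped else "passed"].append((m["sid"], m["msg"]))
    return result

if __name__ == "__main__":
    for verdict, hits in classify_alerts(SNORT_ALERTS, KERNEL_LOG).items():
        for sid, msg in hits:
            print(f"{verdict:8} {sid:12} {msg}")
```

Matching on the 5-tuple alone ignores time, so a source port reused later could be misclassified; comparing timestamps as well would tighten it.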



