[Snort-users] Preventing Attacks
jsage at ...2022...
Fri Jun 28 05:32:05 EDT 2002
On Thu, Jun 27, 2002 at 09:57:20AM -0500, Jeff Taylor wrote:
> To clarify, I want to put Snort listening after the IPtables (linux
> 2.4.16) REJECT and DENY rules block from the external net. To repeat,
> this is all on one host, adding extra NICs, hosts, hardware, etc. is
> not part of the answer I am looking for.
> I am looking at Snort as a more sophisticated replacement for
> Portsentry. It does not tell me about attacks that are stopped by
> IPtables, only about ones that get thru. It is mildly interesting to
> see what attacks are being thrown at my box. What I want to know is
> what attacks are penetrating the IPtables packet filter.
Although my experience is still back on ipchains, the answer in that
case is that -- when snort and ipchains are on the same box -- snort
sees everything that ipchains sees.
Not what's left over, but *everything*.
I have not heard anything to the contrary about iptables, again, when
snort and iptables *are on the same box*
(I emphasize that because invariably this sort of discussion gets
garbled by people who are running snort on a *different box* than the
ipchains/iptables box. Then snort only sees what ip[chains|tables] has
"You are in a little maze of twisty passages, all different."
PGP key http://www.finchhaven.com/pages/gpg_pubkey.html
Fingerprint FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5