[Snort-users] UDP packet supposedly DROPped, but seen by snort anyway
jpljpl at ...348...
Thu Oct 24 08:24:01 EDT 2002
I have the following rule in my Linux iptables configuration:

iptables -A block -m state --state NEW -p udp --dport 161 -j DROP

Basically, I want to ignore any traffic to UDP port 161. This rule
seems to work okay, i.e. it fires when a packet is sent to the said
port and the packet is never received by the process listening on

However, when I run snort in sniffer mode, I can see the packet
coming. It also triggers an alert (false positive in this case)
according to configured snort rules.

My question is, why can this UDP packet, supposedly already dropped
by the firewall, be sniffed at? This is not the case for any TCP
packets that have been DROPped.

Best regards -