[Snort-users] UDP packet supposedly DROPped, but seen by snort anyway

Jan Ploski jpljpl at ...348...
Thu Oct 24 08:24:01 EDT 2002


I have the following rule in my Linux iptables configuration:

iptables -A block -m state --state NEW -p udp --dport 161 -j DROP

Basically, I want to ignore any traffic to UDP port 161. This rule
seems to work okay, i.e. it fires when a packet is sent to the said
port and the packet is never received by the process listening on
that port.

However, when I run snort in sniffer mode, I can see the packet
coming. It also triggers an alert (false positive in this case)
according to configured snort rules.

My question is, why can this UDP packet, supposedly already dropped
by the firewall, be sniffed at? This is not the case for any TCP
packets that have been DROPped.

Best regards -
Jan Ploski

More information about the Snort-users mailing list