[Snort-users] newbie info needed

Matt Kettler mkettler at ...4108...
Fri Sep 27 16:41:03 EDT 2002


Snort uses libpcap. Libpcap sees the packets at the Ethernet layer, not at 
the IP layer. Behaviors of iptables, and other "IP layer and higher" parts 
of the kernel, should not affect snort in any way, shape or form. For the 
same reasons, the kernel's IP layer defragmentation is also not going to 
affect snort. It will see the fragmented packets as they originally arrived 
(although snort does have its own defragmentation support). Heck, 
technically speaking you could probably get snort to run on a machine that 
didn't even have any IP support at all (i.e. disable the entire IP stack and 
not compile it in at all).

As far as which will get the packet "first".. both will get it more-or-less 
at the same time. It's likely the stack will actually get it "first" in 
terms of time, due to it being in-kernel, but snort will see the same 
packet, unmodified by the IP stack.

I don't run snort on a 2.4 box, but I have run it on a 2.2 box with 
ipchains blocking a large variety of stuff.. snort still sees it. I also 
run snort on an OpenBSD box with their packet filtering set to deny *all* 
packets on the interface snort sees. Works fine.

In general, if tcpdump can see it, snort will see it.. running tcpdump is a 
quick way of testing for sure.

At 03:09 PM 9/27/2002 -0500, /dev/null wrote:
>RE: [Snort-users] Having trouble using -b switch
>
>Which will get a packet first?  Will snort or my iptables?  Any good URLs
>you can recommend to
>help clear up what the kernel does with network traffic when it comes
>in?
>
>If I re-comp the kernel with the CONFIG_IP_ALWAYS_DEFRAG turned on, will
>snort see the fragmented packets before the kernel defragments them, or
>will it only see the defragged packet?
>
>Any URLs for further reading (besides the snort user manual)?
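As an added illustration of the point made above (example code, not from the post or from the Snort project): a libpcap-level sniffer hands the IDS the raw Ethernet frames, so IP fragments arrive one by one exactly as the sender emitted them, and the IDS has to reassemble them itself. The script below builds constructed Ethernet/IPv4 frames with struct, fragments a datagram the way a sender would, parses each frame back at the link layer (verifying the IP header checksum), and performs the kind of userspace reassembly a frag preprocessor must do. All addresses, MACs and payloads are made up for the example; the contiguity check is deliberately strict, and overlapping fragments (the classic IDS evasion) are rejected as ambiguous rather than resolved with a target-based policy.

```python
"""Link-layer view of IP fragments, as a libpcap-based sniffer sees them.
Constructed example; not code from Snort or from the mailing-list post."""
import struct

ETHERTYPE_IPV4 = 0x0800
MF_FLAG = 0x2000          # "More Fragments" bit in the flags/offset field
OFFSET_MASK = 0x1FFF      # fragment offset, in 8-byte units


def ip_checksum(hdr: bytes) -> int:
    """RFC 791 ones-complement checksum; returns 0 when hdr includes a valid checksum."""
    if len(hdr) % 2:
        hdr += b"\x00"
    s = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def build_frame(src, dst, ident, proto, payload, offset_units, more_fragments):
    """One Ethernet + IPv4 frame (no options). MACs are constructed placeholders."""
    flags_frag = (MF_FLAG if more_fragments else 0) | (offset_units & OFFSET_MASK)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, flags_frag,
                      64, proto, 0,
                      bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") \
        + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + hdr + payload


def fragment(src, dst, ident, proto, payload, mtu=1500):
    """Split a datagram like a sending host: every non-final fragment carries a
    multiple of 8 data bytes, and only the last one has MF clear."""
    max_data = ((mtu - 20) // 8) * 8
    frames = []
    for off in range(0, len(payload), max_data):
        chunk = payload[off:off + max_data]
        more = off + len(chunk) < len(payload)
        frames.append(build_frame(src, dst, ident, proto, chunk, off // 8, more))
    return frames


def parse_frame(frame):
    """Decode what libpcap delivers: the frame as it hit the wire, IP header intact."""
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip_checksum(ip[:ihl]) != 0:
        raise ValueError("bad IP header checksum")
    total_len, ident, flags_frag, _ttl, proto = struct.unpack("!HHHBB", ip[2:10])
    return {
        "src": ".".join(map(str, ip[12:16])),
        "dst": ".".join(map(str, ip[16:20])),
        "id": ident, "proto": proto,
        "mf": bool(flags_frag & MF_FLAG),
        "offset": (flags_frag & OFFSET_MASK) * 8,
        "payload": ip[ihl:total_len],
    }


def is_fragment(pkt):
    """A packet is part of a fragmented datagram if MF is set or the offset is non-zero."""
    return pkt["mf"] or pkt["offset"] != 0


def reassemble(frames):
    """Userspace reassembly keyed on (src, dst, id, proto), as an IDS must do it.
    Only complete, gap-free, non-overlapping datagrams are returned; anything
    else stays pending (a real preprocessor also times these out and applies a
    target-host overlap policy, which this example does not)."""
    groups = {}
    for frame in frames:
        pkt = parse_frame(frame)
        if pkt is not None:
            key = (pkt["src"], pkt["dst"], pkt["id"], pkt["proto"])
            groups.setdefault(key, []).append(pkt)
    complete = {}
    for key, parts in groups.items():
        parts.sort(key=lambda p: p["offset"])
        if parts[-1]["mf"]:
            continue                      # final fragment not seen yet
        expected, buf = 0, bytearray()
        for p in parts:
            if p["offset"] != expected:   # gap or overlap: do not guess
                break
            buf += p["payload"]
            expected += len(p["payload"])
        else:
            complete[key] = bytes(buf)
    return complete


if __name__ == "__main__":
    data = b"A" * 3000                                  # constructed payload
    frames = fragment("10.0.0.1", "10.0.0.2", 0x1234, 17, data)
    for f in frames:
        p = parse_frame(f)
        print("offset=%4d len=%4d mf=%s" % (p["offset"], len(p["payload"]), p["mf"]))
    print("reassembled OK:", reassemble(frames)[("10.0.0.1", "10.0.0.2", 0x1234, 17)] == data)
```

The same decoding applies to frames read from a real capture (e.g. via pcap), which is the practical version of the "if tcpdump can see it, snort will see it" check: what the tool decodes is the wire frame, not whatever the kernel's IP layer later reassembles or drops.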
