[Snort-users] newbe info needed
mkettler at ...4108...
Fri Sep 27 16:41:03 EDT 2002
Snort uses libpcap. Libpcap sees the packets at the Ethernet layer not at
the IP layer. Behaviors of iptables, and other "IP layer and higher" parts
of the kernel should not affect snort in any way, shape or form. For the
same reasons, the kernel's IP layer defragmentation is also not going to
affect snort. It will see the fragmented packets as they originally arrived
(although snort does have its own defragmentation support). Heck,
technically speaking you could probably get snort to run on a machine that
didn't even have any IP support at all (i.e., disable the entire IP stack and
not compile it in at all).
As far as which will get the packet "first".. both will get it more-or-less
at the same time. It's likely the stack will actually get it "first" in
terms of time, due to it being in-kernel, but snort will see the same
packet, unmodified by the IP stack.
I don't run snort on a 2.4 box, but I have run it on a 2.2 box with
ipchains blocking a large variety of stuff.. snort still sees it. I also
run snort on an OpenBSD box with their packet filtering set to deny *all*
packets on the interface snort sees. Works fine.
In general, if tcpdump can see it, snort will see it.. running tcpdump is a
quick way of testing for sure.
At 03:09 PM 9/27/2002 -0500, /dev/null wrote:
>RE: [Snort-users] Having trouble using -b switch
>Which will get a packet first? Will snort or my iptables? Any good URLs
>you can recommend to
>help clear up what the kernel does with network traffic when it comes
>If I re-comp the kernel with the CONFIG_IP_ALWAYS_DEFRAG turned on, will
>snort see the fragmented packets before the kernel defragments them, or
>will it only see the defragged packet?
>Any URLs for further reading (besides the snort user manual)?
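As an added illustration (not code from this thread or from Snort itself), here is a minimal Python decoder and IP defragmenter run over constructed Ethernet frames: it shows what a libpcap-based sniffer actually receives, raw fragments in arrival order with no kernel reassembly, and why the sensor has to rebuild datagrams itself. The frame builder, addresses and payloads are constructed for the example.

```python
import struct

ETHERTYPE_IPV4 = 0x0800

def parse_frame(frame):
    """Decode Ethernet II + IPv4 header exactly as a pcap sniffer sees it, with no kernel help."""
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    vihl, _, total_len, ident, flags_frag, _, proto = struct.unpack("!BBHHHBB", ip[:10])
    return {"src": ".".join(map(str, ip[12:16])), "dst": ".".join(map(str, ip[16:20])),
            "id": ident, "proto": proto, "mf": bool(flags_frag & 0x2000),
            "offset": (flags_frag & 0x1FFF) * 8, "payload": ip[(vihl & 0x0F) * 4:total_len]}

class Reassembler:
    """Minimal IP defragmenter: the sniffer receives raw fragments and must rebuild them itself."""
    def __init__(self):
        self.pending = {}  # (src, dst, id, proto) -> {"parts": {offset: bytes}, "total": int|None}

    def feed(self, frame):
        pkt = parse_frame(frame)
        if not pkt["mf"] and pkt["offset"] == 0:
            return pkt["payload"]  # unfragmented datagram, hand it straight on
        key = (pkt["src"], pkt["dst"], pkt["id"], pkt["proto"])
        entry = self.pending.setdefault(key, {"parts": {}, "total": None})
        entry["parts"][pkt["offset"]] = pkt["payload"]
        if not pkt["mf"]:  # the last fragment fixes the datagram's total payload length
            entry["total"] = pkt["offset"] + len(pkt["payload"])
        pos = 0
        for off in sorted(entry["parts"]):  # require gap-free, non-overlapping coverage
            if off != pos:
                return None  # still a hole (or an overlap): keep waiting
            pos += len(entry["parts"][off])
        if entry["total"] is None or pos != entry["total"]:
            return None
        del self.pending[key]
        return b"".join(entry["parts"][o] for o in sorted(entry["parts"]))

def build_frame(src, dst, ident, offset, mf, payload, proto=17):
    """Constructed test input: Ethernet II (zero MACs) + 20-byte IPv4 header, checksum left 0."""
    flags_frag = (0x2000 if mf else 0) | (offset // 8)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, flags_frag, 64,
                         proto, 0, bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4) + ip_hdr + payload

def demo():
    """Constructed sample: one 20-byte datagram in three fragments that arrive out of order."""
    frags = [build_frame("10.0.0.1", "10.0.0.2", 0x1234, 16, False, b"last"),
             build_frame("10.0.0.1", "10.0.0.2", 0x1234, 0, True, b"firstfra"),
             build_frame("10.0.0.1", "10.0.0.2", 0x1234, 8, True, b"g-second")]
    r = Reassembler()
    return [r.feed(f) for f in frags]  # only the third feed completes the datagram
```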