[Snort-users] Quick Question

Erick Mechler emechler at ...7719...
Wed Apr 9 11:58:05 EDT 2003


:: I want to IDS sense traffic on the unprotected side of my firewall.
:: If I block traffic to the IP address the SNORT machine is configured as,
:: that should not prevent it from "sniffing" the traffic on the network
:: segment should it?

Snort uses libpcap to capture traffic, so it sits lower on the network 
stack than firewalls.  As such, libpcap will see all traffic before it's 
either allowed or denied by your firewall.

And I'm not picking on you personally, Jim, but FYI this question and
answer can be found in the list archives or on Google with a simple search.  
Be sure to check the available resources before posting to the list!

Cheers - Erick