[Snort-users] iptables vs snort vs portsentry order

Sonia Hamilton sonia at ...8932...
Sun Apr 20 21:02:07 EDT 2003


In what order would packets traverse iptables, snort, & portsentry?

I've printed and read both the FAQ & 'Snort Overview'; searching the archives
I've found:

> http://marc.theaimsgroup.com/?l=snort-users&m=104033416708534&w=2
> Jacob Redding
> Since iptables works with the kernel, and they are dropped by the
> kernel, iptables is first. All packets that make it past iptables are then
> passed to applications (I'm not talking layers, just an analogy), in this
> case snort.
> 
> http://marc.theaimsgroup.com/?l=snort-users&m=100164539612753&w=2
> JSeddon
>      This seems to contradict the conclusion I got from the list archives.
> It seems that iptables is processing traffic before snort gets a chance to
> see it.  Snort is putting the NIC in promiscuous mode.  But it doesn't see
> traffic iptables is configured to block unless I flush the IPtables rules.
> Is something misconfigured with snort for me?  Did I draw the wrong
> conclusion from the list?

So from these it would seem that iptables sees the packets before snort; how
would portsentry fit in here?

--
Sonia                     |   GNU/Linux - free as in 'free speech',
                          |   not 'free beer'.
