[Snort-users] a couple of questions
mkettler at ...4108...
Thu Dec 11 08:46:03 EST 2003
At 07:04 AM 12/11/2003, Giannakis Eleftherios wrote:
>I would like to ask a couple of things:
>first of all, I would like to know whether snort can work with TCP
>wrappers (compiled with libwrap) because I couldn't find this option in
>snort 2.0.5 compilation and secondly, how can we protect the TCP 2525 port
>on a snort center server?
>Generally if anyone can write which ports should one protect to be safe
>enough in the open space-hmm Internet I mean :)
Tcp_wrappers is a tool to control access to ports in programs that accept
connections... snort never opens sockets to accept connections in the first
place. Thus, wrappers would be irrelevant to snort. It would be completely
pointless to support libwrap in snort.. it's a sniffer.
In general snort operates by using libpcap to pick up packets. It does not
use the IP stack, it does not bind sockets, it does not "listen" in the
same manner that server daemons like webservers do.
Instead libpcap scrapes off a copy of every packet coming in from the
ethernet driver and passes them to snort. This happens in parallel with the
copy that is sent to the IP stack. Thus, this happens irrespective of local
firewall rules, stack behaviors, and anything else that is "higher level"
than the ethernet driver itself.
What's tcp/2525 for? This doesn't sound like anything snort related to me.
AFAIK that's the port used by ms-vworlds...
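
The distinction drawn in the reply above (listening sockets that wrappers or a firewall can gate, versus a sniffer's packet-capture socket) can be checked on a host. This is an added example, not part of the original message: it assumes a little-endian Linux machine, where libpcap captures through AF_PACKET sockets, and it parses constructed samples in the format of /proc/net/tcp and /proc/net/packet; the function names and sample values are made up for illustration.

```python
import socket
import struct

TCP_LISTEN = 0x0A   # "st" value for LISTEN in /proc/net/tcp

# Constructed sample (not from a real host): a listener on 0.0.0.0:2525
# and one established connection on 127.0.0.1:22.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:09DD 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11111 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0016 0100007F:C350 01 00000000:00000000 00:00000000 00000000     0        0 22222 1 0000000000000000 20 4 30 10 -1
"""

# Constructed sample: one raw AF_PACKET socket on interface index 2 with
# protocol 0003 (ETH_P_ALL), which is what a sniffer holds.
SAMPLE_PROC_NET_PACKET = """\
sk       RefCnt Type Proto  Iface R Rmem   User   Inode
ffff8880 3      3    0003   2     1 0      0      33333
"""

def listening_tcp(proc_net_tcp):
    """Return sorted (ip, port) pairs in LISTEN state: the sockets that
    accept connections and that tcp_wrappers or a firewall can gate."""
    found = []
    for line in proc_net_tcp.splitlines()[1:]:        # skip header row
        fields = line.split()
        if len(fields) < 4 or int(fields[3], 16) != TCP_LISTEN:
            continue
        ip_hex, port_hex = fields[1].split(":")
        # Address is a host-order 32-bit hex value (little-endian assumed).
        ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
        found.append((ip, int(port_hex, 16)))
    return sorted(found)

def capture_sockets(proc_net_packet):
    """Return (interface_index, protocol) for each AF_PACKET socket.
    These have no local port and never show up in the LISTEN table."""
    found = []
    for line in proc_net_packet.splitlines()[1:]:     # skip header row
        fields = line.split()
        if len(fields) >= 5:
            found.append((int(fields[4]), int(fields[3], 16)))
    return found

if __name__ == "__main__":
    print("listening:", listening_tcp(SAMPLE_PROC_NET_TCP))
    print("capture sockets:", capture_sockets(SAMPLE_PROC_NET_PACKET))
```
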