[Snort-users] snort + iptables

Senthil Prabu.S prabu333 at ...8908...
Fri Nov 26 01:21:18 EST 2004


> Hi
> I was wondering :
> If I put snort on the same machine iptables is running both will catch the
> same packets or frames?
> I think this is a waste of resources, isn't it?
> I know snort_inline accepts only packets from iptables, so that's OK!
> But what about snort? It is still using libpcap to catch the traffic,

Snort operates using libpcap. It analyzes everything the network adapter
driver sees before the network stack munges it. Linux IPTables does not
prevent Snort from seeing a packet that is present on the network wire.
Even if an inbound packet is denied by the packet filter, i.e. by IPTables,
Snort will still see and analyze the packet if it is listening to that
interface. Snort/pcap sees whatever comes out of or goes into the network
adapter.

The above holds good only for inbound traffic.


> How can I make it listen only to the traffic iptables filter?
Also, Snort cannot look at the outgoing packets that are being denied by
filters, since they will never reach the network adapter.

Hope this helps....


--
Senthil Prabu.S


Logic is a systematic method of coming to the wrong conclusion with 
confidence.