[Snort-users] snort + iptables
prabu333 at ...8908...
Fri Nov 26 01:21:18 EST 2004
> I was wondering:
> If I put snort on the same machine iptables is running both will catch the
> same packets or frames?
> I think this is a waste of resources, isn't it?
> I know snort_inline accepts only packets from iptables, so that's OK!
> But what about snort? It is still using libpcap to catch the traffic,
Snort operates using libpcap. It analyzes everything the network
driver sees before the network stack munges it. Linux IPTables does not
prevent Snort from seeing a packet that is present on the network wire.
Even if a packet is denied by the packet filter, i.e. by IPTables, Snort
will still see the packet if it is listening to that interface. Snort/pcap
sees whatever comes out of or goes into the network adapter.
The above holds good only for inbound traffic.
> how can I make it listen only to the traffic iptables filter?
Also, Snort cannot look at the outgoing packets that are being
denied by filters, since they will never reach the network adapter.
Hope this helps....
Logic is a systematic method of coming to the wrong conclusion with