IDS mailing list archives
Re: Snort & iptables on the same box
From: Joachim Schipper <j.schipper () math uu nl>
Date: Mon, 13 Jun 2005 10:01:47 +0200
On Fri, Jun 10, 2005 at 05:04:28PM -0400, Jean-Pierre Denis wrote:
Hi, when running Snort and iptables on the same box, which of the 2 acts first? Does it go through Snort and then the iptables rule allows or denies the connection, or is it the other way around?

Merci, JP
Hi JP,

Neither 'acts first' in a standard configuration; if you use Snort in (standard) IDS mode, it sees the packets at the same time as Netfilter (the kernel part of IPTables) and acts independently. If you use Snort_inline (IPS mode), the packets enter Netfilter, which may choose to pass them to Snort_inline via the QUEUE target at some point.

This is all in the snort documentation, BTW.

Joachim
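The IPS-mode flow described in the reply above, as an added example that is not part of the thread: Netfilter handles the packet first and only hands it to Snort_inline through the QUEUE target where a rule says so. Interface names, the chain layout and the snort_inline config path are assumptions for illustration; pass `echo` as the third argument to preview the rules without touching the firewall.

```shell
#!/bin/sh
# Added example: Netfilter rules that hand forwarded traffic to Snort_inline.
# Interface names and the config path below are assumptions, not thread content.

# Emit (when $3 is "echo") or apply (when $3 is empty) the FORWARD-chain rules.
# $1 = inside interface, $2 = outside interface, $3 = command prefix.
queue_rules() {
    in_if=$1; out_if=$2; run=$3
    # Rule order decides what the IPS gets to see: any ACCEPT placed above
    # the QUEUE rule bypasses Snort_inline entirely, so queue first and let
    # Snort_inline return the per-packet verdict (ACCEPT or DROP).
    $run iptables -A FORWARD -i "$in_if" -o "$out_if" -j QUEUE
    $run iptables -A FORWARD -i "$out_if" -o "$in_if" -j QUEUE
    # QUEUE drops packets when no userspace program is listening, so the
    # box fails closed rather than open if snort_inline is not running.
    $run iptables -P FORWARD DROP
}

# Sanity check for the rule set: how many rules send packets to QUEUE.
count_queue_rules() {
    queue_rules "$1" "$2" echo | grep -c -- '-j QUEUE'
}

# Typical order of operations on the sensor (assumed config path):
#   queue_rules eth0 eth1 ""
#   snort_inline -Q -c /etc/snort_inline/snort_inline.conf
```

Snort in plain IDS mode needs none of this: it reads from the interface via libpcap and never appears in the Netfilter rule set.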