Re: Where does Snort sit...

[John Sage <jsage () finchhaven com>]

Andreas:

Andreas Hasenack wrote:

> Em Sun, May 13, 2001 at 01:00:33AM -0700, John Sage escreveu:
>
> > ...as it were, in relation to ppp0 and ipchains?
> >
> > As I understand it, now I've got:
> >                 _______________________________________
> >                |              firewall box             |
> >
> > Internet <---> ppp0 <-> ipchains <-> portsentry <-> eth0 <---> LAN
> >
> > Does Snort sit between ppp0 and ipchains (which is what I hope..) or is 
> > it after ipchains and thus is going to see only the stuff that ipchains 
> > lets it?
>
> I don't know exactly how it works, but snort sees everything, even if
> ipchains/iptables block the packets.
>
> I believe they get it at "the same time".

Excellent! That's just what I'd hoped..

If anyone else has more detailed information about "how", I'd appreciate hearing,
but this is basically what I needed to know.

Thnx..

- John

--
John Sage
FinchHaven, Vashon Island, WA, USA
http://www.finchhaven.com/
mailto:jsage () finchhaven com
And remember: it's spelled l-i-n-u-x, but it's pronounced "Linux"


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users