Snort mailing list archives

libpcap and iptables


From: "Jyri Hovila" <jyri.hovila () iki fi>
Date: Mon, 6 Aug 2001 13:53:30 +0300

Hi!

I'm running Snort 1.8 on Red Hat Linux 7.1 and on OpenBSD 2.8 boxes.
I've got Guardian watching Snort logs, so it blocks attacking hosts by
adding entries to firewall rules on-the-fly. On OpenBSD, after a host is
blocked, it does not cause any further alerts. On Linux, alerts come up
as long as the host continues its attacks, even if it has already been
blocked. I guess this means that on Linux, libpcap captures packets
*before* IP filtering, and on OpenBSD it captures them *after* the
filtering. Is there a way I could make libpcap capture packets after IP
filtering on Linux too? I don't like getting my Snort log full of alerts
about a host that is already blocked...

Thanks! =)

- Jyri
Information Security Specialist
Tel: +358-41-448 3238
E-mail: jyri.hovila () iki fi

Certifications:
http://www.brainbench.com/transcript.jsp?pid=2301241
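Editor's note on the question above: on Linux the packet socket that libpcap opens taps frames at the device level, before netfilter's INPUT chain runs, so a host that iptables already drops is still visible to Snort. Two practical answers are to hand Snort a BPF expression that excludes the blocked sources at capture time, or to post-filter the alert log against the firewall's DROP list. The script below is an added example (not code from the original post, from Snort or from Guardian) that does both: it parses a constructed `iptables -L INPUT -n` listing, drops constructed Snort "fast"-style alert lines whose source is already blocked, and builds the equivalent libpcap filter. The sample addresses, alert text and the helper names are all hypothetical.

```python
import ipaddress
import re

# Constructed sample alert lines in the shape of Snort's "fast" alert output.
# These are invented for the example, not taken from the original post.
SAMPLE_ALERTS = [
    "08/06-13:40:01.000001  [**] [1:1000:1] WEB-MISC probe [**] {TCP} 192.0.2.10:4321 -> 198.51.100.5:80",
    "08/06-13:40:02.000002  [**] [1:1001:1] SCAN probe [**] {TCP} 203.0.113.7:1234 -> 198.51.100.5:22",
    "08/06-13:40:03.000003  [**] [1:1000:1] WEB-MISC probe [**] {TCP} 192.0.2.10:4322 -> 198.51.100.5:80",
]

# Constructed sample of `iptables -L INPUT -n` output; the DROP rows stand in
# for the entries a tool like Guardian would have added (hypothetical ranges).
SAMPLE_IPTABLES = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  192.0.2.10           0.0.0.0/0
DROP       all  --  10.9.0.0/16          0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
"""

# Pull the source IP out of "{PROTO} src:port -> dst:port".
ALERT_RE = re.compile(r"\{\w+\}\s+(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?\s+->")


def blocked_networks(iptables_output):
    """Return the source networks of every DROP rule in an `iptables -L -n` listing."""
    nets = []
    for line in iptables_output.splitlines():
        fields = line.split()
        # Columns: target prot opt source destination
        if len(fields) >= 4 and fields[0] == "DROP":
            nets.append(ipaddress.ip_network(fields[3], strict=False))
    return nets


def alert_source(line):
    """Source address of a fast-format alert line, or None if it does not parse."""
    m = ALERT_RE.search(line)
    return ipaddress.ip_address(m.group(1)) if m else None


def is_blocked(addr, nets):
    return any(addr in n for n in nets)


def filter_alerts(alerts, nets):
    """Split alert lines into (kept, dropped); dropped ones come from blocked sources."""
    kept, dropped = [], []
    for line in alerts:
        src = alert_source(line)
        if src is not None and is_blocked(src, nets):
            dropped.append(line)
        else:
            kept.append(line)
    return kept, dropped


def bpf_exclude(nets):
    """Build a libpcap filter that makes Snort ignore the blocked sources at
    capture time. Snort reads its BPF expression once at startup, so this only
    helps for hosts blocked before Snort was (re)started."""
    if not nets:
        return ""
    terms = []
    for n in nets:
        if n.prefixlen == 32:
            terms.append(f"src host {n.network_address}")
        else:
            terms.append(f"src net {n.network_address} mask {n.netmask}")
    return "not (" + " or ".join(terms) + ")"


if __name__ == "__main__":
    nets = blocked_networks(SAMPLE_IPTABLES)
    kept, dropped = filter_alerts(SAMPLE_ALERTS, nets)
    print("BPF filter:", bpf_exclude(nets))
    print(f"kept {len(kept)} alert(s), suppressed {len(dropped)} from blocked hosts")
    for line in kept:
        print(line)
```

Because the BPF expression is fixed for the life of the Snort process, the post-filtering path (`filter_alerts`) is the one that keeps up with rules Guardian adds on the fly; the BPF path is useful if Snort is restarted periodically with the current block list. Neither changes where libpcap taps the packets on Linux; they only keep already-blocked hosts out of the alert log.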
 


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
