Snort mailing list archives
libpcap and iptables
From: "Jyri Hovila" <jyri.hovila () iki fi>
Date: Mon, 6 Aug 2001 13:53:30 +0300
Hi!

I'm running Snort 1.8 on Red Hat Linux 7.1 and on OpenBSD 2.8 boxes. I've got Guardian watching Snort logs, so it blocks attacking hosts by adding entries to firewall rules on-the-fly.

On OpenBSD, after a host is blocked, it does not cause any further alerts. On Linux, alerts come up as long as the host is continuing attacks, even if it has already been blocked.

I guess this means that on Linux, libpcap captures packets *before* IP filtering, and on OpenBSD it captures them *after* the filtering.

Is there a way I could make libpcap capture packets after IP filtering on Linux too? I don't like getting my Snort log full of alerts of a host that is already blocked...

Thanks! =)

- Jyri

Information Security Specialist
Tel: +358-41-448 3238
E-mail: jyri.hovila () iki fi
Certifications: http://www.brainbench.com/transcript.jsp?pid=2301241

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
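The post asks about alerts that keep arriving for hosts the firewall has already blocked. The script below is an added example, not from the post, from Guardian or from the Snort project: instead of moving the capture point, it post-processes alerts and sets aside the ones whose source address already matches a DROP or REJECT rule, so a log reviewer sees only traffic that actually reached the host. The alert lines, the `iptables -L INPUT -n` listing and the address ranges are all constructed sample data; the rule and alert layouts it parses are assumptions about the Snort "fast" alert format and the iptables listing format of that era.

```python
import ipaddress
import re

# Constructed sample of `iptables -L INPUT -n` output (not from the original post).
IPTABLES_OUTPUT = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  10.1.2.3             0.0.0.0/0
DROP       all  --  172.16.5.0/24        0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
"""

# Constructed Snort "fast"-style alert lines (not from the original post).
ALERTS = [
    "08/06-13:53:30.123456 [**] [1:1256:2] WEB-IIS CodeRed v2 root.exe access [**] "
    "[Priority: 1] {TCP} 10.1.2.3:2345 -> 192.168.0.10:80",
    "08/06-13:53:31.000001 [**] [1:469:1] ICMP PING NMAP [**] "
    "[Priority: 2] {ICMP} 10.9.9.9 -> 192.168.0.10",
    "08/06-13:53:32.500000 [**] [1:1256:2] WEB-IIS CodeRed v2 root.exe access [**] "
    "[Priority: 1] {TCP} 172.16.5.77:4001 -> 192.168.0.10:80",
    "08/06-13:53:33.750000 [**] [1:1256:2] WEB-IIS CodeRed v2 root.exe access [**] "
    "[Priority: 1] {TCP} 192.0.2.44:51000 -> 192.168.0.10:80",
]

# A blocking rule: target, protocol, options, source, destination.
# Only DROP/REJECT targets count; ACCEPT rules are ignored.
RULE_RE = re.compile(r"^(DROP|REJECT)\s+\S+\s+\S+\s+(\S+)\s+\S+")

# Source address of an alert: "{PROTO} src[:port] -> dst[:port]".
# The port is optional so ICMP alerts (no port) are handled too.
SRC_RE = re.compile(r"\{\w+\}\s+([0-9.]+)(?::\d+)?\s+->")


def blocked_networks(iptables_listing):
    """Return the source networks covered by DROP/REJECT rules in a listing."""
    nets = []
    for line in iptables_listing.splitlines():
        m = RULE_RE.match(line)
        if m:
            # strict=False accepts host addresses (10.1.2.3 -> 10.1.2.3/32) and
            # networks written with host bits set.
            nets.append(ipaddress.ip_network(m.group(2), strict=False))
    return nets


def alert_source(alert_line):
    """Extract the source IP of an alert line, or None if it cannot be parsed."""
    m = SRC_RE.search(alert_line)
    return ipaddress.ip_address(m.group(1)) if m else None


def is_blocked(addr, nets):
    """True if addr falls inside any blocked network."""
    return any(addr in n for n in nets)


def suppress_blocked(alerts, iptables_listing):
    """Split alerts into (kept, already_blocked) using the firewall listing.

    Alerts whose source cannot be parsed are kept, so nothing is silently lost.
    """
    nets = blocked_networks(iptables_listing)
    kept, already_blocked = [], []
    for alert in alerts:
        src = alert_source(alert)
        if src is not None and is_blocked(src, nets):
            already_blocked.append(alert)
        else:
            kept.append(alert)
    return kept, already_blocked


if __name__ == "__main__":
    kept, blocked = suppress_blocked(ALERTS, IPTABLES_OUTPUT)
    print("alerts from hosts not yet blocked:")
    for line in kept:
        print("  ", line)
    print("alerts from hosts the firewall already drops:")
    for line in blocked:
        print("  ", line)
```

The split keeps the suppressed alerts rather than discarding them: a host that keeps hammering a firewall after being blocked is still worth a count in a summary, it just does not need to be interleaved with alerts about traffic that got through. In a live setup the listing would come from running `iptables -L INPUT -n` rather than the embedded string.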