Snort mailing list archives

Re: Re: Snort Behind IPtables, contradicting evidence...


From: JSeddon () semtech com
Date: Thu, 27 Sep 2001 21:33:21 -0700


Oinkers Bob and John,

     Thanks!  That makes perfect sense and I should've known that!  To sum
up for the archives... When you have snort sitting behind iptables, snort
sees every packet coming in (same as iptables).  However, since iptables
denies connections before the 3-way handshake is complete, you probably
won't see nearly as many alerts.  The packets with the exploit data that
snort is going to alert on come AFTER the connection is established (3-way
handshake done).  So with iptables denying connections, the data to trigger
alerts doesn't show up at the box at all.

     Thanks again for your help!  I can sleep better in my pen tonight....

Piglet James
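
As an added illustration of the point summed up above (example code, not from the original thread or from Snort), this small Python simulation places a sensor beside an iptables-style INPUT filter: the sensor records the inbound SYN either way, but its content rule only fires on a payload from an established flow, and that payload never arrives when the filter drops the SYN. The addresses, ports and the content token are constructed placeholders.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: str          # TCP flags as letters: "S", "SA", "A", "PA"
    payload: bytes = b""


# Constructed placeholder for a rule's content match; not a real signature.
CONTENT_TOKEN = b"EXAMPLE-TOKEN"


def run_scenario(allowed_ports, client_payload):
    """Client 203.0.113.9 connects to 192.0.2.10:80 (constructed addresses).
    The box runs an iptables-style INPUT filter that accepts new inbound SYNs
    only for `allowed_ports`, and a sensor that sees every packet on the wire.
    Returns (packets the sensor saw, alerts from an established-flow rule)."""
    client, server, sport, dport = "203.0.113.9", "192.0.2.10", 40000, 80
    seen, alerts, flows = [], [], {}   # flows: 4-tuple -> "syn"|"synack"|"est"

    def sensor(pkt):
        seen.append(pkt)
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if pkt.flags == "S":
            flows[fwd] = "syn"
        elif pkt.flags == "SA" and flows.get(rev) == "syn":
            flows[rev] = "synack"
        elif pkt.flags == "A" and flows.get(fwd) == "synack":
            flows[fwd] = "est"
        elif flows.get(fwd) == "est" and CONTENT_TOKEN in pkt.payload:
            alerts.append(fwd)          # like flow:established + content

    # 1. Client SYN reaches the interface: the sensor sees it either way.
    syn = Packet(client, server, sport, dport, "S")
    sensor(syn)
    if syn.dport not in allowed_ports:
        return seen, alerts             # dropped: no SYN-ACK, so no data arrives
    # 2-4. Handshake completes and the client sends its request.
    for pkt in (Packet(server, client, dport, sport, "SA"),
                Packet(client, server, sport, dport, "A"),
                Packet(client, server, sport, dport, "PA", client_payload)):
        sensor(pkt)
    return seen, alerts
```

Run it once with port 80 allowed and once with it filtered: the first case yields four packets and one alert, the second a single SYN and no alert.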


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

