Snort mailing list archives

Re: Iptables Prerouting chain


From: Erek Adams <erek () theadamsfamily net>
Date: Wed, 14 Nov 2001 23:12:55 -0800 (PST)

On Wed, 14 Nov 2001, Madhav Diwan wrote:

> Does Snort work on packets before or after the prerouting chain in
> IPtables?
>
> In other words, what address should I use: the SNAT, the DNAT or the Masq
> for the HOME IP scheme so that I don't cause myself mischief in the form
> of huge alert logs?

Snort works at the same level as libpcap.  Since I've not worked with
IPTables, I don't know where that actually 'sits' in respect.  (Anyone?)

Check the Snort FAQ out.  Especially #4.3

http://www.snort.org/docs/faq.html#4.3

> What about postrouting: will it have any effect on the IDS at all if I
> sniff on the local LAN interface as well as on the outside interface at
> the same time?

Well...  RTFF (Read The Friendly FAQ)  ;-)

http://www.snort.org/docs/faq.html#2.3

Consider what you want to watch.  That will let you know where you want to
place the sensor, or want to monitor.  If you place it "inside" your net
(behind the firewall), then you are only concerned with what "gets through"
the firewall, IMHO.  Your firewall should log/alert you on what doesn't...

Cheers!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net

