Snort mailing list archives
RE: Iptables Prerouting chain
From: "neal " <ntimm () austin rr com>
Date: Thu, 15 Nov 2001 14:22:27 -0600
Snort will pick up stuff if you have it in the prerouting chain, as I use iptables and had vnc running behind the firewall and snort would log all my vnc connections.

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Erek Adams
Sent: Thursday, November 15, 2001 1:13 AM
To: Madhav Diwan
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Iptables Prerouting chain

On Wed, 14 Nov 2001, Madhav Diwan wrote:
Does Snort work on packets before or after the prerouting chain in iptables? In other words, what address should I use: the SNAT, the DNAT or the Masq, for the HOME IP scheme, so that I don't cause myself mischief in the form of huge alert logs?
Snort works at the same level as libpcap. Since I've not worked with IPTables, I don't know where that actually 'sits' in respect. (Anyone?) Check the Snort FAQ out. Especially #4.3 http://www.snort.org/docs/faq.html#4.3
What about postrouting: will it have any effect on the IDS at all if I sniff on the local LAN interface as well as on the outside interface at the same time?
Well... RTFF (Read The Friendly FAQ) ;-) http://www.snort.org/docs/faq.html#2.3

Consider what you want to watch. That will let you know where you want to place the sensor, or want to monitor. If you place it "inside" your net (behind the firewall), then you are only concerned with what "gets through" the firewall, IMHO. Your firewall should log/alert you on what doesn't...

Cheers!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Iptables Prerouting chain Madhav Diwan (Nov 14)
- Re: Iptables Prerouting chain Erek Adams (Nov 14)
- RE: Iptables Prerouting chain neal (Nov 15)
- Re: Iptables Prerouting chain Erek Adams (Nov 14)
