Snort mailing list archives
Re: snort-inline question
From: Harry Brueckner <hb () o-d de>
Date: Tue, 07 Oct 2003 16:19:47 +0200
--On Tuesday, October 07, 2003 08:38:59 AM -0500 seclists () violating us wrote:
Using the normal non-inline version of snort, you still have access to packets on your wire even if iptables explicitly blocks traffic on that interface. I can send you specific (sanitized) logs and rules if you don't wish to take my word for it.
Hmm, but how should a userland application get access to data which is dropped at the kernel level already?
When I check the output of 'snort -dev' with iptables active compared to iptables turned off, it shows a very big difference. With iptables on I can comfortably read the output; with iptables off the data just rushes by.
How do you manage to get snort to read the unfiltered traffic on the interface?
Harry
