snort rely's on the QUEUE target in iptables to receive its data. So
lets say that you have a webserver that you wanted to protect with
snort. Let's also assume that you wanted to permit ssh access and not
inspect that traffic with snort. Your rules would look something like
this.
iptables -A FORWARD -p tcp --dport 80 -j QUEUE
iptables -A FORWARD -p tcp --dport 22 -j ACCEPT
iptables -A FORWARD -j DROP
The traffic bound for port 80 would be analyzed by snort and then a
verdict is sent back from snort to tell iptables to either drop or
accept the packet. The drop or accept verdict depends on whether or
not a rule is matched and the rule action associated with that rule.
clear as mud?????
Regards,
Will
On 6/10/05, Jean-Pierre Denis <jp@webglobe.ca> wrote:
Hi,
When running snort and iptables on the same box, which of the 2 act first ?
Those it go thru snort and then the iptable rule allow or deny the
connection
or it's the other way around
Merci,
JP
-----------------------------------------
WebMail Powered by WebGlobe.
http://www.webglobe.ca
--------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
--------------------------------------------------------------------------
--------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
--------------------------------------------------------------------------
