July 22nd, 2006, 04:03 AM
#7
Member
Originally posted here by S3cur|ty4ng31
Actually, there may be something wrong here.
I'm not 100% sure, but if you're using iptables to drop packets from that class A then you should not be getting any events to your IDS. Snort generally uses libpcap, which I believe would 'grab' packets higher up in the protocol stack. Now, if you're using snort inline then this pulls packets from the kernel that could be jumped from the INPUT chain as well, so it would then be a matter of how your iptables rules are ordered.
Have you taken a look at your iptables to verify that packets are going to the DROP chain (iptables -vnL)?
I did some more investigating today...
Iptables is dropping the packets, but Snort reads the packets before IPtables does on the NIC connected to the internet. I guess, with how the machine is set up, snort is higher on the kernel stack than iptables.
Snort is reading the garbage attacks coming to the NIC connected to the internet, then Iptables is dropping them. The internal NIC connected to the LAN sees them all being dropped, and nothing goes through.
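The check the quoted reply suggests (reading the packet counters from `iptables -vnL`) can be automated. The script below is an added example, not code from this thread or from either poster: it parses the text that `iptables -vnL` prints and reports which DROP rules are actually matching traffic (non-zero packet counter) and which are idle, which is how you confirm that the packets Snort alerts on really are being discarded. The sample output embedded in it is constructed for the example (the chain layout and column format are real iptables output, but the addresses and counters are made up); on a live host the `live_output()` helper runs the real command, which needs root.

```python
"""Verify that iptables DROP rules are matching traffic, using `iptables -vnL` output."""
import re
import subprocess

# Constructed sample of `iptables -vnL` output; addresses and counters are invented.
SAMPLE_OUTPUT = """\
Chain INPUT (policy ACCEPT 1234 packets, 567K bytes)
 pkts bytes target     prot opt in     out     source               destination
  842 50520 DROP       all  --  eth0   *       10.0.0.0/8           0.0.0.0/0
    0     0 DROP       all  --  eth0   *       192.0.2.0/24         0.0.0.0/0
 9912  812K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 4321 packets, 321K bytes)
 pkts bytes target     prot opt in     out     source               destination
"""

# "Chain INPUT (policy ACCEPT 1234 packets, 567K bytes)"
CHAIN_RE = re.compile(r"^Chain (\S+) \(policy (\S+) (\d+) packets")
# pkts bytes target prot opt in out source destination [extra match text]
RULE_RE = re.compile(
    r"^\s*(\d+)\s+(\d+[KMG]?)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)"
)


def parse_counters(text):
    """Return one dict per rule: chain, target, pkts (int), prot, in, out, src, dst."""
    rules = []
    chain = None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            chain = m.group(1)
            continue
        m = RULE_RE.match(line)
        if m and chain:
            pkts, _bytes, target, prot, _opt, in_if, out_if, src, dst = m.groups()
            rules.append({
                "chain": chain, "target": target, "pkts": int(pkts),
                "prot": prot, "in": in_if, "out": out_if, "src": src, "dst": dst,
            })
    return rules


def active_drops(text):
    """DROP rules with a non-zero packet counter: these are really discarding traffic."""
    return [r for r in parse_counters(text) if r["target"] == "DROP" and r["pkts"] > 0]


def idle_drops(text):
    """DROP rules that have never matched; either no such traffic arrives or an earlier rule takes it."""
    return [r for r in parse_counters(text) if r["target"] == "DROP" and r["pkts"] == 0]


def live_output():
    """Fetch the real counters; requires root on the firewall host."""
    return subprocess.run(["iptables", "-vnL"], capture_output=True, text=True, check=True).stdout


def report(text):
    """Human-readable summary used when the script is run directly."""
    lines = []
    for r in active_drops(text):
        lines.append(f"DROP in {r['chain']} from {r['src']} on {r['in']}: {r['pkts']} packets dropped")
    for r in idle_drops(text):
        lines.append(f"DROP in {r['chain']} from {r['src']} on {r['in']}: never matched")
    return "\n".join(lines)


if __name__ == "__main__":
    # Swap SAMPLE_OUTPUT for live_output() on a real firewall.
    print(report(SAMPLE_OUTPUT))
```

A rising counter on the DROP rule together with continuing Snort alerts is the expected picture in this thread: libpcap receives a copy of each frame from the network device's receive path, before the packet reaches the netfilter INPUT hook where the DROP decision is made, so a sniffing (non-inline) Snort sees traffic that the firewall then discards. The external NIC therefore shows the attacks and the internal NIC shows nothing.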