Snort captures using tcpdump (binary) format by default, does it not?  

Best practice, of course, would say to run the IDS on a separate box
(single-purpose server), but on a home network, I can see how that may not
be possible.  It seems to me that it's a configuration issue on a
single-box.  Unfortunately, I'm not sure of what that might be.  :-(  Is the
box dual-homed?

Here's a link to a paper on using Snort-inline w/ IPTABLES.  I'm not sure if
it will help or not.  :-P
http://www.snort.org/docs/Snort-Inline_and_IPTABLES.pdf

HTH,
Curtis.

-----Original Message-----
From: Shawn Grover [mailto:[EMAIL PROTECTED]]
Sent: Friday, February 07, 2003 10:15 AM
To: '[EMAIL PROTECTED]'
Subject: RE: (clug-talk) Snort and IPtables


Can you use tcpdump?  I don't know if it's possible to use its output in
Snort or not, but tcpdump reports EVERYTHING (within the parameters you
specify)....

Shawn
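Both Curtis's note that Snort captures in tcpdump (libpcap) binary format and Shawn's question about feeding tcpdump output to Snort come down to the same on-disk format. What follows is an added example, not code from any of the posters: a small Python reader for the libpcap file format that walks the global header and per-packet records, then counts TCP SYNs per destination port, which is the kind of thing a scan against the external NIC would show. The frames, MAC/IP addresses and ports are constructed sample data built inline so the script runs offline; the helper names are this example's own.

```python
import struct
from collections import Counter

# libpcap "classic" magic number and the Ethernet link type (LINKTYPE_ETHERNET = 1).
PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1


def build_pcap(frames, endian="<"):
    """Wrap raw Ethernet frames in a libpcap global header plus per-record headers.

    Constructed helper for the example; tcpdump -w produces the same layout.
    """
    # magic, major, minor, thiszone, sigfigs, snaplen, linktype
    out = bytearray(struct.pack(endian + "IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET))
    for i, frame in enumerate(frames):
        # ts_sec, ts_usec, incl_len (bytes saved), orig_len (bytes on the wire)
        out += struct.pack(endian + "IIII", 1044633600 + i, 0, len(frame), len(frame))
        out += frame
    return bytes(out)


def tcp_syn_frame(dst_port, src_port=40000):
    """Constructed Ethernet/IPv4/TCP SYN frame (checksums left zero; the parser ignores them)."""
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"  # dst, src, EtherType IPv4
    # src port, dst port, seq, ack, data offset (5 words), flags (SYN), window, checksum, urgent
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 1, 0, 5 << 4, 0x02, 8192, 0, 0)
    # version/IHL, TOS, total length, id, flags/frag, TTL, proto (6 = TCP), checksum, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes([192, 0, 2, 10]), bytes([198, 51, 100, 1]))
    return eth + ip + tcp


def iter_pcap(data):
    """Yield (timestamp_seconds, frame_bytes) for every record in a libpcap file."""
    (magic,) = struct.unpack_from("<I", data, 0)
    if magic == PCAP_MAGIC:
        endian = "<"          # written on a little-endian host
    elif magic == 0xD4C3B2A1:
        endian = ">"          # written on a big-endian host; byte-swapped magic
    else:
        raise ValueError("not a libpcap file")
    linktype = struct.unpack_from(endian + "IHHiIII", data, 0)[6]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("this example only decodes Ethernet captures")
    off = 24
    while off + 16 <= len(data):
        ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield ts_sec, data[off:off + incl_len]
        off += incl_len


def syn_counts_by_port(data):
    """Count inbound TCP SYNs (SYN set, ACK clear) per destination port."""
    counts = Counter()
    for _, frame in iter_pcap(data):
        if len(frame) < 14 or frame[12:14] != b"\x08\x00":   # IPv4 only
            continue
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4                               # header length in bytes
        if ip[9] != 6:                                         # protocol field: TCP
            continue
        tcp = ip[ihl:]
        _src_port, dst_port = struct.unpack_from("!HH", tcp, 0)
        flags = tcp[13]
        if flags & 0x02 and not flags & 0x10:
            counts[dst_port] += 1
    return counts


if __name__ == "__main__":
    # Constructed capture: one probe each to 22 and 3306, two to 80.
    sample = build_pcap([tcp_syn_frame(22), tcp_syn_frame(80), tcp_syn_frame(80), tcp_syn_frame(3306)])
    for port, n in sorted(syn_counts_by_port(sample).items()):
        print(f"port {port}: {n} SYN(s)")
```

A file in this format is what `tcpdump -i eth0 -w capture.pcap` writes and what `snort -r capture.pcap` reads. Because libpcap taps the interface at the link layer, a capture taken on the external NIC records probes to closed ports as well as the ones the firewall lets through, so comparing such a capture against what the sensor alerted on is one way to check whether a host-based IDS is actually seeing the traffic the firewall drops.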

-----Original Message-----
From: Johnny Stork [mailto:[EMAIL PROTECTED]]
Sent: Friday, February 07, 2003 10:04 AM
To: [EMAIL PROTECTED]
Subject: (clug-talk) Snort and IPtables


Does anyone know if there is a way to have snort monitor an external NIC so
that it responds BEFORE the iptables firewall rules? So far, when running on
the same box I can only get it to respond to scans on ports that are open
and make it through the firewall. 


--
Open Enterprise Solutions
Linux & Open Source Solutions for Business

Johnny Stork, BA
Calgary, AB
Canada

http://www.openenterprise.ca
