this is system dependent. i don't believe snort will see the traffic on a linux box, but it will on an OpenBSD box. i think this is a result of where the promiscuous device is located in the kernel structures. on linux, it is obviously after the firewall code, on OpenBSD it appears to be before the firewall code.
you will find discussions of this on the perl mailing list here: http://groups.google.com/groups?q=firewall+group%3A*snort*&num=30&hl=en&meta=

Claudiu Ionescu wrote:

> Hi all,
> Premises: a Linux box with two NICs working as a router and packet filtering
> device (ipchains or iptables) for a small network behind it. Snort installed on
> it.
> Question: Would packets that are dropped by the filtering rules reach snort?
> Please explain your answer. Thank you.

--
___cliff [EMAIL PROTECTED] http://www.genwax.com/