The Snort "dropping" of packets is meant in the sense that Snort does no further inspecting of the packet, not literally dropping it from the system; it's just allowed to continue on through Snort's little hallway without further interruption by any more rules or inspections.
-----Original Message-----
From: Thomas Madhavan [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, May 29, 2002 1:13 PM
To: Leon Ward
Cc: [EMAIL PROTECTED]
Subject: Re: Snort or Ethereal for a relative newbie?

I thought Snort was capable of dropping packets based on the Snort ruleset... am I wrong? Is that performed only by the firewall? I realise Ethereal is only for listening to what's happening.

Does anyone have any in-depth installation and config tutorials? Snort.org has a few, but nothing I can make good use of. I'll check out silicondefense... although I'm not on any MS product - Mandrake Linux 8.2

Regards,
Thomas Madhavan

Leon Ward wrote:
>It seems that you are thinking slightly along the wrong lines here.
>Snort and Ethereal capture packets and do not block anything.
>Snort has the capability to inspect packets against a set of rules and
>report accordingly (alert on suspicious traffic).
>Ethereal captures packets for the purpose of allowing a user to inspect what
>is going on the "wire".
>
>As far as the Snort compiling problems go, check that the directory that
>libpcap installed its libraries into is listed in your /etc/ld.so.conf file.
>
>Try installing both libpcap and Snort from source; you will get more
>installation options.
>
>Nard
>
>-----Original Message-----
>From: Thomas Madhavan [mailto:[EMAIL PROTECTED]]
>Sent: 25 May 2002 15:29
>To: [EMAIL PROTECTED]
>Subject: Snort or Ethereal for a relative newbie?
>
>Hi all. Responses have been good before so I thought I'd try again.
>
>I've recently set up a Mandrake 8.2 workstation. I've used Firestarter to
>build a firewall, and I want to use a packet sniffer.
>
>After installing Snort, it didn't work due to a data type 113 error. I
>uninstalled it, then reinstalled from an RPM, but apparently I don't have
>libpcap installed (which I do).
>
>So, I tried Ethereal and it works fine. However, can rulesets be applied to
>Ethereal as they can with Snort? I want a little extra security, not just
>logs of packets.
>
>If Ethereal *can* be used to block packets, is it a good substitute for
>Snort? Or would I benefit from using Snort instead? There also seem to be a
>lot of Snort reporting tools - are there any for Ethereal?
>
>Thanks a lot,
>
>Thomas Madhavan
>
>This E-mail and its attachments have been scanned for viruses before
>delivery. For more information contact [EMAIL PROTECTED]
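To make the distinction drawn in this thread concrete (Snort "passing" a packet versus a firewall dropping it), here is an added example rules file. It is not from this thread or from the Snort project's own rule distribution; the network variables and the SIDs are placeholder values chosen for illustration.

```conf
# Added example (not from the thread): a minimal Snort 1.x/2.x-style rules
# file showing the three classic rule actions. None of them blocks traffic;
# blocking is the firewall's job (for instance the iptables rules that
# Firestarter generates). HOME_NET/EXTERNAL_NET and the SIDs are placeholders.

var HOME_NET 192.168.1.0/24
var EXTERNAL_NET !$HOME_NET

# alert: write an alert and log the packet, then let it go on its way.
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXAMPLE inbound SSH SYN"; flags:S; sid:1000001; rev:1;)

# log: record the packet to the log directory without raising an alert.
log tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE inbound HTTP"; sid:1000002; rev:1;)

# pass: stop evaluating rules for this packet. The kernel still forwards it.
# This is "dropping" in the sense used in the reply above: dropped from
# further rule inspection, not from the wire.
pass udp $HOME_NET any -> $HOME_NET 53 (msg:"EXAMPLE trusted internal DNS"; sid:1000003; rev:1;)
```

By default Snort applies rules in the order alert, pass, log, so an alert rule that also matches wins over a pass rule; starting Snort with `-o` switches the order to pass, alert, log, which makes pass rules behave as an "ignore this traffic" list evaluated first. Either way, a packet capture taken with Ethereal on the same host will show the passed packets still reaching their destination.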