From: Schott, E. J Mr ANOSC/F. <eri...@NE...> - 2005-05-16 21:21:54
|
Forwarded.

-----Original Message-----
From: saurabha [mailto:sau...@fu...]
Sent: Saturday, May 14, 2005 6:00 AM
To: foc...@se...
Subject: flow of packet from iptable to snort_inline

Hi,

I have a query about the flow of packets from iptables to snort_inline.

Problem description:
-------------------
Assuming that iptables has filters to allow TCP packets, now since the incoming packets (TCP) are permitted, iptables will maintain session information in the stateful inspection table.

I want to know if iptables sends all incoming packets to snort_inline or it sends only the first few packets.

In the case of TCP, does iptables send packets only till the 3-way handshake is done (before an entry is made into the stateful table), or does it send all packets for that connection to snort_inline?

Thanks & Regards
Saurabh Agrawal
From: Adayadil T. <ada...@gm...> - 2005-05-16 23:22:46
|
This depends on the iptables rules set up. Snort inline reads the packets from libipq and so gets all the packets that come to this queue according to the iptables rules.

On 5/16/05, Schott, Erik J Mr ANOSC/FCBS <eri...@ne...> wrote:
> Forwarded.
>
> -----Original Message-----
> From: saurabha [mailto:sau...@fu...]
> Sent: Saturday, May 14, 2005 6:00 AM
> To: foc...@se...
> Subject: flow of packet from iptable to snort_inline
>
> Hi,
>
> I have a query about the flow of packets from iptables to snort_inline.
>
> Problem description:
> -------------------
> Assuming that iptables has filters to allow TCP packets, now since
> the incoming packets (TCP) are permitted, iptables will maintain
> session information in the stateful inspection table.
>
> I want to know if iptables sends all incoming packets to snort_inline
> or it sends only the first few packets.
>
> In the case of TCP, does iptables send packets only till the 3-way handshake
> is done (before an entry is made into the stateful table), or does it send all
> packets for that connection to snort_inline?
>
> Thanks & Regards
> Saurabh Agrawal
From: C.G.Senthilkumar. <che...@cs...> - 2005-05-17 03:09:24
|
This is my understanding: 'cos snort-inline matches rules against the contents of packets, all packets need to be passed to snort-inline. If a decision can be made to drop a connection based on the 3-way handshake packets, iptables can do that and there is no need for snort-inline.

Thanks
Senthil.

On Mon, 16 May 2005, Schott, Erik J Mr ANOSC/FCBS wrote:
> Forwarded.
>
> -----Original Message-----
> From: saurabha [mailto:sau...@fu...]
> Sent: Saturday, May 14, 2005 6:00 AM
> To: foc...@se...
> Subject: flow of packet from iptable to snort_inline
>
> Hi,
>
> I have a query about the flow of packets from iptables to snort_inline.
>
> Problem description:
> -------------------
> Assuming that iptables has filters to allow TCP packets, now since
> the incoming packets (TCP) are permitted, iptables will maintain
> session information in the stateful inspection table.
>
> I want to know if iptables sends all incoming packets to snort_inline
> or it sends only the first few packets.
>
> In the case of TCP, does iptables send packets only till the 3-way handshake
> is done (before an entry is made into the stateful table), or does it send all
> packets for that connection to snort_inline?
>
> Thanks & Regards
> Saurabh Agrawal
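
Both replies in this thread say that what snort_inline sees is decided by the iptables rules that feed the queue. The following is an added example, not code from the thread or from the snort_inline project: a simplified Python model of first-match rule traversal that shows which packets of one TCP connection reach the QUEUE target under two rulesets. The packet list, the ruleset names and the choice of the FORWARD chain are assumptions made for the illustration.

```python
# Added illustration: a simplified model of iptables first-match traversal.
# The packet list and both rulesets are constructed for this example.

# One TCP connection as conntrack classifies each packet: the SYN is NEW;
# once a reply has been seen, every later packet is ESTABLISHED.
CONNECTION = [
    ("SYN", "NEW"),
    ("SYN/ACK", "ESTABLISHED"),
    ("ACK", "ESTABLISHED"),
    ("PSH/ACK request data", "ESTABLISHED"),
    ("PSH/ACK response data", "ESTABLISHED"),
    ("FIN/ACK", "ESTABLISHED"),
]

# Each rule: (conntrack states it matches, or None for any state, target).
# Ruleset A:  iptables -A FORWARD -p tcp -j QUEUE
QUEUE_EVERYTHING = [(None, "QUEUE")]

# Ruleset B:  iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
#             iptables -A FORWARD -p tcp -m state --state NEW -j QUEUE
STATEFUL_SHORTCUT = [
    ({"ESTABLISHED", "RELATED"}, "ACCEPT"),
    ({"NEW"}, "QUEUE"),
]


def verdict(ruleset, state, policy="DROP"):
    """Return the target of the first matching rule, else the chain policy."""
    for states, target in ruleset:
        if states is None or state in states:
            return target
    return policy


def queued_packets(ruleset, packets=CONNECTION):
    """Names of the packets that would be handed to the userspace queue."""
    return [name for name, state in packets if verdict(ruleset, state) == "QUEUE"]


def uninspected_packets(ruleset, packets=CONNECTION):
    """Packets the firewall accepts without snort_inline ever seeing them."""
    return [name for name, state in packets if verdict(ruleset, state) == "ACCEPT"]


if __name__ == "__main__":
    for label, rules in (("A", QUEUE_EVERYTHING), ("B", STATEFUL_SHORTCUT)):
        print(label, "queued:  ", queued_packets(rules))
        print(label, "bypassed:", uninspected_packets(rules))
```

Under ruleset B only the SYN is queued, so the payload-carrying packets bypass content inspection; checking that no ACCEPT rule for ESTABLISHED traffic sits ahead of the QUEUE rule is the practical audit step.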