
Re: UDP Port 0 not blockable



Andres Taylor wrote:
> On ons, 2003-05-14 at 11:01, Boyan Krosnov wrote:
[...]
> > You can't stop the packets from coming to your machine. If your IDS
> > (snort) is listening on the outside interface, then you'll see the
> > packets regardless of whether you drop them or not.
> 
> Now, this is where my understanding differs from yours. As far as I
> understand, iptables works in kernelland, and will drop the packets
> without them ever reaching userland. Snort, on the other hand, lives and
> works in userland, and should NOT see packets dropped by the kernel.
> I've made some very simple tests, but they support my belief. Are you
> 100% certain that snort should be able to see the packets even if I drop
> them?

Snort and tcpdump use libpcap, which uses raw sockets at the device
level, so it receives packets before netfilter/iptables, which works at
the IP level, even sees them. See packet(7). I find this diagram useful
for seeing the sequence of networking operations (notice <tcpdump process>
at the left): http://open-source.arkoon.net/kernel/kernel_net.png

HTH,

Jason


