
List:       security-basics
Subject:    Re: Snort question
From:       "Kutulu" <kutulu () kutulu ! org>
Date:       2001-09-29 3:43:52

From: "Michael Kjorling" <michael@kjorling.com>
Sent: Thursday, September 27, 2001 4:06 AM


> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> I believe not. The firewall code (the rules of which are managed
> through ipfwadm/ipchains/iptables depending on your kernel version) is
> executing directly in the kernel and TCP/IP stack, IIRC. Snort is most
> likely executing in user mode - albeit I bet privileged, but still
> user mode as opposed to kernel mode.

Many people gave this response, but there's something that does fit with it.
In order to process user-space TCP packets, snort would have to open *every
single TCP port* on the host system.  This is obviously not the case.  In
fact, Snort is able to log packets that are neither sourced, destined, nor
routed through the machine running snort.  If snort was processing IP
packets in the post-kernel-processed user space, this would be impossible.
The kernel's IP stack would reject any packets destined for it.

Snort puts the NIC in promiscuous mode.  This means it receives all Ethernet
traffic directly.  I assume it reassembles those frames into IP packets,
then TCP/UDP/whatever, on its own.  Otherwise, I know of no way it could
possibly receive and log the kind of data it does.

Of course, just because I don't know of a way obviously does not mean there
is none.  So, if someone can tell me of one, I'm always interested to
increase my knowledge.  But as far as I know, since Snort can receive IP
packets that would normally be rejected by the kernel for other reasons (no
open port, wrong machine), I see no reason it wouldn't receive data rejected
by the kernel due to firewall rules.

--K
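The point made above is that a promiscuous-mode sniffer gets the raw Ethernet frame and has to decode Ethernet, IP and TCP headers itself, without the kernel's stack or firewall rules being involved. The following is an added example, not code from this thread or from the Snort project: a small user-space decoder that takes a raw frame (constructed by hand here, a TCP SYN to port 22), verifies the IP header checksum, pulls out the TCP ports and flags, and applies a toy "alert on SYN to port 22" rule the way an IDS rule would, all on a host that need not have port 22 open or be the packet's destination at all. The sample addresses, MACs and the rule are assumptions for illustration.

```python
"""Decode a raw Ethernet frame into IP/TCP fields in user space.

Added example, not from the mailing-list post or from Snort. The frame is
built by hand below (constructed test input); on a real system it would come
from a promiscuous-mode capture such as libpcap delivers.
"""
import struct
from dataclasses import dataclass
from typing import Optional

ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
TCP_FLAG_NAMES = {0x01: "FIN", 0x02: "SYN", 0x04: "RST",
                  0x08: "PSH", 0x10: "ACK", 0x20: "URG"}


@dataclass
class Packet:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    protocol: int
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    tcp_flags: Optional[int] = None

    def flag_names(self):
        if self.tcp_flags is None:
            return []
        return [n for bit, n in TCP_FLAG_NAMES.items() if self.tcp_flags & bit]


def ip_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum; a header with a correct checksum sums to 0."""
    total = 0
    for i in range(0, len(header), 2):
        total += (header[i] << 8) + header[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def decode_frame(frame: bytes) -> Packet:
    """Ethernet -> IPv4 -> TCP decoding done entirely by this process."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError(f"unsupported ethertype 0x{ethertype:04x}")
    ip = frame[14:]
    if len(ip) < 20:
        raise ValueError("truncated IP header")
    (ver_ihl, _tos, total_len, _id, _frag, _ttl, proto, _csum,
     sip, dip) = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or len(ip) < ihl or total_len < ihl:
        raise ValueError("bad IP header length")
    if ip_checksum(ip[:ihl]) != 0:
        raise ValueError("IP header checksum mismatch")
    pkt = Packet(src_mac=":".join(f"{b:02x}" for b in src),
                 dst_mac=":".join(f"{b:02x}" for b in dst),
                 src_ip=".".join(str(b) for b in sip),
                 dst_ip=".".join(str(b) for b in dip),
                 protocol=proto)
    payload = ip[ihl:total_len]
    if proto == IPPROTO_TCP:
        if len(payload) < 20:
            raise ValueError("truncated TCP header")
        sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", payload[:14])
        pkt.src_port, pkt.dst_port = sport, dport
        pkt.tcp_flags = off_flags & 0x01FF
    return pkt


def syn_to_port(pkt: Packet, port: int) -> bool:
    """Toy IDS rule: TCP SYN (no ACK) toward the given destination port."""
    return (pkt.protocol == IPPROTO_TCP and pkt.dst_port == port
            and pkt.tcp_flags is not None
            and pkt.tcp_flags & 0x12 == 0x02)


def build_sample_frame() -> bytes:
    """Constructed frame: TCP SYN 192.0.2.10:40000 -> 198.51.100.20:22."""
    ipv4 = lambda s: bytes(int(x) for x in s.split("."))
    eth = struct.pack("!6s6sH", bytes.fromhex("001122334455"),
                      bytes.fromhex("66778899aabb"), ETHERTYPE_IPV4)
    tcp = struct.pack("!HHIIHHHH", 40000, 22, 1, 0, (5 << 12) | 0x02, 65535, 0, 0)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000,
                         64, IPPROTO_TCP, 0, ipv4("192.0.2.10"), ipv4("198.51.100.20"))
    ip_hdr = ip_hdr[:10] + struct.pack("!H", ip_checksum(ip_hdr)) + ip_hdr[12:]
    return eth + ip_hdr + tcp


if __name__ == "__main__":
    p = decode_frame(build_sample_frame())
    print(p, p.flag_names(), "ALERT" if syn_to_port(p, 22) else "ok")
```

Nothing here asks the kernel whether port 22 is open or whether a firewall rule would drop the packet; the decoder only needs the bytes, which is why a sniffer can log traffic the host itself would reject.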
