Order of Processing? - PFBlockerNG/Snort
-
Hi,
If I have both PFBlockerNG and Snort running which gets processed first?
Or…..
Will Snort record an alert for an IP that is blocked by PFBlockerNG?
Granted I may be a little confused as I am a bit new to all of this....
Thanks,
JB
-
Snort's blocks are inserted in one of the first few tables in the firewall chain, so generally Snort blocks happen early in a packet's traversal of the rules.
Snort uses libpcap to get copies of packets flowing through the interface for inspection. That means it will always see a packet even if that packet is later dropped by the firewall. Snort sees traffic raw straight off the interface before the firewall rules have acted upon it.
Bill
-
Excellent! That's what I was hoping.
Thanks,
JB
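Added example, not part of the original thread: because Snort sees packets before the firewall rules act (as the reply above explains), its alert log will contain sources that the firewall drops anyway. This sketch tags each alert by whether its source is on a deny list. It assumes Snort's "fast" alert line format and a deny list exported as one IPv4 address or CIDR per line; all addresses, SIDs and rule messages are constructed.

```python
import ipaddress
import re

# Constructed deny list (documentation ranges), one IPv4 address or CIDR per line.
BLOCKLIST = """\
# constructed entries
203.0.113.0/24
198.51.100.99
"""

# Constructed Snort "fast" alert lines; SIDs and messages are made up.
ALERTS = """\
03/14-10:15:01.123456  [**] [1:1000001:1] Constructed rule A [**] [Classification: Misc activity] [Priority: 3] {TCP} 203.0.113.45:44321 -> 192.0.2.10:22
03/14-10:15:02.654321  [**] [1:1000002:1] Constructed rule B [**] [Classification: Misc activity] [Priority: 3] {TCP} 198.51.100.7:40222 -> 192.0.2.10:443
03/14-10:15:03.000001  [**] [1:1000003:1] Constructed rule C [**] [Classification: Misc activity] [Priority: 3] {ICMP} 198.51.100.99 -> 192.0.2.10
"""

# gid:sid:rev, then {PROTO} src[:port] -> dst[:port] (IPv4 only in this sketch).
ALERT_RE = re.compile(
    r"\[(?P<sid>\d+:\d+:\d+)\].*\{(?P<proto>[\w-]+)\}\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?"
)

def load_blocklist(text):
    """Parse addresses/CIDRs, ignoring blank lines and '#' comments."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets

def triage(alert_text, nets):
    """Return (sid, source IP, source-is-on-deny-list) for each parsable alert."""
    out = []
    for line in alert_text.splitlines():
        m = ALERT_RE.search(line)
        if not m:
            continue  # not a fast-format alert line
        src = ipaddress.ip_address(m["src"])
        out.append((m["sid"], m["src"], any(src in n for n in nets)))
    return out

if __name__ == "__main__":
    for sid, src, blocked in triage(ALERTS, load_blocklist(BLOCKLIST)):
        note = "on deny list (firewall drops it)" if blocked else "not on deny list"
        print(f"{sid}  {src:<15}  {note}")
```

Alerts tagged as on the deny list are ones Snort recorded for traffic the firewall rules would drop afterwards; the rest deserve the analyst's attention first.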