> Anyway, here is my situation. > I have fwsnort generate iptables rule (based on snort IDS rules) which are > running on a machine with two interfaces. One of the interfaces (eth1) ?is > connected to a SPAN port that mirrors traffic on part of our network, this > interface is in promiscuous mode. The other interface (eth0) is a regular > addressable interface. For some reason, the iptables rules seem to have no > effect on traffic seen by the SPAN port. AFAIK pcap library gets traffic before iptables rule processing (because it's promiscous mode), so snort and tcpdump (and any other tool which uses pcap) continues to see 'blocked by iptables' traffic. -- Best regards, Oleg
