Hello hello,

I'm running an Ubuntu 10.04 server system with snort and iptables that have a default policy to DROP all traffic.
Even though I have my iptables configured, snort still picks up traffic that is dropped by my iptables. This is, in my understanding, correct and is exactly what snort should do.
But this leaves me with the following question: Why should I let my IDS check dropped traffic? This is traffic that isn't going to do anything so why monitor this traffic for events?
If this traffic is indeed not interesting, how can I configure snort to only analyze traffic that actually is processed by my server?

Cheers,
LeDieu.