I've been trying to set up Snort in inline mode with IPv6, but for some reason, while Snort is running (with the following args: snort_inline -Qev -i eth6 -h fec0::0:2:1234:567a/96 -c /etc/snort/snort.conf -L /var/log), as soon as I add this rule, ip6tables -A FORWARD -i eth6 -j QUEUE, traffic no longer forwards between the two interfaces (the box with Snort is inline between two interfaces on a box sending bad traffic from one interface to another), and I do not see anything in the logs indicating that the bits are actually being looked at. The config file is all default values except for net_external being my external interface address (fec0::0:1:1234:567a/96) and net_internal, the internal address (fec0::0:2:1234:567a/96). Now, this setup seems to work perfectly in IDS mode, so what's the trick?
Thanks for any suggestions.
Try using nfqueue instead of ip_queue. The queue socket needs to be IPv6-enabled; I don't think that's on by default for ip_queue. IDS mode gets packets in a totally different way.
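To make the answer concrete, here is an added helper script (not posted by either participant) that builds the NFQUEUE-based ip6tables rules the reply recommends, shows the matching sensor invocation, and checks whether anything is actually bound to the queue. It assumes things the thread does not state: a second interface named eth7 on the far side of eth6, queue number 0, and a Snort 2.9+ build with the DAQ nfq module (the snort_inline binary in the question takes different switches, which are not shown here). The key operational caveat it encodes: packets steered into an nfqueue with no userspace reader are dropped, so a rule with nobody bound to the queue produces exactly the "traffic no longer forwards" symptom; --queue-bypass flips that to fail-open, which is a policy choice, not a default.

```shell
#!/bin/sh
# Added example for the thread above: inline IPv6 via NFQUEUE (nfnetlink_queue)
# instead of the legacy -j QUEUE target (ip_queue).
# Assumptions not on the page: eth7 as the far-side interface, queue 0,
# and a Snort 2.9+ build with the DAQ nfq module for the sensor command.

IN_IF="${IN_IF:-eth6}"       # interface named in the question
OUT_IF="${OUT_IF:-eth7}"     # assumed second inline interface
QNUM="${QNUM:-0}"            # assumed nfqueue number
QBYPASS="${QBYPASS:-0}"      # 1 = fail open when no reader is bound (--queue-bypass)

# Emit ip6tables commands that steer forwarded traffic in both directions
# into one queue. Both directions must go through the same queue or the
# sensor only ever sees half of each conversation.
build_rules() {
    extra=""
    if [ "$QBYPASS" = 1 ]; then
        extra=" --queue-bypass"
    fi
    cat <<EOF
ip6tables -A FORWARD -i $IN_IF -o $OUT_IF -j NFQUEUE --queue-num $QNUM$extra
ip6tables -A FORWARD -i $OUT_IF -o $IN_IF -j NFQUEUE --queue-num $QNUM$extra
EOF
}

# Sensor invocation for Snort 2.9+ with the nfq DAQ (assumption: not the
# snort_inline switches from the question). proto=ip6 is what makes the
# queue reader bind for the IPv6 family.
snort_cmd() {
    echo "snort -Q --daq nfq --daq-var proto=ip6 --daq-var queue=$QNUM -c /etc/snort/snort.conf -l /var/log/snort"
}

# Check /proc/net/netfilter/nfnetlink_queue (path given as $1 so a
# constructed copy can be checked offline) for queue $2. Columns are:
# queue_number peer_portid queue_total copy_mode copy_range queue_dropped
# user_dropped id_sequence. A zero peer_portid means no process is bound,
# and without --queue-bypass every packet sent to that queue is dropped.
# Returns 0 when a reader is bound, 1 otherwise.
queue_bound() {
    awk -v q="$2" '$1 == q && $2 != 0 { found = 1 } END { exit !found }' "$1"
}

# IPv6 forwarding must be on or the FORWARD chain never sees the packets.
forwarding_enabled() {
    [ "$(cat /proc/sys/net/ipv6/conf/all/forwarding 2>/dev/null)" = 1 ]
}

case "${1:-}" in
    --apply)
        modprobe nfnetlink_queue
        forwarding_enabled || sysctl -w net.ipv6.conf.all.forwarding=1
        build_rules | sh -e
        ;;
    --check)
        if queue_bound /proc/net/netfilter/nfnetlink_queue "$QNUM"; then
            echo "queue $QNUM has a bound reader"
        else
            echo "queue $QNUM has NO reader: forwarded traffic will be dropped" >&2
        fi
        ;;
    *)
        build_rules
        echo "# then start the sensor with:"
        snort_cmd
        ;;
esac
```

Run it with no arguments to preview the rules, with --apply (as root) to install them, and with --check after starting the sensor: if the check reports no reader, the blackhole is the missing binding, not the rule set.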