snort_inline , and ipv6

  • k11stan

    Hey every1

    Ive been trying to set up snort in inline mode with ipv6 , but for some reason while snort is running (with the following args : snort_inline -Qev -i eth6  -h fec0::0:2:1234:567a/96 -c /etc/snort/snort.conf -L /var/log ) but as soon as i add this rule - ip6tables -A FORWARD -i eth6 -j QUEUE , traffic no longer forwards between the two interfaces (  box with snort is inline between two interfaces on a box sending bad traffic from one interface to another ) and I do not see anything in the logs indicating that the bits are actually being looked at ... The config file is all default values except for the net_external being my external interface address (fec0::0:1:1234:567a/96)  and net_internal , the internal address (fec0::0:2:1234:567a/96) .. Now this setup seems to work perfectly in ids mode - so whats the trick ?

    thanx for any suggestions


    • Dave Remien
      Dave Remien

      Try using nfqueues instead of ipqueue. The queue socket needs to be ipv6 enabled; I don't think that's on by default for ipqueue. IDS mode gets packets in a totally different way.