[Snort-inline-users] (no subject)

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

I adopted rc.firewall (which allows everthing in but limits everything out)
to allow everything in AND out except what snort-inline has to block (this is
ok for my intended setup to only block sessions belonging to worms e.g. ut
leaving legal traffic on the same port untouched).

BTW: I used the ebtables patch (it also includes bridge-nf, see
ebtables.sourceforge.net) for 2.4.21 (used original of kernel.org)

HTH,
Sandro

> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Hi guys,
> 
> 	I searched hi and low, googled, etc. and have not found 
> an answer that explains
> the situation I'm having.
> 
> 	I built a Debian testing box, kernel 2.4.21 (vanilla) 
> with the bridge-nf patch,
> snort-inline 2.0.1.  The box is in bridge mode and I have 
> iptables rules that
> QUEUE all the traffic I'm interested in.  The issue I'm having is that
> snort-inline never lets the traffic pass.  I've even put in 
> pass rules for each
> of the protocols (ip, tcp, udp, icmp).  It did take a while 
> to realize that you
> can't run snort-inline as snort and have the libipq work.
> 
> 
> 	If I don't QUEUE the traffic then everything flows 
> through the bridge and my
> other firewall rules work correctly.  It's just when I start 
> QUEUEing and run
> snort-inline.  I've used the honeynet config files as a 
> template for snort.conf
> but used the regular snort-inline rules.
> 
> 	What happens to a packet that snort-inline doesn't 
> trigger on (drop, reject,
> etc.)?  Do I have to have anything extra in my firewall rules 
> other than the -j
> QUEUE rule?
> 
> 	Suggestions, feedback, etc. most welcome.
> 
> 	Thanks,
> 
> - --
> James A. Pattie
> ja...@pc...
> 
> Linux  --  SysAdmin / Programmer
> Xperience, Inc.
> http://www.pcxperience.com/
> http://www.xperienceinc.com/
> 
> GPG Key Available at http://www.pcxperience.com/gpgkeys/james.html
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.2 (GNU/Linux)
> Comment: Using GnuPG with Debian - http://enigmail.mozdev.org
> 
> iD8DBQE/WNY5tUXjwPIRLVERAqBWAJ0Y4GEyc/xk2M7iXMxKBzXZWZMYngCg1uPA
> qNwVA25V6MEVho4nfwGTLGE=
> =O1oh
> -----END PGP SIGNATURE-----
> 

-- 
COMPUTERBILD 15/03: Premium-e-mail-Dienste im Test
--------------------------------------------------
1. GMX TopMail - Platz 1 und Testsieger!
2. GMX ProMail - Platz 2 und Preis-Qualitätssieger!
3. Arcor - 4. web.de - 5. T-Online - 6. freenet.de - 7. daybyday - 8. e-Post