From: Will M. <wil...@gm...> - 2005-11-30 04:45:16

hmmmm can you send me packet dumps and possibly ./configure with --enable-debug. Then export SNORT_DEBUG=8192; if enforce_state is dropping your packets you should see something in the debug to the effect of "dropping packet not a synner". Let me know what you find; as long as stream4 can see the TWH, enforce_state shouldn't be causing you any problems.

Regards,

Will

On 11/29/05, Rob Campbell <rca...@pc...> wrote:
> Will,
>
> I'm just checking back to see if you have found anything. I have done a
> little more testing, but haven't found a way to fix it yet. It is
> definitely related to enforce_state. If I use enforce_state, even
> without stream4inline, it will not pass any TCP traffic. From what I
> understand, without enforce_state I cannot drop TCP packets in
> real-time, is that correct? I would really like to use Snort for an
> IPS, but without TCP it wouldn't be very useful. Let me know if you
> have any other ideas, or want me to give something a try. Thank you.
>
> Rob Campbell
> Pacific Coast Wireless Internet
>
> Will Metcalf wrote:
> > I'll see if I can reproduce it this weekend
> >
> > On 11/18/05, Rob Campbell <rca...@pc...> wrote:
> >> I have also tried it with just "iptables -A FORWARD -j QUEUE" to make
> >> sure that the specified interfaces weren't causing a problem. Any ideas
> >> why it's not working with stream4inline and enforce_state?
> >>
> >> Rob Campbell
> >> Pacific Coast Wireless Internet
> >>
> >> Rob Campbell wrote:
> >>> No. That is the only iptables rule I have. The full rule was "iptables
> >>> -A FORWARD -i br0 -o br0 -j QUEUE", could that cause any problems?
> >>>
> >>> Rob Campbell
> >>> Pacific Coast Wireless Internet
> >>>
> >>> Will Metcalf wrote:
> >>>> hmmm how odd, you don't have any other entries in your FORWARD chain
> >>>> before your -A FORWARD -j QUEUE entry do you?
> >>>>
> >>>> Regards,
> >>>>
> >>>> Will
> >>>>
> >>>> On 11/17/05, Rob Campbell <rca...@pc...> wrote:
> >>>>> It is happening on web traffic, IMAP traffic, and telnet to various
> >>>>> ports.
> >>>>>
> >>>>> Rob Campbell
> >>>>> Pacific Coast Wireless Internet
> >>>>>
> >>>>> Will Metcalf wrote:
> >>>>>> sorry it's late, missed the "iptables -A FORWARD -j QUEUE" part. Just
> >>>>>> out of curiosity is it a particular protocol, or does all tcp traffic
> >>>>>> get dropped?
> >>>>>>
> >>>>>> Regards,
> >>>>>>
> >>>>>> Will
> >>>>>>
> >>>>>> On 11/16/05, Will Metcalf <wil...@gm...> wrote:
> >>>>>>> Hmmm Are you sure that snort-inline can see the full twh? i.e. are
> >>>>>>> you queueing both client and server traffic?
> >>>>>>>
> >>>>>>> Regards,
> >>>>>>>
> >>>>>>> Will
> >>>>>>>
> >>>>>>> On 11/16/05, Rob Campbell <rca...@pc...> wrote:
> >>>>>>>> Hello,
> >>>>>>>>
> >>>>>>>> I have been configuring an IPS using snort inline. I am running the
> >>>>>>>> latest version, 2.4.3RC2. It is running in bridge mode with
> >>>>>>>> "iptables -A FORWARD -j QUEUE" on the bridge interface. When I have
> >>>>>>>> enforce_state on, it seems to block all TCP traffic. With a packet
> >>>>>>>> capture I do see the SYN being sent to the remote host, but I never
> >>>>>>>> get any replies. If I turn off enforce_state it starts working again.
> >>>>>>>>
> >>>>>>>> What are the downsides to turning off enforce_state or stream4inline?
> >>>>>>>> Thank you.
> >>>>>>>>
> >>>>>>>> Rob Campbell
> >>>>>>>> Pacific Coast Wireless Internet
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> -------------------------------------------------------
> >>>>>>>> This SF.Net email is sponsored by the JBoss Inc. Get Certified Today
> >>>>>>>> Register for a JBoss Training Course. Free Certification Exam
> >>>>>>>> for All Training Attendees Through End of 2005. For more info visit:
> >>>>>>>> http://ads.osdn.com/?ad_id=7628&alloc_id=16845&op=click
> >>>>>>>> _______________________________________________
> >>>>>>>> Snort-inline-users mailing list
> >>>>>>>> Sno...@li...
> >>>>>>>> https://lists.sourceforge.net/lists/listinfo/snort-inline-users
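Added example, not part of the thread and not Snort's own code: a small Python model of the session-state enforcement Will describes, showing why an inline sensor that is only handed one direction of a TCP flow, or that comes up in the middle of a session, drops packets it cannot tie to a three-way handshake it observed. The packet records, addresses and the "dropping packet" message are constructed here for illustration; the thread itself does not establish what was wrong in Rob's setup.

```python
# Constructed model of enforce_state-style TCP session tracking.
# Not Snort's implementation; the flow logic and sample packets are
# made up for this example.
from dataclasses import dataclass

# TCP flag bits
SYN, PSH, ACK = 0x02, 0x08, 0x10

CLIENT = "10.0.0.5"        # constructed addresses
SERVER = "203.0.113.10"


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int


def flow_key(p):
    # Canonical bidirectional key so both directions map to one session.
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (a, b) if a <= b else (b, a)


class StateEnforcer:
    """Accept only packets belonging to a session whose handshake
    this sensor saw in full; everything else gets verdict False."""

    def __init__(self):
        self.state = {}   # flow key -> 'syn_seen' | 'synack_seen' | 'established'
        self.log = []

    def verdict(self, p):
        key = flow_key(p)
        st = self.state.get(key)
        if p.flags & SYN and not p.flags & ACK:
            self.state[key] = "syn_seen"          # client SYN opens a session
            return True
        if st == "syn_seen" and p.flags & SYN and p.flags & ACK:
            self.state[key] = "synack_seen"       # server half of the handshake
            return True
        if st == "synack_seen" and p.flags & ACK:
            self.state[key] = "established"       # client's final ACK
            return True
        if st == "established":
            return True
        # Mid-stream packet with no observed handshake: drop it.
        self.log.append(f"dropping packet not in an established session: {p}")
        return False


def run(packets, queued):
    """Feed the sensor only the packets the QUEUE rule would hand it.
    Packets not queued bypass the sensor entirely, so it cannot learn
    from them. Returns (accepted, dropped, drop_log)."""
    enf = StateEnforcer()
    accepted = dropped = 0
    for p in packets:
        if not queued(p):
            continue
        if enf.verdict(p):
            accepted += 1
        else:
            dropped += 1
    return accepted, dropped, enf.log


# Constructed HTTP session: handshake, then one data segment each way.
SAMPLE = [
    Pkt(CLIENT, 40000, SERVER, 80, SYN),
    Pkt(SERVER, 80, CLIENT, 40000, SYN | ACK),
    Pkt(CLIENT, 40000, SERVER, 80, ACK),
    Pkt(CLIENT, 40000, SERVER, 80, PSH | ACK),
    Pkt(SERVER, 80, CLIENT, 40000, PSH | ACK),
]


def both_directions_queued():
    return run(SAMPLE, lambda p: True)


def only_client_side_queued():
    # Sensor never sees the SYN-ACK, so the session never establishes
    # and every later client packet is dropped.
    return run(SAMPLE, lambda p: p.src == CLIENT)


def sensor_started_mid_session():
    # No SYN observed at all: both data segments are dropped.
    return run(SAMPLE[3:], lambda p: True)


if __name__ == "__main__":
    for name, fn in [("both directions", both_directions_queued),
                     ("client side only", only_client_side_queued),
                     ("mid-session start", sensor_started_mid_session)]:
        acc, drop, log = fn()
        print(f"{name}: accepted={acc} dropped={drop}")
        for line in log:
            print("  ", line)
```

The "client side only" case is the situation Will's question about queueing both client and server traffic is probing: the sensor accepts the SYN, never sees the SYN-ACK, and then refuses the client's ACK and data because the flow never reached the established state from its point of view.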