From: Victor J. <vi...@nk...> - 2005-11-30 07:43:15
Rob Campbell wrote:
> Will,
>
> I'm just checking back to see if you have found anything. I have done a
> little more testing, but haven't found a way to fix it yet. It is
> definitely related to enforce_state. If I use enforce_state, even
> without stream4inline, it will not pass any TCP traffic. From what I
> understand, without enforce_state I cannot drop TCP packets in
> real-time, is that correct?

No, that is not correct. If enforce_state is enabled, stream4 will drop packets that do not belong to an existing connection and are not valid TCP connection initializers. If enforce_state is disabled, you can still drop TCP packets.

I cannot reproduce this problem, but I don't use a bridge. Other than the debug info Will asked for, I would be interested in a tcpdump file and the output of iptables -vnL ...

Regards,
Victor

> I would really like to use Snort for an
> IPS, but without TCP it wouldn't be very useful. Let me know if you
> have any other ideas, or want me to give something a try. Thank you.
>
> Rob Campbell
> Pacific Coast Wireless Internet
>
> Will Metcalf wrote:
>
>> I'll see if I can reproduce it this weekend
>>
>> On 11/18/05, Rob Campbell <rca...@pc...> wrote:
>>
>>> I have also tried it with just "iptables -A FORWARD -j QUEUE" to make
>>> sure that the specified interfaces weren't causing a problem. Any ideas
>>> why it's not working with stream4inline and enforce_state?
>>>
>>> Rob Campbell
>>> Pacific Coast Wireless Internet
>>>
>>> Rob Campbell wrote:
>>>
>>>> No. That is the only iptables rule I have. The full rule was
>>>> "iptables -A FORWARD -i br0 -o br0 -j QUEUE", could that cause any problems?
>>>>
>>>> Rob Campbell
>>>> Pacific Coast Wireless Internet
>>>>
>>>> Will Metcalf wrote:
>>>>
>>>>> hmmm how odd, you don't have any other entries in your FORWARD chain
>>>>> before your -A FORWARD -j QUEUE entry do you?
>>>>>
>>>>> Regards,
>>>>>
>>>>> Will
>>>>>
>>>>> On 11/17/05, Rob Campbell <rca...@pc...> wrote:
>>>>>
>>>>>> It is happening on web traffic, IMAP traffic, and telnet to various
>>>>>> ports.
>>>>>>
>>>>>> Rob Campbell
>>>>>> Pacific Coast Wireless Internet
>>>>>>
>>>>>> Will Metcalf wrote:
>>>>>>
>>>>>>> sorry it's late, missed the "iptables -A FORWARD -j QUEUE" part.
>>>>>>> Just out of curiosity, is it a particular protocol, or does all TCP
>>>>>>> traffic get dropped?
>>>>>>>
>>>>>>> Regards,
>>>>>>>
>>>>>>> Will
>>>>>>>
>>>>>>> On 11/16/05, Will Metcalf <wil...@gm...> wrote:
>>>>>>>
>>>>>>>> Hmmm. Are you sure that snort-inline can see the full twh? i.e. are
>>>>>>>> you queueing both client and server traffic?
>>>>>>>>
>>>>>>>> Regards,
>>>>>>>>
>>>>>>>> Will
>>>>>>>>
>>>>>>>> On 11/16/05, Rob Campbell <rca...@pc...> wrote:
>>>>>>>>
>>>>>>>>> Hello,
>>>>>>>>>
>>>>>>>>> I have been configuring an IPS using snort inline. I am running the
>>>>>>>>> latest version, 2.4.3RC2. It is running in bridge mode with "iptables
>>>>>>>>> -A FORWARD -j QUEUE" on the bridge interface. When I have enforce_state
>>>>>>>>> on, it seems to block all TCP traffic. With a packet capture I do see
>>>>>>>>> the SYN being sent to the remote host, but I never get any replies. If
>>>>>>>>> I turn off enforce_state it starts working again.
>>>>>>>>>
>>>>>>>>> What are the downsides to turning off enforce_state or stream4inline?
>>>>>>>>> Thank you.
>>>>>>>>>
>>>>>>>>> Rob Campbell
>>>>>>>>> Pacific Coast Wireless Internet
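The rule Victor states (with enforce_state on, a packet that is neither part of a tracked session nor a valid connection initializer is dropped) and Will's question about whether the sensor sees the full three-way handshake, written up as an added Python model. This is constructed illustration code, not Snort's stream4 implementation or anything from the thread; the addresses, the state names, the `StateTracker` and `simulate` helpers are all assumptions chosen to make the behaviour visible. It shows why a sensor that only sees one direction of the handshake ends up dropping every later packet of the connection when enforce_state is on, and what changes when it is off.

```python
"""Toy model of the enforce_state decision described in the thread.

Constructed example: a minimal TCP session tracker that passes a packet
if it belongs to a tracked session or is a bare SYN (a valid initializer),
and otherwise drops it when enforce_state is enabled. With enforce_state
disabled, untracked packets are passed through.
"""

from dataclasses import dataclass, field

SYN, ACK = "SYN", "ACK"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    flags: frozenset

    @property
    def key(self):
        # Direction-independent session key so both halves of the
        # conversation map onto the same tracked state.
        return frozenset((self.src, self.dst))


@dataclass
class StateTracker:
    enforce_state: bool
    sessions: dict = field(default_factory=dict)  # session key -> state

    def inspect(self, pkt):
        """Return 'pass' or 'drop' for pkt and update the session table."""
        state = self.sessions.get(pkt.key)
        if state is None:
            if pkt.flags == {SYN}:  # valid connection initializer
                self.sessions[pkt.key] = "SYN_SENT"
                return "pass"
            # Untracked, non-SYN packet: this is what enforce_state rejects.
            return "drop" if self.enforce_state else "pass"
        if state == "SYN_SENT" and pkt.flags == {SYN, ACK}:
            self.sessions[pkt.key] = "SYN_RECV"
            return "pass"
        if state == "SYN_RECV" and ACK in pkt.flags:
            self.sessions[pkt.key] = "ESTABLISHED"
            return "pass"
        if state == "ESTABLISHED":
            return "pass"
        # Packet does not fit the tracked state (e.g. an ACK while we
        # are still waiting for the SYN-ACK we never saw).
        return "drop" if self.enforce_state else "pass"


def simulate(enforce_state, sees_server_to_client):
    """Run a handshake plus data through the tracker.

    sees_server_to_client=False models a sensor that is only queued for
    the client->server direction: server packets bypass it entirely and
    are reported as 'unseen' rather than inspected.
    """
    tracker = StateTracker(enforce_state)
    client, server = "10.0.0.5", "192.0.2.80"  # constructed addresses
    exchange = [
        Packet(client, server, frozenset({SYN})),       # SYN
        Packet(server, client, frozenset({SYN, ACK})),  # SYN-ACK
        Packet(client, server, frozenset({ACK})),       # final ACK
        Packet(client, server, frozenset({ACK})),       # client data
        Packet(server, client, frozenset({ACK})),       # server data
    ]
    verdicts = []
    for pkt in exchange:
        if pkt.src == server and not sees_server_to_client:
            verdicts.append("unseen")
            continue
        verdicts.append(tracker.inspect(pkt))
    return verdicts


if __name__ == "__main__":
    print("enforce_state on, both directions seen :", simulate(True, True))
    print("enforce_state on, server side not seen :", simulate(True, False))
    print("enforce_state off, server side not seen:", simulate(False, False))
```

With both directions queued, every packet passes. If the SYN-ACK never reaches the tracker, the client's final ACK and all of its data are dropped under enforce_state, because the session is still waiting for an initializer reply; turning enforce_state off makes those same packets pass, but it also lets a mid-stream packet with no tracked session through, which is the trade-off Rob is asking about. Checking the per-rule packet counters in `iptables -vnL`, as Victor requests, is the quickest way to confirm that both directions are actually being queued.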