Re: [Snort-inline-users] Re :Re: Problem while running snort_inline

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 422-6466

is this the only rule you have in your rule set?

On Wed, May 21, 2008 at 12:45 AM, vishal_nitr
<vis...@re...> wrote:
> yeh sure...
>
> my iptable rules are
>
> iptables -p tcp -A OUTPUT --sport 80 -j NFQUEUE --queue-num 100
> iptables -p tcp -A INPUT --dport 80 -j NFQUEUE --queue-num 100
>
> snort rule is
>
> pass tcp any any <> 172.30.11.120/32 80
>
> stream4 settings are
>
> preprocessor stream4:   disable_evasion_alerts,
>                         stream4inline,
>                         enforce_state pass,
>                         memcap 100000000,
>                         timeout 3600,
>                         truncate,
>                         window_size 3000
>
> preprocessor stream4_reassemble: both, ports "default", favor_new
>
> my HTTP configs are
>
> preprocessor http_inspect: global
>    iis_unicode_map unicode.map 1252
>
> preprocessor http_inspect_server: server default
>     profile all ports { 80 8080 8180 } oversize_dir_length 500
>
> Actually I  tried disabling all stream4 configs and HTTP configs but it
> wasn't working.
>
>
> On Tue, 20 May 2008 12:26:20 +0200 Victor Julien wrote
>
> I suspect there is some state issue here. Could you show us the iptables
> rules, relevant snort rules and your stream4/5 settings?
>
> Regards,
> Victor
>
> vishal_nitr wrote:
>> Hi ALL,
>> I am running snort in inline mode on a HTTP server by using
>> NFQUEUE. I have two queues for HTTP traffic destined to this server
>> one for incoming requests and another for responses given by this
>> server to client.
>> when I am sending HTTP request from a client with both the queues
>> present; TCP connection is getting established, GET request is coming
>> to server and acknowledgement is also reaching to client but 200 OK
>> packets are not reaching to client. Packets are dropped by snort as
>> it's a pass rule.
>>
>> I suspect it as a some configuration issue.
>>
>> Please help me resolve this issue.
>>
>> Thanks
>> vishal
>>
>> Thanks and Regards,
>> Vishal Kotalwar,
>> Software Engineer,
>> Aricent,
>> Chennai-35.
>> 09884074047.
>> IPL
>>
>>
>>
>> ------------------------------------------------------------------------
>>
>> -------------------------------------------------------------------------
>> This SF.net email is sponsored by: Microsoft
>> Defy all challenges. Microsoft(R) Visual Studio 2008.
>> http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
>> ------------------------------------------------------------------------
>>
>> _______________________________________________
>> Snort-inline-users mailing list
>> Sno...@li...
>> https://lists.sourceforge.net/lists/listinfo/snort-inline-users
>>
>
>
> -------------------------------------------------------------------------
> This SF.net email is sponsored by: Microsoft
> Defy all challenges. Microsoft(R) Visual Studio 2008.
> http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
> _______________________________________________
> Snort-inline-users mailing list
> Sno...@li...
> https://lists.sourceforge.net/lists/listinfo/snort-inline-users
>
>
> Thanks and Regards,
> Vishal Kotalwar,
> Software Engineer,
> Aricent,
> Chennai-35.
> 09884074047.
>
> -------------------------------------------------------------------------
> This SF.net email is sponsored by: Microsoft
> Defy all challenges. Microsoft(R) Visual Studio 2008.
> http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
> _______________________________________________
> Snort-inline-users mailing list
> Sno...@li...
> https://lists.sourceforge.net/lists/listinfo/snort-inline-users
>
>