From: Joel E. <es...@gm...> - 2008-09-23 16:54:38
You say that you are putting in your own drop rules? Or am I totally missing your question. Would you be willing to post your drop rules that you are putting in? Are you able to drop ANY traffic? Can you post your Snort command line? How about your snort.conf file?

Joel

On Tue, Sep 23, 2008 at 2:38 AM, Snort User <pea...@ya...> wrote:
> To Any Snort_Inline Guru:
>
> I am an EXTREMELY FRUSTRATED snort_inline user. I am using snort 2.8 in
> inline mode and updating with oinkmaster 2.0. If I update via oinkmaster
> WITHOUT specifying {modifysid * "^alert" | "drop"} within the
> oinkmaster.conf file, the rules get updated and everything works. If I
> insert some simple drop rules for testing after the oinkmaster update, my
> "test" drop rules correctly drop and log dropped packets. If I test the
> updated alerts by restarting in non-inline mode, they work as well.
>
> STRANGELY, if I update via oinkmaster and DO specify {modifysid * "^alert"
> | "drop"} within the .conf file, oinkmaster "seems" to work (i.e., updates
> appear to have been made correctly, "alert" rules are all converted to
> "drop" rules, snort inline starts without errors, snort output lists rules
> as being correctly read, etc.), however, when I insert some simple drop
> rules for testing, my "test" drop rules do not work, nor do any of the
> converted drop rules that had worked prior as alerts. At least the "test"
> drop rules SHOULD work (but do not), since they work when I update without
> converting alerts to drops. This would seem impossible, but it IS
> occurring. I always restart snort after rules modifications to flush rules
> from memory and am only using downloaded snort rules (i.e. other than some
> extremely simple "test" drop rules that DO work when I haven't converted
> "alert" rules to "drop").
>
> I understand that if I had "alert" rules similar to my test "drop" rules,
> then my test "drop" rules might not get triggered and logged (i.e., as a
> consequence of already being dropped by other rules that were prior only
> "alerts"). However, in that scenario, even though the test "drops"
> wouldn't show as triggered in the logs, the packets would still get dropped,
> due to other "drop" rules. This isn't what is happening, since none of my
> packets are getting dropped once I convert "alerts" to "drops". Again,
> extremely baffling!
>
> There must be a way to run snort-inline with automatic alert/drop
> conversions on updates, but I have not been able to do it.
>
> Any feedback would be GREATLY APPRECIATED!
>
> Peabody
>
> _______________________________________________
> Snort-inline-users mailing list
> Sno...@li...
> https://lists.sourceforge.net/lists/listinfo/snort-inline-users
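As an added example (not code from this thread or from oinkmaster), a small Python check that emulates the `modifysid * "^alert" | "drop"` substitution on a constructed ruleset and then audits the result: it counts rule actions and flags any rule whose leading keyword is not one Snort accepts, which is a quick way to confirm that a converted ruleset is what snort_inline will actually load. The sample rules and the VALID_ACTIONS set are assumptions made for this example.

```python
import re

# Constructed sample ruleset (not from the thread): two active alert rules, one
# of them continued with a trailing backslash, a disabled (#-commented) rule,
# and one rule that is already a drop.
SAMPLE_RULES = r"""
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"TEST http"; sid:1000001; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"disabled"; sid:1000002; rev:1;)
alert udp any any -> $HOME_NET 53 (msg:"TEST dns"; \
    sid:1000003; rev:1;)
drop icmp any any -> $HOME_NET any (msg:"TEST icmp drop"; sid:1000004; rev:1;)
"""

# Rule actions Snort / snort_inline accept as the first keyword (assumed list).
VALID_ACTIONS = {"alert", "log", "pass", "drop", "sdrop", "reject",
                 "activate", "dynamic"}


def modifysid_all(text, pattern=r"^alert", replacement="drop"):
    """Emulate oinkmaster's  modifysid * "<pattern>" | "<replacement>"  with a
    wildcard sid: apply the regex to the start of every line.  A disabled rule
    ('# alert ...') is untouched because '^alert' does not match it."""
    return "\n".join(re.sub(pattern, replacement, line)
                     for line in text.splitlines())


def audit_actions(text):
    """Return (action counts, list of rules whose first keyword is invalid).
    Backslash-continued rules are joined before inspection."""
    counts, bad, pending = {}, [], ""
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        pending += stripped.rstrip("\\")
        if stripped.endswith("\\"):
            continue  # rule continues on the next line
        action = pending.split()[0]
        counts[action] = counts.get(action, 0) + 1
        if action not in VALID_ACTIONS:
            bad.append(pending)
        pending = ""
    return counts, bad


if __name__ == "__main__":
    print("before:", audit_actions(SAMPLE_RULES)[0])      # {'alert': 2, 'drop': 1}
    converted = modifysid_all(SAMPLE_RULES)
    after, invalid = audit_actions(converted)
    print("after:", after, "invalid rules:", invalid)      # {'drop': 3} []
```

Run it against the real converted rules directory to compare the action counts before and after an oinkmaster update; a ruleset with no `drop` rules, or with invalid leading keywords, explains a quiet inline sensor faster than reading snort's startup output.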