From: anvin i. <av...@gm...> - 2011-02-23 10:04:00
I have configured snort to IDS mode without using --enable-inline. I have successfully installed snort_inline and iptables too using http://linuxgazette.net/117/savage.html. I have added the following rule in /etc/snort_inline/ftp.rules:

drop tcp any any -> any 21 (msg:"FTP AV ftp login attempt"; flow:to_server,established; content:"USER"; nocase; content:"w0rm"; distance:1; nocase; pcre:"/^USER\s+w0rm/smi"; reference:arachnids,01; classtype:suspicious-login; sid:1555; rev:9;)

and in iptables, it is:

iptables -I INPUT -p tcp --dport 80 -j QUEUE

When I run the following with

snort_inline -c /etc/snort_inline/snort_inline.conf -Q -N -l /var/log/snort_inline/ -t /var/log/snort_inline/ -v

I am able to access the ftp, which is not supposed to get connected. What should I do? I am trying to run both Snort server and client in the same machine.
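A small consistency check, added here as an example and not part of the original post, that parses the Snort rule header and the iptables command quoted above and reports whether packets matching that rule are actually diverted to snort_inline's queue at all; the function names and the single-QUEUE-rule model are assumptions of this example.

```python
import shlex

# Both strings are constructed from the values quoted in the post above.
SNORT_RULE = ('drop tcp any any -> any 21 (msg:"FTP AV ftp login attempt"; '
              'flow:to_server,established; content:"USER"; nocase; '
              'content:"w0rm"; distance:1; nocase; pcre:"/^USER\\s+w0rm/smi"; '
              'reference:arachnids,01; classtype:suspicious-login; sid:1555; rev:9;)')
IPTABLES_RULE = "iptables -I INPUT -p tcp --dport 80 -j QUEUE"

def parse_snort_header(rule):
    """Split a Snort rule header into (action, proto, src, sport, dst, dport)."""
    header = rule.split("(", 1)[0].split()
    action, proto, src, sport, arrow, dst, dport = header[:7]
    if arrow != "->":
        raise ValueError("only unidirectional '->' headers are handled here")
    return action, proto, src, sport, dst, dport

def parse_iptables_queue(cmd):
    """Return (proto, dport) for an iptables rule that jumps to QUEUE/NFQUEUE, else None."""
    argv = shlex.split(cmd)
    opts = {}
    for i, tok in enumerate(argv[:-1]):
        if tok in ("-p", "--protocol", "--dport", "--destination-port", "-j", "--jump"):
            opts[tok] = argv[i + 1]
    target = opts.get("-j") or opts.get("--jump")
    if target not in ("QUEUE", "NFQUEUE"):
        return None          # nothing is diverted to userspace at all
    return (opts.get("-p") or opts.get("--protocol"),
            opts.get("--dport") or opts.get("--destination-port"))

def rule_is_reachable(snort_rule, iptables_cmd):
    """True if packets the Snort header selects can reach snort_inline via the queue.

    Models only the simple case on the page: a single QUEUE rule with optional
    -p and --dport. Packets that are not queued are handled by the kernel alone,
    so snort_inline never sees them and the 'drop' action cannot fire.
    """
    _, proto, _, _, _, dport = parse_snort_header(snort_rule)
    queued = parse_iptables_queue(iptables_cmd)
    if queued is None:
        return False
    q_proto, q_dport = queued
    proto_ok = q_proto in (None, "all", proto)
    port_ok = q_dport is None or q_dport == dport or dport == "any"
    return proto_ok and port_ok

if __name__ == "__main__":
    print("queued traffic reaches the FTP rule:", rule_is_reachable(SNORT_RULE, IPTABLES_RULE))
```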