From: Robert M. <rv...@gm...> - 2011-02-23 11:10:17
You have to change your iptables rule to send FTP traffic to the queue instead of port 80.

iptables -I INPUT -p tcp --dport 21 -j QUEUE

But this will only work if the FTP server you are trying to monitor resides on the system with the iptables firewall. If the firewall is routing and you are trying to monitor FTP traffic going across the firewall, you will need to add the rule to the FORWARD chain.

Rob

On Feb 23, 2011, at 5:02, anvin igcar <av...@gm...> wrote:

> I have configured snort to IDS mode without using --enable-inline.
> I have successfully installed snort_inline and iptables too using http://linuxgazette.net/117/savage.html.
>
> I have added the following rule in /etc/snort_inline/ftp.rules
>
> drop tcp any any -> any 21 (msg:"FTP AV ftp login attempt"; flow:to_server,established; content:"USER"; nocase; content:"w0rm"; distance:1; nocase; pcre:"/^USER\s+w0rm/smi"; reference:arachnids,01; classtype:suspicious-login; sid:1555; rev:9;)
>
> and in iptables, it is
> iptables -I INPUT -p tcp --dport 80 -j QUEUE
>
> When I run the following with
> snort_inline -c /etc/snort_inline/snort_inline.conf -Q -N -l /var/log/snort_inline/ -t /var/log/snort_inline/ -v
>
> I am able to access the ftp, which is not supposed to get connected. What should I do?
>
> I am trying to run both the Snort server and client on the same machine.
> _______________________________________________
> Snort-inline-users mailing list
> Sno...@li...
> https://lists.sourceforge.net/lists/listinfo/snort-inline-users
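Rob's advice depends on knowing which chain your QUEUE rule actually sits on and which port it matches. The script below is an added example, not code from this thread or from the snort_inline project: it reads an iptables-save style dump and reports whether any rule hands TCP port 21 to the QUEUE target, and whether that rule is on INPUT (FTP server running on the firewall host) or FORWARD (FTP traffic routed through the firewall). The SAMPLE_RULES text, the function names and the "-m tcp" form of the dumped rules are constructed for this example; the port-80 rule in the sample mirrors the misconfiguration in the original question.

```shell
#!/bin/sh
# Added example: audit an iptables-save dump for rules that send TCP/21 to
# the QUEUE target used by snort_inline. Not from the mailing-list thread.

# Constructed sample resembling `iptables-save` output. The INPUT rule queues
# port 80 (the mistake in the question); only the FORWARD rule queues FTP.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 80 -j QUEUE
-A FORWARD -p tcp -m tcp --dport 21 -j QUEUE
COMMIT'

# queue_chains_for_port DUMP PORT
# Prints, one per line, the chains whose rules send TCP traffic to PORT
# to the QUEUE target. Only "-A <chain> ... -p tcp ... --dport PORT ... -j QUEUE"
# lines are considered; other targets and protocols are ignored.
queue_chains_for_port() {
    printf '%s\n' "$1" | awk -v port="$2" '
        /^-A / && / -p tcp/ && / -j QUEUE/ {
            for (i = 1; i <= NF; i++)
                if ($i == "--dport" && $(i+1) == port) { print $2; break }
        }'
}

# ftp_queue_status DUMP
# Explains what the port-21 QUEUE rules cover. Returns 0 when at least one
# such rule exists, 1 when FTP traffic never reaches the queue.
ftp_queue_status() {
    chains=$(queue_chains_for_port "$1" 21)
    if [ -z "$chains" ]; then
        echo "no rule sends TCP/21 to QUEUE; snort_inline will never see FTP"
        return 1
    fi
    for c in $chains; do
        case "$c" in
            INPUT)   echo "INPUT: covers an FTP server running on this host" ;;
            FORWARD) echo "FORWARD: covers FTP traffic routed through this host" ;;
            *)       echo "$c: QUEUE rule on an unexpected chain" ;;
        esac
    done
    return 0
}

# Against a live ruleset (needs root):
#   dump=$(iptables-save); ftp_queue_status "$dump"
ftp_queue_status "$SAMPLE_RULES"
```

A host that both runs an FTP server and routes FTP traffic for other machines needs a QUEUE rule on each chain; the check above prints one line per chain so that gap is visible.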