From: Robert M. <rv...@gm...> - 2011-02-24 13:06:30

Do you have drop rules? Have you configured iptables to send the traffic you want to monitor to snort_inline?

Rob

On Feb 24, 2011, at 3:54, anvin igcar <av...@gm...> wrote:

> I have tried to run Snort_inline in two methods with drop rules.
> But I don't find any packets being dropped. What might be the problem?
>
> [root@testpc ~]# snort_inline -c /etc/snort_inline/snort_inline.conf -l /var/log/snort_inline/ -A console -i eth0
>
> Running in IDS mode
> Initializing Network Interface eth0
>
> --== Initializing Snort ==--
> Initializing Output Plugins!
> Decoding Ethernet on interface eth0
> Initializing Preprocessors!
> Initializing Plug-ins!
> Parsing Rules file /etc/snort_inline/snort_inline.conf
>
> +++++++++++++++++++++++++++++++++++++++++++++++++++
> Initializing rule chains...
> ,-----------[Flow Config]----------------------
> | Stats Interval: 0
> | Hash Method: 2
> | Memcap: 10485760
> | Rows : 4099
> | Overhead Bytes: 16400(%0.16)
> `----------------------------------------------
>
> Rule application order: ->activation->dynamic->drop->sdrop->reject->rejectboth->rejectsrc->rejectdst->alert->pass->log
> Log directory = /var/log/snort_inline/
>
> --== Initialization Complete ==--
>
> ,,_ -*> Snort_Inline! <*-
> o" )~ Version 2.4.5 (Build 29)
> '''' By Martin Roesch & The Snort Team: http://www.snort.org/team.html
> (C) Copyright 1998-2005 Sourcefire Inc., et al.
> Snort_Inline Mod by William Metcalf, Victor Julien, Nick Rogness,
> Dave Remien, Rob McMillen and Jed Haile
> NOTE: Snort's default output has changed in version 2.4.1!
> The default logging mode is now PCAP, use "-K ascii" to activate
> the old default logging mode.
>
> ^C
>
> ===============================================================================
>
> Snort received 769 packets
> Analyzed: 769(100.000%)
> Dropped: 0(0.000%)
> ===============================================================================
> Breakdown by protocol:
> TCP: 104 (13.524%)
> UDP: 153 (19.896%)
> ICMP: 0 (0.000%)
> ARP: 307 (39.922%)
> EAPOL: 0 (0.000%)
> IPv6: 6 (0.780%)
> ETHLOOP: 0 (0.000%)
> IPX: 3 (0.390%)
> FRAG: 0 (0.000%)
> OTHER: 198 (25.748%)
> DISCARD: 0 (0.000%)
> ===============================================================================
> Action Stats:
> ALERTS: 0
> LOGGED: 0
> PASSED: 0
> ===============================================================================
> TCP Stream Reassembly Stats:
> TCP Packets Used: 9 (1.170%)
> Stream Trackers: 4
> Stream flushes: 0
> Segments used: 0
> Stream4 Memory Faults: 0
> ===============================================================================
> Final Flow Statistics
> ,----[ FLOWCACHE STATS ]----------
> Memcap: 10485760 Overhead Bytes 16400 used(%0.241756)/blocks (25350/51)
> Overhead blocks: 1 Could Hold: (58579)
> IPV4 count: 50 frees: 0
> low_time: 1298537116, high_time: 1298537132, diff: 0h:00:16s
> finds: 124 reversed: 0(%0.000000)
> find_sucess: 74 find_fail: 50
> percent_success: (%59.677419) new_flows: 50
> Protocol: 6 (%7.258065)
> finds: 9
> reversed: 0(%0.000000)
> find_sucess: 5
> find_fail: 4
> percent_success: (%55.555556)
> new_flows: 4
> Protocol: 17 (%92.741935)
> finds: 115
> reversed: 0(%0.000000)
> find_sucess: 69
> find_fail: 46
> percent_success: (%60.000000)
> new_flows: 46
> Snort exiting
>
> --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
>
> [root@testpc ~]# snort_inline -c /etc/snort_inline/snort_inline.conf -Q -N -l /var/log/snort_inline/ -t /var/log/snort_inline/ -v
> Reading from iptables
> Running in IDS mode
> Initializing Inline mode
>
> --== Initializing Snort ==--
> Initializing Output Plugins!
> Setting the Packet Processor to decode packets from iptables
> Initializing Preprocessors!
> Initializing Plug-ins!
> Parsing Rules file /etc/snort_inline/snort_inline.conf
> ~~~~~~~~~~~~~~~~~~~~~
> Rule application order: ->activation->dynamic->drop->sdrop->reject->rejectboth->rejectsrc->rejectdst->alert->pass->log
> Log directory = /var/log/snort_inline/
>
> --== Initialization Complete ==--
>
> ,,_ -*> Snort_Inline! <*-
> o" )~ Version 2.4.5 (Build 29)
> '''' By Martin Roesch & The Snort Team: http://www.snort.org/team.html
> (C) Copyright 1998-2005 Sourcefire Inc., et al.
> Snort_Inline Mod by William Metcalf, Victor Julien, Nick Rogness,
> Dave Remien, Rob McMillen and Jed Haile
> NOTE: Snort's default output has changed in version 2.4.1!
> The default logging mode is now PCAP, use "-K ascii" to activate
> the old default logging mode.
>
> Snort processed 0 packets.
> ============================================================
> Action Stats:
> ALERTS: 0
> LOGGED: 0
> PASSED: 0
> ===============================================================================
> Final Flow Statistics
> ,----[ FLOWCACHE STATS ]----------
> Memcap: 10485760 Overhead Bytes 16400 used(%0.156403)/blocks (16400/1)
> Overhead blocks: 1 Could Hold: (0)
> IPV4 count: 0 frees: 0
> low_time: 0, high_time: 0, diff: 0h:00:00s
> finds: 0 reversed: 0(%0.000000)
> find_sucess: 0 find_fail: 0
> percent_success: (%0.000000) new_flows: 0
> Snort exiting
>
> _______________________________________________
> Snort-inline-users mailing list
> Sno...@li...
> https://lists.sourceforge.net/lists/listinfo/snort-inline-users
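A quick check for the iptables question Rob raises, added here as an example and not code from the thread: it scans an iptables-save dump for a rule that hands packets to userspace (the QUEUE target of ip_queue, or NFQUEUE on builds that use libnetfilter_queue), which is what `snort_inline -Q` reads from; without such a rule inline mode sees no traffic at all, which matches the "Snort processed 0 packets" above. The two rulesets are constructed samples, and check_live_ruleset assumes iptables-save is installed and run as root.

```shell
#!/bin/sh
# Diagnostic for snort_inline -Q: does any iptables rule send packets to a
# userspace queue? Constructed sample rulesets in iptables-save format.

RULESET_WITHOUT_QUEUE='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
COMMIT'

RULESET_WITH_QUEUE='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A FORWARD -j QUEUE
COMMIT'

# has_queue_rule RULESET: exit 0 if some -A rule jumps to QUEUE or NFQUEUE
# (NFQUEUE may carry options such as --queue-num, hence the "( |$)").
has_queue_rule() {
    printf '%s\n' "$1" | grep -Eq -- '^-A [A-Za-z0-9_]+ .*-j (QUEUE|NFQUEUE)( |$)'
}

# count_queue_rules RULESET: number of rules that queue to userspace
count_queue_rules() {
    printf '%s\n' "$1" | grep -Ec -- '^-A .*-j (QUEUE|NFQUEUE)( |$)'
}

# check_live_ruleset: same test against the running firewall (needs root).
# Packets only reach snort_inline -Q through such a rule; in IDS mode
# (-i eth0) drop rules can alert but cannot block anything.
check_live_ruleset() {
    live="$(iptables-save 2>/dev/null)" || { echo "iptables-save failed" >&2; return 2; }
    if ! has_queue_rule "$live"; then
        echo "no QUEUE/NFQUEUE rule: snort_inline -Q will process 0 packets" >&2
        return 1
    fi
    echo "$(count_queue_rules "$live") queue rule(s) present"
}
```

On a live box, `iptables -I FORWARD -j QUEUE` (or `-j NFQUEUE`) in the chain the monitored traffic traverses is the usual way to satisfy the check; choose INPUT/OUTPUT instead of FORWARD when testing on the host itself.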