From: danh <da...@li...> - 2003-05-06 11:15:11
Hi people,

I am using snort_inline 2.0.0 and it all appears to be functioning normally (I have iptables set up with the "-j QUEUE" target for all incoming traffic on port 80; without snort_inline running I get no connections, with it running my web server sees the requests), but after extensive testing I can confirm that it is letting through sequences that "normal" snort will alert on.

There are a few things that I have noticed that may have a bearing. When I used to run normal snort, I started it with the "-i ppp0" command line option, as that is my external interface. I also had the line "var HOME_NET [10.0.0.0/8,$ppp0_ADDRESS]" in my conf file. This does not appear to work for snort_inline. I get an error about undefined variables.

Also, when I start up normal snort, during initialisation it reports 1331 rules active etc. However, snort_inline says 0 rules activated BUT it does appear to be applying rules (it caught a WEB-IIS cmd.exe attack).

The reason I am using snort_inline is that I am trying to get a true count of web site hits, but I am getting so many "code red" attempts it is distorting the figures. So I was trying to drop the connections before they even get to the web server. I know that there are issues with detecting code red attacks (no established flag etc.) but I can handle that.

Any advice would be cool.

Cheers
Dan Hennessey