From: Rob M. <rv...@ca...> - 2003-12-02 11:58:37
Josh,

I would simply add a call to InlineDrop() right before the call to CallAlertFuncs(). InlineDrop() does not take any arguments. I've highlighted the insertion below with 3 asterisks (***). This will drop the packet and continue to alert or log as required.

The Inline functions do not do any alerting or logging. They simply tell iptables to drop the packet. Therefore, we still require the use of snort Alert and Log functions.

Rob

On Mon, 1 Dec 2003, Josh Berry wrote:

> Sorry I am not much of a developer, so for this piece of code:
>
>
>     if((runMode == MODE_IDS) && pv.decoder_flags.decode_alerts)
>     {
>         SetEvent(&event, GENERATOR_SNORT_DECODE,
>                 DECODE_BAD_80211_ETHLLC, 1, DECODE_CLASS, 5, 0);
/***/     InlineDrop();
>         CallAlertFuncs(p, DECODE_BAD_80211_ETHLLC_STR, NULL, &event);
>         CallLogFuncs(p, DECODE_BAD_80211_ETHLLC_STR, NULL, &event);
>     }
>
>     return;
> }
>
> Would I just replace the CallAlertFuncs with InlineDrop();? Do I need to
> pass anything to InlineDrop?