From: Victor J. <vi...@nk...> - 2004-07-02 15:24:19
On Friday 02 July 2004 16:37, James A. Pattie wrote:
> Victor Julien wrote:
> | On Thursday 01 July 2004 21:56, Geffrey Velasquez [MINAG] wrote:
> |>Excellent! Your script always has the ESTABLISHED and RELATED
> |>states on top. I would like to see your frontend.
>
> I don't know what happened the last time, but I was letting you guys know
> about my iptables web frontend for the PCXFirewall project that supports
> snort-inline. It isn't as fine-grained on the ESTABLISHED,RELATED -j QUEUE
> code, but you can limit what services initially are forced to -j QUEUE.
>
> You can get it at http://pcxfirewall.sf.net/

Do you support something special from snort-inline or just the QUEUE target (like me)? It would be cool to manage the snort rules from the same tool as the iptables rules, but I think that's fairly complex...

Also, how do you handle the snort_inline logs? My tool converts the iptables logs from syslog into a human-readable file; I'm thinking about integrating the snort_inline-fast file with that. However, is there a way to see what the action was in the snort-inline log (without changing all individual rules)? Something like this:

06/27-11:26:58.883422 [**] [1:721:7] VIRUS OUTBOUND bad file attachment [**] [Classification: A suspicious filename was detected] [Priority: 2] {TCP} 192.168.0.167:33581 -> 192.168.0.102:25 [snort-inline action: DROP]

That would be handy.

Regards,
Victor
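
The log integration asked about above, as an added example that is not part of the original message or of either project's code: a parser for Snort fast-alert lines that also accepts the trailing `[snort-inline action: ...]` field. That field is the format proposed in the message, assumed here rather than known snort_inline output, and the function names are hypothetical.

```python
import re
from collections import Counter

# Snort "fast" alert line, plus the optional action suffix proposed in the
# message above (an assumption, not stock snort_inline output).
FAST_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<classification>[^\]]*)\]\s+)?"
    r"(?:\[Priority:\s*(?P<priority>\d+)\]\s+)?"
    r"\{(?P<proto>[^}]+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)"
    r"(?:\s+\[snort-inline action:\s*(?P<action>\w+)\])?\s*$"
)

def split_endpoint(endpoint):
    """Split 'ip:port' into (ip, port); ICMP alerts carry no port."""
    host, sep, port = endpoint.rpartition(":")
    return (host, int(port)) if sep and port.isdigit() else (endpoint, None)

def parse_fast_alert(line):
    """Return a dict for one alert line, or None if it is not an alert."""
    m = FAST_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("gid", "sid", "rev"):
        rec[key] = int(rec[key])
    rec["priority"] = int(rec["priority"]) if rec["priority"] else None
    rec["src"] = split_endpoint(rec["src"])
    rec["dst"] = split_endpoint(rec["dst"])
    # Lines without the proposed suffix do not say what happened to the packet.
    rec["action"] = rec["action"].upper() if rec["action"] else "UNKNOWN"
    return rec

def summarize(lines):
    """Count alerts per (sid, action), skipping lines that do not parse."""
    alerts = [a for a in map(parse_fast_alert, lines) if a]
    return Counter((a["sid"], a["action"]) for a in alerts)

# First line is the one quoted in the message; the others are constructed.
SAMPLE = [
    "06/27-11:26:58.883422 [**] [1:721:7] VIRUS OUTBOUND bad file attachment [**] [Classification: A suspicious filename was detected] [Priority: 2] {TCP} 192.168.0.167:33581 -> 192.168.0.102:25 [snort-inline action: DROP]",
    "06/27-11:27:03.120001 [**] [1:1000001:1] constructed ICMP sample [**] [Priority: 3] {ICMP} 192.168.0.167 -> 192.168.0.102",
    "Jun 27 11:27:04 fw kernel: constructed non-alert syslog line",
]

if __name__ == "__main__":
    for (sid, action), count in sorted(summarize(SAMPLE).items()):
        print(f"sid={sid} action={action} count={count}")
```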