From: James A. P. <ja...@pc...> - 2004-07-02 18:54:56
Victor Julien wrote:
| On Friday 02 July 2004 16:37, James A. Pattie wrote:
|
|>Victor Julien wrote:
|>| On Thursday 01 July 2004 21:56, Geffrey Velasquez [MINAG] wrote:
|>|>Excellent! Your script always has on top the ESTABLISHED and RELATED
|>|>states. I would like to see your frontend.
|>
|>I don't know what happened the last time, but I was letting you guys know
|>about my iptables web frontend for the PCXFirewall project that supports
|>snort-inline. It isn't as fine-grained on the ESTABLISHED,RELATED -j QUEUE
|>code, but you can limit what services initially are forced to -j QUEUE.
|>
|>You can get it at http://pcxfirewall.sf.net/
|
| Do you support something special from snort-inline or just the QUEUE target
| (like me)? It would be cool to manage the snort-rules from the same tool as
| the iptables rules, but I think that's fairly complex...

I just support the QUEUE target and I have flags to know I'm in a bridged
scenario.

| Also, how do you handle the snort_inline logs? My tool converts the iptables
| logs from syslog into a human-readable file; I'm thinking about integrating
| the snort_inline-fast file with that. However, is there a way to see what the
| action was in the snort-inline log? (without changing all individual rules)

I usually run an instance of snort logging to db and then access it via the
acid_lab interface. Though it will be nice to start using the snort-inline w/ db
support so I don't have to keep updating multiple rule sets, etc., and can get
rid of the log file per se.

| Something like this:
| 06/27-11:26:58.883422 [**] [1:721:7] VIRUS OUTBOUND bad file attachment [**]
| [Classification: A suspicious filename was detected] [Priority: 2] {TCP}
| 192.168.0.167:33581 -> 192.168.0.102:25 [snort-inline action: DROP]
|
| That would be handy.

Yes, that would be nice to see what action it took.

--
James A. Pattie
ja...@pc...
Linux -- SysAdmin / Programmer
Xperience, Inc.
http://www.pcxperience.com/
http://www.xperienceinc.com/
http://www.pcxperience.org/
GPG Key Available at http://www.pcxperience.com/gpgkeys/james.html
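As an added example (not code from this thread, PCXFirewall or snort-inline), a small parser for the Snort alert_fast line format quoted above; it treats the `[snort-inline action: ...]` tag Victor proposes as an optional trailing field, so lines with and without it can be tallied per rule and action. The sample lines are constructed from the thread's example; the action tag's exact spelling is assumed from that example.

```python
import re

# Snort "alert_fast" one-line format as quoted in the thread, plus an optional
# trailing "[snort-inline action: X]" tag. The tag is what the thread wishes
# for, not a field snort-inline emitted at the time, so it is optional here.
FAST_ALERT = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s+(?P<prio>\d+)\]\s+\{(?P<proto>[A-Z]+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?"
    r"(?:\s+\[snort-inline action:\s+(?P<action>[A-Z]+)\])?\s*$"
)

def parse_fast_alert(line):
    """Parse one alert_fast line into a dict, or None if it does not match.
    Ports are None for port-less protocols (ICMP); action is 'unknown' without the tag."""
    m = FAST_ALERT.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    for k in ("gid", "sid", "rev", "prio"): d[k] = int(d[k])
    for k in ("sport", "dport"): d[k] = int(d[k]) if d[k] is not None else None
    d["action"] = d["action"] or "unknown"
    return d

def count_by_sid_action(lines):
    """Tally alerts per (sid, action): the 'what did it actually do' view the thread wants."""
    counts = {}
    for line in lines:
        a = parse_fast_alert(line)
        if a is not None:
            key = (a["sid"], a["action"])
            counts[key] = counts.get(key, 0) + 1
    return counts

# Constructed sample: the thread's example joined onto one line (as the real log
# writes it), one copy without the action tag, and one ICMP alert with no ports.
SAMPLE = [
    "06/27-11:26:58.883422  [**] [1:721:7] VIRUS OUTBOUND bad file attachment [**] "
    "[Classification: A suspicious filename was detected] [Priority: 2] {TCP} "
    "192.168.0.167:33581 -> 192.168.0.102:25 [snort-inline action: DROP]",
    "06/27-11:27:03.100000  [**] [1:721:7] VIRUS OUTBOUND bad file attachment [**] "
    "[Classification: A suspicious filename was detected] [Priority: 2] {TCP} "
    "192.168.0.167:33590 -> 192.168.0.102:25",
    "06/27-11:28:00.000001  [**] [1:384:5] ICMP PING [**] [Classification: Misc "
    "activity] [Priority: 3] {ICMP} 192.168.0.5 -> 192.168.0.1 [snort-inline action: ALERT]",
]
```

Feeding a real snort_inline-fast file through `count_by_sid_action` gives the per-rule action breakdown; lines that lack the tag show up under "unknown" rather than being silently dropped.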