From: Swaminathan S. <ssr...@cs...> - 2004-10-13 17:04:25
Hi, thanks for the reply. I am not using forceiptstate. As far as the network config goes, I have my machine with one network interface connected to the internet. I am running snort_inline so that all the packets in and out of my machine are inspected by it. This is a basic config I wanted to test first before I used it as an IPS for a network. I am attaching my config file with the mail. It is mostly an unedited version of the sample config file that came with the snort-inline distribution.

thanks
Swami

On Tue, Oct 12, 2004 at 09:11:52PM -0500, Will Metcalf wrote:
> What does your snort_inline.conf look like? It sounds like you might
> be using forceiptstate without using marks in iptables to track state.
> Really can't say without seeing your snort_inline.conf and how your
> snort_inline box sits in relation to the rest of your network.
>
> iptables -t mangle -A FORWARD -p tcp --syn -m state --state NEW -j MARK --set-mark 1
> iptables -t mangle -A FORWARD -p tcp -m state --state ESTABLISHED -j MARK --set-mark 2
> iptables -A FORWARD -j QUEUE
>
> Regards,
>
> Will
>
>
> On Tue, 12 Oct 2004 19:55:54 -0400, Swaminathan Srinivasan
> <ssr...@cs...> wrote:
> > hi all
> > I am new to snort-inline or even snort. I have been trying to get snort
> > inline (version 2.2.0 build 30) to work on my machine for a very basic setup.
> > I wanted all the packets in and out of my machine to go through snort
> >
> > so I setup my iptables with these 2 rules (only these 2 rules)
> > iptables -A INPUT -j QUEUE
> > iptables -A OUTPUT -j QUEUE
> >
> > Then I start my snort inline as
> > snort_inline -Qvc /etc/snort-inline/snort_inline.conf -l /var/log/snort
> >
> > I see my icmp and udp packets get through but none of my tcp sessions (I
> > tried web and ssh) are initiated. I don't even see SYN packets
> >
> > I have used the sample snort_inline config file available with the distribution
> > with some changes to turning on preprocessors
> >
> > What am I missing ?
> >
> > thanks
> > Swami
> >
> > --
>
>
> --
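A sanity check for the point Will raises above (forceiptstate only works when iptables actually sets the NEW/ESTABLISHED marks that snort_inline reads). This is an added example, not code from the thread or from the snort_inline project; it reads an `iptables-save` style dump on stdin and the two rulesets below are constructed samples mirroring Will's gateway rules and Swami's two host-only QUEUE rules.

```shell
#!/bin/sh
# Added example. Reads an iptables-save style ruleset on stdin and reports
# whether the plumbing snort_inline's forceiptstate relies on is present:
# NEW tcp marked 1 and ESTABLISHED tcp marked 2 in the mangle table, plus a
# QUEUE target that actually hands packets to snort_inline.
# Exit status 0 = all present, 1 = something is missing (details printed).
# On a real box: iptables-save | check_ruleset
check_ruleset() {
    awk '
    /^\*/ { table = substr($0, 2) }   # table header line, e.g. *mangle
    table == "mangle" && /--state NEW/ && /-j MARK --set-x?mark (0x)?1([^0-9a-fA-F]|$)/ { new_mark = 1 }
    table == "mangle" && /--state [A-Z,]*ESTABLISHED/ && /-j MARK --set-x?mark (0x)?2([^0-9a-fA-F]|$)/ { est_mark = 1 }
    /^-A (INPUT|OUTPUT|FORWARD) .*-j QUEUE$/ { queue = 1 }
    END {
        rc = 0
        if (!new_mark) { print "missing: mangle rule marking NEW tcp with mark 1"; rc = 1 }
        if (!est_mark) { print "missing: mangle rule marking ESTABLISHED tcp with mark 2"; rc = 1 }
        if (!queue)    { print "missing: -j QUEUE rule, nothing reaches snort_inline"; rc = 1 }
        exit rc
    }'
}

# Constructed sample in iptables-save format, mirroring the three rules Will
# posted for a gateway (mangle marks + FORWARD queue). iptables-save expands
# --syn into the equivalent --tcp-flags match.
GATEWAY_RULES='*mangle
-A FORWARD -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j MARK --set-mark 0x1
-A FORWARD -p tcp -m state --state ESTABLISHED -j MARK --set-mark 0x2
COMMIT
*filter
-A FORWARD -j QUEUE
COMMIT'

# Constructed sample mirroring Swami's host-only setup: the two QUEUE rules
# and no marks at all, so forceiptstate would never see a mark.
HOST_RULES='*filter
-A INPUT -j QUEUE
-A OUTPUT -j QUEUE
COMMIT'

printf '%s\n' "$GATEWAY_RULES" | check_ruleset && echo "gateway ruleset: marks present"
printf '%s\n' "$HOST_RULES" | check_ruleset || echo "host ruleset: not safe for forceiptstate"
```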