From: Swaminathan S. <ssr...@cs...> - 2004-10-13 17:24:35
Hi again

I also wanted to mention the snort-inline does see these packets. I checked by running snort inline as

snort_inline -Qvc /etc/snort-inline/snort_inline.conf

But it's just that the packets don't seem to pass through it. I don't see any alerts either. I tried to ssh to test this configuration

thanks
Swami

On Tue, Oct 12, 2004 at 09:11:52PM -0500, Will Metcalf wrote:
> What does your snort_inline.conf look like? It sounds like you might
> be using forceiptstate without using marks in iptables to track state.
> Really can't say without seeing your snort_inline.conf and how your
> snort_inline box sits in relation to the rest of your network.
>
> iptables -t mangle -A FORWARD -p tcp --syn -m state --state NEW -j MARK --set-mark 1
> iptables -t mangle -A FORWARD -p tcp -m state --state ESTABLISHED -j MARK --set-mark 2
> iptables -A FORWARD -j QUEUE
>
> Regards,
>
> Will
>
>
> On Tue, 12 Oct 2004 19:55:54 -0400, Swaminathan Srinivasan
> <ssr...@cs...> wrote:
> > hi all
> > I am new to snort-inline or even snort. I have been trying to get snort
> > inline(version 2.2.0 build 30) work on my machine for a very basic setup.
> > I wanted all the packets in and out of my machine to go through snort
> >
> > so I setup my iptables with these 2 rules (only these 2 rules)
> > iptables -A INPUT -j QUEUE
> > iptables -A OUTPUT -j QUEUE
> >
> > Then I start my snort inline as
> > snort_inline -Qvc /etc/snort-inline/snort_inline.conf -l /var/log/snort
> >
> > I see my icmp and udp packets get through but none of my tcp sessions (I
> > tried web and ssh) are initiated. I don't even see SYN packets
> >
> > I have used the sample snort_inline config file available with the distribution
> > with some changes to turning on preprocessors
> >
> > What am I missing ?
> >
> > thanks
> > Swami
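
The pairing described in the reply (QUEUE rules alongside mangle MARK rules that track state) can be checked mechanically; the script below is an added example, not part of either message and not snort_inline project code. The function names and the `iptables-save`-style sample dumps are constructed, and the check only looks for MARK rules covering NEW and ESTABLISHED on a hook the queued packet has already passed, not for particular mark values.

```shell
#!/bin/sh
# Added example: audit an iptables-save dump (read on stdin) for the pairing
# described in the reply: chains that QUEUE packets should also have mangle
# MARK rules for NEW and ESTABLISHED state on a hook the packet has passed.
# Prints "<chain> marked|unmarked" per built-in filter chain with a QUEUE rule.
audit_queue_marks() {
  awk '
    /^\*/ { table = substr($0, 2); next }      # table header: *mangle, *filter
    $1 != "-A" { next }                        # only rule lines
    table == "mangle" && / -j MARK / {
      if ($0 ~ /--(ct)?state [A-Z,]*NEW/)         new_mark[$2] = 1
      if ($0 ~ /--(ct)?state [A-Z,]*ESTABLISHED/) est_mark[$2] = 1
    }
    table == "filter" && / -j QUEUE/ { queued[$2] = 1 }
    END {
      n = split("INPUT FORWARD OUTPUT", chains, " ")
      for (i = 1; i <= n; i++) {
        c = chains[i]
        if (!(c in queued)) continue
        # mangle PREROUTING runs before INPUT and FORWARD, never before OUTPUT
        pre = (c != "OUTPUT")
        ok_new = new_mark[c] || (pre && new_mark["PREROUTING"])
        ok_est = est_mark[c] || (pre && est_mark["PREROUTING"])
        print c, ((ok_new && ok_est) ? "marked" : "unmarked")
      }
    }'
}

# Helper (constructed): emit the two MARK rules from the reply for chain $1,
# written the way iptables-save prints them.
mark_rules() {
  printf '%s\n' \
    "-A $1 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j MARK --set-mark 0x1" \
    "-A $1 -p tcp -m state --state ESTABLISHED -j MARK --set-mark 0x2"
}

# Constructed sample dumps, not taken from any real host.
# 1: only the two QUEUE rules from the original question.
QUEUE_ONLY=$(printf '%s\n' '*filter' '-A INPUT -j QUEUE' '-A OUTPUT -j QUEUE' COMMIT)
# 2: same QUEUE rules, MARK rules present but only on FORWARD.
FORWARD_MARKS=$(printf '%s\n' '*mangle' "$(mark_rules FORWARD)" COMMIT "$QUEUE_ONLY")
# 3: MARK rules on the same chains that are queued.
LOCAL_MARKS=$(printf '%s\n' '*mangle' "$(mark_rules INPUT)" "$(mark_rules OUTPUT)" COMMIT "$QUEUE_ONLY")

for dump in "$QUEUE_ONLY" "$FORWARD_MARKS" "$LOCAL_MARKS"; do
  printf '%s\n' "$dump" | audit_queue_marks
  echo "--"
done
```

On a live host the same function can be fed with `iptables-save | audit_queue_marks`.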