From: Swaminathan S. <ssr...@cs...> - 2004-10-14 18:51:40
Hi,

So I tested my setup again. First let me describe the setup.

1. I have snort-inline running on my machine looking at packets in and out of the machine. The machine does not forward any packets.

2. I set up iptables to queue all packets in and out of the machine:

   iptables -A INPUT -j QUEUE
   iptables -A OUTPUT -j QUEUE

3. I start snort inline as follows:

   snort_inline -Qvc /etc/snort-inline/snort_inline.conf -l /var/log/snort

4. snort_inline starts up without complaining.

So now when I try to ssh to a host in my network I see snort giving information on the SYN packet, but tcpdump does not see the packet, so I assume the packet is getting dropped. But I do not get any alerts either. At the same time DNS requests are also queued, but those get through, and so do icmp packets. (btw I am assuming all the alerts, including those from dropped packets, can be seen in /var/log/snort/alerts; am I wrong?)

I made some changes to the snort_inline.conf file and I am sending it again. Any suggestions on what I am doing wrong?

thanks
Swami

On Tue, Oct 12, 2004 at 09:11:52PM -0500, Will Metcalf wrote:
> What does your snort_inline.conf look like? It sounds like you might
> be using forceiptstate without using marks in iptables to track state.
> Really can't say without seeing your snort_inline.conf and how your
> snort_inline box sits in relation to the rest of your network.
>
> iptables -t mangle -A FORWARD -p tcp --syn -m state --state NEW -j MARK --set-mark 1
> iptables -t mangle -A FORWARD -p tcp -m state --state ESTABLISHED -j MARK --set-mark 2
> iptables -A FORWARD -j QUEUE
>
> Regards,
>
> Will
>
>
> On Tue, 12 Oct 2004 19:55:54 -0400, Swaminathan Srinivasan
> <ssr...@cs...> wrote:
> > hi all
> > I am new to snort-inline or even snort. I have been trying to get snort
> > inline (version 2.2.0 build 30) to work on my machine for a very basic setup.
> > I wanted all the packets in and out of my machine to go through snort
> >
> > so I set up my iptables with these 2 rules (only these 2 rules)
> > iptables -A INPUT -j QUEUE
> > iptables -A OUTPUT -j QUEUE
> >
> > Then I start my snort inline as
> > snort_inline -Qvc /etc/snort-inline/snort_inline.conf -l /var/log/snort
> >
> > I see my icmp and udp packets get through but none of my tcp sessions (I
> > tried web and ssh) are initiated. I don't even see SYN packets
> >
> > I have used the sample snort_inline config file available with the distribution
> > with some changes to turning on preprocessors
> >
> > What am I missing?
> >
> > thanks
> > Swami
> >
> > --
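As an added example (not from either poster), a small shell helper that adapts the mark-then-QUEUE rules Will quotes for FORWARD to a host like Swami's that does not forward, by applying them to the INPUT and OUTPUT chains instead. The function names are made up for this example; setting IPT=echo prints the rules instead of applying them, and applying them for real assumes root and a loaded ip_queue module.

```shell
#!/bin/sh
# Hypothetical helper (added example): mark new TCP flows 1 and
# established flows 2 in the mangle table, then hand every packet on
# the chain to QUEUE, so snort_inline sees marks in both directions.
# IPT=echo dry-runs; the default applies the rules with iptables.
IPT="${IPT:-iptables}"

# Emit the three rules for one chain (INPUT or OUTPUT on a non-forwarding host).
# The MARK rules must come before the QUEUE rule, otherwise the packet is
# queued to userspace before the mark is set.
mark_and_queue() {
    chain="$1"
    "$IPT" -t mangle -A "$chain" -p tcp --syn -m state --state NEW -j MARK --set-mark 1
    "$IPT" -t mangle -A "$chain" -p tcp -m state --state ESTABLISHED -j MARK --set-mark 2
    "$IPT" -A "$chain" -j QUEUE
}

# A host that does not forward needs the rules on INPUT and OUTPUT,
# since nothing ever traverses FORWARD on such a box.
setup_host_rules() {
    mark_and_queue INPUT
    mark_and_queue OUTPUT
}

# Usage: "sh rules.sh preview" prints the rules, "sh rules.sh apply" installs them.
case "${1:-}" in
    apply)   setup_host_rules ;;
    preview) IPT=echo; setup_host_rules ;;
esac
```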