From: Will M. <wil...@gm...> - 2004-10-14 21:26:36

I haven't forgotten about you, I've just been super busy. I'll look over the files you have sent this evening. Sorry it has taken so long for me to get back to you.

Regards,
Will

On Thu, 14 Oct 2004 14:51:24 -0400, Swaminathan Srinivasan <ssr...@cs...> wrote:
> Hi
>
> So I tested my setup again. First let me describe the setup.
>
> 1. I have snort-inline running on my machine looking at packets in and out
> of the machine. The machine does not forward any packets.
> 2. I set up iptables to queue all packets in and out of the machine:
> iptables -A INPUT -j QUEUE
> iptables -A OUTPUT -j QUEUE
> 3. I start snort_inline as follows:
> snort_inline -Qvc /etc/snort-inline/snort_inline.conf -l /var/log/snort
> 4. snort_inline starts up without complaining.
>
> So now when I try to ssh to a host in my network I see snort giving
> information on the SYN packet, but tcpdump does not see the packet, so I
> assume the packet is getting dropped. But I do not get any alerts either.
> At the same time DNS requests are also queued, but those get through and so
> do ICMP packets.
> (btw I am assuming all the alerts, including from dropped packets, can be seen
> in /var/log/snort/alerts. Am I wrong?)
> I made some changes to the snort_inline.conf file and I am sending it again.
>
> Any suggestions on what I am doing wrong?
>
> thanks
> Swami
>
> On Tue, Oct 12, 2004 at 09:11:52PM -0500, Will Metcalf wrote:
> > What does your snort_inline.conf look like? It sounds like you might
> > be using forceiptstate without using marks in iptables to track state.
> > Really can't say without seeing your snort_inline.conf and how your
> > snort_inline box sits in relation to the rest of your network.
> >
> > iptables -t mangle -A FORWARD -p tcp --syn -m state --state NEW -j MARK --set-mark 1
> > iptables -t mangle -A FORWARD -p tcp -m state --state ESTABLISHED -j MARK --set-mark 2
> > iptables -A FORWARD -j QUEUE
> >
> > Regards,
> >
> > Will
> >
> > On Tue, 12 Oct 2004 19:55:54 -0400, Swaminathan Srinivasan
> > <ssr...@cs...> wrote:
> > > hi all
> > > I am new to snort-inline or even snort. I have been trying to get snort
> > > inline (version 2.2.0 build 30) to work on my machine for a very basic setup.
> > > I wanted all the packets in and out of my machine to go through snort,
> > >
> > > so I set up my iptables with these 2 rules (only these 2 rules):
> > > iptables -A INPUT -j QUEUE
> > > iptables -A OUTPUT -j QUEUE
> > >
> > > Then I start my snort inline as
> > > snort_inline -Qvc /etc/snort-inline/snort_inline.conf -l /var/log/snort
> > >
> > > I see my icmp and udp packets get through but none of my tcp sessions (I
> > > tried web and ssh) are initiated. I don't even see SYN packets.
> > >
> > > I have used the sample snort_inline config file available with the distribution
> > > with some changes to turn on preprocessors.
> > >
> > > What am I missing?
> > >
> > > thanks
> > > Swami
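The rules Will posted mark new and established TCP connections before handing packets to the QUEUE target, but they are written for the FORWARD chain, whereas Swami's machine does not forward and queues on INPUT and OUTPUT. The script below is an added example, not code from either poster or from the snort_inline project: it emits (or, with DRY_RUN=0 as root, applies) the same three rules for any list of chains. It assumes that mark 1 for NEW and mark 2 for ESTABLISHED are the values the state enforcement in snort_inline.conf expects, exactly as in Will's rules, and that the state and MARK iptables modules (and connection tracking) are available on the box.

```shell
#!/bin/sh
# Added example (not from the thread): build the mark + QUEUE rule set from
# Will's FORWARD-chain rules for an arbitrary list of chains. A host that
# does not forward traffic (Swami's case) needs INPUT and OUTPUT instead.
#
# Assumptions (not confirmed by the thread beyond Will's rules):
#   - mark 1 = NEW TCP connection, mark 2 = ESTABLISHED TCP connection are
#     the values snort_inline.conf's state enforcement expects
#   - the state match (connection tracking) and MARK target are loaded
#
# Marks are set in the mangle table, which is traversed before the filter
# table on INPUT, OUTPUT and FORWARD, so the QUEUE rule in filter sees them.

DRY_RUN=${DRY_RUN:-1}   # 1: print the commands; 0: run iptables for real

# run_rule ARGS...: print "iptables ARGS" in dry-run mode, else execute it
run_rule() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# snort_inline_rules CHAIN...: for each chain, mark the TCP SYN that opens a
# NEW connection with 1, packets of ESTABLISHED TCP connections with 2, then
# send every packet on that chain to ip_queue for snort_inline to verdict.
snort_inline_rules() {
    for chain in "$@"; do
        run_rule -t mangle -A "$chain" -p tcp --syn -m state --state NEW -j MARK --set-mark 1
        run_rule -t mangle -A "$chain" -p tcp -m state --state ESTABLISHED -j MARK --set-mark 2
        run_rule -A "$chain" -j QUEUE
    done
}

# rule_count CHAIN...: number of rules the set above produces (always dry-run)
rule_count() {
    ( DRY_RUN=1; snort_inline_rules "$@" ) | wc -l | tr -d ' '
}

# Usage: sh this.sh            -> prints the rules for a non-forwarding host
#        DRY_RUN=0 sh this.sh  -> applies them (run as root)
# For a bridging or routing sensor, pass FORWARD instead of INPUT OUTPUT.
snort_inline_rules INPUT OUTPUT
```

Run it in dry-run mode first and compare the output against `iptables -t mangle -L -n` and `iptables -L -n` after applying, since a QUEUE rule with no snort_inline attached to ip_queue leaves the host unable to pass any traffic.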