From: William M. <Wil...@kc...> - 2004-11-18 23:04:55
Try using the state tracking mechanisms we built into 2.2.0a. We accomplished this by using marks in iptables and arguments to stream4. Something like:

# mark new (SYN) and established TCP in the mangle table
/usr/local/sbin/iptables -t mangle -A FORWARD -p tcp --syn -m state --state NEW -j MARK --set-mark 1
/usr/local/sbin/iptables -t mangle -A FORWARD -p tcp -m state --state ESTABLISHED -j MARK --set-mark 2
# hand the marked TCP, plus all UDP and ICMP, to the QUEUE target
/usr/local/sbin/iptables -I FORWARD -m mark --mark 1 -j QUEUE
/usr/local/sbin/iptables -I FORWARD -m mark --mark 2 -j QUEUE
/usr/local/sbin/iptables -I FORWARD -p udp -j QUEUE
/usr/local/sbin/iptables -I FORWARD -p icmp -j QUEUE

And then modify the stream4 line to read:

preprocessor stream4: disable_evasion_alerts, iptablesnewmark, iptablesestmark, forceiptstate
preprocessor stream4_reassemble: both

In addition, I don't see anything in your conf regarding http_inspect. If you are going to be matching rules that have uricontent in them, you are going to need the following:

preprocessor http_inspect: global \
    iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default \
    profile all ports { 80 8080 8180 } oversize_dir_length 500 \
    no_alerts

Regards,
Will
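The rule set from Will's message, wrapped in a small script as an added example (this is not code from the original post or from the snort_inline project). It keeps the mark numbers in one place so they stay in step with the stream4 line, and adds a dry-run mode so the exact commands can be reviewed on a host without iptables before they are loaded. The iptables path, the NEW_MARK/EST_MARK/DRY_RUN/APPLY variable names and the comments on rule ordering are this script's own assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: load the state-marking and
# QUEUE rules for snort_inline, with DRY_RUN=1 to print instead of run.

IPT=${IPT:-/usr/local/sbin/iptables}   # path used in the post; assumption
NEW_MARK=1   # mark for new TCP; must agree with stream4's iptablesnewmark
EST_MARK=2   # mark for established TCP; must agree with iptablesestmark
DRY_RUN=${DRY_RUN:-0}

# Either execute the command or print it, depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Mark new (SYN) and established TCP in the mangle table. -A appends, so
# the NEW rule is evaluated before the ESTABLISHED rule.
mark_rules() {
    run "$IPT" -t mangle -A FORWARD -p tcp --syn -m state --state NEW \
        -j MARK --set-mark "$NEW_MARK"
    run "$IPT" -t mangle -A FORWARD -p tcp -m state --state ESTABLISHED \
        -j MARK --set-mark "$EST_MARK"
}

# Hand marked TCP plus all UDP and ICMP to QUEUE. -I inserts at the head
# of FORWARD, so the last rule added here (icmp) ends up first in the
# chain. All four go to the same target, so their relative order does not
# change the outcome, but they do sit in front of anything already in
# FORWARD, which is what you want for an inline sensor.
queue_rules() {
    run "$IPT" -I FORWARD -m mark --mark "$NEW_MARK" -j QUEUE
    run "$IPT" -I FORWARD -m mark --mark "$EST_MARK" -j QUEUE
    run "$IPT" -I FORWARD -p udp -j QUEUE
    run "$IPT" -I FORWARD -p icmp -j QUEUE
}

# Full rule set in load order.
all_rules() {
    mark_rules
    queue_rules
}

# Only touch the firewall when explicitly asked (APPLY=1); a dry run
# (DRY_RUN=1 APPLY=1 ./script.sh) prints the six commands for review.
if [ "${APPLY:-0}" = 1 ]; then
    all_rules
fi
```

Run it once with `DRY_RUN=1 APPLY=1` and check that every `--set-mark` value printed matches what your stream4 line expects, then load it with `APPLY=1` and confirm with `iptables -t mangle -L FORWARD -n` and `iptables -L FORWARD -n` that the MARK rules precede nothing else in mangle and that the four QUEUE rules sit at the top of FORWARD.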