From: Murugavel T. <tmu...@gm...> - 2004-12-11 12:13:38
Hi,

We have implemented snort-inline. For testing purposes we removed all the rules. The setup is like below:

    APC-system ------- ROUTER --- SNORT-INLINE ------ BPC-system

When we try to telnet from the BPC-system to the router, snort-inline is preventing the telnet session. snort-inline is in bridge mode. When we remove the iptables rules it works fine without any issue. Any suggestion welcome.

Iptables rules used:

    iptables -t mangle -A FORWARD -p tcp -s xxxx --syn -m state --state NEW -j MARK --set-mark 1
    iptables -t mangle -A FORWARD -p tcp -s xxxx -m state --state ESTABLISHED -j MARK --set-mark 2
    iptables -A FORWARD -s xxxx -j QUEUE

snort.conf file:

    var HOME_NET any
    var HONEYNET any
    var EXTERNAL_NET any
    var DNS_SERVERS $HOME_NET
    var SMTP_SERVERS $HOME_NET
    var HTTP_SERVERS $HOME_NET
    var SQL_SERVERS $HOME_NET
    var TELNET_SERVERS $HOME_NET
    var SNMP_SERVERS $HOME_NET
    var HTTP_PORTS 80
    var SHELLCODE_PORTS !80
    var ORACLE_PORTS 1521
    var AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
    var RULE_PATH /usr/local/rules/rules

    preprocessor flow: stats_interval 0 hash 2
    preprocessor frag2
    preprocessor stream4: disable_evasion_alerts
    preprocessor stream4_reassemble
    preprocessor http_inspect: global \
        iis_unicode_map unicode.map 1252
    preprocessor http_inspect_server: server default \
        profile all ports { 80 8080 8180 } oversize_dir_length 500
    preprocessor rpc_decode: 111 32771
    preprocessor bo
    preprocessor telnet_decode: 23 25 21 119

    include classification.config
    include reference.config

    #include $RULE_PATH/local.rules
    #include $RULE_PATH/bad-traffic.rules
    #include $RULE_PATH/exploit.rules
    #include $RULE_PATH/scan.rules
    #include $RULE_PATH/finger.rules
    #include $RULE_PATH/ftp.rules
    #include $RULE_PATH/telnet.rules

Regards
tmv

"Success comes to the person who does today"
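One check worth making in a setup like this (added example, not part of the original post): the iptables QUEUE target hands packets to a userspace reader through the ip_queue module, and the kernel drops queued packets while no reader is attached, so a snort_inline process that is not actually bound to the queue blocks forwarded traffic no matter how few rules it has loaded. The script below reads the "Peer PID" and "Queue dropped" fields from /proc/net/ip_queue; the field layout is assumed from the ip_queue module and the two sample status texts are constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the ip_queue module
# exposes /proc/net/ip_queue with "Peer PID" and "Queue dropped" lines;
# Peer PID 0 means no userspace reader (e.g. snort_inline) is attached.

# Return 0 when the given status text shows an attached queue reader.
queue_has_peer() {
    pid=$(printf '%s\n' "$1" | sed -n 's/^Peer PID *: *\([0-9]*\).*/\1/p')
    [ -n "$pid" ] && [ "$pid" -ne 0 ]
}

# Print the number of packets the kernel dropped for lack of a reader.
queue_dropped() {
    printf '%s\n' "$1" | sed -n 's/^Queue dropped *: *\([0-9]*\).*/\1/p'
}

# Constructed sample: status before snort_inline has attached.
SAMPLE_NO_PEER='Peer PID          : 0
Copy mode         : 0
Copy range        : 0
Queue length      : 0
Queue max. length : 1024
Queue dropped     : 57
Netlink dropped   : 0'

# Constructed sample: snort_inline attached, copy mode 2 (whole packet).
SAMPLE_PEER='Peer PID          : 4242
Copy mode         : 2
Copy range        : 65535
Queue length      : 3
Queue max. length : 1024
Queue dropped     : 0
Netlink dropped   : 0'

# Live check on a real host; only meaningful where the proc file exists.
check_live() {
    [ -r /proc/net/ip_queue ] || { echo "ip_queue not loaded"; return 2; }
    status=$(cat /proc/net/ip_queue)
    if queue_has_peer "$status"; then
        echo "queue reader attached; dropped=$(queue_dropped "$status")"
    else
        echo "no reader on QUEUE: queued packets are being dropped"
        return 1
    fi
}
```

Run check_live on the snort-inline bridge itself; a non-zero "Queue dropped" counter that keeps climbing while the telnet attempt is made points at the queue, not the Snort rules.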