From: Will M. <wil...@gm...> - 2004-12-31 16:16:31
Try changing your -j ACCEPT rules to -j QUEUE. The only caveat is that snort_inline needs to see both sides of the conversation to do its job properly, so you would need rules like the following.

iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i eth0 -j QUEUE
iptables -A OUTPUT -o eth0 -j QUEUE

Even though you are using APF you should be able to get a list of the current iptables rules for INPUT, FORWARD and OUTPUT by doing the following.

iptables -L

Regards,

Will

On Fri, 31 Dec 2004 10:55:19 +0100, phpMiX (snort) <sn...@ph...> wrote:
> After the latest PHP/phpBB related worms I would like to use snort-inline to
> prevent problems in the future. I believe this is a must these days. And
> snort-inline is great, for what I've been reading (a lot, I think).
>
> I'm running RHEL 3 and I've been using APF and BFD (www.rfxnetworks.com).
> I've been also using Snort in IDS mode with ACID for some time now.
>
> Now, I've been able to install the kernel-source package, iptables-devel,
> libnet 1.0.2a and snort 2.3.0RC2 compiled with the --enable-inline option.
> Tested and it works! However, it is still running in IDS mode.
>
> I downloaded the rc.firewall script from honeynet.org and I've been trying
> to understand how do I need to change it to suit my needs. I do not need to
> do NAT nor act as Bridge. My computer is connected to just one interface
> (eth0), the net. Also, I still need to use APF, since it's easier to
> customize than iptables. TBH, I feel somehow lost when trying to figure out
> iptables seriously.
>
> Probably I need to setup the ip_queue chains to allow snort-inline do its
> own job, but I also need to keep all the iptable settings APF builds when
> it's started. ...or maybe I can't use APF+BFD anymore when using
> snort-inline?
>
> Please, can anyone help me?
>
> Thanks a lot in advance ...and happy new year!
> :-)
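
A check for the rule ordering this advice depends on, as an added example that is not part of the original thread: it reads `iptables-save`-style `-A` lines and reports, per chain, whether traffic on the interface reaches a QUEUE rule or is accepted by an earlier rule first. The function names and both sample rulesets are constructed for illustration.

```shell
#!/bin/sh
# Added example. Usage on a live host: iptables-save | audit_ruleset eth0

# audit_chain CHAIN FLAG IFACE  (rules on stdin). Prints one verdict:
#   OK        first matching terminal rule for IFACE is QUEUE
#   BYPASS n  n ACCEPT rules covering IFACE come before the QUEUE rule
#   MISSING   the chain has no QUEUE rule covering IFACE
audit_chain() {
    awk -v chain="$1" -v flag="$2" -v ifc="$3" '
        $1 == "-A" && $2 == chain {
            target = ""; rule_if = ""
            for (i = 3; i < NF; i++) {
                if ($i == "-j") target  = $(i + 1)
                if ($i == flag) rule_if = $(i + 1)
            }
            # A rule bound to another interface (e.g. lo) is irrelevant here.
            if (rule_if != "" && rule_if != ifc) next
            if (target == "QUEUE")  { queued = 1; exit }
            if (target == "ACCEPT") bypass++
        }
        END {
            if (!queued)     print "MISSING"
            else if (bypass) print "BYPASS " bypass
            else             print "OK"
        }'
}

# audit_ruleset IFACE  (rules on stdin): INPUT is matched on -i, OUTPUT on -o.
audit_ruleset() {
    rules=$(cat)
    printf 'INPUT=%s OUTPUT=%s\n' \
        "$(printf '%s\n' "$rules" | audit_chain INPUT -i "$1")" \
        "$(printf '%s\n' "$rules" | audit_chain OUTPUT -o "$1")"
}

# Constructed sample 1: the three rules from the reply, in save format.
sample_thread_rules() {
    printf '%s\n' '-A INPUT -i lo -j ACCEPT' '-A INPUT -i eth0 -j QUEUE' \
                  '-A OUTPUT -o eth0 -j QUEUE'
}
# Constructed sample 2: a QUEUE rule appended below existing ACCEPT rules.
sample_mixed_rules() {
    printf '%s\n' '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT' \
        '-A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT' \
        '-A INPUT -i eth0 -j QUEUE' \
        '-A OUTPUT -o lo -j ACCEPT' '-A OUTPUT -o eth0 -j ACCEPT'
}

sample_thread_rules | audit_ruleset eth0
sample_mixed_rules  | audit_ruleset eth0
```

Packets sent to QUEUE are dropped while no userspace program is reading the queue, so an OK verdict only means the traffic reaches snort_inline when snort_inline is actually running.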