From: Victor J. <vi...@nk...> - 2005-01-31 09:54:21

Murugavel Thiruvengadam wrote:
> Hi
>
> My question is "Is it necessary to mark packets for snort-inline to process?"
> iptables -t mangle -A FORWARD -p tcp -s <xxxxxx> --syn -m state
> --state NEW -j MARK --set-mark 1
>
> regards
> murugavel
>
> On Mon, 31 Jan 2005 09:22:06 +0000, Victor Julien <vi...@nk...> wrote:
>
>>Murugavel Thiruvengadam wrote:
>>
>>>Hi,
>>>
>>>We have to implement snort-inline without the ip_conntrack module.
>>>
>>>Is it possible?
>>>
>>>iptables -t mangle -A FORWARD -p tcp -s <xxxxxx> --syn -m state
>>>--state NEW -j MARK --set-mark 1
>>>iptables -t mangle -A FORWARD -p tcp -s <xxxxxxxxxx> -m state --state
>>>ESTABLISHED -j MARK --set-mark 2
>>>iptables -A FORWARD -s <xxxxxxx> -j QUEUE
>>>
>>>In the above rules ipt_state uses the ip_conntrack module.
>>>
>>>Is there any other way to modify the rules without ip_conntrack?
>>>
>>>Regards
>>>Murugavel
>>
>>Hi Murugavel,
>>
>>You can just use:
>>
>>iptables -A FORWARD -j QUEUE
>>
>>This way you send all forwarded traffic to snort_inline, and you won't
>>need ip_conntrack.
>>
>>Hope this helps,
>>
>>Regards,
>>Victor

No it's not. The marking was added as a way to help the stream4 preprocessor. But it's not needed. BTW: 2.3 won't even have this function anymore...

Regards,
Victor
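The practical follow-up to this thread is checking which rules in an existing ruleset actually pull in connection tracking before dropping ip_conntrack. The script below is an added example, not code from the thread or from the snort_inline project; it scans rule lines (as typed by hand or dumped with iptables-save) for the `state` and `conntrack` match modules and counts the dependent rules. The sample ruleset is constructed here, with 192.0.2.10 standing in for the `<xxxxxx>` source address the original poster redacted.

```shell
#!/bin/sh
# Added example: audit iptables rules for a dependency on connection tracking.
# Not part of the mailing-list thread; the sample rules below are constructed.

# Returns 0 (true) if the rule line loads a conntrack-based match, 1 otherwise.
# "-m state"/"--state" is the old ipt_state match; "-m conntrack"/"--ctstate"
# is its successor. Both require the ip_conntrack (nf_conntrack) module.
rule_needs_conntrack() {
    case "$1" in
        *"-m state"*|*"--state "*|*"-m conntrack"*|*"--ctstate "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Reads one rule per line from stdin, skips blanks and comments, and prints
# the number of rules that depend on connection tracking.
count_conntrack_rules() {
    count=0
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        if rule_needs_conntrack "$line"; then
            count=$((count + 1))
        fi
    done
    echo "$count"
}

# Constructed sample: the two marking rules from the thread (they need
# ip_conntrack), the per-source QUEUE rule, and the conntrack-free
# catch-all that the reply recommends.
SAMPLE_RULES='# mangle-table marking rules
iptables -t mangle -A FORWARD -p tcp -s 192.0.2.10 --syn -m state --state NEW -j MARK --set-mark 1
iptables -t mangle -A FORWARD -p tcp -s 192.0.2.10 -m state --state ESTABLISHED -j MARK --set-mark 2
iptables -A FORWARD -s 192.0.2.10 -j QUEUE
iptables -A FORWARD -j QUEUE'

# Runs the audit over the sample and prints the count (2 for the sample above).
report() {
    printf '%s\n' "$SAMPLE_RULES" | count_conntrack_rules
}

report
```

To audit a live system, replace the constructed sample with `iptables-save` output piped into `count_conntrack_rules`; a result of 0 means the ruleset can run without ip_conntrack, which is exactly the situation the plain `iptables -A FORWARD -j QUEUE` rule gives you.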