From: joe z <sec...@ho...> - 2005-03-09 03:43:26
i have snort 2.3, compiled with --enable-inline, on a box behind a firewall, inline, to scan traffic. two questions. a little history first...

when i enable transparent proxy (iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080) by itself, it works. just as a router, good. when i comment out the tp and uncomment (iptables -t mangle -A PREROUTING -j QUEUE) without snort, it doesn't work (i.e. no traffic passes); with snort running (snort -D -Q -c /etc/snort/rules) it works but doesn't drop anything. ip_queue is loaded.

i need advice on A. a rule to test the inline drop functionality and/or advice on proper config; B. how to run inline and transparent proxy. i tried:

drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware 180solutions Spyware"; uricontent:"180solutions.com"; nocase; classtype:trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; flow:to_server,established; sid:2001051; rev:3;)

and browsed to http://180solutions.com from an internal host. obviously fruitlessly. is that the wrong way to write a drop rule or did i configure wrong? either way, a simple test drop rule would be much appreciated...
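The following is an added example, not part of the post above and not snort or iptables project code. It packages the two things the poster asks for: a minimal rule set whose only purpose is to prove that inline drops work, and an iptables setup that keeps the transparent proxy REDIRECT next to the QUEUE rule. Three points it encodes are worth stating plainly. First, mangle PREROUTING is traversed before nat PREROUTING, so a QUEUE rule in mangle hands every packet to snort before REDIRECT rewrites it, and the two rules can coexist. Second, with ip_queue loaded but no process attached to the queue the kernel drops every queued packet, which is exactly the "no traffic passes" symptom seen without snort; the script therefore refuses to insert the QUEUE rule until a `snort -Q` process is running. Third, a request to http://180solutions.com/ carries the hostname in the Host header, not in the request URI, so the added HTTP test rule matches with `content` rather than `uricontent`. The rules file path, snort.conf path, proxy port, the `DRY_RUN` switch and the function names are assumptions of this example; the ICMP rule is the simplest thing to verify, by pinging through the box from an internal host and watching the replies stop.

```shell
#!/bin/sh
# Added example (not from the original post): stage snort inline behind a
# QUEUE rule, keep the transparent proxy REDIRECT, and install a rule set
# whose only job is to prove that drops happen.
# Assumptions (not from the post): rules go to /etc/snort/inline-test.rules,
# the proxy listens on 8080, and that rules file is included from the
# snort.conf that snort is started with.
# DRY_RUN=1 (default) only prints the privileged commands; DRY_RUN=0 runs them.
DRY_RUN="${DRY_RUN:-1}"
RULES_FILE="${RULES_FILE:-/etc/snort/inline-test.rules}"
PROXY_PORT="${PROXY_PORT:-8080}"

run() {
    # Echo every privileged command; execute it only when DRY_RUN=0.
    echo "+ $*"
    [ "$DRY_RUN" = "0" ] && "$@"
    return 0
}

# Constructed test rules. sids above 1000000 are reserved for local rules.
# The ICMP rule drops echo requests, so a ping through the box must fail.
# The HTTP rule mirrors the poster's 180solutions rule but matches the
# hostname anywhere in the request (Host header), not only in the URI.
test_rules() {
    cat <<'EOF'
# inline-test.rules: constructed for a drop test, not a production rule set
drop icmp any any -> any any (msg:"INLINE-TEST drop icmp echo"; itype:8; sid:1000001; rev:1;)
drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INLINE-TEST drop 180solutions"; flow:to_server,established; content:"180solutions.com"; nocase; sid:1000002; rev:1;)
EOF
}

iptables_cmds() {
    # Order matters: mangle PREROUTING is walked before nat PREROUTING, so
    # snort sees the original packet before REDIRECT changes its destination.
    run iptables -t mangle -A PREROUTING -j QUEUE
    run iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port "$PROXY_PORT"
}

queue_has_consumer() {
    # ip_queue with nobody attached drops every queued packet: the QUEUE
    # rule must only go in once snort is running in inline (-Q) mode.
    lsmod 2>/dev/null | grep -q '^ip_queue' || return 1
    pgrep -f 'snort.* -Q' >/dev/null 2>&1
}

main() {
    [ "$DRY_RUN" = "0" ] && test_rules > "$RULES_FILE"
    if [ "$DRY_RUN" = "0" ] && ! queue_has_consumer; then
        echo "refusing to add QUEUE rule: start 'snort -D -Q -c snort.conf' (including $RULES_FILE) first" >&2
        return 1
    fi
    iptables_cmds
}

main
```

Run it once with the default dry run to see the commands and the rule set, then with `DRY_RUN=0` as root after snort is up. If a drop rule fires in `snort -Q` mode the packet never leaves the queue; if snort was started without `-Q`, the same `drop` rules behave as plain alerts, which is the other common reason an inline box "works but doesn't drop anything".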