From: Will M. <wil...@gm...> - 2005-03-12 21:51:54
B. how to run inline and transparent proxy

I'm assuming that you are running the proxy on the same box you are running
snort-inline on. Try the following, I can't promise anything as I don't have a
box running NAT mode right now.

  iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080
  iptables -A INPUT -p tcp --dport 8080 -j QUEUE
  iptables -A OUTPUT -p tcp --sport 8080 -j QUEUE

snort_inline.conf:
  config checksum_mode:none

On Tue, 08 Mar 2005 22:43:18 -0500, joe z <sec...@ho...> wrote:
> i have snort 2.3, compiled with --enable-inline, on a box behind a firewall,
> inline, to scan traffic. two questions. a little history first... when i
> enable transparent proxy (iptables -t nat -A PREROUTING -p tcp --dport 80 -j
> REDIRECT --to-port 8080 ) by itself, it works. just as a router, good. when
> i comment out the tp and uncomment ( iptables -t mangle -A PREROUTING -j
> QUEUE ) -without snort, it doesn't work (i.e. no traffic passes); with snort
> running (snort -D -Q -c /etc/snort/rules ) it works but doesn't drop
> anything. ip_queue is loaded. i need advice on A. a rule to test the inline
> drop functionality and/or advice on proper config.; B. how to run inline and
> transparent proxy; i tried:
>
> drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE
> Malware 180solutions Spyware"; uricontent:"180solutions.com"; nocase;
> classtype:trojan-activity;
> reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html;
> flow:to_server,established; sid:2001051; rev:3;)
>
> and browsed to http://180solutions.com from an internal host. obviously
> fruitlessly. is that the wrong way to write a drop rule or did i configure
> wrong? either way, a simple test drop rule would be much appreciated...
>
> _______________________________________________
> Snort-inline-users mailing list
> Sno...@li...
> https://lists.sourceforge.net/lists/listinfo/snort-inline-users