From: Will M. <wil...@gm...> - 2005-05-12 22:21:05

'cat /proc/sys/net/ipv4/ip_forward' shows a 1 if you are bridging traffic, this should be set to 0.

What are you passing to snort on the command line?

Regards,
Will

On 5/12/05, Norwich University - Information Security <in...@no...> wrote:
> Hi,
>
> I'm setting up/testing snort inline like so...
>
> PC ---x----(snort_inline)--------network
>
> (yes that's an x-over cable)
>
> Bridging seems to work. Output from 'snort -Qvc <configuration file>'
> shows headers so iptables should be sending traffic to the QUEUE and
> snort should be seeing it.
>
> 'cat /proc/sys/net/ipv4/ip_forward' shows a 1
>
> I'm just using a simple iptables script for testing...
>
> $IPTABLES -F
> $IPTABLES -X
> $IPTABLES -P FORWARD ACCEPT
> $IPTABLES -P INPUT ACCEPT
> $IPTABLES -P OUTPUT ACCEPT
> $IPTABLES -A INPUT -s 127.0.0.1 -j ACCEPT
> $IPTABLES -A OUTPUT -d 127.0.0.1 -j ACCEPT
>
> $IPTABLES -N ssh-allowed-in
> $IPTABLES -F ssh-allowed-in
> $IPTABLES -A ssh-allowed-in --proto tcp --destination-port ssh -m state --state NEW,ESTABLISHED -j ACCEPT
> $IPTABLES -A ssh-allowed-in --proto tcp --source-port ssh -m state --state NEW,ESTABLISHED -j ACCEPT
>
> $IPTABLES -N ssh-allowed-out
> $IPTABLES -F ssh-allowed-out
> $IPTABLES -A ssh-allowed-out --proto tcp --destination-port ssh -m state --state NEW,ESTABLISHED -j ACCEPT
> $IPTABLES -A ssh-allowed-out --proto tcp --source-port ssh -m state --state NEW,ESTABLISHED -j ACCEPT
>
> $IPTABLES -A INPUT -j ssh-allowed-in
> $IPTABLES -A FORWARD -j QUEUE
> $IPTABLES -A OUTPUT -j ssh-allowed-out
>
> And in my snort.conf I'm just using any/any right now...
>
> var HOME_NET any
> var EXTERNAL_NET any
>
> And I'm NOT loading any rules.
>
> I thought if I did not load any rules traffic would enter the FORWARD
> chain and be sent to QUEUE. Since no rules are loaded nothing should be
> dropping packets and the traffic should be allowed out.
>
> I must be missing something though, because no traffic is getting
> through from the PC. If I remove $IPTABLES -A FORWARD -j QUEUE from the
> iptables script it works (obviously). To my untrained eye it looks like
> the traffic is getting stuck (for lack of a better word) in QUEUE.
>
> What am I missing?
>
> Jason
>
> _______________________________________________
> Snort-inline-users mailing list
> Sno...@li...
> https://lists.sourceforge.net/lists/listinfo/snort-inline-users
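A small diagnostic for the situation Jason describes, added here as an example and not something posted in this thread or shipped with snort_inline. The point it encodes: once a FORWARD rule jumps to QUEUE, the ip_queue module hands packets to whatever userspace process has attached to it, and if nothing has attached (snort not started with -Q, or the module not loaded) those packets are discarded rather than forwarded, which looks exactly like traffic "stuck in QUEUE". The script reads the three things the thread mentions (ip_forward, the iptables FORWARD listing) plus the ip_queue status file /proc/net/ip_queue, and classifies the state. All inputs are passed in as text so it runs offline; the samples are constructed, the function names are my own, and the status-file layout follows the one the ip_queue module printed in the 2.4/2.6 era (treat it as an assumption and compare against your own box).

```shell
#!/bin/sh
# Added example (not from the thread): why are packets that hit "-j QUEUE"
# going nowhere? Inputs are passed as text so the logic runs offline.
# On a live snort_inline box you would feed it:
#   cat /proc/sys/net/ipv4/ip_forward
#   cat /proc/net/ip_queue          (status file of the ip_queue module; assumed layout)
#   iptables -L FORWARD -n
# "Peer PID : 0" in the ip_queue file means no userspace reader is attached.

# Extract the numeric value of one "Label : value" line from ip_queue output.
#   $1 = ip_queue text, $2 = label prefix (e.g. "Peer PID")
ipq_field() {
    printf '%s\n' "$1" | awk -F: -v want="$2" \
        'index($1, want) == 1 { gsub(/[ \t]/, "", $2); print $2; exit }'
}

# Classify the queue: prints no-peer | dropping | draining
queue_status() {
    pid=$(ipq_field "$1" "Peer PID")
    dropped=$(ipq_field "$1" "Queue dropped")
    if [ "${pid:-0}" -eq 0 ]; then
        echo no-peer        # nothing reads the queue: QUEUE'd packets are discarded
    elif [ "${dropped:-0}" -gt 0 ]; then
        echo dropping       # a reader is attached but the queue has overflowed
    else
        echo draining       # reader attached, nothing dropped
    fi
}

# Return 0 if the FORWARD chain listing contains a QUEUE target, else 1.
forward_has_queue() {
    printf '%s\n' "$1" | awk '$1 == "QUEUE" { found = 1 } END { exit found ? 0 : 1 }'
}

# Overall verdict for the three inputs: ip_forward value, ip_queue text, chain listing.
diagnose() {
    ip_forward="$1"; ipq="$2"; chain="$3"
    if ! forward_has_queue "$chain"; then
        echo "not-queued: FORWARD never jumps to QUEUE, so snort_inline sees nothing"
        return 0
    fi
    case "$(queue_status "$ipq")" in
        no-peer)  echo "stuck: FORWARD -> QUEUE but no process is attached to ip_queue (snort -Q not running, or ip_queue not loaded)" ;;
        dropping) echo "overflow: a reader is attached but the queue is dropping packets" ;;
        draining) echo "queued-ok: packets are reaching the userspace reader" ;;
    esac
    # The reply above expects ip_forward to be 0 on a bridging box.
    [ "$ip_forward" = "1" ] && echo "note: ip_forward=1 while bridging; the reply suggests setting it to 0"
    return 0
}

# Constructed sample: QUEUE rule present, but nothing has attached to ip_queue.
SAMPLE_IPQ_NO_PEER='Peer PID          : 0
Copy mode         : 0
Copy range        : 0
Queue length      : 0
Queue max. length : 1024
Queue dropped     : 0
Netlink dropped   : 0'

# Constructed sample: a reader (e.g. snort -Q) is attached and draining the queue.
SAMPLE_IPQ_ATTACHED='Peer PID          : 1234
Copy mode         : 2
Copy range        : 65535
Queue length      : 3
Queue max. length : 1024
Queue dropped     : 0
Netlink dropped   : 0'

# Constructed FORWARD listings, with and without Jason's "-A FORWARD -j QUEUE".
SAMPLE_CHAIN_QUEUED='Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
QUEUE      all  --  0.0.0.0/0            0.0.0.0/0'

SAMPLE_CHAIN_PLAIN='Chain FORWARD (policy ACCEPT)
target     prot opt source               destination'

# Stand-alone run: reproduces the "stuck" case from the thread.
diagnose 1 "$SAMPLE_IPQ_NO_PEER" "$SAMPLE_CHAIN_QUEUED"
```

Run it as-is to see the verdict for the constructed "stuck" case; on a real box replace the three sample strings with the live outputs listed in the header comment. The first thing to check when the verdict is "stuck" is simply whether snort is running in -Q mode at the moment the FORWARD rule is in place.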