From: Norwich U. - I. S. <in...@no...> - 2005-05-13 15:16:16

I'm starting snort with...

    snort -QD -c /etc/snort/snort.conf -l /var/log/snort_inline

Will Metcalf wrote:
>> 'cat /proc/sys/net/ipv4/ip_forward' shows a 1
>
> if you are bridging traffic, this should be set to 0.
>
> what are you passing to snort on the command line?
>
> Regards,
>
> Will
>
> On 5/12/05, Norwich University - Information Security
> <in...@no...> wrote:
>> Hi,
>>
>> I'm setting up/testing snort inline like so...
>>
>>     PC ---x----(snort_inline)--------network
>>
>> (yes that's a x-over cable)
>>
>> Bridging seems to work. Output from 'snort -Qvc <configuration file>'
>> shows headers so iptables should be sending traffic to the QUEUE and
>> snort should be seeing it.
>>
>> 'cat /proc/sys/net/ipv4/ip_forward' shows a 1
>>
>> I'm just using a simple iptables script for testing...
>>
>>     $IPTABLES -F
>>     $IPTABLES -X
>>     $IPTABLES -P FORWARD ACCEPT
>>     $IPTABLES -P INPUT ACCEPT
>>     $IPTABLES -P OUTPUT ACCEPT
>>     $IPTABLES -A INPUT -s 127.0.0.1 -j ACCEPT
>>     $IPTABLES -A OUTPUT -d 127.0.0.1 -j ACCEPT
>>
>>     $IPTABLES -N ssh-allowed-in
>>     $IPTABLES -F ssh-allowed-in
>>     $IPTABLES -A ssh-allowed-in --proto tcp --destination-port ssh -m state --state NEW,ESTABLISHED -j ACCEPT
>>     $IPTABLES -A ssh-allowed-in --proto tcp --source-port ssh -m state --state NEW,ESTABLISHED -j ACCEPT
>>
>>     $IPTABLES -N ssh-allowed-out
>>     $IPTABLES -F ssh-allowed-out
>>     $IPTABLES -A ssh-allowed-out --proto tcp --destination-port ssh -m state --state NEW,ESTABLISHED -j ACCEPT
>>     $IPTABLES -A ssh-allowed-out --proto tcp --source-port ssh -m state --state NEW,ESTABLISHED -j ACCEPT
>>
>>     $IPTABLES -A INPUT -j ssh-allowed-in
>>     $IPTABLES -A FORWARD -j QUEUE
>>     $IPTABLES -A OUTPUT -j ssh-allowed-out
>>
>> And in my snort.conf I'm just using any/any right now...
>>
>>     var HOME_NET any
>>     var EXTERNAL_NET any
>>
>> And I'm NOT loading any rules.
>>
>> I thought if I did not load any rules traffic would enter the FORWARD
>> chain and be sent to QUEUE. Since no rules are loaded nothing should be
>> dropping packets and the traffic should be allowed out.
>>
>> I must be missing something though, because no traffic is getting
>> through from the PC. If I remove $IPTABLES -A FORWARD -j QUEUE from the
>> iptables script it works (obviously). To my untrained eye it looks like
>> the traffic is getting stuck (for the lack of a better word) in QUEUE.
>>
>> What am I missing?
>>
>> Jason

_______________________________________________
Snort-inline-users mailing list
Sno...@li...
https://lists.sourceforge.net/lists/listinfo/snort-inline-users
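An added diagnostic to go with the thread above; it is example code written for this page, not anything from the poster or from the snort_inline project. The iptables QUEUE target hands packets to userspace through the ip_queue module, and when no userspace process is attached the kernel drops every queued packet, which from the outside looks like traffic silently disappearing in the FORWARD chain. The script below parses the status file ip_queue publishes at /proc/net/ip_queue (the field names assumed here are those of the 2.4/2.6 ip_queue module) and reports whether a listener such as `snort -Q` is attached and whether the queue is discarding packets. The three status samples are constructed, not captured from a real box.

```sh
#!/bin/sh
# Added example, not code from the thread or from snort_inline.
# Parses /proc/net/ip_queue-style text (field names assumed from the
# 2.4/2.6 ip_queue module) and says whether a userspace peer is attached
# to the QUEUE target and whether the queue is dropping packets.

# ipq_field FIELD : print the numeric value of FIELD from ip_queue text on stdin
ipq_field() {
    awk -F: -v want="$1" '
        { key = $1; sub(/[ \t]+$/, "", key) }
        key == want { gsub(/[ \t]/, "", $2); print $2; exit }
    '
}

# ipq_check : read ip_queue text on stdin and print a one-line verdict.
# Exit status: 0 = peer attached and healthy, 1 = no peer (the kernel is
# dropping everything sent to QUEUE), 2 = peer attached but overflowing.
ipq_check() {
    text=$(cat)
    pid=$(printf '%s\n' "$text" | ipq_field "Peer PID")
    qdrop=$(printf '%s\n' "$text" | ipq_field "Queue dropped")
    nldrop=$(printf '%s\n' "$text" | ipq_field "Netlink dropped")
    if [ "${pid:-0}" -eq 0 ]; then
        echo "no userspace peer on ip_queue: every packet hitting -j QUEUE is dropped"
        return 1
    fi
    if [ "${qdrop:-0}" -gt 0 ] || [ "${nldrop:-0}" -gt 0 ]; then
        echo "peer $pid attached, but queue dropped=$qdrop netlink dropped=$nldrop"
        return 2
    fi
    echo "peer $pid attached, no drops"
    return 0
}

# Constructed samples in the /proc/net/ip_queue layout (not captured output).
# Nothing attached: a QUEUE rule is loaded but no snort -Q process is running.
IPQ_SAMPLE_IDLE='Peer PID          : 0
Copy mode         : 0
Copy range        : 0
Queue length      : 0
Queue max. length : 1024
Queue dropped     : 0
Netlink dropped   : 0'

# A snort process attached and keeping up.
IPQ_SAMPLE_OK='Peer PID          : 4711
Copy mode         : 2
Copy range        : 1500
Queue length      : 3
Queue max. length : 1024
Queue dropped     : 0
Netlink dropped   : 0'

# Attached but falling behind: the queue itself is discarding packets.
IPQ_SAMPLE_OVERFLOW='Peer PID          : 4711
Copy mode         : 2
Copy range        : 1500
Queue length      : 1024
Queue max. length : 1024
Queue dropped     : 812
Netlink dropped   : 0'

# Demo over the three samples; on a live sensor: ipq_check < /proc/net/ip_queue
for sample in "$IPQ_SAMPLE_IDLE" "$IPQ_SAMPLE_OK" "$IPQ_SAMPLE_OVERFLOW"; do
    rc=0
    printf '%s\n' "$sample" | ipq_check || rc=$?
    echo "  -> exit status $rc"
done
```

On a real bridge the one-liner is `ipq_check < /proc/net/ip_queue`; a "Peer PID" of 0 while `-A FORWARD -j QUEUE` is in place means the kernel has nobody to hand packets to, and the exit status lets the check sit in a cron job or a start-up script for the inline sensor.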