From: Will M. <wil...@gm...> - 2005-05-13 15:25:31
Are you using the 2.4.x series of kernel or 2.6.x?

Regards,

Will

On 5/13/05, Norwich University - Information Security <in...@no...> wrote:
>
> I'm starting snort with...
>
> snort -QD -c /etc/snort/snort.conf -l /var/log/snort_inline
>
>
> Will Metcalf wrote:
>
> >>'cat /proc/sys/net/ipv4/ip_forward' shows a 1
> >
> >
> > if you are bridging traffic, this should be set to 0.
> >
> > what are you passing to snort on the command line?
> >
> > Regards,
> >
> > Will
> >
> > On 5/12/05, Norwich University - Information Security
> > <in...@no...> wrote:
> >
> > Hi,
> >
> > I'm setting up/testing snort inline like so...
> >
> > PC ---x----(snort_inline)--------network
> >
> > (yes that's a x-over cable)
> >
> > Bridging seems to work. Output from 'snort -Qvc <configuration file>'
> > shows headers so iptables should be sending traffic to the QUEUE and
> > snort should be seeing it.
> >
> > 'cat /proc/sys/net/ipv4/ip_forward' shows a 1
> >
> > I'm just using a simple iptables script for testing...
> >
> > $IPTABLES -F
> > $IPTABLES -X
> > $IPTABLES -P FORWARD ACCEPT
> > $IPTABLES -P INPUT ACCEPT
> > $IPTABLES -P OUTPUT ACCEPT
> > $IPTABLES -A INPUT -s 127.0.0.1 -j ACCEPT
> > $IPTABLES -A OUTPUT -d 127.0.0.1 -j ACCEPT
> >
> > $IPTABLES -N ssh-allowed-in
> > $IPTABLES -F ssh-allowed-in
> > $IPTABLES -A ssh-allowed-in --proto tcp --destination-port ssh -m state --state NEW,ESTABLISHED -j ACCEPT
> > $IPTABLES -A ssh-allowed-in --proto tcp --source-port ssh -m state --state NEW,ESTABLISHED -j ACCEPT
> >
> > $IPTABLES -N ssh-allowed-out
> > $IPTABLES -F ssh-allowed-out
> > $IPTABLES -A ssh-allowed-out --proto tcp --destination-port ssh -m state --state NEW,ESTABLISHED -j ACCEPT
> > $IPTABLES -A ssh-allowed-out --proto tcp --source-port ssh -m state --state NEW,ESTABLISHED -j ACCEPT
> >
> > $IPTABLES -A INPUT -j ssh-allowed-in
> > $IPTABLES -A FORWARD -j QUEUE
> > $IPTABLES -A OUTPUT -j ssh-allowed-out
> >
> > And in my snort.conf I'm just using any/any right now...
> >
> > var HOME_NET any
> > var EXTERNAL_NET any
> >
> > And I'm NOT loading any rules.
> >
> > I thought if I did not load any rules traffic would enter the FORWARD
> > chain and be sent to QUEUE. Since no rules are loaded nothing should be
> > dropping packets and the traffic should be allowed out.
> >
> > I must be missing something though, because no traffic is getting
> > through from the PC. If I remove $IPTABLES -A FORWARD -j QUEUE from the
> > iptables script it works (obviously). To my untrained eye it looks like
> > the traffic is getting stuck (for the lack of a better word) in QUEUE.
> >
> > What am I missing?
> >
> > Jason
> >
>
> _______________________________________________
> Snort-inline-users mailing list
> Sno...@li...
> https://lists.sourceforge.net/lists/listinfo/snort-inline-users
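The thread above turns on two things a defender should check before blaming snort_inline itself: whether the FORWARD chain really hands traffic to a userspace verdict target (legacy QUEUE, or NFQUEUE on newer kernels), which silently drops every queued packet when no reader such as `snort -Q` is bound, and whether `net.ipv4.ip_forward` matches the deployment mode (0 on a bridge, as Will points out; 1 on a routed inline box). The script below is an added example, not code from the thread or from the Snort project: it audits an iptables rules file for those points and also flags `-m state` matches mangled by mail line-wrapping (the `-m stat= e` seen in the quoted script). The rules file is constructed inline from the thread's script, with two of the ssh rules deliberately left mangled; the function names and the `mktemp` file are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): audit an iptables rules script for a
# snort_inline QUEUE deployment. Function names and the sample file are
# constructed for this example.

# Constructed sample: the script from the thread, with the "-m stat= e"
# quoted-printable damage left in on the two ssh-allowed-in rules so the
# audit has something to flag.
RULES_FILE=$(mktemp)
cat > "$RULES_FILE" <<'EOF'
$IPTABLES -F
$IPTABLES -X
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -A INPUT -s 127.0.0.1 -j ACCEPT
$IPTABLES -A OUTPUT -d 127.0.0.1 -j ACCEPT
$IPTABLES -N ssh-allowed-in
$IPTABLES -A ssh-allowed-in --proto tcp --destination-port ssh -m stat= e --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A ssh-allowed-in --proto tcp --source-port ssh -m stat= e --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -N ssh-allowed-out
$IPTABLES -A ssh-allowed-out --proto tcp --destination-port ssh -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A ssh-allowed-out --proto tcp --source-port ssh -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT -j ssh-allowed-in
$IPTABLES -A FORWARD -j QUEUE
$IPTABLES -A OUTPUT -j ssh-allowed-out
EOF
trap 'rm -f "$RULES_FILE"' EXIT

# Number of FORWARD rules that hand packets to a userspace verdict target
# (legacy QUEUE or NFQUEUE). Each one needs a bound reader such as snort -Q;
# with nobody listening the kernel drops the queued packets, which is
# exactly the "stuck in QUEUE" symptom from the thread.
count_queue_rules() {   # $1 = rules file
    grep -Ec -- '-A FORWARD .*-j (QUEUE|NFQUEUE)' "$1" || true
}

# Lines whose "-m state" match is mangled (e.g. "stat= e", the remains of a
# quoted-printable soft line break); iptables rejects such a rule, so the
# chain ends up without the intended state filtering.
count_broken_state_matches() {   # $1 = rules file
    grep -Ec -- '-m stat([^e]|$)' "$1" || true
}

# ip_forward verdict for the deployment mode. On a bridge the kernel passes
# frames at layer 2 and net.ipv4.ip_forward is expected to be 0; on a routed
# inline box it must be 1 or nothing is forwarded at all.
ip_forward_verdict() {   # $1 = "bridge" or "route", $2 = value read from sysctl
    case "$1:$2" in
        bridge:0|route:1) echo ok ;;
        bridge:*) echo "warn: ip_forward=$2 on a bridge, expected 0" ;;
        route:*)  echo "warn: ip_forward=$2 on a router, expected 1" ;;
        *)        echo "error: unknown mode $1" ;;
    esac
}

# Human-readable report built from the three checks above.
audit_inline_rules() {   # $1 = rules file, $2 = mode, $3 = ip_forward value
    q=$(count_queue_rules "$1")
    b=$(count_broken_state_matches "$1")
    echo "userspace verdict rules in FORWARD: $q (each needs a bound reader, e.g. snort -Q, or traffic is dropped)"
    echo "mangled -m state matches: $b"
    echo "ip_forward: $(ip_forward_verdict "$2" "$3")"
}

# Usage: audit the constructed file as the thread's bridge with ip_forward=1.
audit_inline_rules "$RULES_FILE" bridge 1
```

On a live box the same checks are run against `iptables-save` output and `cat /proc/sys/net/ipv4/ip_forward` rather than the constructed file; the point of keeping the three checks as separate functions is that each one maps to one concrete cause of "no traffic gets through" and can be scripted into a pre-flight check before the sensor is put inline.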