From: Norwich U. - I. S. <in...@no...> - 2005-05-13 15:32:48
2.6.x

Will Metcalf wrote:
> Are you using the 2.4.x series of kernel or 2.6.x?
>
> Regards,
>
> Will
>
> On 5/13/05, Norwich University - Information Security <in...@no...> wrote:
>>
>> I'm starting snort with...
>>
>> snort -QD -c /etc/snort/snort.conf -l /var/log/snort_inline
>>
>> Will Metcalf wrote:
>>>> 'cat /proc/sys/net/ipv4/ip_forward' shows a 1
>>>
>>> if you are bridging traffic, this should be set to 0.
>>>
>>> what are you passing to snort on the command line?
>>>
>>> Regards,
>>>
>>> Will
>>>
>>> On 5/12/05, Norwich University - Information Security <in...@no...> wrote:
>>>
>>> Hi,
>>>
>>> I'm setting up/testing snort inline like so...
>>>
>>> PC ---x----(snort_inline)--------network
>>>
>>> (yes, that's an x-over cable)
>>>
>>> Bridging seems to work. Output from 'snort -Qvc <configuration file>' shows headers, so iptables should be sending traffic to the QUEUE and snort should be seeing it.
>>>
>>> 'cat /proc/sys/net/ipv4/ip_forward' shows a 1
>>>
>>> I'm just using a simple iptables script for testing...
>>>
>>> $IPTABLES -F
>>> $IPTABLES -X
>>> $IPTABLES -P FORWARD ACCEPT
>>> $IPTABLES -P INPUT ACCEPT
>>> $IPTABLES -P OUTPUT ACCEPT
>>> $IPTABLES -A INPUT -s 127.0.0.1 -j ACCEPT
>>> $IPTABLES -A OUTPUT -d 127.0.0.1 -j ACCEPT
>>>
>>> $IPTABLES -N ssh-allowed-in
>>> $IPTABLES -F ssh-allowed-in
>>> $IPTABLES -A ssh-allowed-in --proto tcp --destination-port ssh -m state --state NEW,ESTABLISHED -j ACCEPT
>>> $IPTABLES -A ssh-allowed-in --proto tcp --source-port ssh -m state --state NEW,ESTABLISHED -j ACCEPT
>>>
>>> $IPTABLES -N ssh-allowed-out
>>> $IPTABLES -F ssh-allowed-out
>>> $IPTABLES -A ssh-allowed-out --proto tcp --destination-port ssh -m state --state NEW,ESTABLISHED -j ACCEPT
>>> $IPTABLES -A ssh-allowed-out --proto tcp --source-port ssh -m state --state NEW,ESTABLISHED -j ACCEPT
>>>
>>> $IPTABLES -A INPUT -j ssh-allowed-in
>>> $IPTABLES -A FORWARD -j QUEUE
>>> $IPTABLES -A OUTPUT -j ssh-allowed-out
>>>
>>> And in my snort.conf I'm just using any/any right now...
>>>
>>> var HOME_NET any
>>> var EXTERNAL_NET any
>>>
>>> And I'm NOT loading any rules.
>>>
>>> I thought if I did not load any rules traffic would enter the FORWARD chain and be sent to QUEUE. Since no rules are loaded nothing should be dropping packets and the traffic should be allowed out.
>>>
>>> I must be missing something though, because no traffic is getting through from the PC. If I remove $IPTABLES -A FORWARD -j QUEUE from the iptables script it works (obviously). To my untrained eye it looks like the traffic is getting stuck (for the lack of a better word) in QUEUE.
>>>
>>> What am I missing?
>>>
>>> Jason
>>>
>>
>> -------------------------------------------------------
>> This SF.Net email is sponsored by Oracle Space Sweepstakes
>> Want to be the first software developer in space?
>> Enter now for the Oracle Space Sweepstakes!
>> http://ads.osdn.com/?ad_id=7393&alloc_id=16281&op=click
>> _______________________________________________
>> Snort-inline-users mailing list
>> Sno...@li...
>> https://lists.sourceforge.net/lists/listinfo/snort-inline-users
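The conditions the thread circles around (ip_forward on a bridge, bridged frames actually reaching the FORWARD chain on a 2.6 kernel, the ip_queue module, the QUEUE rule, and a snort process started with -Q to drain the queue) can be checked in one place. This is an added example, not code from the thread or from the snort_inline project; it assumes a 2.6 kernel, the iptables-save and lsmod tools, and procps ps for the live run.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight checks for a snort_inline
# bridge fed by "iptables -A FORWARD -j QUEUE". Each check takes its input as
# an argument, so it runs on live command output (the --live block at the end,
# which assumes a 2.6 kernel, iptables-save, lsmod and procps ps) or on text.

# A bridge should not route: ip_forward must be 0 (the thread showed 1).
check_ip_forward() {        # $1 = contents of /proc/sys/net/ipv4/ip_forward
  [ "$1" = "0" ]
}
# On 2.6 kernels bridged frames reach iptables FORWARD only while
# bridge-nf-call-iptables is 1; otherwise the QUEUE rule never sees them.
check_bridge_nf() {         # $1 = contents of /proc/sys/net/bridge/bridge-nf-call-iptables
  [ "$1" = "1" ]
}
# The QUEUE target needs the ip_queue module (unless it is built in).
check_ip_queue() {          # $1 = output of lsmod
  printf '%s\n' "$1" | grep -q '^ip_queue '
}
# FORWARD must hand packets to QUEUE before any terminal rule swallows them.
check_forward_queue() {     # $1 = output of iptables-save
  printf '%s\n' "$1" | awk '
    /^-A FORWARD / {
      if ($0 ~ /-j QUEUE$/)               { found = 1; exit }
      if ($0 ~ /-j (ACCEPT|DROP|REJECT)/) { exit }
    }
    END { exit !found }'
}
# A QUEUE with no userspace reader drops every packet, which is exactly what
# "traffic getting stuck in QUEUE" looks like: snort must be running with -Q.
check_snort_q() {           # $1 = output of "ps -o args= -C snort"
  printf '%s\n' "$1" | grep -qE -- '(^| )-[A-Za-z]*Q'
}
# Run every check, print PASS/FAIL per check, return the number of failures.
preflight() {               # $1..$5 = the five inputs above, in the same order
  fails=0
  report() { if "$1" "$2"; then echo "PASS $1"; else echo "FAIL $1"; fails=$((fails + 1)); fi; }
  report check_ip_forward "$1";  report check_bridge_nf "$2"
  report check_ip_queue "$3";    report check_forward_queue "$4"
  report check_snort_q "$5"
  return "$fails"
}

if [ "${1-}" = "--live" ]; then
  preflight "$(cat /proc/sys/net/ipv4/ip_forward)" \
    "$(cat /proc/sys/net/bridge/bridge-nf-call-iptables)" \
    "$(lsmod)" "$(iptables-save)" "$(ps -o args= -C snort)"
fi
```

Run as root with `--live` on the bridge host; a non-zero exit code is the number of failed checks, and each FAIL line names the condition to fix.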