From: Will M. <wil...@gm...> - 2005-05-13 15:41:58
And you are running in bridge mode and not NAT mode? If you start snort
with -v instead of -D do you see any traffic?

Regards,

Will

On 5/13/05, Norwich University - Information Security <in...@no...> wrote:
> 2.6.x
>
> Will Metcalf wrote:
> > Are you using the 2.4.x series of kernel or 2.6.x?
> >
> > Regards,
> >
> > Will
> >
> > On 5/13/05, Norwich University - Information Security
> > <in...@no...> wrote:
> > >
> > > I'm starting snort with...
> > >
> > > snort -QD -c /etc/snort/snort.conf -l /var/log/snort_inline
> > >
> > > Will Metcalf wrote:
> > > > > 'cat /proc/sys/net/ipv4/ip_forward' shows a 1
> > > >
> > > > if you are bridging traffic, this should be set to 0.
> > > >
> > > > what are you passing to snort on the command line?
> > > >
> > > > Regards,
> > > >
> > > > Will
> > > >
> > > > On 5/12/05, Norwich University - Information Security
> > > > <in...@no...> wrote:
> > > > > Hi,
> > > > >
> > > > > I'm setting up/testing snort inline like so...
> > > > >
> > > > > PC ---x----(snort_inline)--------network
> > > > >
> > > > > (yes, that's an x-over cable)
> > > > >
> > > > > Bridging seems to work. Output from 'snort -Qvc <configuration file>'
> > > > > shows headers so iptables should be sending traffic to the QUEUE and
> > > > > snort should be seeing it.
> > > > >
> > > > > 'cat /proc/sys/net/ipv4/ip_forward' shows a 1
> > > > >
> > > > > I'm just using a simple iptables script for testing...
> > > > >
> > > > > $IPTABLES -F
> > > > > $IPTABLES -X
> > > > > $IPTABLES -P FORWARD ACCEPT
> > > > > $IPTABLES -P INPUT ACCEPT
> > > > > $IPTABLES -P OUTPUT ACCEPT
> > > > > $IPTABLES -A INPUT -s 127.0.0.1 -j ACCEPT
> > > > > $IPTABLES -A OUTPUT -d 127.0.0.1 -j ACCEPT
> > > > >
> > > > > $IPTABLES -N ssh-allowed-in
> > > > > $IPTABLES -F ssh-allowed-in
> > > > > $IPTABLES -A ssh-allowed-in --proto tcp --destination-port ssh -m state --state NEW,ESTABLISHED -j ACCEPT
> > > > > $IPTABLES -A ssh-allowed-in --proto tcp --source-port ssh -m state --state NEW,ESTABLISHED -j ACCEPT
> > > > >
> > > > > $IPTABLES -N ssh-allowed-out
> > > > > $IPTABLES -F ssh-allowed-out
> > > > > $IPTABLES -A ssh-allowed-out --proto tcp --destination-port ssh -m state --state NEW,ESTABLISHED -j ACCEPT
> > > > > $IPTABLES -A ssh-allowed-out --proto tcp --source-port ssh -m state --state NEW,ESTABLISHED -j ACCEPT
> > > > >
> > > > > $IPTABLES -A INPUT -j ssh-allowed-in
> > > > > $IPTABLES -A FORWARD -j QUEUE
> > > > > $IPTABLES -A OUTPUT -j ssh-allowed-out
> > > > >
> > > > > And in my snort.conf I'm just using any/any right now...
> > > > >
> > > > > var HOME_NET any
> > > > > var EXTERNAL_NET any
> > > > >
> > > > > And I'm NOT loading any rules.
> > > > >
> > > > > I thought if I did not load any rules traffic would enter the FORWARD
> > > > > chain and be sent to QUEUE. Since no rules are loaded nothing should be
> > > > > dropping packets and the traffic should be allowed out.
> > > > >
> > > > > I must be missing something though, because no traffic is getting
> > > > > through from the PC. If I remove $IPTABLES -A FORWARD -j QUEUE from the
> > > > > iptables script it works (obviously). To my untrained eye it looks like
> > > > > the traffic is getting stuck (for the lack of a better word) in QUEUE.
> > > > >
> > > > > What am I missing?
> > > > >
> > > > > Jason
> > > >
> > >
> > > -------------------------------------------------------
> > > This SF.Net email is sponsored by Oracle Space Sweepstakes
> > > Want to be the first software developer in space?
> > > Enter now for the Oracle Space Sweepstakes!
> > > http://ads.osdn.com/?ad_id=7393&alloc_id=16281&op=click
> > > _______________________________________________
> > > Snort-inline-users mailing list
> > > Sno...@li...
> > > https://lists.sourceforge.net/lists/listinfo/snort-inline-users
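A pre-flight check for the bridge-plus-QUEUE setup this thread is debugging, written as an added example and not code from any of the posters. It checks the two things Will raises (ip_forward must be 0 on a bridge, and whether a snort -Q process is actually attached to the kernel queue, since ip_queue drops every queued packet when nobody is listening) and, as an assumption the thread never mentions, the 2.6 bridge-netfilter knob bridge-nf-call-iptables, which must be 1 before bridged frames traverse the FORWARD chain at all; the root-prefix argument exists only so the checks can be exercised offline against a constructed copy of /proc.

```shell
#!/bin/sh
# Pre-flight checks for a snort_inline bridge fed by the iptables QUEUE target.
# $1 is a root prefix: empty on a real sensor (reads the live /proc), or a
# constructed copy of /proc when testing offline (assumption: not in the thread).

# Print the value of a sysctl-style file under the prefix, or "missing".
read_knob() {
    if [ -r "$1$2" ]; then tr -d ' \n' < "$1$2"; else echo missing; fi
}

# Bridge mode: ip_forward must be 0 (Will's point in the thread), and on 2.6
# kernels bridge-nf-call-iptables must be 1 or bridged frames never traverse
# the FORWARD chain, so "-A FORWARD -j QUEUE" never sees them (assumption:
# bridge-netfilter is available; this knob is not mentioned in the thread).
check_bridge_sysctls() {
    rc=0
    fwd=$(read_knob "$1" /proc/sys/net/ipv4/ip_forward)
    if [ "$fwd" != 0 ]; then
        echo "ip_forward=$fwd: expected 0 when bridging"; rc=1
    fi
    brnf=$(read_knob "$1" /proc/sys/net/bridge/bridge-nf-call-iptables)
    if [ "$brnf" != 1 ]; then
        echo "bridge-nf-call-iptables=$brnf: expected 1 for bridged frames to hit iptables"; rc=1
    fi
    return $rc
}

# QUEUE target: the ip_queue module must be loaded and snort -Q must be
# attached as its userspace peer; with no peer the kernel drops every queued
# packet, which looks exactly like traffic "stuck in QUEUE".
check_ip_queue() {
    f="$1/proc/net/ip_queue"
    if [ ! -r "$f" ]; then
        echo "ip_queue not loaded: no $f"; return 1
    fi
    pid=$(awk -F: '/^Peer PID/ { gsub(/ /, "", $2); print $2 }' "$f")
    dropped=$(awk -F: '/^Queue dropped/ { gsub(/ /, "", $2); print $2 }' "$f")
    if [ "${pid:-0}" = 0 ]; then
        echo "no userspace peer on ip_queue (dropped so far: ${dropped:-?}); is snort -Q running?"
        return 1
    fi
    echo "ip_queue peer pid $pid, queue dropped ${dropped:-0}"
}

# Run all checks against the live system when invoked as: ./check.sh --live
if [ "${1-}" = "--live" ]; then
    check_bridge_sysctls ""; check_ip_queue ""
fi
```

On the poster's reported state (ip_forward at 1 and nothing attached to the queue) both checks fail and say why; once the knobs are corrected and snort -Q is attached, both report clean.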