From: Michael W C. <co...@ca...> - 2006-01-16 16:41:22

On Fri, 13 Jan 2006 12:31:30 +0100, you wrote:

>I am not totally sure, but I think only NEW traffic is passed to the
>QUEUE. As soon as it is ESTABLISHED, it will be ACCEPTed by the above
>'-A net2fw -m state --state RELATED,ESTABLISHED -j ACCEPT' rule. But
>like I said, I'm not completely sure, so you better check the shorewall
>support channels for that. If I am right, snort_inline will hardly see
>any traffic, so then it is not so strange it doesn't cause alerts...
>
>Another way to check this is to enable the enforce_state option in
>stream4. If that blocks all your traffic you can be pretty sure
>snort_inline sees only a part of the traffic...
>
>Hope this helps,
>Victor

Hi Victor,

As you'll probably already have seen elsewhere, I did indeed have snort_inline configured to check only the first packet in a transaction, but that was my goof, not shorewall's. I never got around to upgrading my rules file when version 3.0 of shorewall shipped. Fixed, and the how-to has been corrected.

I do still have a question about the reporting capabilities of snort_inline though - I'm unsure if snort_inline contains the same logging and output capabilities as snort.

Mike-

--
If you're not confused, you're not trying hard enough.

--
Please note - Due to the intense volume of spam, we have installed site-wide spam filters at catherders.com. If email from you bounces, try non-HTML, non-encoded, non-attachments,
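As an added example (not part of the thread), a small Python lint for the ordering problem Victor describes: a QUEUE rule placed after an unrestricted `--state RELATED,ESTABLISHED -j ACCEPT` in the same chain only ever receives the first packet of each connection, so an inline IDS behind it sees almost nothing. The rule listings below are constructed to mirror the thread's `net2fw` rule, not dumped from a real firewall.

```python
"""Flag QUEUE/NFQUEUE rules shadowed by an earlier, unrestricted ACCEPT of
ESTABLISHED traffic in the same chain (iptables-save style input)."""
import re

# Constructed sample: the ordering the thread diagnoses. Established packets
# are ACCEPTed before they can reach QUEUE, so snort_inline sees only NEW ones.
SHADOWED_CHAIN = """
-A net2fw -m state --state RELATED,ESTABLISHED -j ACCEPT
-A net2fw -p tcp --dport 22 -j QUEUE
-A net2fw -j DROP
"""

# Constructed sample: QUEUE first, so every packet is handed to userspace.
FIXED_CHAIN = """
-A net2fw -j QUEUE
-A net2fw -m state --state RELATED,ESTABLISHED -j ACCEPT
-A net2fw -j DROP
"""

STATE_RE = re.compile(r"--state\s+(\S+)")
# Flags that belong to the state match / jump itself; anything else starting
# with '-' (e.g. -p, --dport, -s) narrows the ACCEPT and is treated as a
# restriction. This is a heuristic, not a full iptables option parser.
STATE_FLAGS = {"-m", "--state", "-j"}


def parse_rules(text):
    """Return (chain, states, target, restricted) for each '-A' rule, in order."""
    rules = []
    for line in text.strip().splitlines():
        parts = line.split()
        if not parts or parts[0] != "-A":
            continue
        chain = parts[1]
        target = parts[parts.index("-j") + 1] if "-j" in parts else None
        match = STATE_RE.search(line)
        states = set(match.group(1).split(",")) if match else set()
        restricted = any(p.startswith("-") and p not in STATE_FLAGS for p in parts[2:])
        rules.append((chain, states, target, restricted))
    return rules


def shadowed_queue_rules(text):
    """Return 0-based indices of QUEUE/NFQUEUE rules that come after an
    unrestricted ACCEPT of ESTABLISHED traffic in the same chain."""
    chains_with_early_accept = set()
    findings = []
    for i, (chain, states, target, restricted) in enumerate(parse_rules(text)):
        if target == "ACCEPT" and "ESTABLISHED" in states and not restricted:
            chains_with_early_accept.add(chain)
        elif target in ("QUEUE", "NFQUEUE") and chain in chains_with_early_accept:
            findings.append(i)
    return findings
```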