From: Pravin <shi...@gm...> - 2006-10-06 04:35:43
Hi,

I have a problem that snort-inline is allowing UDP and ICMP packets but dropping TCP packets. I have Fedora Core 5 on my box. I referred to the http://linuxgazette.net/117/savage.html tutorial for this installation and configuration purpose.

I run snort-inline using the following command:

snort_inline -c /etc/snort_inline/snort_inline.conf -Q -N -l /var/log/snort_inline/ \
  -t /var/log/snort_inline/ -v

After starting snort-inline, ICMP and UDP packets are able to get through but TCP packets are getting dropped.

I used simple IPTABLES rules to queue up the packets to user space:

iptables -I INPUT -p tcp --dport 80 -j QUEUE
iptables -I INPUT -p udp --dport 20000 -j QUEUE
iptables -I INPUT -p icmp -j QUEUE

I checked the log files and all of them are empty.

I also tried to go through the source code. I found the following lines which are responsible for packet dropping or packet allowing:

inline.c:948   status = ipq_set_verdict(ipqh, m->packet_id, NF_DROP, 0, NULL);
inline.c:1025  status = ipq_set_verdict(ipqh, m->packet_id, NF_ACCEPT, 0, NULL);
inline.c:1047  status = ipq_set_verdict(ipqh, m->packet_id, NF_ACCEPT, m->data_len, m->payload);

I added some printf after them for debugging purposes, and found out that ICMP and UDP packets were being accepted by the second ipq_set_verdict function call (inline.c:1025) but TCP packets were getting dropped by the first ipq_set_verdict function call (inline.c:948).

My guess is that there is something wrong in the configuration file. As per me, the default rules are not supposed to drop any packets. The only change that I have done in the config file is to change "var RULE_PATH /etc/snort_inline/drop_rules" to "var RULE_PATH /etc/snort_inline/rules".

I am attaching my snort_inline.conf file with this mail. Can someone please help me to find out what I am missing?

-- 
Pravin Shinde
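The check a reader would want to run before blaming inline.c is whether any rule in the configured RULE_PATH carries a dropping action (drop, sdrop or reject) whose header covers the queued traffic, since a "drop tcp ... -> ... $HTTP_PORTS" rule or a catch-all "reject ip any any -> any any" will send every TCP packet to the NF_DROP verdict while UDP and ICMP pass. The following is an added example, not code from the original post or from the snort_inline project; it assumes the rules use the standard Snort header syntax (action proto src sport -> dst dport (options)), and the sample rules, the variable values and the function names are constructed for illustration.

```python
"""Audit Snort / snort_inline rule files for rules whose action drops traffic
of a given protocol and destination port. Added example, not snort_inline code."""
import re
from pathlib import Path

# Actions that make snort_inline drop the packet; alert/log/pass do not.
DROP_ACTIONS = {"drop", "sdrop", "reject"}

# Snort rule header: action proto src sport direction dst dport (options)
RULE_RE = re.compile(
    r"^\s*(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*(?:\((?P<opts>.*)\))?\s*$"
)
MSG_RE = re.compile(r'msg\s*:\s*"([^"]*)"')


def port_matches(spec, port, variables):
    """True if a Snort port spec (any, 80, 80:90, :1023, [80,8080], $VAR, !spec)
    covers `port`. Variables not found in `variables` are treated as 'any'."""
    spec = spec.strip()
    if spec.startswith("!"):
        return not port_matches(spec[1:], port, variables)
    if spec.startswith("$"):
        spec = variables.get(spec[1:], "any")
    if spec == "any":
        return True
    if spec.startswith("[") and spec.endswith("]"):
        return any(port_matches(p, port, variables) for p in spec[1:-1].split(","))
    if ":" in spec:
        lo, _, hi = spec.partition(":")
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return int(spec) == port


def dropping_rules(rule_text, proto, dport, variables=None):
    """Return (action, proto, dport_spec, msg) for every enabled rule whose
    action drops and whose header matches `proto` traffic to port `dport`.
    Rules with protocol 'ip' match every protocol; commented rules are skipped."""
    variables = variables or {}
    hits = []
    for line in rule_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        action, rproto = m.group("action").lower(), m.group("proto").lower()
        if action not in DROP_ACTIONS or rproto not in (proto, "ip"):
            continue
        # For '->' the destination port is the right-hand spec; for '<>' either
        # side may be the destination, so test both.
        specs = [m.group("dport")]
        if m.group("dir") == "<>":
            specs.append(m.group("sport"))
        if not any(port_matches(s, dport, variables) for s in specs):
            continue
        msg = MSG_RE.search(m.group("opts") or "")
        hits.append((action, rproto, m.group("dport"), msg.group(1) if msg else ""))
    return hits


def audit_rules_dir(rules_dir, proto, dport, variables=None):
    """Walk every *.rules file under rules_dir (the RULE_PATH) and collect hits."""
    hits = {}
    for path in sorted(Path(rules_dir).glob("*.rules")):
        found = dropping_rules(path.read_text(errors="replace"), proto, dport, variables)
        if found:
            hits[path.name] = found
    return hits


# Constructed sample rule set; not the poster's actual rules directory.
SAMPLE_RULES = """\
# web-misc.rules (constructed sample)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC probe"; content:"/cgi-bin/"; sid:1000001;)
drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC drop everything on http"; sid:1000002;)
# drop tcp any any -> any 22 (msg:"disabled"; sid:1000003;)
sdrop udp any any -> any 20000 (msg:"silent drop"; sid:1000004;)
reject ip any any -> any any (msg:"catch-all reject"; sid:1000005;)
pass icmp any any -> any any (sid:1000006;)
"""
# Constructed variable values, standing in for the 'var' lines of snort_inline.conf.
VARS = {"HTTP_PORTS": "80", "HOME_NET": "any", "EXTERNAL_NET": "any"}

if __name__ == "__main__":
    # Which rules would drop the TCP/80 traffic queued by the iptables rule above?
    for hit in dropping_rules(SAMPLE_RULES, "tcp", 80, VARS):
        print("%-6s %-4s dport=%-12s %s" % hit)
```

Run audit_rules_dir("/etc/snort_inline/rules", "tcp", 80, VARS) with the var values taken from the real snort_inline.conf; any hit explains an NF_DROP verdict for TCP without touching inline.c, and an empty result points the investigation back at the preprocessor or stream settings rather than the rule set.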