From: maremare m. <ma...@gm...> - 2007-04-09 08:15:55
Hello. I've got a problem with my snort_inline. I've installed snort_inline 2.4.5 on Ubuntu Edgy.

Rule in iptables:

    iptables -I INPUT -p tcp --dport 80 -j QUEUE

I want to test it by modifying the web-attack rules, adding:

    drop tcp any any -> any 80 (classtype:attempted-user; msg:"Port 80 connection initiated";)

I followed the steps in http://linuxgazette.net/117/savage.html

The problem is: when running, snort_inline can read packets from ip_queue, but does not block port 80. Please help :)

This is the message when snort_inline is running:

    Rule application order: ->activation->dynamic->drop->sdrop->reject->rejectboth->rejectsrc->rejectdst->alert->pass->log
    Log directory = /var/log/snort/

            --== Initialization Complete ==--

       ,,_     -*> Snort_Inline! <*-
      o"  )~   Version 2.4.5 (Build 29)
       ''''    By Martin Roesch & The Snort Team: http://www.snort.org/team.html
               (C) Copyright 1998-2005 Sourcefire Inc., et al.
               Snort_Inline Mod by William Metcalf, Victor Julien, Nick Rogness,
               Dave Remien, Rob McMillen and Jed Haile
    NOTE: Snort's default output has changed in version 2.4.1!
          The default logging mode is now PCAP, use "-K ascii" to activate
          the old default logging mode.

    03/26-21:14:37.497682 127.0.0.1:80 -> 127.0.0.1:35218
    TCP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:60 DF
    ***A**S* Seq: 0x413860F1  Ack: 0x410A66AC  Win: 0x8000  TcpLen: 40
    TCP Options (5) => MSS: 16396 SackOK TS: 7416483 7416483 NOP WS: 2
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

    03/26-21:14:40.494183 127.0.0.1:80 -> 127.0.0.1:35218
    TCP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:60 DF
    ***A**S* Seq: 0x413860F1  Ack: 0x410A66AC  Win: 0x8000  TcpLen: 40
    TCP Options (5) => MSS: 16396 SackOK TS: 7417233 7416483 NOP WS: 2
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

    03/26-21:14:41.293851 127.0.0.1:80 -> 127.0.0.1:35218
    TCP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:60 DF
    ***A**S* Seq: 0x413860F1  Ack: 0x410A66AC  Win: 0x8000  TcpLen: 40
    TCP Options (5) => MSS: 16396 SackOK TS: 7417433 7416483 NOP WS: 2
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

    ===============================================================================
    Snort processed 3 packets.
    ===============================================================================
    Breakdown by protocol:
        TCP: 3          (100.000%)
        UDP: 0          (0.000%)
       ICMP: 0          (0.000%)
        ARP: 0          (0.000%)
      EAPOL: 0          (0.000%)
       IPv6: 0          (0.000%)
    ETHLOOP: 0          (0.000%)
        IPX: 0          (0.000%)
       FRAG: 0          (0.000%)
      OTHER: 0          (0.000%)
    DISCARD: 0          (0.000%)
    ===============================================================================
    Action Stats:
    ALERTS: 0
    LOGGED: 0
    PASSED: 0
    ===============================================================================
    Final Flow Statistics
    ,----[ FLOWCACHE STATS ]----------
    Memcap: 10485760 Overhead Bytes 16400 used(%0.156403)/blocks (16400/1)
    Overhead blocks: 1 Could Hold: (0)
    IPV4 count: 0 frees: 0 low_time: 0, high_time: 0, diff: 0h:00:00s
        finds: 0 reversed: 0(%0.000000)
        find_sucess: 0 find_fail: 0 percent_success: (%0.000000) new_flows: 0
    Frag3 statistics:
            Total Fragments: 0
          Frags Reassembled: 0
                   Discards: 0
              Memory Faults: 0
                   Timeouts: 0
                   Overlaps: 0
                  Anomalies: 0
                     Alerts: 0
         FragTrackers Added: 0
        FragTrackers Dumped: 0
    FragTrackers Auto Freed: 0
        Frag Nodes Inserted: 0
         Frag Nodes Deleted: 0
    ===============================================================================
    Snort exiting

Thanks before.

Regards,
harrismare
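An added example, not from the original post or from snort_inline itself, that parses the three packet dumps quoted above and evaluates the post's rule header against them: every logged packet has source port 80 and destination port 35218, so a header ending in `-> any 80` cannot match it, whereas a bidirectional `<>` header would. The matcher is a simplified re-implementation of Snort's header semantics (assumed: addresses and ports are `any` or a single literal, no CIDR, lists or `$VAR`s), and the sample dump is constructed from the post's output.

```python
import re

# Constructed from the three packet dumps quoted in the post (not a live capture).
SNORT_INLINE_OUTPUT = """\
03/26-21:14:37.497682 127.0.0.1:80 -> 127.0.0.1:35218
TCP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:60 DF
03/26-21:14:40.494183 127.0.0.1:80 -> 127.0.0.1:35218
TCP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:60 DF
03/26-21:14:41.293851 127.0.0.1:80 -> 127.0.0.1:35218
TCP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:60 DF
"""
# The rule from the post; only its header (action proto src sport dir dst dport) is evaluated here.
RULE = 'drop tcp any any -> any 80 (classtype:attempted-user; msg:"Port 80 connection initiated";)'

PKT_RE = re.compile(r"^\S+ (\S+):(\d+) -> (\S+):(\d+)\n(TCP|UDP)\b", re.M)
RULE_RE = re.compile(r"^(\w+) (\w+) (\S+) (\S+) (->|<>) (\S+) (\S+)")

def parse_packets(text):
    """Return (proto, src, sport, dst, dport) for every packet header in Snort's text dump."""
    return [(proto.lower(), src, int(sport), dst, int(dport))
            for src, sport, dst, dport, proto in PKT_RE.findall(text)]

def parse_rule_header(rule):
    """Split a rule header; addresses and ports are 'any' or one literal (simplified, assumed)."""
    action, proto, src, sport, direction, dst, dport = RULE_RE.match(rule).groups()
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dir": direction, "dst": dst, "dport": dport}

def _endpoint_ok(addr_spec, port_spec, addr, port):
    return addr_spec in ("any", addr) and (port_spec == "any" or int(port_spec) == port)

def rule_matches(hdr, pkt):
    """True if the packet matches the header; a '<>' header also accepts the reply direction."""
    proto, src, sport, dst, dport = pkt
    if hdr["proto"] != proto:
        return False
    forward = (_endpoint_ok(hdr["src"], hdr["sport"], src, sport)
               and _endpoint_ok(hdr["dst"], hdr["dport"], dst, dport))
    if hdr["dir"] == "->":
        return forward
    reverse = (_endpoint_ok(hdr["src"], hdr["sport"], dst, dport)
               and _endpoint_ok(hdr["dst"], hdr["dport"], src, sport))
    return forward or reverse

def evaluate(text, rule):
    """One bool per logged packet: would this rule header have fired on it?"""
    hdr = parse_rule_header(rule)
    return [rule_matches(hdr, p) for p in parse_packets(text)]
```

Running `evaluate(SNORT_INLINE_OUTPUT, RULE)` yields `[False, False, False]`, matching the `ALERTS: 0` in the Action Stats; the client-to-server SYN with destination port 80 is the packet the header would match, and it does not appear in the dump.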