From: Victor J. <li...@in...> - 2007-04-09 08:23:00
Hi harrismare,

How are you running Snort_inline (what command-line arguments)? Can you attach the configuration file you are using?

Regards,
Victor

maremare mare wrote:
> Hello..
> I've got a problem with my snort inline. I've installed snort inline 2.4.5
> on Ubuntu Edgy.
> Rule in iptables: iptables -I INPUT -p tcp --dport 80 -j QUEUE
> and I want to test with a modified web attack rule by adding:
> drop tcp any any -> any 80 (classtype:attempted-user; msg:"Port 80 connection initiated";)
> I followed the steps in http://linuxgazette.net/117/savage.html
>
> The problem is:
> When running, snort inline can read packets from ip_queue, but does not block
> port 80.
> Please help :)
>
> This is the output when snort inline is running:
> Rule application order:
> ->activation->dynamic->drop->sdrop->reject->rejectboth->rejectsrc->rejectdst->alert->pass->log
> Log directory = /var/log/snort/
>
> --== Initialization Complete ==--
>
> ,,_ -*> Snort_Inline! <*-
> o" )~ Version 2.4.5 (Build 29)
> '''' By Martin Roesch & The Snort Team: http://www.snort.org/team.html
> (C) Copyright 1998-2005 Sourcefire Inc., et al.
> Snort_Inline Mod by William Metcalf, Victor Julien, Nick Rogness,
> Dave Remien, Rob McMillen and Jed Haile
> NOTE: Snort's default output has changed in version 2.4.1!
> The default logging mode is now PCAP, use "-K ascii" to activate
> the old default logging mode.
>
> 03/26-21:14:37.497682 127.0.0.1:80 -> 127.0.0.1:35218
> TCP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:60 DF
> ***A**S* Seq: 0x413860F1 Ack: 0x410A66AC Win: 0x8000 TcpLen: 40
> TCP Options (5) => MSS: 16396 SackOK TS: 7416483 7416483 NOP WS: 2
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> 03/26-21:14:40.494183 127.0.0.1:80 -> 127.0.0.1:35218
> TCP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:60 DF
> ***A**S* Seq: 0x413860F1 Ack: 0x410A66AC Win: 0x8000 TcpLen: 40
> TCP Options (5) => MSS: 16396 SackOK TS: 7417233 7416483 NOP WS: 2
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> 03/26-21:14:41.293851 127.0.0.1:80 -> 127.0.0.1:35218
> TCP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:60 DF
> ***A**S* Seq: 0x413860F1 Ack: 0x410A66AC Win: 0x8000 TcpLen: 40
> TCP Options (5) => MSS: 16396 SackOK TS: 7417433 7416483 NOP WS: 2
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> ===============================================================================
> Snort processed 3 packets.
> ===============================================================================
> Breakdown by protocol:
> TCP: 3 (100.000%)
> UDP: 0 (0.000%)
> ICMP: 0 (0.000%)
> ARP: 0 (0.000%)
> EAPOL: 0 (0.000%)
> IPv6: 0 (0.000%)
> ETHLOOP: 0 (0.000%)
> IPX: 0 (0.000%)
> FRAG: 0 (0.000%)
> OTHER: 0 (0.000%)
> DISCARD: 0 (0.000%)
> ===============================================================================
> Action Stats:
> ALERTS: 0
> LOGGED: 0
> PASSED: 0
> ===============================================================================
> Final Flow Statistics
> ,----[ FLOWCACHE STATS ]----------
> Memcap: 10485760 Overhead Bytes 16400 used(%0.156403)/blocks (16400/1)
> Overhead blocks: 1 Could Hold: (0)
> IPV4 count: 0 frees: 0
> low_time: 0, high_time: 0, diff: 0h:00:00s
> finds: 0 reversed: 0(%0.000000)
> find_sucess: 0 find_fail: 0
> percent_success: (%0.000000) new_flows: 0
> Frag3 statistics:
> Total Fragments: 0
> Frags Reassembled: 0
> Discards: 0
> Memory Faults: 0
> Timeouts: 0
> Overlaps: 0
> Anomalies: 0
> Alerts: 0
> FragTrackers Added: 0
> FragTrackers Dumped: 0
> FragTrackers Auto Freed: 0
> Frag Nodes Inserted: 0
> Frag Nodes Deleted: 0
> ===============================================================================
> Snort exiting
>
> Thanks in advance
>
> regards
>
> harrismare
>
> _______________________________________________
> Snort-inline-users mailing list
> Sno...@li...
> https://lists.sourceforge.net/lists/listinfo/snort-inline-users
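The thread above quotes a rule header (`drop tcp any any -> any 80 ...`) and three packet headers that snort_inline printed while reporting zero alerts. A quick way to sanity-check such a pairing, before digging into the command line or configuration, is to apply the rule header's five-tuple matching to the logged packet headers by hand. The following is an added example written for this reply, not code from the original thread or from the Snort_inline project: it parses a standard Snort rule header (action, protocol, addresses, ports, `->`/`<>`, `any`, `lo:hi` ranges, `!` negation) and the packet-header lines in the format shown in the quoted output, decodes the TCP flag column, and reports which packets the header would match. The sample dump is a reconstruction of the three quoted packets with the mail-gateway noise stripped; every name in the code is this example's own.

```python
"""Check which packet headers in a snort_inline packet dump a rule header would match.

Added example, not code from the thread or the Snort_inline project. Handles the
standard Snort rule-header grammar (action proto src sport -> or <> dst dport) and
the packet-header format printed in the quoted output above.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample: the three packet headers from the quoted output, with the
# mail-gateway noise removed.
SAMPLE_DUMP = """\
03/26-21:14:37.497682 127.0.0.1:80 -> 127.0.0.1:35218
TCP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:60 DF
***A**S* Seq: 0x413860F1 Ack: 0x410A66AC Win: 0x8000 TcpLen: 40
TCP Options (5) => MSS: 16396 SackOK TS: 7416483 7416483 NOP WS: 2
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
03/26-21:14:40.494183 127.0.0.1:80 -> 127.0.0.1:35218
TCP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:60 DF
***A**S* Seq: 0x413860F1 Ack: 0x410A66AC Win: 0x8000 TcpLen: 40
TCP Options (5) => MSS: 16396 SackOK TS: 7417233 7416483 NOP WS: 2
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
03/26-21:14:41.293851 127.0.0.1:80 -> 127.0.0.1:35218
TCP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:60 DF
***A**S* Seq: 0x413860F1 Ack: 0x410A66AC Win: 0x8000 TcpLen: 40
TCP Options (5) => MSS: 16396 SackOK TS: 7417433 7416483 NOP WS: 2
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
"""

# The rule header as posted in the thread.
RULE_FROM_POST = 'drop tcp any any -> any 80 (classtype:attempted-user; msg:"Port 80 connection initiated";)'


@dataclass
class RuleHeader:
    action: str
    proto: str
    src: str
    sport: str
    direction: str
    dst: str
    dport: str


@dataclass
class Packet:
    ts: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # snort's 8-character flag column, e.g. '***A**S*'


RULE_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*(?:\(.*\))?\s*$"
)
PKT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)
PROTO_RE = re.compile(r"^(TCP|UDP|ICMP)\s+TTL:")
FLAGS_RE = re.compile(r"^([*12UAPRSF]{8})\s+Seq:")
# Column order of snort's flag field: reserved bits 1 and 2, then URG ACK PSH RST SYN FIN.
FLAG_NAMES = ("RES1", "RES2", "URG", "ACK", "PSH", "RST", "SYN", "FIN")


def parse_rule(text):
    """Split a rule header into its fields; the option block in parentheses is ignored."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparseable rule header: {text!r}")
    return RuleHeader(m["action"], m["proto"].lower(), m["src"], m["sport"],
                      m["dir"], m["dst"], m["dport"])


def parse_packets(text):
    """Pull (timestamp, addresses, ports, proto, flags) out of a snort-style packet dump."""
    packets, lines = [], text.splitlines()
    for i, line in enumerate(lines):
        m = PKT_RE.match(line.strip())
        if not m:
            continue  # option lines, separators and banner text are skipped
        proto, flags = "ip", ""
        for follow in lines[i + 1:i + 4]:  # protocol and flag lines follow the header
            pm, fm = PROTO_RE.match(follow.strip()), FLAGS_RE.match(follow.strip())
            proto = pm.group(1).lower() if pm else proto
            flags = fm.group(1) if fm else flags
        packets.append(Packet(m["ts"], proto, m["src"], int(m["sport"]),
                              m["dst"], int(m["dport"]), flags))
    return packets


def decode_flags(flags):
    """Turn '***A**S*' into {'ACK', 'SYN'}."""
    return {name for ch, name in zip(flags, FLAG_NAMES) if ch != "*"}


def addr_matches(spec, addr):
    if spec == "any":
        return True
    negate = spec.startswith("!")
    hit = ipaddress.ip_address(addr) in ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return hit != negate


def port_matches(spec, port):
    if spec == "any":
        return True
    negate, spec = spec.startswith("!"), spec.lstrip("!")
    if ":" in spec:  # lo:hi range; either bound may be omitted
        lo, hi = spec.split(":", 1)
        hit = (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    else:
        hit = port == int(spec)
    return hit != negate


def rule_matches(rule, pkt):
    """Apply the header's protocol, address, port and direction tests to one packet."""
    if rule.proto not in ("ip", pkt.proto):
        return False
    forward = (addr_matches(rule.src, pkt.src) and port_matches(rule.sport, pkt.sport)
               and addr_matches(rule.dst, pkt.dst) and port_matches(rule.dport, pkt.dport))
    if rule.direction == "->":
        return forward
    reverse = (addr_matches(rule.src, pkt.dst) and port_matches(rule.sport, pkt.dport)
               and addr_matches(rule.dst, pkt.src) and port_matches(rule.dport, pkt.sport))
    return forward or reverse


def evaluate(rule_text, dump_text):
    """Return [(timestamp, flags, matched)] for every packet header in the dump."""
    rule = parse_rule(rule_text)
    return [(p.ts, p.flags, rule_matches(rule, p)) for p in parse_packets(dump_text)]


if __name__ == "__main__":
    for ts, flags, hit in evaluate(RULE_FROM_POST, SAMPLE_DUMP):
        print(ts, sorted(decode_flags(flags)), "MATCH" if hit else "no match")
```

Running it against the quoted dump shows that all three logged packets are SYN/ACK segments travelling from port 80 to port 35218, so a header written as `any any -> any 80` does not match any of them, whereas `any 80 -> any any` or the bidirectional `any any <> any 80` would. That is a check on the rule/packet pairing only; which packets reach ip_queue in the first place is decided by the iptables rule and the command line, which is what the reply above asks about.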