From: Piyush_Mundra <Piy...@sa...> - 2007-07-14 08:52:52
Hello Will,

Thanks very much. I tried to install snort_inline on Fedora and the installation process worked fine. Right now I'm using snort_inline-2.6.1.5. Now, after inserting the ip_queue module, I am running the following command:

snort_inline -Q -v -c /etc/snort_inline/snort_inline.conf -l /var/log/snort_inline

I am getting the following summary:

===============================================================================
Snort processed 0 packets.
===============================================================================
Breakdown by protocol:
    TCP: 0          (0.000%)
    UDP: 0          (0.000%)
   ICMP: 0          (0.000%)
    ARP: 0          (0.000%)
  EAPOL: 0          (0.000%)
   IPv6: 0          (0.000%)
ETHLOOP: 0          (0.000%)
    IPX: 0          (0.000%)
   FRAG: 0          (0.000%)
  OTHER: 0          (0.000%)
DISCARD: 0          (0.000%)
===============================================================================
Action Stats:
ALERTS: 0
LOGGED: 0
PASSED: 0
===============================================================================

In my snort.conf file I have commented out all the rules except one:

include $RULE_PATH/web-attacks.rules

At the end of the web-attacks.rules file I have added a simple rule:

drop tcp any 80 -> any 80 (classtype:attempted-user; msg:"Port 80 connection initiated"; sid:1000001;)

Kindly tell me where I am going wrong. Why is snort_inline not able to process any packet?

Regards,
Piyush

________________________________
From: Will Metcalf [mailto:wil...@gm...]
Sent: Wed 7/11/2007 9:48 PM
To: Piyush_Mundra
Cc: sno...@li...
Subject: Re: [Snort-inline-users] Snort_Inline not recognizing 'drop' rule

for snort_inline-2.6.x you need libdnet installed. I'm not sure what OS you are running but you may want to

make distclean
./autojunk.sh && ./configure && make && make install

from the source directory.

Regards,
Will

On 7/11/07, Piyush_Mundra <Piy...@sa...> wrote:
>
> Hello everybody,
>
> I am working on Red Hat. To make use of the packet dropping and rejecting facility I installed Snort_Inline. Snort inline makes use of the
>
> iptables
> Libnet-1.0.2a-FC2-Fixed
> pcre-7.2
> snort_inline-1.9.1
>
> The installation process went fine without any failure. I have installed snort_inline for the packet dropping facility. For that purpose I need to write rules in the snort.conf file, in the Snort_Inline/etc/snort.conf file.
>
> There I wrote a very basic rule:
>
> drop tcp any any -> any any (msg: "Dropped Packet"; sid: 1000001;)
>
> This should cause all traffic coming to my system to be dropped and correspondingly log the alert to a default alert file.
>
> But when I try to run Snort_Inline after making the above changes to the snort.conf file, Snort_Inline doesn't work, stating:
>
> Unknown Rule Type: Drop.
>
> This is further clarified by the fact that when in the snort.conf file we write any rule like "alert" "drop", then, being keywords, these words become "yellowish". As against them, the "drop" keyword is not becoming the same, which means the .conf file is not able to recognize it as a command.
>
> Kindly tell me where things are going wrong. It's really important. Is there any other way to configure Snort itself for dropping packets?
>
> I am running Snort-2.6.1.4 also and I tried to configure it using
>
> ./configure --enable_Inline
>
> configure and make and make install are running fine, but later on when I insert the drop rule it is giving the same problem as above.
>
> Thanks in advance.
>
> Regards
> Piyush
>
> DISCLAIMER:
> This email (including any attachments) is intended for the sole use of the intended recipient/s and may contain material that is CONFIDENTIAL AND PRIVATE COMPANY INFORMATION. Any review or reliance by others or copying or distribution or forwarding of any or all of the contents in this message is STRICTLY PROHIBITED. If you are not the intended recipient, please contact the sender by email and delete all copies; your cooperation in this regard is appreciated.
>
> _______________________________________________
> Snort-inline-users mailing list
> Sno...@li...
> https://lists.sourceforge.net/lists/listinfo/snort-inline-users
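A Snort rule header matches the source side and the destination side independently, so the rule posted above, `drop tcp any 80 -> any 80`, fires only when both the source port and the destination port are 80; an ordinary client connection (ephemeral source port to server port 80) never satisfies it, whereas the earlier `drop tcp any any -> any any` matches every TCP packet. The following matcher is an added illustration, not code from this thread or from the snort_inline project: it parses the header and options of the two rules quoted in the thread and reports the verdict for constructed sample packets. It assumes plain addresses or CIDR blocks in the address fields (Snort variables such as $HOME_NET are not expanded) and does not evaluate payload options.

```python
"""Minimal Snort rule-header matcher (added illustration, not code from the
thread or from the snort_inline project). It parses the header of rules such
as the two posted above and reports whether a given connection would trigger
them. All packets below are constructed sample data."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Callable

# <action> <proto> <src> <sport> <direction> <dst> <dport> ( <options> )
HEADER_RE = re.compile(
    r"^\s*(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str
    proto: str
    src: Callable[[str], bool]
    sport: Callable[[int], bool]
    bidir: bool
    dst: Callable[[str], bool]
    dport: Callable[[int], bool]
    sid: int
    msg: str


def port_predicate(spec: str) -> Callable[[int], bool]:
    """Port field: 'any', '80', '80:90', ':1024', '1024:', optionally '!'-negated."""
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    if spec == "any":
        pred = lambda p: True
    elif ":" in spec:
        lo, hi = spec.split(":", 1)
        lo_n, hi_n = (int(lo) if lo else 0), (int(hi) if hi else 65535)
        pred = lambda p: lo_n <= p <= hi_n
    else:
        n = int(spec)
        pred = lambda p: p == n
    return (lambda p: not pred(p)) if negate else pred


def addr_predicate(spec: str) -> Callable[[str], bool]:
    """Address field: 'any', a host, or a CIDR block, optionally '!'-negated.
    Snort variables such as $HOME_NET are not expanded (assumption of this example)."""
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    if spec == "any":
        pred = lambda a: True
    else:
        net = ipaddress.ip_network(spec, strict=False)
        pred = lambda a: ipaddress.ip_address(a) in net
    return (lambda a: not pred(a)) if negate else pred


def parse_rule(text: str) -> Rule:
    """Parse the header and the simple 'key:value;' options of one rule line."""
    m = HEADER_RE.match(text)
    if not m:
        raise ValueError(f"unparseable rule header: {text!r}")
    opts = {}
    for item in m.group("opts").split(";"):
        key, _, val = item.strip().partition(":")
        if key:
            opts[key.strip()] = val.strip().strip('"')
    return Rule(
        action=m.group("action").lower(),
        proto=m.group("proto").lower(),
        src=addr_predicate(m.group("src")),
        sport=port_predicate(m.group("sport")),
        bidir=m.group("dir") == "<>",
        dst=addr_predicate(m.group("dst")),
        dport=port_predicate(m.group("dport")),
        sid=int(opts.get("sid", "0")),
        msg=opts.get("msg", ""),
    )


def matches(rule: Rule, pkt: Packet) -> bool:
    """True if the header matches; '<>' rules are tried in both directions."""
    if rule.proto not in ("ip", pkt.proto):
        return False
    forward = (rule.src(pkt.src) and rule.sport(pkt.sport)
               and rule.dst(pkt.dst) and rule.dport(pkt.dport))
    if forward or not rule.bidir:
        return forward
    return (rule.src(pkt.dst) and rule.sport(pkt.dport)
            and rule.dst(pkt.src) and rule.dport(pkt.sport))


def verdict(rule_text: str, pkt: Packet) -> str:
    """Action the rule would take on pkt, or 'pass' if the header does not match."""
    rule = parse_rule(rule_text)
    return rule.action if matches(rule, pkt) else "pass"


# The two rules posted in the thread.
DROP_ALL = 'drop tcp any any -> any any (msg: "Dropped Packet"; sid: 1000001;)'
DROP_80_TO_80 = ('drop tcp any 80 -> any 80 (classtype:attempted-user; '
                 'msg:"Port 80 connection initiated";sid:1000001;)')

# Constructed samples: a browser on an ephemeral port talking to a web server,
# and the server's reply; neither has port 80 on both ends.
CLIENT_TO_WEB = Packet("tcp", "192.0.2.10", 51234, "198.51.100.20", 80)
WEB_TO_CLIENT = Packet("tcp", "198.51.100.20", 80, "192.0.2.10", 51234)

if __name__ == "__main__":
    for text in (DROP_ALL, DROP_80_TO_80):
        for pkt in (CLIENT_TO_WEB, WEB_TO_CLIENT):
            print(f"sid {parse_rule(text).sid}: {pkt.src}:{pkt.sport} -> "
                  f"{pkt.dst}:{pkt.dport} => {verdict(text, pkt)}")
```

Run stand-alone, the script shows `drop` for both sample packets under the `any any -> any any` rule and `pass` for both under the `any 80 -> any 80` rule, which is the behaviour a rule with a fixed source port gives on normal web traffic. Separately from rule matching, the "Snort processed 0 packets" summary above is the expected result whenever nothing is being queued: with `-Q` snort_inline reads only packets that an iptables rule has handed to the QUEUE target, so loading ip_queue alone, without such a rule, leaves snort_inline with nothing to inspect.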