From: Dave R. <da...@re...> - 2007-07-14 17:00:48
On Sat, 14 Jul 2007, sno...@li... wrote:

> I tried to install the snort_inline on fedora and the installation process worked fine.
> Right now I'm using snort_inline-2.6.1.5. Now, after inserting the ip_queue module I am running the following command
>
> snort_inline -Q -v -c /etc/snort_inline/snort_inline.conf -l /var/log/snort_inline

Your iptables needs to send packets to ip_queue:

iptables -I FORWARD -j QUEUE

if you're doing this as a bridge/router, or, if to/from localhost:

iptables -I INPUT -j QUEUE
iptables -I OUTPUT -j QUEUE

> I am getting the following summary:
>
> ===============================================================================
> Snort processed 0 packets.
> ===============================================================================
> Breakdown by protocol:
>     TCP: 0 (0.000%)
>     UDP: 0 (0.000%)
>    ICMP: 0 (0.000%)
>     ARP: 0 (0.000%)
>   EAPOL: 0 (0.000%)
>    IPv6: 0 (0.000%)
> ETHLOOP: 0 (0.000%)
>     IPX: 0 (0.000%)
>    FRAG: 0 (0.000%)
>   OTHER: 0 (0.000%)
> DISCARD: 0 (0.000%)
> ===============================================================================
> Action Stats:
> ALERTS: 0
> LOGGED: 0
> PASSED: 0
> ===============================================================================
>
> In my snort.conf file I have commented all the rules except one
> include $RULE_PATH/web-attacks.rules
> At the end of the web-attacks.rule file I have added a simple rule:
> drop tcp any 80 -> any 80 (classtype:attempted-user; msg:"Port 80
> connection initiated";sid:1000001;)

I think you want this:

drop tcp any any -> any 80 (classtype:attempted-user; msg:"Port 80 connection initiated";sid:1000001;)

Unless you're really (highly unlikely) expecting packets to be sourced from port 80. The norm for source packets is 1024 up...

> Kindly tell me where I am going wrong. Why is snort_inline not able to process any packet?

Iptables needs to be told to send packets to the QUEUE, it doesn't just "happen".
Cheers,
Dave
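The two diagnoses in Dave's reply (no iptables rule sending packets to QUEUE, and a Snort rule header that pins the source port to 80) can both be checked before starting snort_inline. The following shell functions are an added example, not part of the original mail or of the snort_inline project: they parse the output of `iptables -vnL FORWARD` to confirm that a QUEUE target exists and is receiving packets, and they inspect the source-port field of a Snort rule header. The iptables chain dumps embedded here are constructed samples in the format that `iptables -vnL` prints; the function names are hypothetical.

```shell
#!/bin/sh
# Constructed samples of `iptables -vnL FORWARD` output (not real captures).
SAMPLE_QUEUE_MISSING='Chain FORWARD (policy ACCEPT 1234 packets, 98765 bytes)
 pkts bytes target     prot opt in     out     source               destination
  120 10000 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED'

SAMPLE_QUEUE_IDLE='Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 QUEUE      all  --  *      *       0.0.0.0/0            0.0.0.0/0'

SAMPLE_QUEUE_PRESENT='Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 4521  3.2M QUEUE      all  --  *      *       0.0.0.0/0            0.0.0.0/0'

# queue_rule_present CHAIN_DUMP -> exit 0 if any rule in the dump has target QUEUE
# (third whitespace-separated column of a `-vnL` rule line is the target)
queue_rule_present() {
    printf '%s\n' "$1" | awk '$3 == "QUEUE" { found = 1 } END { exit found ? 0 : 1 }'
}

# queue_packets CHAIN_DUMP -> prints the summed packet counter of all QUEUE rules (0 if none)
queue_packets() {
    printf '%s\n' "$1" | awk '$3 == "QUEUE" { sum += $1 } END { print sum + 0 }'
}

# check_queue CHAIN_DUMP -> one-line diagnosis of why snort_inline may report 0 packets
check_queue() {
    if ! queue_rule_present "$1"; then
        echo "no QUEUE rule in chain"
    elif [ "$(queue_packets "$1")" -eq 0 ]; then
        echo "QUEUE rule present but no packets have hit it"
    else
        echo "QUEUE rule present and receiving packets"
    fi
}

# rule_src_port RULE -> prints the source-port field (4th token) of a Snort rule header:
#   action proto src_ip src_port -> dst_ip dst_port (options)
rule_src_port() {
    printf '%s\n' "$1" | awk '{ print $4 }'
}

# check_rule RULE -> "ok" when the source port is left as "any", otherwise a warning,
# since clients normally connect from ephemeral ports (1024 and up), not from port 80
check_rule() {
    port=$(rule_src_port "$1")
    if [ "$port" = "any" ]; then
        echo "ok"
    else
        echo "warning: source port fixed to $port"
    fi
}

# Live use on a host running snort_inline (needs root for iptables):
#   check_queue "$(iptables -vnL FORWARD)"
#   check_rule 'drop tcp any any -> any 80 (msg:"Port 80 connection initiated"; sid:1000001;)'
```

Running `check_queue` against the real chain before launching snort_inline distinguishes the "no rule at all" case from the "rule present but traffic takes another path" case (for instance, traffic to or from the local host goes through INPUT/OUTPUT rather than FORWARD, as the reply points out).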