Try changing your -j ACCEPT rules to -j QUEUE. The only caveat is that
snort_inline needs to see both sides of the conversation to do its
job properly, so you would need rules like the following.
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i eth0 -j QUEUE
iptables -A OUTPUT -o eth0 -j QUEUE
Even though you are using APF, you should be able to get a list of the
current iptables rules for INPUT, FORWARD and OUTPUT by doing the
following.
iptables -L
Regards,
Will
On Fri, 31 Dec 2004 10:55:19 +0100, phpMiX (snort) <sn...@ph...> wrote:
> After the latest PHP/phpBB related worms I would like to use snort-inline to
> prevent problems in the future. I believe this is a must these days. And
> snort-inline is great, for what I've been reading (a lot, I think).
>
> I'm running RHEL 3 and I've been using APF and BFD (www.rfxnetworks.com).
> I've been also using Snort in IDS mode with ACID for some time now.
>
> Now, I've been able to install the kernel-source package, iptables-devel,
> libnet 1.0.2a and snort 2.3.0RC2 compiled with the --enable-inline option.
> Tested and it works! However, it is still running in IDS mode.
>
> I downloaded the rc.firewall script from honeynet.org and I've been trying
> to understand how do I need to change it to suit my needs. I do not need to
> do NAT nor act as Bridge. My computer is connected to just one interface
> (eth0), the net. Also, I still need to use APF, since it's easier to
> customize than iptables. TBH, I feel somehow lost when trying to figure out
> iptables seriously.
>
> Probably I need to setup the ip_queue chains to allow snort-inline do its
> own job, but I also need to keep all the iptable settings APF builds when
> it's started. ...or maybe I can't use APF+BFD anymore when using
> snort-inline?
>
> Please, can anyone help me?
>
> Thanks a lot in advance ...and happy new year! :-)
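Added example, not part of the original thread: a shell check that reads rules in iptables-save format and reports whether both directions on one interface are handed to QUEUE, and which ACCEPT rules sit ahead of it and so never reach snort_inline. The function name check_queue_coverage and the sample rule set are constructed for illustration, and the check assumes any QUEUE rule for the interface covers all of its traffic.

```shell
#!/bin/sh
# Added example: audit iptables-save style rules ("-A CHAIN ... -j TARGET")
# for snort_inline coverage of one interface.
# Usage: iptables-save | check_queue_coverage eth0
# Prints findings; exit status is 0 only when INPUT and OUTPUT both reach
# QUEUE with no earlier ACCEPT for that interface.
# Simplification: any QUEUE rule for the interface counts as full coverage.
check_queue_coverage() {
    awk -v ifc="$1" '
    $1 != "-A" || ($2 != "INPUT" && $2 != "OUTPUT") { next }
    {
        chain = $2; target = ""; in_if = ""; out_if = ""
        for (i = 3; i < NF; i++) {
            if ($i == "-j") target = $(i + 1)
            if ($i == "-i") in_if  = $(i + 1)
            if ($i == "-o") out_if = $(i + 1)
        }
        # iptables rejects -i in OUTPUT and -o in INPUT; catch it in review.
        if ((chain == "OUTPUT" && in_if != "") || (chain == "INPUT" && out_if != "")) {
            print "INVALID: wrong interface flag for " chain ": " $0; bad = 1; next
        }
        dev = (chain == "INPUT") ? in_if : out_if
        if (dev != "" && dev != ifc) next          # rule is for another interface
        if (target == "QUEUE") queued[chain] = 1
        else if (target == "ACCEPT" && !(chain in queued)) {
            print "BYPASS: accepted before QUEUE, never inspected: " $0; bad = 1
        }
    }
    END {
        if (!("INPUT" in queued))  { print "MISSING: no QUEUE rule for INPUT on " ifc;  bad = 1 }
        if (!("OUTPUT" in queued)) { print "MISSING: no QUEUE rule for OUTPUT on " ifc; bad = 1 }
        exit bad + 0
    }'
}

# Constructed sample rule set (not taken from the thread).
SAMPLE_RULES='-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -j QUEUE
-A OUTPUT -o eth0 -j ACCEPT'

printf '%s\n' "$SAMPLE_RULES" | check_queue_coverage eth0 || true
```

Loopback rules are ignored because they name a different interface; a rule with no interface match is treated as applying to the audited one.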