Thread: [Snort-inline-users] snort-inline with out ip_conntrack

Brought to you by: count_zero_rod, redmaze, vicjul78

snort-inline-users

[Snort-inline-users] snort-inline with out ip_conntrack

From: Murugavel T. <tmu...@gm...> - 2005-01-31 05:56:55

Hi,

We have to implement snort-inline without ip_conntrack module.

Is it possible?

iptables -t mangle -A FORWARD -p tcp -s <xxxxxx> --syn -m state
--state NEW -j MARK --set-mark 1
iptables -t mangle -A FORWARD -p tcp -s <xxxxxxxxxx>  -m state --state
ESTABLISHED -j MARK --set-mark 2
iptables -A FORWARD -s <xxxxxxx>  -j QUEUE


In the above rule ipt_state using ip_conntrack module. 

Is there any other way to modify the rule without ip_conntack?


Regards
Murugavel






-- 

Regards
Muruga>>----le>
 "Success comes to the person who does today"

Re: [Snort-inline-users] snort-inline with out ip_conntrack

From: Victor J. <vi...@nk...> - 2005-01-31 08:17:56

Murugavel Thiruvengadam wrote:
> Hi,
> 
> We have to implement snort-inline without ip_conntrack module.
> 
> Is it possible?
> 
> iptables -t mangle -A FORWARD -p tcp -s <xxxxxx> --syn -m state
> --state NEW -j MARK --set-mark 1
> iptables -t mangle -A FORWARD -p tcp -s <xxxxxxxxxx>  -m state --state
> ESTABLISHED -j MARK --set-mark 2
> iptables -A FORWARD -s <xxxxxxx>  -j QUEUE
> 
> 
> In the above rule ipt_state using ip_conntrack module. 
> 
> Is there any other way to modify the rule without ip_conntack?
> 
> 
> Regards
> Murugavel
> 
> 
> 
> 
> 
> 
Hi Murugavel,

You can just use:

iptables -A FORWARD -j QUEUE

This way you send all forwarded traffic to snort_inline, and you won't 
need ip_conntrack.

Hope this helps,

Regards,
Victor

Re: [Snort-inline-users] snort-inline with out ip_conntrack

From: Murugavel T. <tmu...@gm...> - 2005-01-31 09:49:46

Hi

My question  is  "Is it necessary to mark packet for snort-inline to process.?"
 iptables -t mangle -A FORWARD -p tcp -s <xxxxxx> --syn -m state
 --state NEW -j MARK --set-mark 1

regards
murugavel



On Mon, 31 Jan 2005 09:22:06 +0000, Victor Julien <vi...@nk...> wrote:
> Murugavel Thiruvengadam wrote:
> > Hi,
> >
> > We have to implement snort-inline without ip_conntrack module.
> >
> > Is it possible?
> >
> > iptables -t mangle -A FORWARD -p tcp -s <xxxxxx> --syn -m state
> > --state NEW -j MARK --set-mark 1
> > iptables -t mangle -A FORWARD -p tcp -s <xxxxxxxxxx>  -m state --state
> > ESTABLISHED -j MARK --set-mark 2
> > iptables -A FORWARD -s <xxxxxxx>  -j QUEUE
> >
> >
> > In the above rule ipt_state using ip_conntrack module.
> >
> > Is there any other way to modify the rule without ip_conntack?
> >
> >
> > Regards
> > Murugavel
> >
> >
> >
> >
> >
> > 
> Hi Murugavel,
> 
> You can just use:
> 
> iptables -A FORWARD -j QUEUE
> 
> This way you send all forwarded traffic to snort_inline, and you won't
> need ip_conntrack.
> 
> Hope this helps,
> 
> Regards,
> Victor
> 


-- 

Regards
Muruga>>----le>
 "Success comes to the person who does today"

Re: [Snort-inline-users] snort-inline with out ip_conntrack

From: Victor J. <vi...@nk...> - 2005-01-31 09:54:21

Murugavel Thiruvengadam wrote:
> Hi
> 
> My question  is  "Is it necessary to mark packet for snort-inline to process.?"
>  iptables -t mangle -A FORWARD -p tcp -s <xxxxxx> --syn -m state
>  --state NEW -j MARK --set-mark 1
> 
> regards
> murugavel
> 
> 
> 
> On Mon, 31 Jan 2005 09:22:06 +0000, Victor Julien <vi...@nk...> wrote:
> 
>>Murugavel Thiruvengadam wrote:
>>
>>>Hi,
>>>
>>>We have to implement snort-inline without ip_conntrack module.
>>>
>>>Is it possible?
>>>
>>>iptables -t mangle -A FORWARD -p tcp -s <xxxxxx> --syn -m state
>>>--state NEW -j MARK --set-mark 1
>>>iptables -t mangle -A FORWARD -p tcp -s <xxxxxxxxxx>  -m state --state
>>>ESTABLISHED -j MARK --set-mark 2
>>>iptables -A FORWARD -s <xxxxxxx>  -j QUEUE
>>>
>>>
>>>In the above rule ipt_state using ip_conntrack module.
>>>
>>>Is there any other way to modify the rule without ip_conntack?
>>>
>>>
>>>Regards
>>>Murugavel
>>>
>>>
>>>
>>>
>>>
>>>
>>
>>Hi Murugavel,
>>
>>You can just use:
>>
>>iptables -A FORWARD -j QUEUE
>>
>>This way you send all forwarded traffic to snort_inline, and you won't
>>need ip_conntrack.
>>
>>Hope this helps,
>>
>>Regards,
>>Victor
>>
> 
> 
> 
  No it's not. The marking was add as a way to help the stream4 
preprocessor. But it's not needed.

BTW: 2.3 won't even have this function anymore...

Regards,
Victor