From: vishal_nitr <vis...@re...> - 2008-05-21 05:44:18
yeh sure...

my iptable rules are

iptables -p tcp -A OUTPUT --sport 80 -j NFQUEUE --queue-num 100
iptables -p tcp -A INPUT --dport 80 -j NFQUEUE --queue-num 100

snort rule is

pass tcp any any <> 172.30.11.120/32 80

stream4 settings are

preprocessor stream4: disable_evasion_alerts, \
    stream4inline, \
    enforce_state pass, \
    memcap 100000000, \
    timeout 3600, \
    truncate, \
    window_size 3000

preprocessor stream4_reassemble: both, ports "default", favor_new

my HTTP configs are

preprocessor http_inspect: global \
    iis_unicode_map unicode.map 1252

preprocessor http_inspect_server: server default \
    profile all ports { 80 8080 8180 } oversize_dir_length 500

Actually I tried disabling all stream4 configs and HTTP configs but it wasn't working.

On Tue, 20 May 2008 12:26:20 +0200 Victor Julien wrote

I suspect there is some state issue here. Could you show us the iptables
rules, relevant snort rules and your stream4/5 settings?

Regards,
Victor

vishal_nitr wrote:
> Hi ALL,
> I am running snort in inline mode on a HTTP server by using
> NFQUEUE. I have two queues for HTTP traffic destined to this server
> one for incoming requests and another for responses given by this
> server to client.
> when I am sending HTTP request from a client with both the queues
> present; TCP connection is getting established, GET request is coming
> to server and acknowledgement is also reaching to client but 200 OK
> packets are not reaching to client. Packets are dropped by snort as
> it's a pass rule.
>
> I suspect it as a some configuration issue.
>
> Please help me resolve this issue.
>
> Thanks
> vishal
>
> Thanks and Regards,
> Vishal Kotalwar,
> Software Engineer,
> Aricent,
> Chennai-35.
> 09884074047.

_______________________________________________
Snort-inline-users mailing list
Sno...@li...
https://lists.sourceforge.net/lists/listinfo/snort-inline-users

Thanks and Regards,
Vishal Kotalwar,
Software Engineer,
Aricent,
Chennai-35.
09884074047.
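An added example, not part of the original thread: a small Python check that maps each NFQUEUE number in an iptables rule set to the chains feeding it, so you can confirm that whatever reads a queue sees both directions of a connection before relying on stateful stream tracking. `POSTED` is the rule set quoted in the message above; the `SPLIT` rule set and all function names are constructed for illustration.

```python
import shlex
from collections import defaultdict

# Rules as posted in the message above.
POSTED = """\
iptables -p tcp -A OUTPUT --sport 80 -j NFQUEUE --queue-num 100
iptables -p tcp -A INPUT --dport 80 -j NFQUEUE --queue-num 100
"""

# Constructed variant (not from the thread): one queue per direction,
# as the prose of the original question describes.
SPLIT = """\
iptables -p tcp -A OUTPUT --sport 80 -j NFQUEUE --queue-num 101
iptables -p tcp -A INPUT --dport 80 -j NFQUEUE --queue-num 100
"""

def parse_nfqueue_rules(text):
    """Return a list of (chain, queue_num) for every NFQUEUE rule in text."""
    rules = []
    for line in text.splitlines():
        tok = shlex.split(line, comments=True)
        if "NFQUEUE" not in tok or "-A" not in tok:
            continue
        chain = tok[tok.index("-A") + 1]
        # iptables uses queue 0 when --queue-num is omitted
        queue = int(tok[tok.index("--queue-num") + 1]) if "--queue-num" in tok else 0
        rules.append((chain, queue))
    return rules

def queues_by_direction(text):
    """Map each queue number to the set of chains that feed it."""
    seen = defaultdict(set)
    for chain, queue in parse_nfqueue_rules(text):
        seen[queue].add(chain)
    return dict(seen)

def one_sided_queues(text, needed=frozenset({"INPUT", "OUTPUT"})):
    """Queues that receive only one side of a host-terminated connection."""
    return sorted(q for q, chains in queues_by_direction(text).items()
                  if not needed <= chains)

if __name__ == "__main__":
    for name, rules in (("posted", POSTED), ("split", SPLIT)):
        print(name, queues_by_direction(rules), "one-sided:", one_sided_queues(rules))
```
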
From: Will M. <wil...@gm...> - 2008-05-21 06:04:19
is this the only rule you have in your rule set?

On Wed, May 21, 2008 at 12:45 AM, vishal_nitr <vis...@re...> wrote:
> yeh sure...
>
> my iptable rules are
>
> iptables -p tcp -A OUTPUT --sport 80 -j NFQUEUE --queue-num 100
> iptables -p tcp -A INPUT --dport 80 -j NFQUEUE --queue-num 100
>
> snort rule is
>
> pass tcp any any <> 172.30.11.120/32 80
>
> stream4 settings are
>
> preprocessor stream4: disable_evasion_alerts,
> stream4inline,
> enforce_state pass,
> memcap 100000000,
> timeout 3600,
> truncate,
> window_size 3000
>
> preprocessor stream4_reassemble: both, ports "default", favor_new
>
> my HTTP configs are
>
> preprocessor http_inspect: global
> iis_unicode_map unicode.map 1252
>
> preprocessor http_inspect_server: server default
> profile all ports { 80 8080 8180 } oversize_dir_length 500
>
> Actually I tried disabling all stream4 configs and HTTP configs but it
> wasn't working.
>
>
> On Tue, 20 May 2008 12:26:20 +0200 Victor Julien wrote
>
> I suspect there is some state issue here. Could you show us the iptables
> rules, relevant snort rules and your stream4/5 settings?
>
> Regards,
> Victor
>
> vishal_nitr wrote:
>> Hi ALL,
>> I am running snort in inline mode on a HTTP server by using
>> NFQUEUE. I have two queues for HTTP traffic destined to this server
>> one for incoming requests and another for responses given by this
>> server to client.
>> when I am sending HTTP request from a client with both the queues
>> present; TCP connection is getting established, GET request is coming
>> to server and acknowledgement is also reaching to client but 200 OK
>> packets are not reaching to client. Packets are dropped by snort as
>> it's a pass rule.
>>
>> I suspect it as a some configuration issue.
>>
>> Please help me resolve this issue.
>>
>> Thanks
>> vishal
>>
>> Thanks and Regards,
>> Vishal Kotalwar,
>> Software Engineer,
>> Aricent,
>> Chennai-35.
>> 09884074047.
>
> Thanks and Regards,
> Vishal Kotalwar,
> Software Engineer,
> Aricent,
> Chennai-35.
> 09884074047.