Honeypots mailing list archives

Re: snort inline doesn't seem to drop malicious traffic


From: Stephan Scholz <sscholz () astaro com>
Date: Tue, 29 Jul 2003 09:29:07 +0200

Hi Alexander,

are you sure you are using the right ruleset? The rules need to
be converted from target "alert" to "drop".

Stephan

> i set up a gen2 honeynet following the instructions on the honeynet
> website. so far everything seems to work fine except that i was able to
> successfully attack my outside-of-the-honeynet testbox (with that latest
> samba buffer overflow exploit called sambal.c) from inside the
> honeynet. the inline snort detects and logs the attack but it isn't
> blocked. first i was suspecting that iptables wasn't queueing at all but
> killing the snort_inline process proved that wrong. also fiddling with
> the snort_inline startup script (i.e. changing the interface to listen
> on) didn't help. could anyone point me to what i might have missed?
>
> thanks in advance,
>
> alexander.



--
Stephan Scholz <sscholz () astaro com> | Development
Astaro AG | www.astaro.com | Phone +49-721-490069-0 | Fax -55

Visit Astaro at:
- LinuxWorld Expo, booth 1091, San Francisco, Aug. 5-7, 2003
- CeBIT asia, German Pavilion, Pudong, Shanghai, Sep. 18-23, 2003
- Infosecurity Scandinavia, booth C02:38, Stockholm, Sep. 23-25, 2003
- GITEX, German Pavilion, Dubai, Oct. 19-23, 2003
- Systems 2003, hall B2, booth 326, Munich, Oct. 20-24, 2003
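The point of Stephan's reply is that snort_inline only blocks on rules whose action keyword is "drop"; a stock ruleset whose rules all start with "alert" will be logged but never dropped, which matches the symptom Alexander describes. The following is an added example (not from the thread, not the Honeynet Project's own conversion script) that rewrites the leading action keyword of every active rule from "alert" to "drop" and tallies the actions so the admin can verify what the ruleset actually contains before loading it. The rule file is a constructed sample; sids, messages and the regex are assumptions, and only the action keyword at the start of an uncommented line is touched, so "alert" appearing inside rule options is left alone.

```python
import re
from collections import Counter

# Constructed sample of a Snort 2.x-style rule file (not from the thread).
SAMPLE_RULES = """\
# local.rules -- constructed sample
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"constructed smb rule"; sid:1000001; rev:1;)
alert udp any any -> any 53 (msg:"constructed dns rule"; sid:1000002; rev:1;)
pass tcp any any -> any 22 (msg:"allow ssh"; sid:1000003; rev:1;)
# alert tcp any any -> any 23 (msg:"disabled telnet rule"; sid:1000004; rev:1;)
log tcp any any -> any 80 (msg:"log web"; sid:1000005; rev:1;)
"""

# Matches the action keyword that opens an active (uncommented) rule line.
# Group 1 keeps any leading whitespace, group 2 is the action itself.
ACTION_RE = re.compile(
    r"^(\s*)(alert|log|pass|drop|sdrop|reject|activate|dynamic)\b"
)


def convert_alert_to_drop(rules_text: str) -> tuple[str, int]:
    """Rewrite every active 'alert' rule to 'drop'.

    Returns (converted_text, number_of_rules_changed). Comments, blank
    lines and rules with other actions pass through unchanged.
    """
    out_lines = []
    converted = 0
    for line in rules_text.splitlines():
        m = ACTION_RE.match(line)
        if m and m.group(2) == "alert":
            line = m.group(1) + "drop" + line[m.end():]
            converted += 1
        out_lines.append(line)
    return "\n".join(out_lines) + "\n", converted


def count_actions(rules_text: str) -> dict[str, int]:
    """Tally the action keyword of every active rule.

    Useful as a sanity check: a ruleset meant for snort_inline that
    reports zero 'drop' rules will log attacks but never block them.
    """
    counts: Counter = Counter()
    for line in rules_text.splitlines():
        m = ACTION_RE.match(line)
        if m:
            counts[m.group(2)] += 1
    return dict(counts)


if __name__ == "__main__":
    print("before:", count_actions(SAMPLE_RULES))
    new_rules, changed = convert_alert_to_drop(SAMPLE_RULES)
    print("converted %d rule(s)" % changed)
    print("after: ", count_actions(new_rules))
    print(new_rules)
```

Running `count_actions` on the file snort_inline is actually started with (the path given by `-c` in the startup script) is the quickest way to confirm whether the converted rules are the ones being loaded.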
