Honeypots mailing list archives
Re: snort inline doesn't seem to drop malicious traffic
From: Stephan Scholz <sscholz () astaro com>
Date: Tue, 29 Jul 2003 09:29:07 +0200
Hi Alexander,

are you sure you are using the right ruleset? The rules need to be converted from target "alert" to "drop".

Stephan
> I set up a gen2 honeynet following the instructions on the honeynet website. So far everything seems to work fine, except that I was able to successfully attack my outside-of-the-honeynet testbox (with that latest Samba buffer overflow exploit called sambal.c) from inside the honeynet. The inline snort detects and logs the attack, but it isn't blocked. First I was suspecting that iptables wasn't queueing at all, but killing the snort_inline process proved that wrong. Also fiddling with the snort_inline startup script (i.e. changing the interface to listen on) didn't help. Could anyone point me to what I might have missed?
>
> Thanks in advance,
> Alexander.
--
Stephan Scholz <sscholz () astaro com> | Development
Astaro AG | www.astaro.com | Phone +49-721-490069-0 | Fax -55

Visit Astaro at:
- LinuxWorld Expo, booth 1091, San Francisco, Aug. 5-7, 2003
- CeBIT asia, German Pavilion, Pudong, Shanghai, Sep. 18-23, 2003
- Infosecurity Scandinavia, booth C02:38, Stockholm, Sep. 23-25, 2003
- GITEX, German Pavilion, Dubai, Oct. 19-23, 2003
- Systems 2003, hall B2, booth 326, Munich, Oct. 20-24, 2003
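A small check for the point Stephan raises, added here as an example and not taken from the thread or from the honeynet project's own scripts: it rewrites the action of every "alert" rule to "drop" and then counts how many rules of each action remain, so you can confirm that the ruleset snort_inline loads really contains no alert-only rules. The rule lines are constructed samples, not a real Snort ruleset.

```shell
#!/bin/sh
# Added example (not from the thread): convert Snort rules from "alert" to
# "drop" so that snort_inline blocks the traffic instead of only logging it,
# and verify the result.  Sample rules below are constructed, not real.

# convert_rules IN OUT: every active rule whose action is "alert" (optionally
# indented) becomes a "drop" rule; comments and other actions pass through.
convert_rules() {
    sed -e 's/^\([[:space:]]*\)alert[[:space:]]/\1drop /' "$1" > "$2"
}

# count_action FILE ACTION: number of active rules using ACTION.
# grep -c exits 1 when the count is 0, so "|| true" keeps the 0 on stdout.
count_action() {
    grep -c "^[[:space:]]*$2[[:space:]]" "$1" || true
}

# verify_no_alert FILE: succeed only if no "alert" rule is left in FILE.
verify_no_alert() {
    [ "$(count_action "$1" alert)" = "0" ]
}

# Constructed sample ruleset (sids in the local 1000000+ range).
SAMPLE_RULES='# constructed sample rules, not a real Snort ruleset
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB sample"; flow:to_server,established; sid:1000001; rev:1;)
  alert udp any any -> any 53 (msg:"DNS sample"; sid:1000002; rev:1;)
pass tcp any any -> any 22 (msg:"allow ssh"; sid:1000003; rev:1;)
'

# Stand-alone demo: write the samples to a temp file, convert, and report.
demo_in=$(mktemp); demo_out=$(mktemp)
printf '%s' "$SAMPLE_RULES" > "$demo_in"
convert_rules "$demo_in" "$demo_out"
echo "alert rules left: $(count_action "$demo_out" alert)"   # 0
echo "drop rules now:   $(count_action "$demo_out" drop)"    # 2
verify_no_alert "$demo_out" && echo "ruleset is drop-ready"
rm -f "$demo_in" "$demo_out"
```

Point convert_rules at the rule files your snort_inline configuration actually includes; an unconverted file that is still referenced from snort.conf is exactly the "logs but does not block" symptom described above.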
Current thread:
- snort inline doesn't seem to drop malicious traffic Alexander Meyer (spot-media AG) (Jul 28)
- Re: snort inline doesn't seem to drop malicious traffic Stephan Scholz (Jul 29)
- Re: snort inline doesn't seem to drop malicious traffic Alexander Meyer (spot-media AG) (Jul 29)
- Re: snort inline doesn't seem to drop malicious traffic Stephan Scholz (Jul 29)
- Re: snort inline doesn't seem to drop malicious traffic Alexander Meyer (spot-media AG) (Jul 29)
- Re: snort inline doesn't seem to drop malicious traffic Stephan Scholz (Jul 29)