Snort mailing list archives
snort inline behavior
From: "/dev/null" <dev.null () BeginThread com>
Date: Wed, 26 Nov 2003 00:41:12 -0600
First, thanks to all for the help on getting the right inline version running. I went through my firewall script and every '-j ACCEPT' I had, I changed to '-j QUEUE' and re-built my iptable chains. Did `insmod ip_queue`, loaded fine. Started up snort_inline with '-DQ -l ... -c ...'. Everything looked fine. After a couple of minutes I decided instead of -D (daemon) I'd rather see a little output to make sure it was seeing packets as expected. I was ssh'ed into the box so I figured my iptables "ESTABLISHED,RELATED -j QUEUE" entry should show a lot of ssh packets. I do a `kill` on the snort_inline pid and suddenly my ssh connection goes dead - I'm waiting for it to timeout now. In the mean time I've tried to re-ssh back into the box, but they just time out. I'm wondering if this is some weird deal that if you don't have someone running on QUEUE that the packets never get ACCEPTed and by shutting snort down I just shot myself in the foot. I'm going to go ahead and set up another box (that one is 1hr away, and the tech guy will arive in the morning and I'll walk him through changing QUEUE back to ACCEPT and restart the firewall...) and getting it tested locally where if it breaks I can fix it easily. In the mean time I was wondering if you guys could lend your experience here. Does killing snort_inline while it's watching the QUEUE break any connections that are getting -j QUEUEed? What happened here? Thanks! ------------------------------------------------------- This SF.net email is sponsored by: SF.net Giveback Program. Does SourceForge.net help you be more productive? Does it help you create better code? SHARE THE LOVE, and help us help YOU! Click Here: http://sourceforge.net/donate/ _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- bad frag bits Samuel C. Adams (Nov 25)
- Re: bad frag bits Brian (Nov 25)
- snort inline && current rules. /dev/null (Nov 25)
- Re: snort inline && current rules. Matt Kettler (Nov 25)
- Re: snort inline && current rules. /dev/null (Nov 25)
- Re: snort inline && current rules. Jeff Nathan (Nov 25)
- Re: snort inline && current rules. Matt Kettler (Nov 25)
- Re: snort inline && current rules. /dev/null (Nov 25)
- snort inline && current rules. /dev/null (Nov 25)
- Re: bad frag bits Brian (Nov 25)
- Re: snort inline && current rules. Josh Berry (Nov 25)
- snort inline behavior /dev/null (Nov 25)
- Re: snort inline behavior /dev/null (Nov 26)
- Re: snort inline behavior Stephan Scholz (Nov 26)
- Re: snort inline behavior /dev/null (Nov 26)
- Re: snort inline behavior Stephan Scholz (Nov 26)
- Re: snort inline behavior Josh Berry (Nov 26)