Snort mailing list archives

snort inline behavior


From: "/dev/null" <dev.null () BeginThread com>
Date: Wed, 26 Nov 2003 00:41:12 -0600

First, thanks to all for the help on getting the right inline version
running.

I went through my firewall script and every '-j ACCEPT' I had, I changed to
'-j QUEUE' and rebuilt my iptables chains.  Did `insmod ip_queue`, loaded
fine.  Started up snort_inline with '-DQ -l ... -c ...'.  Everything looked
fine.  After a couple of minutes I decided instead of -D (daemon) I'd rather
see a little output to make sure it was seeing packets as expected.  I was
ssh'ed into the box, so I figured my iptables "ESTABLISHED,RELATED -j QUEUE"
entry should show a lot of ssh packets.  I do a `kill` on the snort_inline
pid and suddenly my ssh connection goes dead - I'm waiting for it to time out
now.  In the meantime I've tried to re-ssh back into the box, but the attempts just
time out.

I'm wondering if this is some weird deal that if you don't have someone
running on QUEUE that the packets never get ACCEPTed and by shutting snort
down I just shot myself in the foot.

I'm going to go ahead and set up another box (that one is 1hr away, and the
tech guy will arrive in the morning and I'll walk him through changing QUEUE
back to ACCEPT and restarting the firewall...) and get it tested locally,
where if it breaks I can fix it easily.

In the meantime I was wondering if you guys could lend your experience
here.  Does killing snort_inline while it's watching the QUEUE break any
connections that are getting -j QUEUEd?  What happened here?

Thanks!



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
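The failure mode described in this post is inherent to the ip_queue design: a packet that hits '-j QUEUE' is handed to the userspace reader attached to the queue, and when no reader is attached (snort_inline killed, crashed, or not yet started) the kernel drops the packet rather than falling back to ACCEPT. Queueing the ESTABLISHED,RELATED rule therefore queues the administrator's own SSH session, and killing the reader kills the session. The script below is an added example, not code from the post, from the poster, or from the snort_inline project. It shows the two safeguards a practitioner would want before repeating this setup: keeping management rules on ACCEPT while converting the rest to QUEUE, and checking /proc/net/ip_queue for an attached reader before deploying the rewritten rules. The '# mgmt' marker comment, the admin host 192.0.2.10, the sample rule set and the two /proc/net/ip_queue snapshots are all assumptions constructed for the example; the "Peer PID" line is the layout the 2.4/2.6 ip_queue module prints, which is treated here as an assumption about the running kernel.

```shell
#!/bin/sh
# Added example (not from the original post). With ip_queue, a packet matched
# by '-j QUEUE' is dropped by the kernel if no userspace reader is attached to
# the queue. Two safeguards are shown, both assumptions of this script rather
# than anything the post itself prescribes:
#   (1) rules tagged with the marker comment '# mgmt' stay on ACCEPT, so the
#       admin SSH path never depends on snort_inline being alive;
#   (2) /proc/net/ip_queue is checked for an attached reader (Peer PID != 0)
#       before the rewritten rules are loaded.

# Rewrite a firewall script read on stdin: every '-j ACCEPT' becomes
# '-j QUEUE' except on lines carrying the (assumed) marker '# mgmt'.
queue_rules() {
    sed -e '/# mgmt/!s/-j ACCEPT/-j QUEUE/'
}

# Read /proc/net/ip_queue text on stdin and succeed only if a userspace reader
# is attached. Assumed layout (2.4/2.6 ip_queue): "Peer PID          : 1234".
queue_has_reader() {
    _pid=$(sed -n 's/^Peer PID[[:space:]]*:[[:space:]]*\([0-9]*\).*/\1/p')
    [ -n "$_pid" ] && [ "$_pid" -ne 0 ]
}

# Constructed sample firewall script (assumption; not the poster's real rules).
# The mgmt rules sit before the state rule so admin SSH traffic matches them
# first and never reaches the queued ESTABLISHED,RELATED rule.
SAMPLE_RULES='iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p tcp -s 192.0.2.10 --dport 22 -j ACCEPT  # mgmt
iptables -A OUTPUT -p tcp -d 192.0.2.10 --sport 22 -j ACCEPT  # mgmt
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -j DROP'

# Constructed /proc/net/ip_queue snapshots (assumed layout): without and with
# an attached reader.
PROC_NO_READER='Peer PID          : 0
Copy mode         : 0
Copy range        : 0
Queue length      : 0
Queue max. length : 1024
Queue dropped     : 0
Netlink dropped   : 0'
PROC_WITH_READER='Peer PID          : 4242
Copy mode         : 2
Copy range        : 65535
Queue length      : 3
Queue max. length : 1024
Queue dropped     : 0
Netlink dropped   : 0'

main() {
    echo '--- rewritten rules (mgmt rules keep ACCEPT) ---'
    printf '%s\n' "$SAMPLE_RULES" | queue_rules
    echo '--- reader check before loading the QUEUE rules ---'
    for snap in "$PROC_NO_READER" "$PROC_WITH_READER"; do
        if printf '%s\n' "$snap" | queue_has_reader; then
            echo 'reader attached: safe to load QUEUE rules'
        else
            echo 'no reader attached: queued packets would be dropped, keep ACCEPT'
        fi
    done
}

main
```

On a live box the check would read the real file, `queue_has_reader < /proc/net/ip_queue`, and the rewritten script would be applied only when it succeeds; the mgmt rules guarantee that a later `kill` of snort_inline costs queued sessions but not the admin's own. Later kernels replaced ip_queue with NFQUEUE, whose `--queue-bypass` option gives the ACCEPT fallback that ip_queue lacks.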

