Snort mailing list archives
Re: snort inline behavior
From: "/dev/null" <dev.null () BeginThread com>
Date: Wed, 26 Nov 2003 08:42:05 -0600
If you add a QUEUE rule to iptables, you have to make sure that a process is actually listening to the ip_queue. Otherwise netfilter actually waits until a process picks up the packets.
Woah. What happens when snort_inline dies or maybe when we need to stop/start snort_inline? Ooops. I'm guessing there is a "dummy" app that you can set up to always listen to the queue so this problem doesn't happen? If not I need to write one.
There is another issue. As soon as snort_inline has decided whether to drop or accept a packet, the following iptables rules are not being used anymore. The decision whether to accept or drop a packet is solely made in snort then. This way you can have the problem that your packet filter ruleset becomes ineffective.
Yeah, well by the time I've decided to ACCEPT, it's passed through all the rules it's going to pass through and it really needs to be accepted (minus the scrutiny of snort_inline). So I take it if whatever apps are listening to QUEUE don't DROP it, it's ACCEPTed, eh?
Thanks!
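The rule-ordering concern raised in the message above can be checked against a saved ruleset. The following Python is an added example, not part of the original message or of snort_inline: it reads `iptables-save` output and lists, for each `-j QUEUE` rule, the later rules in the same chain that packets matching it will not reach. The sample ruleset and the function name `rules_after_queue` are constructed for this illustration.

```python
import shlex

# Constructed sample in iptables-save format (not taken from the thread).
SAMPLE_RULESET = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -p tcp --dport 80 -j QUEUE
-A FORWARD -s 10.0.0.0/8 -j DROP
-A FORWARD -p tcp --dport 80 -d 192.0.2.10 -j ACCEPT
COMMIT
"""


def rules_after_queue(ruleset_text):
    """Map each (table, QUEUE rule) to the later rules in the same chain.

    Packets that match the QUEUE rule get their verdict from the userspace
    listener, so the rules listed for it never evaluate those packets.
    """
    table = None
    queue_rules = {}  # (table, chain) -> QUEUE rules seen so far in that chain
    findings = {}     # (table, QUEUE rule) -> rules that come after it
    for line in ruleset_text.splitlines():
        line = line.strip()
        if line.startswith("*"):          # table header, e.g. "*filter"
            table = line[1:]
            continue
        if not line.startswith("-A "):    # skip policies, COMMIT, comments
            continue
        tokens = shlex.split(line)
        chain = tokens[1]
        # This rule sits after every QUEUE rule already seen in its chain.
        for queue_rule in queue_rules.get((table, chain), []):
            findings[(table, queue_rule)].append(line)
        target = tokens[tokens.index("-j") + 1] if "-j" in tokens else None
        if target == "QUEUE":
            queue_rules.setdefault((table, chain), []).append(line)
            findings[(table, line)] = []
    return findings


if __name__ == "__main__":
    for (table, rule), later in rules_after_queue(SAMPLE_RULESET).items():
        print(f"[{table}] {rule}")
        for skipped in later:
            print(f"    not evaluated for queued packets: {skipped}")
```

Filtering rules reported here need to move ahead of the QUEUE rule if they are meant to apply to the queued traffic.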