Snort mailing list archives
Re: snort-inline and iptables INPUT chain
From: Laurent Haond <lhaond () bearstech com>
Date: Thu, 03 Mar 2005 00:30:32 +0100
Big thanks for your help, Will!

Will Metcalf wrote:
> Nothing is showing up in your alert logs? Is it just ssh or does this happen with all connections? Try the following....
No alert, no dump. It happens for all TCP connections (tested http as well). It works for udp/icmp (dns queries / ping work). With advanced firewall rules, forwarded tcp/udp/icmp/whatever connections were OK, but nothing works from lan to the snort box... (didn't try from internet to the snort box)
> iptables -F INPUT
> iptables -F OUTPUT
> iptables -F FORWARD
> iptables -A INPUT -i lo -j ACCEPT
> iptables -A INPUT -j QUEUE
> iptables -A FORWARD -j QUEUE
> iptables -A OUTPUT -j QUEUE
>
> In your snort.conf set checksum mode to none.
>
> config checksum_mode: none
>
> Regards,
> Will
Adding "config checksum_mode: none" did the job, now it works. (BTW, with or without the iptables -A INPUT -i lo -j ACCEPT rule.) I relaunched my complete set of firewall rules / internet connections and it's still working ;-) (I have some alerts about lo / 127.0.0.1 but they will be easy to avoid by bypassing the queue...)

"Googling" on this config directive, I think I could have found it by myself (there are some threads on this list about the ssh/tcp issue and this directive), so I'm sorry if I've made you lose your time...

Let me, please, ask you some more questions: why are forwarded checksums OK, but some ssh replies corrupted? Is this an issue from kernel / iptables / snort? (I'm using 2.4.27 kernel / iptables 1.2.11 ... going to upgrade to 1.3.x soon)

Thanks
Regards
Laurent

PS: sorry for my bad English...