Snort mailing list archives
Re: How to test snort inline
From: Dino Dragovic <dragovic () gfos hr>
Date: Thu, 29 Sep 2005 14:18:47 +0200 (CEST)
hi,

don't forget to QUEUE the return traffic as well

iptables -I OUTPUT -p tcp --sport 80 -j QUEUE

Regards,
~~~
Dino Dragovic

On Thu, 29 Sep 2005 vikrant () saysnetsoft com wrote:
hi

I have successfully installed snort_inline 2.3.0 on my machine. But, when I am trying to test snort_inline with the following rule, it could not work (meaning it could not drop the request to connect at port 80). I am adding the following rule just below the comment lines but above the alert rules in the "web-attacks.rules" file (path of file is /etc/snort_inline/rules/) to drop the request.

-------------------------------------------------------------------------------------------------
drop tcp any any -> any 80 (classtype:attempted-user; msg:"Port 80 connection initiated";)
-------------------------------------------------------------------------------------------------

I have changed snort_inline.conf and snort.conf as follows:

Changes I made in the snort_inline.conf file (path /etc/snort_inline/) are:
1. Set "var RULE_PATH /etc/snort_inline/rules"
2. Enable web-attacks.rules

Changes I made in the snort.conf file (path /etc/snort_inline) are:
1. Set "var RULE_PATH /etc/snort_inline/rules"
2. Enable web-attacks.rules
3. Set "var HOME_NET 10.0.1.0/24"

Now, the commands I am executing are:
1. modprobe ip_queue
2. lsmod | grep ip_queue
   ----------------------------
   output
   ip_queue 9945 0
   -------------------------
3. iptables -I INPUT -p tcp --dport 80 -j QUEUE
4. snort_inline -c /etc/snort_inline/snort_inline.conf -Q -N -l /var/log/snort_inline/ \
   -t /var/log/snort_inline/ -v
   -------------------------------------------------
   output
   __== Initialisation Complete ==__
   -------------------------------------------------

snort_inline starts successfully, but the above drop rule does not work.

I have installed snort_inline with the following packages:
----------------------------------
kernel version 2.6.9-11EL
iptables version 1.3.2
libnet-1.0.2a
pcre-6.4
---------------------------------

So, please let me know if I am doing something wrong in the above process; actually I am new to snort_inline. Also, please tell me how I test snort_inline if the above rule does not work.
Thanks
Vikrant

-------------------------------------------------------
This SF.Net email is sponsored by:
Power Architecture Resource Center: Free content, downloads, discussions,
and more. http://solutions.newsforge.com/ibmarch.tmpl
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
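A check that follows from the reply above, added here as an example and not part of the thread: it reads an iptables-save dump and reports whether port-80 traffic is handed to QUEUE in both the INPUT and OUTPUT chains, so snort_inline sees both halves of the connection. The two rule dumps inside are constructed samples mirroring the configuration posted and the one with the return path queued; on a real host pass "$(iptables-save)" instead.

```shell
#!/bin/sh
# Added example: verify that a saved iptables ruleset queues BOTH directions
# of HTTP traffic. The rule text below is constructed sample output in the
# iptables-save format; on a real host feed the function "$(iptables-save)".

# Ruleset as posted in the thread: only the INPUT side is queued (constructed).
ONE_WAY_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 80 -j QUEUE
COMMIT'

# Same ruleset with the OUTPUT rule from the reply added (constructed).
BOTH_WAYS_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 80 -j QUEUE
-A OUTPUT -p tcp -m tcp --sport 80 -j QUEUE
COMMIT'

# queue_rule_present RULES CHAIN PORTFLAG PORT
# Returns 0 if CHAIN holds a tcp rule matching "PORTFLAG PORT" whose target
# is QUEUE. The "( |$)" guard keeps port 80 from matching port 8080.
queue_rule_present() {
  printf '%s\n' "$1" |
    grep -Eq -e "^-A $2 .*-p tcp .*$3 $4( |\$).*-j QUEUE\$"
}

# check_queue_both_ways RULES PORT
# Returns 0 when inbound (--dport) and outbound (--sport) QUEUE rules both
# exist; otherwise prints the missing rule(s) and returns 1.
check_queue_both_ways() {
  rules="$1"; port="${2:-80}"; missing=0
  if ! queue_rule_present "$rules" INPUT --dport "$port"; then
    echo "missing: iptables -I INPUT -p tcp --dport $port -j QUEUE"; missing=1
  fi
  if ! queue_rule_present "$rules" OUTPUT --sport "$port"; then
    echo "missing: iptables -I OUTPUT -p tcp --sport $port -j QUEUE"; missing=1
  fi
  return $missing
}

# Stand-alone demonstration on the two constructed rulesets.
echo "As posted (INPUT only):"
check_queue_both_ways "$ONE_WAY_RULES" 80 || true
echo "With the return path queued:"
check_queue_both_ways "$BOTH_WAYS_RULES" 80 && echo "both directions queued"
```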
Current thread:
- How to test snort inline vikrant (Sep 29)
- Re: How to test snort inline Dino Dragovic (Sep 29)
- Re: How to test snort inline vikrant (Sep 30)
- Re: How to test snort inline Dino Dragovic (Sep 29)