Snort mailing list archives

Re: snort inline Test


From: Will Metcalf <william.metcalf () gmail com>
Date: Mon, 29 Jun 2009 09:48:13 -0500

Last time I looked there was no way to do this with snort
--enable-inline. You can do this with snort_inline (thanks to Dave
Remien @nitro for updating trunk) using sticky-drop options in the
portscan preprocs. Although we added the option, doing something like
this in a production environment is probably a bad idea; SYN scans can
be spoofed, etc.

svn co https://snort-inline.svn.sourceforge.net/svnroot/snort-inline/trunk

Regards,

Will

On Sat, Jun 27, 2009 at 6:29 AM, Zeinab Zali <zeinabzali () gmail com> wrote:
Hi,
I have compiled snort with --enable-inline mode successfully. I configured
iptables with the commands below:
"
modprobe ip_queue
export QUEUE="yes"
iptables -F FORWARD
iptables -F INPUT
iptables -F OUTPUT
iptables -A OUTPUT -j QUEUE
iptables -A INPUT -j QUEUE
iptables -A FORWARD -j QUEUE
"
Then I changed all the snort alert rules to drop rules.
For testing I ran snort with the command below:
"snort -c ./etc/snort_inline.conf  -Q  -l /var/log/snort_inline/ -v"
Then I tried to portscan my computer from another computer with nmap. Snort
generated a portscan alert, but the portscanning procedure with nmap was
done successfully too. I expected snort inline not to allow the nmap portscan.
What is the problem?
Thanks in advance,

--
Zeynab Zali

------------------------------------------------------------------------------

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
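
The caveat in the reply above (a block keyed on the source address of a portscan alert can be triggered by forged SYNs) shown as an added Python model. It is not snort_inline code and not code from the thread; the class, timeout, never-block list and addresses are all constructed for illustration.

```python
import ipaddress


class StickyDropTable:
    """Simplified model of a timed per-source block list fed by portscan alerts."""

    def __init__(self, timeout, never_block=()):
        self.timeout = timeout  # seconds a block stays in place
        self.never_block = [ipaddress.ip_network(n) for n in never_block]
        self.expires = {}  # source IP -> time at which its block lapses

    def on_portscan_alert(self, src, now):
        """Record a block for src unless it is on the never-block list."""
        ip = ipaddress.ip_address(src)
        if any(ip in net for net in self.never_block):
            return False  # alert is still logged elsewhere, but no drop entry
        self.expires[src] = now + self.timeout
        return True

    def is_dropped(self, src, now):
        """True while a live block exists for src; expired entries are purged."""
        exp = self.expires.get(src)
        if exp is None:
            return False
        if now >= exp:
            del self.expires[src]
            return False
        return True


# Constructed alert stream: (time in seconds, source IP claimed by the packets).
ALERTS = [
    (0, "203.0.113.50"),  # genuine scanning host
    (5, "192.0.2.53"),    # forged source: the site's DNS resolver (hypothetical)
]


def replay(table, alerts, probe_time):
    """Feed alerts to the table, then report which sources are blocked."""
    for t, src in alerts:
        table.on_portscan_alert(src, t)
    return {src: table.is_dropped(src, probe_time) for _, src in alerts}


if __name__ == "__main__":
    print(replay(StickyDropTable(300), ALERTS, 10))
    print(replay(StickyDropTable(300, ["192.0.2.53/32"]), ALERTS, 10))
```

Without the never-block list, the second alert cuts the protected host off from its own resolver for the full timeout, which is the production risk the reply points to.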

