Snort mailing list archives
Re: snort inline Test
From: Keith Konecnik <kkonecnik () sourcefire com>
Date: Mon, 29 Jun 2009 11:18:17 -0400
Do as Joel says, and make sure you enable preprocessor rules while configuring:

--enable-decoder-preprocessor-rules    Enable rule actions for decoder and preprocessor events

On Mon, Jun 29, 2009 at 9:49 AM, Joel Esler <jesler () sourcefire com> wrote:

> You have to instruct Snort on what to drop. The easiest way to do this is to change the rule you want to drop the traffic from "alert" to "drop" in the first word of the rule within the individual rule files. For portscan traffic you would have to use the preprocessor rules.
>
> J
>
> On Sat, Jun 27, 2009 at 7:29 AM, Zeinab Zali <zeinabzali () gmail com> wrote:
>
>> Hi,
>> I have compiled snort with --enable-inline mode successfully. I configured iptables with the commands below:
>>
>> modprobe ip_queue
>> export QUEUE="yes"
>> iptables -F FORWARD
>> iptables -F INPUT
>> iptables -F OUTPUT
>> iptables -A OUTPUT -j QUEUE
>> iptables -A INPUT -j QUEUE
>> iptables -A FORWARD -j QUEUE
>>
>> Then I changed all the snort alert rules to drop rules. For testing I ran snort with the command below:
>>
>> snort -c ./etc/snort_inline.conf -Q -l /var/log/snort_inline/ -v
>>
>> Then I tried to portscan my computer from another computer with nmap. Snort generated a portscan alert, but the portscanning procedure with nmap was done successfully too. I expect snort inline not to allow the nmap portscan. What is the problem?
>>
>> Thanks in advance,
>> --
>> Zeynab Zali
>>
>> ------------------------------------------------------------------------------
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users () lists sourceforge net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> --
> joel esler | Sourcefire | AIM: eslerjoel | 302-223-5974
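Joel's advice is to flip the action keyword on the rules you want enforced, and Keith's is to build with preprocessor rule actions enabled so the same applies to preprocessor events such as portscans. As an added example, not code from this thread, here is a small Python helper that performs that alert-to-drop rewrite on rule-file text: it leaves comments and non-alert actions (such as pass) alone, keeps backslash-continued rules intact, and can restrict the change to chosen generator IDs (sfPortscan events are generator 122). The sample rules are constructed for illustration.

```python
"""Rewrite Snort rule actions from "alert" to "drop" for inline mode.
Added example: handles classic text rules ("alert tcp ... (...)") and
preprocessor/decoder rules ("alert ( ... )"), which both start with the action."""
import re

# The action keyword must be the first word of the rule, so "#"-commented
# lines never match and are left untouched.
ACTION_RE = re.compile(r"^(\s*)alert(\s+)")
GID_RE = re.compile(r"\bgid\s*:\s*(\d+)\s*;")


def _rule_gid(logical_rule):
    """Generator ID of a rule; text rules without an explicit gid are gid 1."""
    m = GID_RE.search(logical_rule)
    return int(m.group(1)) if m else 1


def convert_alert_to_drop(rules_text, gids=None):
    """Return rules_text with matching alert rules rewritten as drop rules.

    gids: optional set of generator IDs to convert (None = every alert rule).
    A rule continued over several physical lines with a trailing backslash
    is buffered so the gid lookup sees the whole rule.
    """
    out, pending = [], []
    for line in rules_text.splitlines():
        pending.append(line)
        if line.rstrip().endswith("\\"):
            continue  # rule continues on the next physical line
        logical = " ".join(p.rstrip().rstrip("\\") for p in pending)
        m = ACTION_RE.match(pending[0])
        if m and (gids is None or _rule_gid(logical) in gids):
            pending[0] = m.group(1) + "drop" + m.group(2) + pending[0][m.end():]
        out.extend(pending)
        pending = []
    out.extend(pending)  # unterminated continuation at end of file
    text = "\n".join(out)
    return text + "\n" if rules_text.endswith("\n") else text


# Constructed sample rules for demonstration (not from any real ruleset).
SAMPLE_RULES = """# constructed sample
alert tcp any any -> $HOME_NET 22 (msg:"SSH probe"; sid:1000001; rev:1;)
# alert tcp any any -> any 23 (msg:"disabled rule"; sid:1000002; rev:1;)
alert tcp any any -> any 80 (msg:"continued rule"; \\
    sid:1000003; rev:1;)
pass ip any any -> any any (msg:"never converted"; sid:1000004;)
alert ( msg:"PSNG_TCP_PORTSCAN"; sid:1; gid:122; metadata: rule-type preproc; classtype:attempted-recon; )
"""
```

Run the converted text back through Snort with -T (config test) before deploying it inline, since a rule that fails to parse is silently not enforcing anything.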
Current thread:
- snort inline Test Zeinab Zali (Jun 27)
- Re: snort inline Test Joel Esler (Jun 29)
- Re: snort inline Test Keith Konecnik (Jun 29)
- Re: snort inline Test Zeinab Zali (Jun 29)
- Re: snort inline Test Zeinab Zali (Jun 29)
- Re: snort inline Test Joel Esler (Jun 29)
- Re: snort inline Test Zeinab Zali (Jun 29)
- Re: snort inline Test Björn Meier (Jun 29)
- Re: snort inline Test Joel Esler (Jun 30)
- Re: snort inline Test Keith Konecnik (Jun 30)
- Re: snort inline Test Keith Konecnik (Jun 29)
- Re: snort inline Test Joel Esler (Jun 29)
- Re: snort inline Test Joel Esler (Jun 29)
- Re: snort inline Test Will Metcalf (Jun 29)