Snort mailing list archives
Re: snort 2.8.4 and inline mode
From: Will Metcalf <william.metcalf () gmail com>
Date: Tue, 25 Aug 2009 08:17:31 -0500
What do your iptables rules look like? What traffic are you sending to the QUEUE target?

Setting modifysid * "^alert" | "drop" is a bad idea, and will lead to drops without notifications for things like flowbits with no alert that are not intended to identify malicious traffic, only for protocol identification etc.

I would run your IDS in passive mode for a while to weed out false positives before even considering implementing a drop rule set.

Regards,

Will

On Tue, Aug 25, 2009 at 7:52 AM, justin joseph <justinjoseph007 () gmail com> wrote:
Hi,

I have compiled snort 2.8.4 from source with --enable-inline support. To get rules for inline mode I have downloaded the ruleset using oinkmaster with the below config file:

    url = http://www.snort.org/pub-bin/oinkmaster.cgi/006d6ba065a1c0fe55e6e4a25d74518236a3da19/snortrules-snapshot-2.8.tar.gz
    path = /bin:/usr/bin:/usr/local/bin
    update_files = \.rules$|\.config$|\.conf$|\.txt$|\.map$
    skipfile local.rules
    skipfile deleted.rules
    skipfile snort.conf
    modifysid * "^alert" | "drop"

As I understand, the modifysid converts all the alert rules to drop rules.

I am running this with the default config file in the etc/snort.conf file, changing only the paths to the rules and library directories. When I test this setup with IDSwakeup-1.0, I don't see any drop of packets happening. I know this because I have commented code in inline.c with debug prints against drop and accept verdicts. Also there are no alerts in the logs.

But if I run the same setup with the same config (snort.conf) file without the -Q option in IDS mode, with the only difference being the use of rules with alert rules (downloaded with oinkmaster without modifysid), I see that there are a lot of alerts when tested with IDSwakeup-1.0.

What am I doing wrong? Why isn't the inline mode dropping packets that are being alerted on in IDS mode? Are there any configuration changes required in snort.conf between inline and IDS modes?

Thank you,
Justin

------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day trial. Simplify your report design, integration and deployment - and focus on what you do best, core application coding. Discover what's new with Crystal Reports now.
http://p.sf.net/sfu/bobj-july
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
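As an added example, not code from either poster or from the Snort or oinkmaster projects, the script below shows the selective alert-to-drop conversion that Will's reply argues for instead of a blanket modifysid: rules carrying flowbits:noalert (protocol-identification rules that only set a flowbit) are left as alert so they still set their bit without silently dropping traffic, everything that is not an alert rule is passed through untouched, and an optional set of SIDs restricts conversion to rules that have already been vetted in passive mode. The three rules and their SIDs (9000001 to 9000003) are constructed for the example and are not from the downloaded snapshot.

```python
import re
from typing import Dict, Optional, Set, Tuple

# Constructed sample ruleset (not the real snortrules snapshot): one flowbit-setting
# protocol-identification rule with flowbits:noalert, two ordinary alert rules, one comment.
SAMPLE_RULES = """\
# constructed sample rules for the converter
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"EXAMPLE FTP session seen"; flow:to_server,established; flowbits:set,example.ftp; flowbits:noalert; sid:9000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"EXAMPLE FTP bad command"; flow:to_server,established; flowbits:isset,example.ftp; content:"BAD"; sid:9000002; rev:1;)
alert tcp any any -> $HOME_NET 80 (msg:"EXAMPLE web probe"; content:"/probe"; sid:9000003; rev:1;)
"""

SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
NOALERT_RE = re.compile(r'\bflowbits\s*:\s*noalert\s*;')
ACTION_RE = re.compile(r'^(\s*)alert\s+')


def rule_sid(rule: str) -> Optional[int]:
    """Extract the sid of a rule line, or None if it has no sid option."""
    m = SID_RE.search(rule)
    return int(m.group(1)) if m else None


def convert_rule(rule: str, drop_sids: Optional[Set[int]] = None) -> Tuple[str, str]:
    """Return (possibly rewritten rule, reason).

    reason is one of:
      'not-alert'     - comment, blank line, or a pass/log/drop rule: left untouched
      'noalert'       - flowbit setter with flowbits:noalert: kept as alert on purpose,
                        because a drop action here would drop with no notification
      'not-selected'  - alert rule whose sid is not in the vetted drop_sids set
      'converted'     - alert rule rewritten to a drop rule
    """
    if not ACTION_RE.match(rule):
        return rule, 'not-alert'
    if NOALERT_RE.search(rule):
        return rule, 'noalert'
    if drop_sids is not None and rule_sid(rule) not in drop_sids:
        return rule, 'not-selected'
    # Only the leading action word changes; header and options stay as written.
    return ACTION_RE.sub(r'\1drop ', rule, count=1), 'converted'


def convert_ruleset(text: str, drop_sids: Optional[Set[int]] = None) -> Tuple[str, Dict[str, int]]:
    """Convert a whole rules file; returns the new text and per-reason counts for review."""
    out = []
    stats: Dict[str, int] = {}
    for line in text.splitlines():
        new_line, reason = convert_rule(line, drop_sids)
        out.append(new_line)
        stats[reason] = stats.get(reason, 0) + 1
    return "\n".join(out) + "\n", stats


if __name__ == "__main__":
    # Blanket conversion (still skips the noalert flowbit setter) ...
    converted, stats = convert_ruleset(SAMPLE_RULES)
    print(stats)
    print(converted)
    # ... versus conversion limited to SIDs already vetted in passive mode.
    converted, stats = convert_ruleset(SAMPLE_RULES, drop_sids={9000003})
    print(stats)
    print(converted)
```

Run it over a real .rules file after the passive-mode period Will describes, feeding the SIDs that never false-positived into drop_sids; the returned stats dictionary makes it easy to confirm that no flowbit setter was turned into a silent drop.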
Current thread:
- snort 2.8.4 and inline mode justin joseph (Aug 25)
- Re: snort 2.8.4 and inline mode Will Metcalf (Aug 25)
- Re: snort 2.8.4 and inline mode justin joseph (Aug 25)
- Re: snort 2.8.4 and inline mode Will Metcalf (Aug 25)