Snort mailing list archives

Re: snort inline mode is not working with iptables


From: Joel Esler <jesler () sourcefire com>
Date: Mon, 9 Aug 2010 08:25:46 -0400

On Aug 9, 2010, at 3:26 AM, Hatim Alghamdi wrote:

> I ran snort as follows:
>  snort -c snort.empty -TQ and snort -c snort.empty -TQ --disable-inline-initialization
> The output was the same! I was expecting a different behavior.
>
> One thing I noticed is that the manual states that the rule application order is
> activation->dynamic->pass->drop->sdrop->reject->alert->log
> but snort in our case returns this
> activation->dynamic->pass->drop->alert->log
>
> How can I tell if snort read/initialized IPTables?

-T is just test mode though.  Exchange -T with -D, then try and send traffic through the IPS.  It should go normally. 

After you send traffic through it, run a kill with the -USR1 tag:

kill -USR1 <pid of snort>

Then examine your logs (/var/log/messages, or whatever) for the statistics that Snort will print out.  If you see the 
counts incrementing, that means that Snort is receiving traffic through the engine.

Joel
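The check described in the reply above, scripted, as an added example that is not part of the thread. It assumes Snort was started as a daemon with -Q -D, that its statistics go to syslog (/var/log/messages by default here), and that the SIGUSR1 dump contains "Received:" / "Analyzed:" / "Dropped:" counter lines as in Snort 2.8.x's "Packet Wire Totals" block; that layout, the process name "snort", and the sample log excerpt below are all assumptions, not output taken from the poster's system.

```shell
#!/bin/sh
# Added example (not from the mailing list thread): send SIGUSR1 to a running
# Snort, then compare two successive statistics dumps in the syslog to see
# whether the packet counters are incrementing.
#
# Assumptions (not confirmed by the thread):
#   - Snort runs in inline/daemon mode ("snort -c ... -Q -D") and logs to syslog.
#   - The SIGUSR1 dump includes lines such as "   Received:   1234" and
#     "   Analyzed:   1230 (99.6%)" (Snort 2.8.x "Packet Wire Totals" layout).
#   - The process is named "snort" (for pidof/pgrep).

SNORT_LOG=${SNORT_LOG:-/var/log/messages}

# Ask the running Snort to print its statistics (the "kill -USR1" from the reply).
snort_dump_stats() {
    pid=$(pidof snort 2>/dev/null || pgrep -x snort) ||
        { echo "snort is not running" >&2; return 1; }
    kill -USR1 "$pid"
}

# Read log text on stdin and print the numeric value of every line carrying
# the counter LABEL (e.g. "Received"), one per dump, oldest first.
# The syslog prefix is ignored by locating the label anywhere in the line;
# a trailing percentage such as "(99.944%)" is stripped.
counter_values() {
    awk -v key="$1:" '
        { i = index($0, key) }
        i {
            s = substr($0, i + length(key))
            sub(/^[ \t]+/, "", s)
            sub(/[^0-9].*$/, "", s)
            print s + 0
        }'
}

# Return 0 if counter LABEL is larger in the most recent dump than in the
# first one found on stdin, 1 otherwise (including when no dump is present).
counter_increased() {
    vals=$(counter_values "$1")
    first=$(printf '%s\n' "$vals" | head -n 1)
    last=$(printf '%s\n' "$vals" | tail -n 1)
    [ -n "$first" ] && [ -n "$last" ] && [ "$last" -gt "$first" ]
}

# The procedure from the reply end to end: dump, push traffic, dump again,
# then look for an increasing Received counter. Sending the traffic is left
# to the operator (anything routed through the IPS will do).
verify_inline() {
    snort_dump_stats
    sleep 1
    echo "now send traffic through the IPS, then press Enter" >&2
    read _ignored
    snort_dump_stats
    sleep 1
    if counter_increased Received <"$SNORT_LOG"; then
        echo "Received counter is incrementing: Snort is seeing the traffic"
    else
        echo "Received counter did not grow: traffic is not reaching Snort" >&2
        return 1
    fi
}

# Constructed sample (not real Snort output): two dumps five minutes apart,
# as they would appear in syslog after two "kill -USR1" runs.
SAMPLE_LOG='Aug  9 08:20:01 sensor snort[4242]: Packet Wire Totals:
Aug  9 08:20:01 sensor snort[4242]:    Received:        120
Aug  9 08:20:01 sensor snort[4242]:    Analyzed:        118 (98.333%)
Aug  9 08:20:01 sensor snort[4242]:     Dropped:          0 (0.000%)
Aug  9 08:25:46 sensor snort[4242]: Packet Wire Totals:
Aug  9 08:25:46 sensor snort[4242]:    Received:       5310
Aug  9 08:25:46 sensor snort[4242]:    Analyzed:       5307 (99.944%)
Aug  9 08:25:46 sensor snort[4242]:     Dropped:          0 (0.000%)'

# Self-check against the constructed sample: succeeds when both the Received
# and Analyzed counters are detected as growing between the two dumps.
check_sample() {
    printf '%s\n' "$SAMPLE_LOG" | counter_increased Received &&
    printf '%s\n' "$SAMPLE_LOG" | counter_increased Analyzed
}

# Run the live check only when asked ("sh script.sh run"); otherwise just
# exercise the parser on the constructed sample.
if [ "${1:-}" = "run" ]; then
    verify_inline
else
    check_sample && echo "parser self-check passed on the constructed sample"
fi
```

A flat Received counter after traffic has been sent means packets are not being handed to Snort at all (the iptables QUEUE/NFQUEUE rule or the inline build is the place to look); a Received counter that grows while Analyzed stays flat points at Snort itself.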
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users