Snort mailing list archives
Re: snort-2.9.4, daq 2.0.1 afpacket in inline mode snort fails to drop packets even when RULE is set to drop
From: waldo kitty <wkitty42 () windstream net>
Date: Sun, 18 Aug 2013 17:34:22 -0400
On 8/18/2013 15:08, Y M wrote:
> If I understand your question correctly, this is where -i eth0:eth1 comes into play. This tells snort that traffic is flowing from eth0 to eth1 and back. In my case, it's up to the implementer to assign which interface to receive the network feed based on home and external net, and the placement of the sensor within the network. For example, assume my $HOME_NET is 192.168.10.10 and my $EXTERNAL_NET is any and I want to assign the eth0 to my actual home net feed and eth1 to my feed leaving the network. In this case, using an ICMP rule I would be able to drop any ping request from my home net going out.

ahhh... right, right, right... i had missed that earlier...

> Did I address your question? I am not sure what you mean by OP's, lack of acronym knowledge :)

yes you answered correctly... OP means "original poster" or "original post" depending on the context ;) thanks for the clarification!

> Date: Fri, 16 Aug 2013 20:21:42 -0400
> From: wkitty42 () windstream net
> To: snort-users () lists sourceforge net
> Subject: Re: [Snort-users] snort-2.9.4, daq 2.0.1 afpacket in inline mode snort fails to drop packets even when RULE is set to drop
>
> On 8/16/2013 14:53, Y M wrote:
> > If I recall, --enable-inline is deprecated since a while now, not sure which
> > Snort version; A warning should have been shown during compilation. But I do not
> > think that this would affect operating in inline mode now.
>
> doesn't inline mode require an input interface and an output interface where
> snort sits between them and passes the traffic from one to the other? what does
> the OP's snort.conf show in this regard?

--
NOTE: No off-list assistance is given without prior approval. Please keep mailing list traffic on the list unless private contact is specifically requested and granted.
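
A preflight check for the setup discussed in this thread, as an added example that is not part of the original messages or of Snort itself: it inspects a Snort 2.9.x command line for the things afpacket inline dropping depends on (inline mode via `-Q` or `--daq-mode inline`, the afpacket DAQ, and an interface pair such as `eth0:eth1`) and checks that a rule's action is one that blocks. The function names, the sample rule, its sid and the config path are assumptions, and DAQ settings are assumed to be on the command line rather than in snort.conf.

```shell
#!/bin/sh
# Added example: preflight checks for a Snort 2.9.x afpacket inline setup.
# Assumes DAQ settings are given on the command line only (not in snort.conf).

# Print one line per problem found in a snort argument list; succeed if none.
check_inline_args() (
    daq=pcap mode= iface= inline=0 problems=0   # pcap is Snort's default DAQ
    while [ $# -gt 0 ]; do
        case "$1" in
            -Q) inline=1 ;;
            --daq|--daq-mode|-i)
                [ $# -ge 2 ] || break           # option given without a value
                case "$1" in
                    --daq) daq=$2 ;;
                    --daq-mode) mode=$2 ;;
                    -i) iface=$2 ;;
                esac
                shift ;;
        esac
        shift
    done
    if [ "$mode" = inline ]; then inline=1; fi
    if [ "$inline" -ne 1 ]; then
        echo "not inline: add -Q or --daq-mode inline"; problems=1
    fi
    if [ "$daq" != afpacket ]; then
        echo "DAQ is '$daq', expected afpacket"; problems=1
    fi
    case "$iface" in
        ?*:?*) if [ "${iface%%:*}" = "${iface#*:}" ]; then
                   echo "-i pairs '$iface' with itself"; problems=1
               fi ;;
        *) echo "-i '$iface' is not a pair such as eth0:eth1"; problems=1 ;;
    esac
    [ "$problems" -eq 0 ]
)

# Succeed only for rule actions that block traffic when Snort runs inline.
rule_blocks() {
    case "${1%% *}" in
        drop|sdrop|reject) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample rule (sid from the local range) for the thread's case of
# dropping ping requests that leave HOME_NET.
SAMPLE_RULE='drop icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"ICMP echo request leaving HOME_NET"; itype:8; sid:1000001; rev:1;)'

check_inline_args -Q --daq afpacket -i eth0:eth1 -c /etc/snort/snort.conf \
    && rule_blocks "$SAMPLE_RULE" && echo "inline drop preconditions met"
```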