Snort mailing list archives

Re: Snort running inline but not functioning as IPS


From: Y M <snort () outlook com>
Date: Sun, 24 Jan 2016 21:26:12 +0000

If you run tcpdump on the same box where snort is installed, do you see the traffic on the same NIC snort is 
listening to? Also, since you are using NFQ, could iptables have gotten misconfigured somehow? Just thinking out loud.

Try also to disable NIC offloading stuff, or run snort with the -k none for testing purposes and see if that helps.

YM

Sent from Mobile




On Sun, Jan 24, 2016 at 12:47 PM -0800, "Robin Kipp" <mlists () robin-kipp net> wrote:

Hi,

On 24.01.2016 at 14:46, Y M <snort () outlook com> wrote:

If you are using snort.rules generated by PulledPork, then make sure the rule (gid:136, sid:1) exists in the file and 
that snort.rules is included in snort.conf.

Yeah, all this is in place and used to work fine… However, I feel that somehow I must have managed to screw up my Snort 
setup, as I’m not getting any console alerts whatsoever (not even from a locally defined ping alert rule which I used 
to test Snort right after the first installation).
So, what I’ll probably end up doing is to completely wipe Snort, Barnyard2 and Pulledpork from my machine and then 
reinstall them one by one. I’m really not sure how else I could track down this problem, especially since I’m still a 
Snort newbie and have barely scratched the surface.
However, thanks to the advice gathered in this conversation I at least have some important considerations in mind now, 
hopefully things will work out the second time around! :-)
Robin
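
The two host-side checks suggested at the top of this thread (NIC offloading and the iptables NFQ rule), as an added example that is not part of the original messages: it parses `ethtool -k` and `iptables-save` output to list offloads still enabled and to confirm that an NFQUEUE rule feeds the queue snort is bound to. The interface name `eth0`, the queue numbers, and both sample outputs are constructed assumptions.

```shell
#!/bin/sh
# Added example; sample data below is constructed, not taken from the thread.

# Read `ethtool -k <iface>` output on stdin and print the offload features
# that are still "on". Offloads can hand snort merged segments or packets
# whose checksums are not yet filled in.
offloads_on() {
    names='rx-checksumming|tx-checksumming|tcp-segmentation-offload'
    names="$names|generic-segmentation-offload|generic-receive-offload"
    names="$names|large-receive-offload"
    awk -F': ' -v names="$names" '
        $1 ~ ("^(" names ")$") && $2 ~ /^on/ { printf "%s%s", sep, $1; sep = " " }'
}

# Read `iptables-save` output on stdin and print the queue number of every
# NFQUEUE rule, one per line (0 when --queue-num is omitted).
nfqueue_nums() {
    awk '/-j NFQUEUE/ {
        q = 0
        for (i = 1; i < NF; i++) if ($i == "--queue-num") q = $(i + 1)
        print q
    }'
}

# Succeed if some NFQUEUE rule sends packets to queue $1, i.e. the queue
# snort was started on (snort -Q --daq nfq --daq-var queue=N).
queue_is_fed() {
    nfqueue_nums | grep -qx "$1"
}

# Constructed sample: ethtool -k eth0
SAMPLE_ETHTOOL='Features for eth0:
rx-checksumming: on
tx-checksumming: on
tcp-segmentation-offload: on
generic-segmentation-offload: off
generic-receive-offload: on
large-receive-offload: off [fixed]'

# Constructed sample: iptables-save (rule targets queue 1, snort assumed on 0)
SAMPLE_RULES='*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -i eth0 -j NFQUEUE --queue-num 1
COMMIT'

echo "offloads still on: $(printf '%s\n' "$SAMPLE_ETHTOOL" | offloads_on)"
if printf '%s\n' "$SAMPLE_RULES" | queue_is_fed 0; then
    echo "queue 0 is fed by iptables"
else
    echo "no NFQUEUE rule feeds queue 0: snort would see no packets"
fi
```

On a live box, pipe the real commands into the same functions: `ethtool -k eth0 | offloads_on` and `iptables-save | queue_is_fed 0`.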