Snort mailing list archives

Snort does not drop packets in inline mode in FreeBSD


From: mali dorn <mailleest14 () gmail com>
Date: Mon, 25 Apr 2016 10:43:51 +0430

http://seclists.org/snort/2012/q4/465

I have the same problem here and no luck running Snort in inline mode with
IPFW and FreeBSD. Snort does not drop packets; I only get alerts in the log
files.

Here is my system:

FreeBSD 9.2-RELEASE amd64
Version 2.9.4.6 GRE (Build 73) FreeBSD

Here is my config:

IPFW rule:
ipfw add 75 divert 8000 ip from any to any

Snort.conf
config daq: ipfw
config daq_mode: inline
config policy_mode: inline
include droprules.rule

droprules.rule
drop icmp any any -> any any (msg:"ICMP test drop"; GID:1; sid:10000001;
rev:001; classtype:icmp-event;)


Run Snort in inline mode:
snort -c /usr/local/etc/snort/snort.conf -A fast -Q --daq ipfw

And I just got alert messages instead of the packets being dropped:
02/15-19:33:38.952784  [Drop] [**] [1:10000001:1] ICMP test drop [**]
[Classification: Generic ICMP event] [Priority: 3] {ICMP} 10.0.0.116 ->
10.0.0.1


Is this a bug in Snort or am I wrong in some steps?
Thanks.
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
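The two things a practitioner would check before calling this a Snort bug are whether the divert rule actually sits ahead of any ipfw pass rule (otherwise packets are accepted before Snort ever sees them) and whether Snort's verdict tag says [Drop] (packet dropped) or [WDrop] (Snort would have dropped it, but the DAQ was not really inline). The script below is an added example and is not code from the original post or from the Snort project. It assumes the `ipfw show` column layout "rule pkts bytes action ..." and the Snort 2.9.x alert_fast tags [Drop] and [WDrop]; every sample line it operates on is constructed here, and the `live_icmp_drop_test` helper is only meant to be run on the FreeBSD box itself.

```shell
#!/bin/sh
# Added example, not from the original post or the Snort project.
# Assumptions: `ipfw show` prints "<rule> <pkts> <bytes> <action ...>" per
# line, and Snort 2.9.x alert_fast lines carry "[Drop]" when the packet was
# dropped and "[WDrop]" when Snort would have dropped it but the DAQ was
# not actually inline. All sample data below is constructed.

# Verdict tag of one alert_fast line: drop, wdrop or alert.
alert_verdict() {
    case "$1" in
        *"[WDrop]"*) echo wdrop ;;
        *"[Drop]"*)  echo drop ;;
        *)           echo alert ;;
    esac
}

# Rule number of the first rule diverting to port $1 (`ipfw show` on stdin).
first_divert_rule() {
    awk -v port="$1" '$0 ~ ("divert " port " ") { print $1; exit }'
}

# Packet counter of that divert rule (second column of `ipfw show`).
divert_packets() {
    awk -v port="$1" '$0 ~ ("divert " port " ") { print $2 + 0; exit }'
}

# Rule number of the first pass rule (`ipfw show` on stdin).
first_allow_rule() {
    awk '$0 ~ / (allow|pass|accept|permit) / { print $1; exit }'
}

# Exit 0 when a divert rule to port $1 exists and is numbered below the
# first pass rule, so every packet reaches Snort before ipfw can accept it.
divert_before_allow() {
    awk -v port="$1" '
        !d && $0 ~ ("divert " port " ")           { d = $1 + 0 }
        !a && $0 ~ / (allow|pass|accept|permit) / { a = $1 + 0 }
        END { exit !(d && (!a || d < a)) }'
}

# Live check on the FreeBSD box (not run here): ping through the divert
# rule and confirm the divert counter advanced and no replies came back.
live_icmp_drop_test() {
    port=$1; target=$2; count=${3:-5}
    before=$(ipfw show | divert_packets "$port")
    if ping -q -c "$count" "$target" >/dev/null 2>&1; then
        echo "NOT dropped: ICMP replies received from $target"
    else
        echo "no replies from $target (dropped or unreachable)"
    fi
    after=$(ipfw show | divert_packets "$port")
    echo "divert $port counter: $before -> $after"
}

# Constructed `ipfw show` output matching the ruleset in the post.
SAMPLE_OK='00075     12      960 divert 8000 ip from any to any
00100      0        0 allow ip from any to any via lo0
65535   4321   123456 allow ip from any to any'

# Constructed ruleset where an accept-all rule shadows the divert rule, so
# nothing ever reaches Snort's divert socket.
SAMPLE_BAD='00050   4321   123456 allow ip from any to any
00075      0        0 divert 8000 ip from any to any
65535      0        0 deny ip from any to any'

# The alert line from the post, joined onto one line.
SAMPLE_ALERT='02/15-19:33:38.952784  [Drop] [**] [1:10000001:1] ICMP test drop [**] [Classification: Generic ICMP event] [Priority: 3] {ICMP} 10.0.0.116 -> 10.0.0.1'

report() {   # $1 label, $2 `ipfw show` text
    if printf '%s\n' "$2" | divert_before_allow 8000; then
        echo "$1: divert rule $(printf '%s\n' "$2" | first_divert_rule 8000) precedes the first pass rule"
    else
        echo "$1: divert rule missing or shadowed by an earlier pass rule"
    fi
}

report good "$SAMPLE_OK"
report bad  "$SAMPLE_BAD"
echo "verdict tag on the post's alert line: $(alert_verdict "$SAMPLE_ALERT")"
```

On the box itself, `ipfw show | divert_before_allow 8000` and `live_icmp_drop_test 8000 10.0.0.1` run the same checks against the live ruleset; if the divert counter does not move, packets never reach Snort and the Snort side cannot be at fault, and if alerts show [WDrop] rather than [Drop], Snort is not actually operating inline for that packet.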