Re: snort-inline

[Rob McMillen <rvmcmil () cablespeed com>]

On Tue, 18 Mar 2003, Ales Stibal wrote:

> Hello list,
> I have big problem to run snort-inline on single host. I wanted my box to be
> protected by snort-inline, but I failed to do so.

what version of snort_inline do you have?  Make sure you get the latest 
from 

http://project.honeynet.org/papers/honeynet/tools/si/

make sure you get the snort_inline-1.9.1-1.

> I tried to run various kernels, only one that seems to allow snort do
> it's job

Can you state what kinds of errors you were getting with the others?  And 
how you figured out that you had the right one?

> on QUEUE is vanilla 2.4.20 ( recently I tried same versions, but gentoo
> patches,
> including P-O-M of netfilter)
>
> I am running iptables commands:
>
> iptables -A INPUT -d $ETH0_IP -m state --state ESTABLISHED,RELATED -j QUEUE
> //FIXME: the line bellow seems obsolete to me ... (unreachable)
> iptables -A INPUT -d $ETH0_IP -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> With this rule packet successfully fall to QUEUE, is detected by
> snort_inline
> (it's shown when using -v flag), but nothing is passed trough.

What rules are you using?  What does the rest of your firewall 
configuration look like?

Rob