Snort mailing list archives
RE: Snort Inline
From: "Bob McDowell" <bmcdowell () coxhealthplans com>
Date: Thu, 2 Jan 2003 09:21:28 -0600
Are you using syslog with it? I'd be happy to hear that it is just me...

Forgive me if I'm wrong, but from the looks of the source code, only drop is implemented at this time. All of the other options are either 'drop' or 'accept':

"else /* for now we will just drop... TODO: correct actions for each ruletype */"

In general, however, you should be able to change an 'alert' rule to a 'drop' rule and see it work. I'm assuming you've done this already...

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Amit Kumar Gupta
Sent: Tuesday, December 31, 2002 10:53 PM
To: bmcdowell () coxhealthplans com; snort-users () lists sourceforge net
Subject: RE: [Snort-users] Snort Inline

Hi,

I have tested the logging. The logging works with the -Q option. But I don't know how to use drop and sdrop.

For logging I tried a simple ping on the local network. It seems it logs every 5th echo and echo-reply packet. You can see these packets in the /var/log/snort/ directory.

Regards,
Amit

-----Original Message-----
From: Bob McDowell [mailto:bmcdowell () coxhealthplans com]
Sent: Wednesday, January 01, 2003 3:53 AM
To: snort-users () lists sourceforge net
Subject: RE: [Snort-users] Snort Inline

I think I answered my own question: To enable ipq you must not only do the 'make install-devel' (as is thoroughly documented) but also enable 'Userspace queuing (experimental)' during kernel compile. The trick is, you have to go into 'Code Maturity...' and enable experimental items before this option will show up. This was non-obvious to me. I am learning though...

Now 'snort -Q' will start. I now have the same question as Amit: how does the packet dropping work? Also, it does not seem to log packets to syslog any longer, unless I omit the '-Q'.

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Bob McDowell
Sent: Tuesday, December 31, 2002 2:23 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Snort Inline

Has anyone on the list successfully installed/configured snort in inline mode? I've been wrestling with it for days, and I think I'm getting close. My biggest gripe about it is that I can't seem to find any help with it. It took a lot of head scratching to get as far as I have... When I'm done I'll write up the steps it took me to get it snorting.

In the meantime, can anyone out there help me? Any documentation, tips, warnings, etc. would be greatly appreciated. Specifically, I'm now stuck with a message that reads 'InlineInit: : Failed to send netlink message: Connection refused'

Thanks in advance.

Bob McDowell
IS Specialist
Cox HealthPlans, LLC
417.269.2848