Snort mailing list archives
Re: snort inline behavior
From: "Josh Berry" <josh.berry () netschematics com>
Date: Wed, 26 Nov 2003 08:40:17 -0600 (CST)
Yes, when you shut down Snort-Inline on the interfaces that connections are coming in and out of, then IPTables sends packets to the QUEUE but there is nothing to inspect them and pass them on. I suggest having another NIC for management of the box and not running snort-inline on that NIC.
First, thanks to all for the help on getting the right inline version running. I went through my firewall script and every '-j ACCEPT' I had, I changed to '-j QUEUE' and re-built my iptables chains. Did `insmod ip_queue`, loaded fine. Started up snort_inline with '-DQ -l ... -c ...'. Everything looked fine.

After a couple of minutes I decided instead of -D (daemon) I'd rather see a little output to make sure it was seeing packets as expected. I was ssh'ed into the box so I figured my iptables "ESTABLISHED,RELATED -j QUEUE" entry should show a lot of ssh packets. I do a `kill` on the snort_inline pid and suddenly my ssh connection goes dead - I'm waiting for it to timeout now. In the meantime I've tried to re-ssh back into the box, but they just time out.

I'm wondering if this is some weird deal that if you don't have someone running on QUEUE that the packets never get ACCEPTed and by shutting snort down I just shot myself in the foot. I'm going to go ahead and set up another box (that one is 1hr away, and the tech guy will arrive in the morning and I'll walk him through changing QUEUE back to ACCEPT and restart the firewall...) and getting it tested locally where if it breaks I can fix it easily. In the meantime I was wondering if you guys could lend your experience here. Does killing snort_inline while it's watching the QUEUE break any connections that are getting -j QUEUEed? What happened here?

Thanks!
Thanks,
Josh Berry, CTO
LinkNet-Solutions
469-831-8543
josh.berry () linknet-solutions com

-------------------------------------------------------
This SF.net email is sponsored by: SF.net Giveback Program. Does SourceForge.net help you be more productive? Does it help you create better code? SHARE THE LOVE, and help us help YOU! Click Here: http://sourceforge.net/donate/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
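One way to put Josh's advice into a firewall script, as an added example that is not code from this thread or from the snort_inline project: traffic on a dedicated management NIC is ACCEPTed before any QUEUE rule, and the QUEUE rules are flipped back to ACCEPT whenever snort_inline exits, so killing it no longer strands the queued connections the original poster describes. The interface names eth0/eth1/eth2, the config and log paths, and the deliberately minimal rule set are assumptions.

```shell
#!/bin/sh
# Hypothetical helper (added example, not from the thread or snort_inline).
# Assumed layout: eth0 = management NIC, eth1/eth2 = the inspected interfaces.
MGMT_IF="${MGMT_IF:-eth0}"
INLINE_IFS="${INLINE_IFS:-eth1 eth2}"

# Print the iptables commands for one ruleset. The management NIC is accepted
# first, so an absent QUEUE reader can never cut off the admin's ssh session.
# $1 is QUEUE while snort_inline runs and ACCEPT once it has stopped (fail-open).
gen_rules() {
  target="$1"
  echo "iptables -F INPUT"
  echo "iptables -F OUTPUT"
  echo "iptables -F FORWARD"
  echo "iptables -A INPUT -i $MGMT_IF -j ACCEPT"
  echo "iptables -A OUTPUT -o $MGMT_IF -j ACCEPT"
  for i in $INLINE_IFS; do
    echo "iptables -A INPUT -i $i -m state --state ESTABLISHED,RELATED -j $target"
    echo "iptables -A FORWARD -i $i -j $target"
  done
}

# Execute the generated commands (needs root and the ip_queue module loaded).
apply_rules() { gen_rules "$1" | sh; }

# Run snort_inline in the foreground (no -D); however it exits, including on a
# kill of its pid, the EXIT trap restores ACCEPT so queued traffic flows again.
run_inline() {
  apply_rules QUEUE
  trap 'apply_rules ACCEPT' EXIT INT TERM
  snort_inline -Q -c /etc/snort_inline/snort_inline.conf \
    -l /var/log/snort_inline "$@"   # assumed paths
}
```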