Snort mailing list archives

How to test snort inline


From: vikrant () saysnetsoft com
Date: Thu, 29 Sep 2005 06:25:15 -0500 (CDT)

Hi,

I have successfully installed snort_inline 2.3.0 on my machine. But when I
try to test snort_inline with the following rule, it does not work (that is,
it does not drop the request to connect to port 80).

I am adding the following rule just below the comment lines but above the
alert rules in the "web-attacks.rules" file (path of the file is
/etc/snort_inline/rules/) to drop the request.
-------------------------------------------------------------------------------------------------
drop tcp any any -> any 80 (classtype:attempted-user; msg:"Port 80 connection initiated";)
-------------------------------------------------------------------------------------------------

I have changed snort_inline.conf and snort.conf as follows:

Changes I made in the snort_inline.conf file (path /etc/snort_inline/):
1. Set "var RULE_PATH /etc/snort_inline/rules"
2. Enabled web-attacks.rules

Changes I made in the snort.conf file (path /etc/snort_inline/):
1. Set "var RULE_PATH /etc/snort_inline/rules"
2. Enabled web-attacks.rules
3. Set "var HOME_NET 10.0.1.0/24"

Now, the commands I am executing are:

1. modprobe ip_queue
2. lsmod | grep ip_queue
----------------------------
output
ip_queue 9945 0
-------------------------

3. iptables -I INPUT -p tcp --dport 80 -j QUEUE

4. snort_inline -c /etc/snort_inline/snort_inline.conf -Q -N -l /var/log/snort_inline/ -t /var/log/snort_inline/ -v
-------------------------------------------------
output
__== Initialisation Complete ==__
-------------------------------------------------

snort_inline starts successfully, but the above drop rule does not work.

I installed snort_inline with the following packages:
----------------------------------
kernel version 2.6.9-11EL
iptables version 1.3.2
libnet-1.0.2a
pcre-6.4
---------------------------------

So please let me know if I am doing something wrong in the above process;
I am new to snort_inline.

Also, please tell me how I can test snort_inline if the above rule does not work.

Thanks

Vikrant
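The test procedure described in the post (ip_queue loaded, a QUEUE rule in INPUT, snort_inline started with -Q, then a connection to port 80 that should be dropped) can be scripted. What follows is an added example written for this page; it is not code from the original post or from the snort_inline project. It checks that the QUEUE rule is the first INPUT rule that touches dport 80 (parsing `iptables -L INPUT -n` output, which the 1.3 series already supports), that ip_queue is loaded, and then probes port 80 on the sensor with netcat to see whether the SYN actually gets dropped. It assumes a hypothetical sensor address SENSOR=10.0.1.10 (within the HOME_NET from the post), a listener on tcp/80 on that box so a successful connect is distinguishable from a drop, `nc` with `-z`/`-w` on the probing host, and that alerts land as text under /var/log/snort_inline/. Because the post's QUEUE rule lives in the INPUT chain, which only sees packets addressed to the local host, the probe must target the sensor itself and not a host behind it.

```shell
#!/bin/sh
# Added example (not from the original post or the snort_inline project):
# a small test harness for an inline "drop" rule on tcp/80.
#
# Assumptions (hypothetical, not taken from the post):
#   SENSOR  - address of the snort_inline box itself; the INPUT chain only
#             sees locally-destined packets, so probe the sensor, not a
#             host behind it. Something should listen on tcp/80 there.
#   nc      - netcat with -z and -w on the host running the probe.
#   LOGDIR  - where snort_inline writes its alert file(s) as text.

SENSOR=${SENSOR:-10.0.1.10}
LOGDIR=${LOGDIR:-/var/log/snort_inline}
MSG='Port 80 connection initiated'   # msg: text from the drop rule

# check_queue_order: reads "iptables -L INPUT -n" output on stdin.
# Exit 0 if the first rule matching dpt:80 has target QUEUE,
#      1 if some other target (e.g. ACCEPT) gets the packet first,
#      2 if no rule for dpt:80 exists in the chain at all.
check_queue_order() {
    awk '
        /dpt:80( |$)/ && !seen {
            seen = 1
            rc = ($1 == "QUEUE") ? 0 : 1
        }
        END { if (!seen) rc = 2; exit rc }
    '
}

# probe_port HOST PORT [TIMEOUT]: 0 if a TCP connect succeeds, 1 otherwise.
# A dropped SYN shows up as a timeout (non-zero); a refused connect is also
# non-zero, which is why a listener on the port is assumed.
probe_port() {
    nc -z -w "${3:-3}" "$1" "$2" >/dev/null 2>&1
}

# run_live: drive the whole check on the sensor (needs root for iptables).
run_live() {
    iptables -L INPUT -n | check_queue_order
    case $? in
        0) echo "ok: QUEUE is the first INPUT target for dpt:80" ;;
        1) echo "FAIL: another target handles dpt:80 before QUEUE (use iptables -I INPUT 1 ...)"; return 1 ;;
        2) echo "FAIL: no dpt:80 rule in INPUT"; return 1 ;;
    esac
    lsmod | grep -q '^ip_queue' || { echo "FAIL: ip_queue module not loaded"; return 1; }
    if probe_port "$SENSOR" 80; then
        echo "FAIL: connect to $SENSOR:80 succeeded, so the packet was not dropped"
        return 1
    fi
    echo "ok: connect to $SENSOR:80 did not complete (dropped or timed out)"
    if grep -rl "$MSG" "$LOGDIR" >/dev/null 2>&1; then
        echo "ok: alert with msg \"$MSG\" found under $LOGDIR"
    else
        echo "warn: no alert text found under $LOGDIR (check the output plugins in snort_inline.conf)"
    fi
}

# Only touch the live system when explicitly asked for.
if [ "$1" = "--live" ]; then
    run_live
fi
```

Run it on the sensor as root with `sh test_inline_drop.sh --live`; a connect from the sensor to its own address still traverses INPUT, so the probe can run locally, or `probe_port` can be called from another host in 10.0.1.0/24. The first two checks only tell you the packets are reaching ip_queue and snort_inline; if they pass and the probe still connects, the problem is on the rule side (the rule file not being loaded, or the rule not matching the SYN), not on the iptables side.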


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users