Snort mailing list archives
Re: How to test snort inline
From: vikrant <vikrant () saysnetsoft com>
Date: Fri, 30 Sep 2005 14:22:45 +0530
hi,

Thanks for the information.

Vikrant

Dino Dragovic wrote:

hi,

don't forget to QUEUE the return traffic as well

    iptables -I OUTPUT -p tcp --sport 80 -j QUEUE

Regards,
~~~
Dino Dragovic

On Thu, 29 Sep 2005 vikrant () saysnetsoft com wrote:

hi

I have successfully installed snort_inline 2.3.0 on my machine. But when I am trying to test snort_inline with the following rule, it could not work (means could not drop the request to connect at port 80).

I am adding the following rule just below the comment lines but above the alert rules in the "web-attacks.rules" file (path of file is /etc/snort_inline/rules/) to drop the request.

-------------------------------------------------------------------------------------------------
drop tcp any any -> any 80 (classtype:attempted-user; msg:"Port 80 connection initiated";)
-------------------------------------------------------------------------------------------------

I have changed snort_inline.conf and snort.conf as follows:

Changes I did in the snort_inline.conf file (path /etc/snort_inline/) are:
1. Set "var RULE_PATH /etc/snort_inline/rules"
2. Enable the web-attacks.rules

Changes I did in the snort.conf file (path /etc/snort_inline) are:
1. Set "var RULE_PATH /etc/snort_inline/rules"
2. Enable the web-attacks.rules
3. Set the "var HOME_NET 10.0.1.0/24"

Now, the commands I am executing are:

1. modprobe ip_queue
2. lsmod | grep ip_queue
   ---------------------------- output
   ip_queue 9945 0
   -------------------------
3. iptables -I INPUT -p tcp --dport 80 -j QUEUE
4. snort_inline -c /etc/snort_inline/snort_inline.conf -Q -N -l /var/log/snort_inline/ \
   -t /var/log/snort_inline/ -v
   ------------------------------------------------- output
   __== Initialisation Complete ==__
   -------------------------------------------------

snort_inline starts successfully, but the above drop rule could not work.

I have installed snort_inline with the following packages:
----------------------------------
kernel version 2.6.9-11EL
iptable version 1.3.2
libnet-1.0.2a
pcre-6.4
----------------------------------

So, please let me know if I am doing something wrong in the above process; actually I am new to snort_inline. Also, please tell me how I can test snort_inline if the above rule does not work.

Thanks
Vikrant

-------------------------------------------------------
This SF.Net email is sponsored by: Power Architecture Resource Center: Free content, downloads, discussions, and more. http://solutions.newsforge.com/ibmarch.tmpl
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
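Added example, not part of the thread: a check for the point raised in the reply, that both the request direction (INPUT, --dport) and the return direction (OUTPUT, --sport) of a local TCP service are sent to QUEUE. The function name queue_coverage and both sample rulesets are constructed for illustration; on a live host the input would come from iptables-save.

```shell
#!/bin/sh
# queue_coverage PORT  (ruleset in iptables-save format on stdin)
# Prints "in=yes|no out=yes|no"; returns 0 only when both directions are queued.
queue_coverage() {
    port=$1
    awk -v port="$port" '
        $1 == "-A" {
            chain = $2; tcp = 0; dport = ""; sport = ""; target = ""
            for (i = 3; i <= NF; i++) {
                if ($i == "-p" && $(i+1) == "tcp") tcp = 1
                if ($i == "--dport") dport = $(i+1)
                if ($i == "--sport") sport = $(i+1)
                if ($i == "-j") target = $(i+1)
            }
            # Only TCP rules whose target is QUEUE count.
            if (tcp && target == "QUEUE") {
                if (chain == "INPUT"  && dport == port) in_ok = 1
                if (chain == "OUTPUT" && sport == port) out_ok = 1
            }
        }
        END {
            printf "in=%s out=%s\n", (in_ok ? "yes" : "no"), (out_ok ? "yes" : "no")
            exit !(in_ok && out_ok)
        }'
}

# Constructed sample: ruleset after only the INPUT command from the original post.
RULES_REQUEST_ONLY='*filter
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 80 -j QUEUE
COMMIT'

# Constructed sample: the same ruleset with the OUTPUT rule from the reply added.
RULES_BOTH='*filter
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 80 -j QUEUE
-A OUTPUT -p tcp -m tcp --sport 80 -j QUEUE
COMMIT'

printf '%s\n' "$RULES_REQUEST_ONLY" | queue_coverage 80 || echo "port 80: return traffic not queued"
printf '%s\n' "$RULES_BOTH" | queue_coverage 80 && echo "port 80: both directions queued"
```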
Current thread:
- How to test snort inline vikrant (Sep 29)
- Re: How to test snort inline Dino Dragovic (Sep 29)
- Re: How to test snort inline vikrant (Sep 30)
- Re: How to test snort inline Dino Dragovic (Sep 29)