Snort mailing list archives

Re: Snort with inline


From: Will Metcalf <william.metcalf () gmail com>
Date: Wed, 10 Jun 2009 16:35:32 -0500

What do your firewall rules look like? You will need something like...

iptables -I INPUT -i lo -j ACCEPT
iptables -I INPUT -p tcp --dport 80 -j QUEUE
iptables -I OUTPUT -p tcp --sport 80 -j QUEUE

Regards,

Will
On Wed, Jun 10, 2009 at 2:23 PM, Didier Bortolin <didier.bortolin () gmail com> wrote:
Hello everybody,

New to Snort, I am trying to use it in IPS mode.
Packets are controlled by Snort like this in my logs:

06/09-21:54:44.717206 XXXXXXXXX:2034 -> XXXXXXXXXXX:80
TCP TTL:58 TOS:0x0 ID:9926 IpLen:20 DgmLen:52 DF
******S* Seq: 0x7AFD82E0 Ack: 0x0 Win: 0xFFFF TcpLen: 32
TCP Options (6) => MSS: 1452 NOP WS: 3 NOP NOP SackOK
=====================================+

I connect to my Apache to get the server info page. In IDS mode I get the
Snort alert, but in IPS mode I have NO alert.
I made a simple rule, and it matches:

This rule matches:

alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"TEST"; sid:2;)

This one doesn't match, like all the others:

alert tcp any any -> any any (msg:"WEB-MISC server-status access";
flow:to_server,established; uricontent:"/server-status"; metadata:service
http; reference:url,httpd.apache.org/docs/mod/mod_info.html;
classtype:web-application-activity; sid:2; rev:7;)

I tried to change parameters in http_inspect, but with no result: Snort doesn't
take any packet, only my rule.

Can someone help me?

Thank you,
Best regards,

Didier Bortolin

------------------------------------------------------------------------------
Crystal Reports - New Free Runtime and 30 Day Trial
Check out the new simplified licensing option that enables unlimited
royalty-free distribution of the report engine for externally facing
server and web deployment.
http://p.sf.net/sfu/businessobjects
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

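An added diagnostic, not code from Will's reply, from Didier, or from the Snort project: the server-status rule carries flow:to_server,established, and Snort's stream tracking cannot treat a session as established when it only ever sees one direction of it, which is why the iptables lines above queue both INPUT (port 80 as destination) and OUTPUT (port 80 as source). The script below parses packet output in the layout Didier pasted and reports endpoint pairs where only one side was ever seen sending, the symptom you get when one direction bypasses the QUEUE target. The sample log, its RFC 5737 addresses and the function names are constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of Snort's packet/alert dump quoted in the thread.
# Addresses are RFC 5737 documentation addresses, not real hosts.
# Pair 1 (192.0.2.10:2034 <-> 198.51.100.5:80): only client->server packets appear.
# Pair 2 (192.0.2.77:40000 <-> 198.51.100.5:80): both directions appear.
SAMPLE_LOG = """\
06/09-21:54:44.717206 192.0.2.10:2034 -> 198.51.100.5:80
TCP TTL:58 TOS:0x0 ID:9926 IpLen:20 DgmLen:52 DF
******S* Seq: 0x7AFD82E0 Ack: 0x0 Win: 0xFFFF TcpLen: 32
TCP Options (6) => MSS: 1452 NOP WS: 3 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

06/09-21:54:44.720011 192.0.2.10:2034 -> 198.51.100.5:80
TCP TTL:58 TOS:0x0 ID:9927 IpLen:20 DgmLen:40 DF
***A**** Seq: 0x7AFD82E1 Ack: 0x1B2C3D4F Win: 0xFFFF TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

06/09-21:55:01.000120 192.0.2.77:40000 -> 198.51.100.5:80
TCP TTL:64 TOS:0x0 ID:1 IpLen:20 DgmLen:60 DF
******S* Seq: 0x00000001 Ack: 0x0 Win: 0x16D0 TcpLen: 40
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

06/09-21:55:01.000480 198.51.100.5:80 -> 192.0.2.77:40000
TCP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:60 DF
***A**S* Seq: 0x0ABCDEF0 Ack: 0x00000002 Win: 0x16A0 TcpLen: 40
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
"""

# First line of every packet: timestamp, IPv4 src:port -> IPv4 dst:port.
HEADER_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)\s*$"
)
# IP line. "0[x×]" tolerates the multiplication sign that copy-paste sometimes
# substitutes for the 'x' of a hex prefix.
IP_RE = re.compile(
    r"^TCP TTL:(?P<ttl>\d+) TOS:0[x×](?P<tos>[0-9A-Fa-f]+) ID:(?P<id>\d+) "
    r"IpLen:(?P<iplen>\d+) DgmLen:(?P<dgmlen>\d+)(?P<df> DF)?"
)
# TCP line: the flag field is 8 fixed columns in the order 1 2 U A P R S F, '*' = unset.
FLAGS_RE = re.compile(
    r"^(?P<flags>[12UAPRSF*]{8}) Seq: 0[x×](?P<seq>[0-9A-Fa-f]+) "
    r"Ack: 0[x×](?P<ack>[0-9A-Fa-f]+) Win: 0[x×](?P<win>[0-9A-Fa-f]+) "
    r"TcpLen: (?P<tcplen>\d+)"
)
FLAG_NAMES = "12UAPRSF"


def decode_flags(field):
    """'******S*' -> {'S'}; '***A**S*' -> {'A', 'S'}."""
    return {name for name, ch in zip(FLAG_NAMES, field) if ch != "*"}


def parse_packets(text):
    """Turn the multi-line packet blocks into a list of dicts, one per packet."""
    packets, cur = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            cur = {"ts": m["ts"], "src": m["src"], "sport": int(m["sport"]),
                   "dst": m["dst"], "dport": int(m["dport"]), "flags": set()}
            packets.append(cur)
            continue
        if cur is None:          # text before the first packet header
            continue
        m = IP_RE.match(line)
        if m:
            cur.update(ttl=int(m["ttl"]), tos=int(m["tos"], 16), ip_id=int(m["id"]),
                       dgm_len=int(m["dgmlen"]), df=bool(m["df"]))
            continue
        m = FLAGS_RE.match(line)
        if m:
            cur.update(flags=decode_flags(m["flags"]), seq=int(m["seq"], 16),
                       ack=int(m["ack"], 16), win=int(m["win"], 16),
                       tcp_len=int(m["tcplen"]))
        # TCP Options and "=+=+" separator lines are not needed here and are skipped.
    return packets


def one_sided_sessions(packets):
    """Group packets by endpoint pair (direction-independent) and return the pairs
    for which only one endpoint was ever seen sending: a session Snort can never
    mark established because the reply direction is not reaching it."""
    senders = defaultdict(set)
    for p in packets:
        a, b = (p["src"], p["sport"]), (p["dst"], p["dport"])
        senders[tuple(sorted((a, b)))].add(a)
    return sorted(key for key, s in senders.items() if len(s) < 2)


if __name__ == "__main__":
    for p in parse_packets(SAMPLE_LOG):
        print(p["ts"], f"{p['src']}:{p['sport']} -> {p['dst']}:{p['dport']}",
              "".join(sorted(p["flags"])))
    for a, b in one_sided_sessions(SAMPLE_LOG and parse_packets(SAMPLE_LOG)):
        print(f"only one direction seen between {a[0]}:{a[1]} and {b[0]}:{b[1]}")
```

The one-way TEST rule in the thread (any -> $HTTP_SERVERS) can only ever log the client side, so to feed this script something meaningful capture both directions first, for instance with Snort's verbose packet mode (snort -v prints every packet it receives in this layout) or with a bidirectional rule using <> instead of ->. A pair that shows up as one-sided while the client is clearly talking to the server points at the firewall rule set, not at http_inspect.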