Snort mailing list archives
Re: Snort with inline
From: Will Metcalf <william.metcalf () gmail com>
Date: Wed, 10 Jun 2009 16:35:32 -0500
What do your firewall rules look like? You will need something like...

iptables -I INPUT -i lo -j ACCEPT
iptables -I INPUT -p tcp --dport 80 -j QUEUE
iptables -I OUTPUT -p tcp --sport 80 -j QUEUE

Regards,
Will

On Wed, Jun 10, 2009 at 2:23 PM, Didier Bortolin<didier.bortolin () gmail com> wrote:
Hello everybody,

New with Snort, I am trying to use it in IPS mode. Packets are controlled by Snort like this in my logs:

06/09-21:54:44.717206 XXXXXXXXX:2034 -> XXXXXXXXXXX:80
TCP TTL:58 TOS:0x0 ID:9926 IpLen:20 DgmLen:52 DF
******S* Seq: 0x7AFD82E0 Ack: 0x0 Win: 0xFFFF TcpLen: 32
TCP Options (6) => MSS: 1452 NOP WS: 3 NOP NOP SackOK
=====================================+

I connect to my Apache to get the server info page. In IDS mode, I have the alert from Snort, but in IPS mode I have NO alert.

I make a simple rule, and it matches. This rule matches:

alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"TEST"; sid:2;)

This one doesn't match, like all the others:

alert tcp any any -> any any (msg:"WEB-MISC server-status access"; flow:to_server,established; uricontent:"/server-status"; metadata:service http; reference:url,httpd.apache.org/docs/mod/mod_info.html; classtype:web-application-activity; sid:2; rev:7;)

I tried to change parameters in http_inspect, but with no result; Snort doesn't take any packet, only with my rule.

Can someone help me?

Thank you, best regards,
Didier Bortolin

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
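The point behind Will's rule set is that Snort's stream tracking only marks a session as established when it sees both halves of the TCP handshake, so a rule with flow:to_server,established (unlike the bare "TEST" rule) stays silent if only one direction is sent to the QUEUE target. The following check, an added example that is not code from the thread, parses rules in the form printed by `iptables -S` (an assumed input format) and reports which of the three rules from the reply are still missing for a given port; the rule set is constructed for illustration.

```python
import shlex

QUEUE_TARGETS = {"QUEUE", "NFQUEUE"}  # NFQUEUE is the modern replacement for QUEUE

# Constructed sample (not from the thread): only client->server packets are queued,
# so Snort never sees the server's SYN-ACK and the session is never "established".
ONE_WAY_RULES = ["-A INPUT -i lo -j ACCEPT",
                 "-A INPUT -p tcp -m tcp --dport 80 -j QUEUE"]

def parse_rule(line):
    """Extract chain, protocol, ports, input interface and target from one rule."""
    rule = {"chain": None, "proto": None, "dport": None, "sport": None,
            "iface_in": None, "target": None}
    keys = {"-A": "chain", "-I": "chain", "-p": "proto", "-i": "iface_in",
            "-j": "target", "--dport": "dport", "--sport": "sport"}
    tokens = shlex.split(line)
    for flag, value in zip(tokens, tokens[1:]):  # walk (option, argument) pairs
        if flag in keys:
            rule[keys[flag]] = int(value) if flag.endswith("port") else value
    return rule

def queue_coverage(lines, port):
    """Which directions of TCP traffic on `port` are handed to the QUEUE target."""
    rules = [parse_rule(l) for l in lines if l.strip()]
    def queued(chain, portkey):
        return any(r["chain"] == chain and r["proto"] == "tcp" and r[portkey] == port
                   and r["target"] in QUEUE_TARGETS for r in rules)
    return {
        "inbound": queued("INPUT", "dport"),     # client -> server (to_server half)
        "outbound": queued("OUTPUT", "sport"),   # server -> client (reply half)
        "loopback_accept": any(r["chain"] == "INPUT" and r["iface_in"] == "lo"
                               and r["target"] == "ACCEPT" for r in rules),
    }

def missing_rules(lines, port):
    """The iptables commands from the reply that the rule set still lacks."""
    cov = queue_coverage(lines, port)
    needed = []
    if not cov["loopback_accept"]:
        needed.append("iptables -I INPUT -i lo -j ACCEPT")
    if not cov["inbound"]:
        needed.append(f"iptables -I INPUT -p tcp --dport {port} -j QUEUE")
    if not cov["outbound"]:
        needed.append(f"iptables -I OUTPUT -p tcp --sport {port} -j QUEUE")
    return needed

if __name__ == "__main__":
    for cmd in missing_rules(ONE_WAY_RULES, 80):
        print(cmd)
```

Feed it the real output of `iptables -S` on the inline host to confirm both directions of port 80 reach the queue before debugging the signatures themselves.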
Current thread:
- Snort with inline Didier Bortolin (Jun 10)
- Re: Snort with inline Will Metcalf (Jun 10)