Snort mailing list archives

Re: Snort IDS Not Working


From: waldo kitty <wkitty42 () windstream net>
Date: Sat, 04 Sep 2010 02:48:02 -0400

On 9/3/2010 17:39, Bradlee Landis wrote:
> I am running Devil-Linux (Linux From Scratch distribution), and I'm
> having trouble getting it working correctly. It is possible that it's
> been built incorrectly, but I thought I would just see if you could
> tell me if I'm doing something wrong.
>
> I'm running these commands:
>
> iptables -A INPUT -j QUEUE
> snort -Qc /etc/snort/snort.conf -A console
>
> But, when I have a QUEUE target in iptables, it blocks all traffic,
> and starting snort does not make a difference.

umm well should it? you're sending everything to the QUEUE table but do you have 
a rule in the QUEUE table telling anything to move on past the QUEUE table?


> Snort is detecting packets, even if I don't have a QUEUE target in iptables, so it
> doesn't seem to be actually running in IDS mode.

ughhhh... actually it does to me... i don't use any kind of inline or iptables 
rules for snort in my installs and it detects traffic and alerts on it quite 
well... perhaps you are confusing methods of operation? or perhaps there's some 
specific confusion being thrown into the equation somehow from somewhere?

my snort installs read the rules and sit and alert... they do not attempt to run 
in iptables mode or use the iptables blocking methods... my snorts simply read 
the packets and sound alerts in their alert files... i think the KISS principle 
plays a large part in this aspect ;)
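
Added example (not part of the original thread or of Snort): a small diagnostic for the symptom described in the question, where a QUEUE rule is present but all traffic stops. It assumes the legacy ip_queue backend that the QUEUE target used at the time, and the sample rule set and /proc/net/ip_queue contents are constructed and trimmed; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: explain why "-j QUEUE" can blackhole traffic.
# Assumption: legacy ip_queue backend, whose /proc/net/ip_queue reports
# "Peer PID : 0" when no userspace program is attached to the queue.

# Constructed `iptables -S` output matching the rule from the post.
SAMPLE_RULES='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -j QUEUE'

# Constructed /proc/net/ip_queue contents: no reader, then a reader.
SAMPLE_IPQ_IDLE='Peer PID          : 0
Copy mode         : 0
Queue length      : 0
Queue dropped     : 37'
SAMPLE_IPQ_BUSY='Peer PID          : 4242
Copy mode         : 2
Queue length      : 0
Queue dropped     : 0'

# Print each chain that has a rule whose target is QUEUE.
queue_chains() {
    printf '%s\n' "$1" | awk '$1 == "-A" {
        for (i = 3; i < NF; i++)
            if ($i == "-j" && $(i + 1) == "QUEUE") print $2
    }' | sort -u
}

# Print the PID attached to the queue (0 means nobody is reading it).
ipq_peer_pid() {
    printf '%s\n' "$1" | awk -F: '/^Peer PID/ { gsub(/[ \t]/, "", $2); print $2 }'
}

# $1 = ruleset text, $2 = ip_queue text (empty when the file is absent).
diagnose() {
    if [ -z "$(queue_chains "$1")" ]; then echo "no-queue-rule"; return 0; fi
    if [ -z "$2" ]; then echo "ip_queue-not-loaded"; return 0; fi
    pid=$(ipq_peer_pid "$2")
    if [ "${pid:-0}" -eq 0 ]; then
        echo "no-reader"            # queued packets are dropped
    else
        echo "reader-pid-$pid"      # e.g. snort -Q is attached
    fi
}

diagnose "$SAMPLE_RULES" "$SAMPLE_IPQ_IDLE"
```

On a live host the same check would be run as diagnose "$(iptables -S)" "$(cat /proc/net/ip_queue 2>/dev/null)".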
