Re: snort does not sent reset in freebsd/ipfw inline mode

[Russ Combs <rcombs () sourcefire com>]

On Fri, Feb 4, 2011 at 5:57 PM, Michael Scheidell <
michael.scheidell () secnap com> wrote:

>  On 1/19/11 1:00 PM, Rajkumar S wrote:
>
> Hello,
>
> I am testing snort 2.9.0.3 with inline  under FreeBSD 6.2-RELEASE-p12
> and IPFW. Every thing seems working except that no packet gets dropped
> or reset is being sent.
>
>
>  I have a (test ports) version of 2.9.0.3  and am trying to make sure
> ipfw/daq works.
> <http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/154514><http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/154514>
>
> I have never gotten this to work in the past, and am still confused.
>
>
>  I am using snort Version 2.9.0.3 (Build 98) FreeBSD which is compiled
> with following options:
> ./configure  --enable-flexresp3 --enable-react  --enable-active-response
>
>
>
> did you find you needed the -Q in the command line?
> (man page seems to say this is for iptables only)

Oops - the man page is out of date wrt -Q and possibly elsewhere.  Refer to
READMEs and snort_manual for now.

As for -Q and policy_mode, the best reference is section 1.9.5 of the manual
which breaks it out in table form.

I've bugged the man page.  Thanks for reporting the issue.


> did you find you needed this in snort.conf?
> config policy_mode:inline
>
> what sysctl's did you need to add to turn on ipfw filtering?
>
> (sysctl -a | egrep 'fw|bridge')
>
> this in a router mode? with an ip on each interface? or bridged? (with
> if_bridge?)?
> what ifconfig options did you use to create the bridge?
>
>
> --
> Michael Scheidell, CTO
> o: 561-999-5000
> d: 561-948-2259
> ISN: 1259*1300
> > *| *SECNAP Network Security Corporation
>
>    - Certified SNORT Integrator
>    - 2008-9 Hot Company Award Winner, World Executive Alliance
>    - Five-Star Partner Program 2009, VARBusiness
>    - Best in Email Security,2010: Network Products Guide
>    - King of Spam Filters, SC Magazine 2008
>
>
> ------------------------------
>
> This email has been scanned and certified safe by SpammerTrap®.
> For Information please see http://www.secnap.com/products/spammertrap/
> ------------------------------
>
>
>
> ------------------------------------------------------------------------------
> The modern datacenter depends on network connectivity to access resources
> and provide services. The best practices for maximizing a physical server's
> connectivity to a physical network are well understood - see how these
> rules translate into the virtual world?
> http://p.sf.net/sfu/oracle-sfdevnlfb
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
------------------------------------------------------------------------------
The modern datacenter depends on network connectivity to access resources
and provide services. The best practices for maximizing a physical server's
connectivity to a physical network are well understood - see how these
rules translate into the virtual world? 
http://p.sf.net/sfu/oracle-sfdevnlfb

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users