Snort mailing list archives

Re: snort-2.9.4, daq 2.0.1 afpacket in inline mode snort fails to drop packets even when RULE is set to drop


From: waldo kitty <wkitty42 () windstream net>
Date: Sun, 18 Aug 2013 17:34:22 -0400

On 8/18/2013 15:08, Y M wrote:
 > If I understand your question correctly, this is where -i eth0:eth1 comes into
 > play. This tells snort that traffic is flowing from eth0 to eth1 and back. In my
 > case, it's up to the implementer to assign which interface to receive the network
 > feed based on home and external net, and the placement of the sensor within the
 > network. For example, assume my $HOME_NET is 192.168.10.10 and my $EXTERNAL_NET
 > is any and I want to assign the eth0 to my actual home net feed and eth1 to my
 > feed leaving the network. In this case, using an ICMP rule I would be able to
 > drop any ping request from my home net going out.

ahhh... right, right, right... i had missed that earlier...

 > Did I address your question? I am not sure what do you mean by OP's, lack of
 > acronyms knowledge :)

yes you answered correctly...

OP means "original poster" or "original post" depending on the context ;)

thanks for the clarification!

 > Date: Fri, 16 Aug 2013 20:21:42 -0400
 > From: wkitty42 () windstream net
 > To: snort-users () lists sourceforge net
 > Subject: Re: [Snort-users] snort-2.9.4, daq 2.0.1 afpacket in inline mode snort fails to drop packets even when RULE is set to drop
 >
 > On 8/16/2013 14:53, Y M wrote:
 > > If I recall, --enable-inline is deprecated since a while now, not sure which
 > > Snort version; A warning should have been shown during compilation. But I
 > > do not think that this would affect operating in inline mode now.
 >
 > doesn't inline mode require an input interface and an output interface where
 > snort sits between them and passes the traffic from one to the other? what does
 > the OP's snort.conf show in this regard?



-- 
NOTE: No off-list assistance is given without prior approval.
       Please keep mailing list traffic on the list unless
       private contact is specifically requested and granted.
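
The setup discussed in this message, as an added example that is not part of the original thread or of anyone's posted configuration: the home net, external net and interface pair are the values quoted above, while the file paths, rule message and sid are assumptions chosen for illustration.

```conf
# --- snort.conf (assumed path: /etc/snort/snort.conf) ---
# Values taken from the message above.
ipvar HOME_NET 192.168.10.10
ipvar EXTERNAL_NET any

# Select the afpacket DAQ and run it inline. Without inline mode a
# "drop" rule only reports "would drop" and the packet is still forwarded.
config daq: afpacket
config daq_mode: inline
config policy_mode: inline

# Assumed location of the local rules file.
include $RULE_PATH/local.rules

# --- local.rules ---
# Drop echo requests (ICMP type 8) leaving the home net.
# msg text and sid are placeholders; local sids start at 1000000.
drop icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"LOCAL outbound ICMP echo request"; itype:8; sid:1000001; rev:1;)

# --- invocation, for comparison ---
# Passive: one interface, packets are only observed, nothing can be dropped.
#   snort --daq afpacket -i eth0 -c /etc/snort/snort.conf
#
# Inline: -Q forces inline mode and -i names the bridged pair, so snort
# sits between eth0 (home net side) and eth1 (side leaving the network).
#   snort -Q --daq afpacket -i eth0:eth1 -c /etc/snort/snort.conf
```

Running the inline invocation with `-T` first validates the configuration and rules without starting to forward traffic.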
