Snort mailing list archives
Snort running inline but not functioning as IPS
From: Robin Kipp <mlists () robin-kipp net>
Date: Thu, 21 Jan 2016 17:59:22 +0100
Hi all,

I’ve just installed Snort 2.9.8.0 on a Debian 8 server. The server has 4 network interfaces, which are all combined as a bridge interface named br0. The server bridges traffic between the internal network and the internet and I’d like to use Snort for intrusion protection. As far as I understand, the DAQ NFQ module can be used to run Snort in inline mode and block bad traffic, even on a bridged interface.

So, in order to set this up I first added netfilter queues and redirected traffic to them using those commands:

iptables -t nat -I PREROUTING -j NFQUEUE --queue-num 1
iptables -I FORWARD -j NFQUEUE --queue-num 1
iptables -I INPUT -j NFQUEUE --queue-num 1
iptables -I OUTPUT -j NFQUEUE --queue-num 1

I did exactly the same for IPv6, only using ip6tables instead of iptables for each command. Afterwards, I launched Snort with the following command:

snort -u snort -g snort -q -Q --daq nfq --daq-var device=br0 --daq-var queue=1 -c /etc/snort/snort.conf

Snort then starts up without any problems and also generates alerts for rule violations. However, I feel like it’s not dropping or rejecting traffic that triggers any of the rules; it rather seems to work only as an IDS. For instance, I tried pinging some blacklisted IPs, the rules were triggered and generated alerts, but the ping and ping response would go through nevertheless.

So, could anybody kindly tell me what I’m missing here? Thank you very much for any hints!

Best regards,
Robin
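The post tests blocking with blacklist rules that alert but do not drop. As an added example (not from the post or from the Snort project), the following Python script audits a Snort 2.x rules file and reports which rules can actually block when Snort runs with -Q: it assumes Snort 2.x semantics, where only the drop, reject and sdrop actions produce a blocking verdict and alert rules only alert, and the rules it parses are constructed samples.

```python
import re
from collections import Counter

# Constructed sample rules (not from the original post). The two blacklist-style
# rules mirror the "ping a blacklisted IP" test described in the message.
SAMPLE_RULES = """\
# blacklist.rules (constructed example)
alert ip [192.0.2.10,192.0.2.11] any -> $HOME_NET any (msg:"BLACKLIST src hit"; sid:1000001; rev:1;)
alert ip $HOME_NET any -> [192.0.2.10,192.0.2.11] any (msg:"BLACKLIST dst hit"; sid:1000002; rev:1;)
drop icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP flood candidate"; sid:1000003; rev:1;)
reject tcp any any -> $HOME_NET 23 (msg:"Telnet to internal host"; sid:1000004; rev:1;)
pass tcp $HOME_NET any -> any 443 (msg:"allow https"; sid:1000005; rev:1;)
"""

# Rule actions that yield a blocking verdict in Snort 2.x inline (-Q) mode.
BLOCKING_ACTIONS = {"drop", "reject", "sdrop"}

# <action> <header up to the first '('> ( <options> )
RULE_RE = re.compile(r"^(?P<action>\w+)\s+(?P<header>[^(]+)\((?P<options>.*)\)\s*$")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
MSG_RE = re.compile(r'\bmsg\s*:\s*"([^"]*)"\s*;')


def parse_rules(text):
    """Yield (action, sid, msg) for every active rule line, skipping comments and blanks."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue  # not a single-line rule (continuations are out of scope here)
        opts = m.group("options")
        sid = SID_RE.search(opts)
        msg = MSG_RE.search(opts)
        yield (m.group("action").lower(),
               int(sid.group(1)) if sid else None,
               msg.group(1) if msg else "")


def audit_inline_rules(text):
    """Count rules per action and list the sids that will only alert under -Q."""
    counts = Counter()
    alert_only = []
    for action, sid, _msg in parse_rules(text):
        counts[action] += 1
        if action == "alert":
            alert_only.append(sid)
    return {"counts": dict(counts),
            "alert_only_sids": alert_only,
            "blocking_rules": sum(counts[a] for a in BLOCKING_ACTIONS)}


if __name__ == "__main__":
    report = audit_inline_rules(SAMPLE_RULES)
    print(report)  # the two blacklist rules show up as alert-only
```

Point the script at a real rules file to see how many rules would block at all; a ruleset made entirely of alert rules behaves exactly like the IDS-only result the post describes, even when NFQ is wired up correctly.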