[Snort-users] Snort Inline
jhchung at ...2025...
Fri Jan 3 08:41:02 EST 2003
Don't you have to put something like below to get all the packets?
iptables -t filter -A FORWARD -j QUEUE
Last time I used snort-inline (was very long ago..), I put the above
line and it worked nicely..
On Thu, Jan 02, 2003 at 10:52:28AM -0600, Bob McDowell wrote:
> I have no 'official' documentation as of yet. I'm still feeling around in
> the dark, searching for answers. I can, however, share with you the (mostly
> undocumented) steps you'll need to take. Maybe someone from the list can
> correct my mistakes.
> 1) Get the iptables source and re-compile it into the kernel src, with ipq
> enabled: make install-devel KERNEL_DIR=(your kernel source dir)
> 2) Then compile your new kernel with that option. You will have to enable
> 'Experimental code' as well as 'Userspace queuing' in your 'make menuconfig'
> 3) Get and install libpcap
> 4) Get and compile snort-inline - './configure --enable-inline'
> 5) Change one of the included rules from 'alert xyz' to 'drop xyz'
> 6) Run snort with the -Q option
> If you get no errors, you are now as far as I am...
> As I've stated, I'm having issues with logging. With the -Q option passed to
> snort, it does not log anything at all. I suppose it may not even be
> working at all, but at least I've quieted all the errors.
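
The check the reply above points at, as an added example that is not part of the original thread: it reads iptables-save style output and reports whether a chain hands packets to the QUEUE target that snort -Q reads from. The function names and both sample rulesets are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the thread). Input is iptables-save style text.

# Print "table:chain" once for every chain with a rule that jumps to QUEUE.
queued_chains() {
    awk '
        /^\*/ { table = substr($0, 2); next }   # "*filter" opens a table
        $1 == "-A" {
            for (i = 3; i < NF; i++)
                if (($i == "-j" || $i == "--jump") && $(i + 1) == "QUEUE") {
                    key = table ":" $2
                    if (!(key in seen)) { seen[key] = 1; print key }
                    break
                }
        }
    '
}

# Succeed only if chain $2 of table $1 hands packets to QUEUE.
chain_is_queued() {
    queued_chains | grep -qxF -- "$1:$2"
}

# Constructed sample: forwarding rules that never queue to userspace.
SAMPLE_NO_QUEUE='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -p tcp --dport 80 -j ACCEPT
COMMIT'

# Constructed sample: ruleset holding the rule quoted in the reply.
SAMPLE_QUEUE='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -j QUEUE
COMMIT'

report() {
    if printf '%s\n' "$2" | chain_is_queued filter FORWARD; then
        echo "$1: FORWARD is queued, packets can reach snort -Q"
    else
        echo "$1: no QUEUE rule on FORWARD, nothing is handed to snort -Q"
    fi
}
report "without rule" "$SAMPLE_NO_QUEUE"
report "with rule" "$SAMPLE_QUEUE"
```

On a live gateway the same check is `iptables-save | chain_is_queued filter FORWARD`, run as root.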