[Snort-users] Snort Inline

Jihoon Chung jhchung at ...2025...
Fri Jan 3 08:41:02 EST 2003


Don't you have to put something like below to get all the packets?

iptables -t filter -A FORWARD -j QUEUE

Last time I used snort-inline (was very long ago..), I put the above
line and it worked nicely..

On Thu, Jan 02, 2003 at 10:52:28AM -0600, Bob McDowell wrote:
> I have no 'official' documentation as of yet.  I'm still feeling around in
> the dark, searching for answers.  I can, however, share with you the (mostly
> undocumented) steps you'll need to take.  Maybe someone from the list can
> correct my mistakes.
> 
> 1)  Get the iptables source and re-compile it into the kernel src, with ipq
> enabled:  make install-devel KERNEL_DIR=(your kernel source dir)
> 2)  Then compile your new kernel with that option.  You will have to enable
> 'Experimental code' as well as 'Userspace queuing' in your 'make menuconfig'
> step.
> 3)  Get and install libpcap
> 4)  Get and compile snort-inline - './configure --enable-inline'
> 5)  Change one of the included rules from 'alert xyz' to 'drop xyz'
> 6)  Run snort with the -Q option
> 
> If you get no errors, you are now as far as I am...
> 
> As I've stated, I'm have issues with logging.  With the -Q option passed to
> snort, it does not log anything at all.  I suppose it may not even be
> working at all, but at least I've quieted all the errors.
> 
> 




More information about the Snort-users mailing list