[Snort-users] snort inline behavior
josh.berry at ...10221...
Wed Nov 26 06:40:10 EST 2003
Yes, when you shut down Snort-Inline on the interfaces that connections are
coming in and out of, then iptables sends packets to the QUEUE but there is
nothing to inspect them and pass them on. I suggest having another NIC
for management of the box and not running snort-inline on that NIC.
> First, thanks to all for the help on getting the right inline version
> I went through my firewall script and every '-j ACCEPT' I had, I changed to
> '-j QUEUE' and re-built my iptables chains. Did `insmod ip_queue`, loaded
> fine. Started up snort_inline with '-DQ -l ... -c ...'. Everything
> fine. After a couple of minutes I decided instead of -D (daemon) I'd
> see a little output to make sure it was seeing packets as expected. I was
> ssh'ed into the box so I figured my iptables "ESTABLISHED,RELATED -j
> entry should show a lot of ssh packets. I do a `kill` on the snort_inline
> pid and suddenly my ssh connection goes dead - I'm waiting for it to
> now. In the meantime I've tried to re-ssh back into the box, but they
> time out.
> I'm wondering if this is some weird deal that if you don't have someone
> running on QUEUE that the packets never get ACCEPTed and by shutting snort
> down I just shot myself in the foot.
> I'm going to go ahead and set up another box (that one is 1hr away, and the
> tech guy will arrive in the morning and I'll walk him through changing
> back to ACCEPT and restart the firewall...) and getting it tested locally
> where if it breaks I can fix it easily.
> In the meantime I was wondering if you guys could lend your experience
> here. Does killing snort_inline while it's watching the QUEUE break any
> connections that are getting -j QUEUEed? What happened here?
Josh Berry, CTO
josh.berry at ...10268...
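The lockout described in the thread follows from how the QUEUE target works: with no userspace reader attached to ip_queue, queued packets are dropped, so the moment snort_inline dies every '-j QUEUE' rule behaves like '-j DROP', including the one carrying your SSH session. The script below is an added example (not from the post, and not part of snort_inline or the original firewall script) of the layout Josh suggests: SSH on a dedicated management NIC is matched by plain ACCEPT rules placed before any QUEUE rule, while forwarded and other established traffic still goes to QUEUE. The interface name, subnet and the "Peer PID" line format read from /proc/net/ip_queue are assumptions made for illustration; gen_rules only emits text so it can be reviewed (or fed to iptables-restore) rather than applied blindly.

```shell
#!/bin/sh
# Added example, not code from the mailing-list post.
# Keeps a management NIC on ACCEPT so that killing snort_inline cannot
# cut off the admin session. Values below are constructed for illustration.
MGMT_IF="${MGMT_IF:-eth2}"          # assumed management interface
MGMT_NET="${MGMT_NET:-10.0.0.0/24}" # assumed admin subnet

# Emit an iptables-restore style ruleset. Management SSH on MGMT_IF is
# ACCEPTed before any QUEUE rule; everything else that used to be ACCEPTed
# goes to QUEUE for snort_inline to inspect.
gen_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -i $MGMT_IF -s $MGMT_NET -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -o $MGMT_IF -d $MGMT_NET -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j QUEUE
-A FORWARD -m state --state ESTABLISHED,RELATED -j QUEUE
-A OUTPUT -m state --state ESTABLISHED,RELATED -j QUEUE
COMMIT
EOF
}

# Return 0 when a userspace peer (snort_inline) is attached to ip_queue.
# Assumes the status file carries a "Peer PID : N" line as /proc/net/ip_queue
# does; a PID of 0 means nobody is reading the queue and QUEUE == DROP.
queue_has_listener() {
    f="${1:-/proc/net/ip_queue}"
    [ -r "$f" ] || return 1
    pid=$(sed -n 's/^Peer PID[[:space:]]*:[[:space:]]*\([0-9]*\).*/\1/p' "$f")
    [ -n "$pid" ] && [ "$pid" -ne 0 ]
}

# Sanity check on the generated ruleset: the management ACCEPT must appear
# before the first QUEUE rule in the INPUT chain, otherwise it is useless.
mgmt_accept_precedes_queue() {
    rules=$(gen_rules)
    accept_line=$(printf '%s\n' "$rules" | grep -n -- "-A INPUT -i $MGMT_IF .*-j ACCEPT" | cut -d: -f1 | head -n 1)
    queue_line=$(printf '%s\n' "$rules" | grep -n -- "-A INPUT .*-j QUEUE" | cut -d: -f1 | head -n 1)
    [ -n "$accept_line" ] && [ -n "$queue_line" ] && [ "$accept_line" -lt "$queue_line" ]
}

# Usage: review the rules, then only apply them once the queue reader is up.
#   gen_rules                      # print the ruleset for inspection
#   queue_has_listener && gen_rules | iptables-restore
```

Before swapping ACCEPT for QUEUE on a remote box, run `queue_has_listener` (or check /proc/net/ip_queue by hand) so the rules are only loaded while snort_inline is actually attached, and keep the management rules above every QUEUE rule so that a crash of the inspector degrades to "no inspection of managed traffic" rather than "no access to the box".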