[Snort-users] snort inline behavior

/dev/null dev.null at ...9081...
Wed Nov 26 06:41:06 EST 2003

> If you add a QUEUE rule to iptables, you have to make sure that a process
> is actually listening to the ip_queue. Otherwise netfilter actually waits
> until a process picks up the packets.

Woah.  What happens when snort_inline dies or maybe when we need to
stop/start snort_inline?  Ooops.

I'm guessing there is a "dummy" app that you can set up to always listen to
the queue so this problem doesn't happen?  If not I need to write one.

> There is another issue. As soon as snort_inline has decided whether to
> or accept a packet, the following iptables rules are not being used
> The decision whether to accept or drop a packet is solely made in snort
> This way you can have the problem that your packet filter ruleset becomes

Yeah, well by the time I've decided to ACCEPT, it's passed through all the
rules it's going to pass through and it really needs to be accepted (minus
the scrutiny of snort_inline).

So I take it if whatever apps are listening to QUEUE don't DROP it, it's
ACCEPTed, eh?
