[Snort-users] Snort Inline

Will Metcalf william.metcalf at ...11827...
Mon Jun 6 14:52:12 EDT 2005


Xavier,

Darn checksums, try setting this in your snort.conf

config checksum_mode: none

Regards,

Will
On 6/6/05, Xavier Cabrera <xavierc at ...12882...> wrote:
> I put your line in my iptables... and it doesn't work... ICMP works fine for
> me. Do you have some other reasons?
> 
> Thanks...
> 
> Xavier C.
> 
> Victor Julien wrote:
> 
> >On Monday 06 June 2005 21:14, Xavier Cabrera wrote:
> >
> >
> >>Hello:
> >>
> >>Does anyone have a rule to stop a DoS attack on Apache with Snort inline?
> >>
> >>I have this rule:
> >>
> >>drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"XavierC  Try
> >>to stop http DOS Attack";  flags:S; threshold: type both, track by_src,
> >>count 5, seconds 1; classtype:misc-activity; sid:3000000; rev:1;)
> >>
> >>and this on iptables table INPUT:
> >>
> >>QUEUE      tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80
> >>
> >>
> >>
> >
> >Snort_inline needs to see the outgoing traffic as well, so add the following
> >iptables rule:
> >'iptables -A OUTPUT -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 --sport 80 -j QUEUE'
> >
> >Now it should work!
> >
> >Regards,
> >Victor
> >
> >
> >
> >
> >>It seems to stop some connections:
> >>
> >>[**] [1:3000000:1] XavierC  Try to stop http DOS Attack [**]
> >>[Classification: Misc activity] [Priority: 3]
> >>06/06-15:09:05.789134 213.168.19.34:3440 -> 207.58.187.4:80
> >>TCP TTL:118 TOS:0x0 ID:34857 IpLen:20 DgmLen:48 DF
> >>******S* Seq: 0x590907AD  Ack: 0x0  Win: 0xFAF0  TcpLen: 28
> >>TCP Options (4) => MSS: 1460 NOP NOP SackOK
> >>
> >>[**] [1:3000000:1] XavierC  Try to stop http DOS Attack [**]
> >>[Classification: Misc activity] [Priority: 3]
> >>06/06-15:09:05.926906 61.211.140.68:32966 -> 207.58.187.4:80
> >>TCP TTL:117 TOS:0x0 ID:256 IpLen:20 DgmLen:44
> >>******S* Seq: 0x17B00000  Ack: 0x0  Win: 0x4000  TcpLen: 24
> >>TCP Options (1) => MSS: 1400
> >>
> >>
> >>But when I want to make a real connection from a good IP I can't see the
> >>website... and no log appears for the good IP!!!
> >>
> >>What could be happening?
> >>
> >>Thanks everyone.
> >>
> >>Xavier C.
> >>
> >>
> >>
> >>-------------------------------------------------------
> >>This SF.Net email is sponsored by: NEC IT Guy Games.  How far can you
> >>shotput a projector? How fast can you ride your desk chair down the office
> >>luge track? If you want to score the big prize, get to know the little guy.
> >>Play to win an NEC 61" plasma display: http://www.necitguy.com/?r=20
> >>_______________________________________________
> >>Snort-users mailing list
> >>Snort-users at lists.sourceforge.net
> >>Go to this URL to change user options or unsubscribe:
> >>https://lists.sourceforge.net/lists/listinfo/snort-users
> >>Snort-users list archive:
> >>http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >>
> >>
> >
> >
> 
> 
> 
>
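
What `config checksum_mode: none` changes, as an added example that is not part of the original thread: by default Snort verifies checksums and does not run detection on packets that fail, and `none` turns that verification off. The sketch models the check for one TCP segment; the function names, the documentation-range addresses, the header values, and the premise that a locally generated reply from port 80 reaches the queue before its checksum is filled in are all assumptions.

```python
import socket
import struct

def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def pseudo_header(src: str, dst: str, tcp_len: int) -> bytes:
    """IPv4 pseudo-header that the TCP checksum also covers."""
    return (socket.inet_aton(src) + socket.inet_aton(dst)
            + struct.pack("!BBH", 0, socket.IPPROTO_TCP, tcp_len))

def build_tcp_header(src, dst, sport, dport, flags, fill_checksum=True) -> bytes:
    """Constructed 20-byte TCP header with no payload (sample data only)."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, 1000, 2000,
                      5 << 4, flags, 0x4000, 0, 0)
    if not fill_checksum:
        return hdr  # stand-in for a packet whose checksum is not computed yet
    csum = internet_checksum(pseudo_header(src, dst, len(hdr)) + hdr)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:]

def tcp_checksum_ok(src, dst, segment: bytes) -> bool:
    """Receiver-side check: a valid segment sums to zero with its pseudo-header."""
    return internet_checksum(pseudo_header(src, dst, len(segment)) + segment) == 0

def sensor_inspects(src, dst, segment: bytes, checksum_mode="all") -> bool:
    """Model: with verification on, a bad-checksum packet is skipped by detection."""
    if checksum_mode == "none":
        return True
    return tcp_checksum_ok(src, dst, segment)

# Constructed sample: SYN/ACK (0x12) from the web server back to a client.
SERVER, CLIENT = "192.0.2.10", "198.51.100.7"
WIRE = build_tcp_header(SERVER, CLIENT, 80, 3440, 0x12)
UNFILLED = build_tcp_header(SERVER, CLIENT, 80, 3440, 0x12, fill_checksum=False)

if __name__ == "__main__":
    for name, seg in (("wire", WIRE), ("unfilled", UNFILLED)):
        for mode in ("all", "none"):
            print(name, mode, sensor_inspects(SERVER, CLIENT, seg, mode))
```
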



