[Snort-users] snort-inline and iptables INPUT chain

Laurent Haond lhaond at ...13100...
Wed Mar 2 15:32:21 EST 2005


Big Thanks for your help Will !

Will Metcalf wrote:

>Nothing is showing up in your alert logs? Is it just ssh or does this
>happen with all connections?  Try the following....
>
No alert, no dump.
It happens for all TCP connections (tested HTTP as well).
It works for UDP/ICMP (DNS queries / ping work).
With advanced firewall rules, forwarded TCP/UDP/ICMP/whatever 
connections were OK,
but nothing works from the LAN to the snort box ... (didn't try from 
the internet to the snort box)

>iptables -F INPUT
>iptables -F OUTPUT
>iptables -F FORWARD
>iptables -A INPUT -i lo -j ACCEPT
>iptables -A INPUT -j QUEUE
>iptables -A FORWARD -j QUEUE
>iptables -A OUTPUT -j QUEUE
>
>in your snort.conf set checksum mode to none.
>
>config checksum_mode: none
>
>Regards,
>
>Will
>

Adding "config checksum_mode: none" did the job, now it works. (BTW, with 
or without the iptables -A INPUT -i lo -j ACCEPT rule.)
I relaunched my complete set of firewall rules / internet connections and 
it's still working ;-)
(I have some alerts about lo / 127.0.0.1, but they will be easy to avoid 
by bypassing the queue..)

"Googling" this config directive, I think I could have found it by 
myself (there are some threads on this list about the ssh/tcp issue and this 
directive),
so I'm sorry if I've made you lose your time...

Let me, please, ask you some more questions:
Why are forwarded checksums OK, but some ssh replies corrupted?
Is this an issue from the kernel / iptables / snort?
(I'm using a 2.4.27 kernel / iptables 1.2.11 ... going to upgrade to 1.3.x 
soon)

Thanks

Regards

Laurent

PS: sorry for my bad English...

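An added illustration, not part of this thread, of the check that "config checksum_mode: none" switches off: a small TCP checksum verifier in Python, run over a constructed SYN-ACK from the snort box, once carrying the complete checksum a forwarded packet already has, and once carrying only the pseudo-header partial sum that (an assumption made here, not stated in the thread) a checksum-offloaded packet still holds when it is queued from the OUTPUT chain before the NIC completes it. Addresses, ports and sequence numbers are all constructed sample values.

```python
import struct
from ipaddress import IPv4Address


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum; an odd trailing byte is padded with zero."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total


def pseudo_header(src: str, dst: str, tcp_len: int) -> bytes:
    """RFC 793 pseudo-header: src, dst, zero byte, protocol 6 (TCP), TCP length."""
    return IPv4Address(src).packed + IPv4Address(dst).packed + struct.pack("!BBH", 0, 6, tcp_len)


def tcp_checksum(src: str, dst: str, segment: bytes) -> int:
    """Complete checksum as the sender must emit it (checksum field zeroed first)."""
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    return (~ones_complement_sum(pseudo_header(src, dst, len(segment)) + zeroed)) & 0xFFFF


def tcp_checksum_valid(src: str, dst: str, segment: bytes) -> bool:
    """Receiver/IDS check: sum over pseudo-header + segment (field in place) must be 0xFFFF."""
    return ones_complement_sum(pseudo_header(src, dst, len(segment)) + segment) == 0xFFFF


def build_segment(sport: int, dport: int, seq: int, ack: int, flags: int, checksum: int) -> bytes:
    """Minimal 20-byte TCP header (data offset 5, window 65535, no payload)."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, checksum, 0)


# Constructed sample: an SSH SYN-ACK from the snort box (192.168.1.1) to a LAN host.
SRC, DST = "192.168.1.1", "192.168.1.10"
SYN_ACK = 0x12
unchecked = build_segment(22, 40000, 1000, 501, SYN_ACK, 0)   # checksum not yet filled in


def complete_packet() -> bytes:
    """What a forwarded packet looks like: the sender already wrote the full checksum."""
    return build_segment(22, 40000, 1000, 501, SYN_ACK, tcp_checksum(SRC, DST, unchecked))


def offloaded_packet() -> bytes:
    """Assumed shape of a locally generated packet queued from OUTPUT before the NIC
    finishes checksum offload: the field holds only the pseudo-header partial sum."""
    partial = ones_complement_sum(pseudo_header(SRC, DST, len(unchecked)))
    return build_segment(22, 40000, 1000, 501, SYN_ACK, partial)
```

With checksum verification enabled, the first packet passes and the second is treated as corrupt and dropped, which is the symptom the thread describes for local TCP replies.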