[Snort-users] snort-inline and iptables INPUT chain
lhaond at ...13100...
Wed Mar 2 15:32:21 EST 2005
Big thanks for your help, Will!
Will Metcalf wrote:
>Nothing is showing up in your alert logs? Is it just ssh or does this
>happen with all connections? Try the following....
No alert, no dump.
It happens for all TCP connections (tested http as well).
It works for udp/icmp (dns queries / ping work).
With advanced firewall rules, forwarded tcp/udp/icmp/whatever
connections were OK,
but nothing works from the LAN to the snort box ... (didn't try from the
internet to the snort box)
>iptables -F INPUT
>iptables -F OUTPUT
>iptables -F FORWARD
>iptables -A INPUT -i lo -j ACCEPT
>iptables -A INPUT -j QUEUE
>iptables -A FORWARD -j QUEUE
>iptables -A OUTPUT -j QUEUE
>in your snort.conf set checksum mode to none.
>config checksum_mode: none
Adding "config checksum_mode: none" did the job; now it works. (BTW, with
or without the iptables -A INPUT -i lo -j ACCEPT rule.)
I relaunched my complete set of firewall rules / internet connections and
it's still working ;-)
(I have some alerts about lo / 127.0.0.1 but they will be easy to avoid by
bypassing the queue..)
"Googling" this config directive, I think I could have found it by
myself (there are some threads on this list about the ssh/tcp issue and this),
so I'm sorry if I've made you lose your time...
Let me, please, ask you some more questions:
why are forwarded checksums OK, but some ssh replies corrupted?
Is this an issue from kernel / iptables / snort?
(I'm using 2.4.27 kernel / iptables 1.2.11 ... going to upgrade to 1.3.x)
PS: sorry for my bad English...
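The following is an added illustration, not code from the thread or from snort-inline, of the check that "config checksum_mode: none" switches off. It models the observation above: packets forwarded through the box, or arriving from the LAN on INPUT, carry a checksum their sender's stack already computed and pass verification, while a reply the snort box itself generates is queued from OUTPUT with the TCP checksum field still zero (the assumption here: the local stack or NIC fills it in after the QUEUE target has seen the packet). The addresses, ports and sequence numbers are constructed, and a packet failing verification is modelled as dropped, which matches the TCP connections failing until the directive was added.

```python
"""Toy model of snort-inline's TCP checksum verification on ip_queue packets.
Added example; not snort code. All packet values below are constructed."""
import ipaddress
import struct

TCP_PROTO = 6
FLAG_SYN, FLAG_ACK = 0x02, 0x10


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def tcp_checksum(src: str, dst: str, segment: bytes) -> int:
    """Checksum over the IPv4 pseudo-header plus the TCP segment, with the
    segment's own checksum field (bytes 16-17) treated as zero."""
    pseudo = (ipaddress.IPv4Address(src).packed
              + ipaddress.IPv4Address(dst).packed
              + struct.pack("!BBH", 0, TCP_PROTO, len(segment)))
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    return (~ones_complement_sum(pseudo + zeroed)) & 0xFFFF


def build_segment(src, dst, sport, dport, flags, payload=b"", fill_checksum=True):
    """Build a 20-byte TCP header plus payload; fill_checksum=False leaves the
    checksum field at zero, modelling a locally generated packet that the
    stack has not finished yet (assumption, see lead-in)."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, 1000, 2000, 5 << 4, flags, 8192, 0, 0)
    seg = hdr + payload
    if fill_checksum:
        seg = seg[:16] + struct.pack("!H", tcp_checksum(src, dst, seg)) + seg[18:]
    return seg


def checksum_ok(src: str, dst: str, segment: bytes) -> bool:
    """True when the stored checksum matches one recomputed over the segment."""
    stored = struct.unpack("!H", segment[16:18])[0]
    return stored == tcp_checksum(src, dst, segment)


def inline_verdict(src: str, dst: str, segment: bytes, checksum_mode: str = "all") -> str:
    """Return 'accept' or 'drop'. checksum_mode mirrors the snort.conf
    'config checksum_mode:' directive for the two values relevant here:
    'all' verifies TCP checksums, 'none' skips verification."""
    if checksum_mode != "none" and not checksum_ok(src, dst, segment):
        return "drop"
    return "accept"


def demo():
    """Verdicts for a LAN SYN (INPUT) and the box's SYN/ACK (OUTPUT), per mode."""
    lan, box = "192.168.1.10", "192.168.1.1"  # constructed addresses
    # SYN from a LAN host: its sender's stack computed the checksum.
    syn = build_segment(lan, box, 40000, 22, FLAG_SYN)
    # SYN/ACK generated on the snort box and queued from OUTPUT before the
    # checksum field is filled (assumption modelled as a zero field).
    synack = build_segment(box, lan, 22, 40000, FLAG_SYN | FLAG_ACK, fill_checksum=False)
    return {mode: (inline_verdict(lan, box, syn, mode),
                   inline_verdict(box, lan, synack, mode))
            for mode in ("all", "none")}


if __name__ == "__main__":
    for mode, verdicts in demo().items():
        print("checksum_mode %-4s  SYN from LAN: %s   SYN/ACK from box: %s"
              % (mode, *verdicts))
```

With checksum_mode "all" the inbound SYN is accepted but the half-built reply is dropped, so the handshake never completes; with "none" both pass, which is the behaviour the thread reports. The trade-off is that with verification off, a genuinely corrupted packet is no longer discarded by snort before inspection.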