[Snort-users] How to test snort inline

vikrant at ...13540...
Thu Sep 29 04:26:22 EDT 2005


hi

I have successfully installed snort_inline 2.3.0 on my machine. But when I
try to test snort_inline with the following rule, it does not work
(meaning it does not drop the request to connect to port 80).

I am adding the following rule just below the comment lines but above the
alert rules in the "web-attacks.rules" file (path of the file is
/etc/snort_inline/rules/) to drop the request.
-------------------------------------------------------------------------------------------------
drop tcp any any -> any 80 (classtype:attempted-user; msg:"Port 80 connection initiated";)
-------------------------------------------------------------------------------------------------

I have changed snort_inline.conf and snort.conf as follows:

Changes I made in the snort_inline.conf file (path /etc/snort_inline/):
1. Set "var RULE_PATH /etc/snort_inline/rules"
2. Enable the web-attacks.rules

Changes I made in the snort.conf file (path /etc/snort_inline/):
1. Set "var RULE_PATH /etc/snort_inline/rules"
2. Enable the web-attacks.rules
3. Set the "var HOME_NET 10.0.1.0/24"

Now, the commands I am executing are:

1. modprobe ip_queue
2. lsmod | grep ip_queue
----------------------------
output
ip_queue 9945 0
-------------------------

3. iptables -I INPUT -p tcp --dport 80 -j QUEUE

4. snort_inline -c /etc/snort_inline/snort_inline.conf -Q -N -l /var/log/snort_inline/ \
       -t /var/log/snort_inline/ -v
-------------------------------------------------
output
__== Initialisation Complete ==__
-------------------------------------------------

snort_inline starts successfully, but the above drop rule does not work.

I have installed snort_inline with the following packages:
----------------------------------
kernel version 2.6.9-11EL
iptable version 1.3.2
libnet-1.0.2a
pcre-6.4
---------------------------------

So, please let me know if I am doing something wrong in the above process;
actually, I am new to snort_inline.

Also, please tell me how I should test snort_inline if the above rule does not work.

Thanks

Vikrant
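An offline way to sanity-check the rule before touching the live box, written as an added example for this thread (it is not part of the original post and not snort_inline's own code): parse a rules file the way the post describes it (the drop rule sitting uncommented between the comment block and the first alert rule), expand the usual $VAR names, and simulate which packet five-tuples the rule header would match. The sample rules text and the variable values are constructed here; the only real values taken from the post are the drop rule itself and the 10.0.1.0/24 HOME_NET. The matcher covers header fields only (action, protocol, addresses, ports, direction); it does not model Snort's action ordering, preprocessors, or rule options such as flow.

```python
"""Offline sanity check for a snort_inline drop rule (added example).

Parses Snort 2.x-style rule headers from a rules file, skips commented-out
lines, expands $VAR references, and reports which rules' headers would match
a given packet.  Everything below is constructed for illustration.
"""
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed excerpt of web-attacks.rules: the drop rule from the post placed
# below the comment block and above the first alert rule.  The alert rule and
# the commented-out 8080 rule are made up for the example.
SAMPLE_RULES = """\
# web-attacks.rules (constructed sample, not the real file)
# -------------------------------------------------
drop tcp any any -> any 80 (classtype:attempted-user; msg:"Port 80 connection initiated";)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS sample"; flow:to_server,established; sid:1000001;)
# drop tcp any any -> any 8080 (msg:"commented out, so never loaded";)
"""

# Constructed variable values; HOME_NET mirrors the post's 10.0.1.0/24.
SAMPLE_VARS = {"$EXTERNAL_NET": "any", "$HTTP_SERVERS": "10.0.1.0/24", "$HTTP_PORTS": "80"}

HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    direction: str
    dst: str
    dport: str
    options: dict


def parse_rule(line, variables=None):
    """Parse one rule line into a Rule, expanding $VAR names in the header."""
    variables = variables or {}
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a rule: {line!r}")
    f = {k: variables.get(v, v) for k, v in m.groupdict().items() if k != "opts"}
    # Simple option split: fine for the sample, not for values containing ';'.
    options = {}
    for opt in filter(None, (o.strip() for o in m.group("opts").split(";"))):
        key, _, val = opt.partition(":")
        options[key.strip()] = val.strip().strip('"')
    return Rule(f["action"], f["proto"], f["src"], f["sport"], f["dir"], f["dst"], f["dport"], options)


def active_rules(text, variables=None):
    """Return the rules on lines that are not blank and not commented out."""
    return [parse_rule(s, variables) for s in (l.strip() for l in text.splitlines())
            if s and not s.startswith("#")]


def _ip_ok(spec, addr):
    """Does an address spec ('any', CIDR, host, optional leading '!') match addr?"""
    if spec == "any":
        return True
    negated = spec.startswith("!")
    hit = ip_address(addr) in ip_network(spec.lstrip("!"), strict=False)
    return hit != negated


def _port_ok(spec, port):
    """Does a port spec ('any', N, lo:hi, optional leading '!') match port?"""
    if spec == "any":
        return True
    negated = spec.startswith("!")
    spec = spec.lstrip("!")
    if ":" in spec:
        lo, _, hi = spec.partition(":")
        hit = int(lo or 0) <= port <= int(hi or 65535)
    else:
        hit = port == int(spec)
    return hit != negated


def header_matches(rule, proto, src, sport, dst, dport):
    """True if the rule header matches the packet; '<>' checks both directions."""
    if rule.proto != "ip" and rule.proto != proto:
        return False
    fwd = (_ip_ok(rule.src, src) and _port_ok(rule.sport, sport)
           and _ip_ok(rule.dst, dst) and _port_ok(rule.dport, dport))
    if rule.direction == "->":
        return fwd
    rev = (_ip_ok(rule.src, dst) and _port_ok(rule.sport, dport)
           and _ip_ok(rule.dst, src) and _port_ok(rule.dport, sport))
    return fwd or rev


def matching_actions(rules, proto, src, sport, dst, dport):
    """Actions of every rule whose header matches the packet, in file order."""
    return [r.action for r in rules if header_matches(r, proto, src, sport, dst, dport)]


if __name__ == "__main__":
    rules = active_rules(SAMPLE_RULES, SAMPLE_VARS)
    print(f"{len(rules)} active rule(s) loaded")
    for pkt in [("tcp", "192.0.2.5", 40000, "10.0.1.7", 80),
                ("tcp", "192.0.2.5", 40000, "10.0.1.7", 443),
                ("tcp", "10.0.1.7", 80, "192.0.2.5", 40000)]:
        print(pkt, "->", matching_actions(rules, *pkt) or "no match")
```

Run it after editing the rules file (point SAMPLE_RULES at the real file contents) to confirm two things the post's symptom hinges on: that the drop line is actually loaded (an accidental leading "#" silently disables it) and that its header really covers the test connection, including the direction arrow (the reply packets from port 80 do not match a "-> any 80" rule). Whether a matching packet ever reaches Snort is a separate question decided by the iptables chain: a QUEUE rule in INPUT hands over only traffic addressed to the host itself, so a connection test has to target that host's own port 80.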