[Snort-users] How to test snort inline

Dino Dragovic dragovic at ...12785...
Thu Sep 29 05:20:41 EDT 2005


Hi,

Don't forget to QUEUE the return traffic as well:

iptables -I OUTPUT -p tcp --sport 80 -j QUEUE

Regards,
~~~
Dino Dragovic

On Thu, 29 Sep 2005 vikrant at ...13540... wrote:

> Hi,
>
> I have successfully installed snort_inline 2.3.0 on my machine. But when I
> try to test snort_inline with the following rule, it does not work
> (meaning it does not drop the request to connect to port 80).
>
> I am adding the following rule just below the comment lines but above the
> alert rules in the "web-attacks.rules" file (path of file is
> /etc/snort_inline/rules/) to drop the request.
> -------------------------------------------------------------------------------------------------
> drop tcp any any -> any 80 (classtype:attempted-user; msg:"Port 80
> connection initiated";)
> -------------------------------------------------------------------------------------------------
>
> I have changed snort_inline.conf and snort.conf as follows:
>
> Changes I made in the snort_inline.conf file (path /etc/snort_inline/) are:
> 1. Set "var RULE_PATH /etc/snort_inline/rules"
> 2. Enable the web-attacks.rules
>
> Changes I made in the snort.conf file (path /etc/snort_inline) are:
> 1. Set "var RULE_PATH /etc/snort_inline/rules"
> 2. Enable the web-attacks.rules
> 3. Set "var HOME_NET 10.0.1.0/24"
>
> Now, the commands I am executing are:
>
> 1. modprobe ip_queue
> 2. lsmod | grep ip_queue
> ----------------------------
> output
> ip_queue 9945 0
> -------------------------
>
> 3. iptables -I INPUT -p tcp --dport 80 -j QUEUE
>
> 4. snort_inline -c /etc/snort_inline/snort_inline.conf -Q -N -l
> /var/log/snort_inline/ \
>     -t /var/log/snort_inline/ -v
> -------------------------------------------------
> output
> __== Initialisation Complete ==__
> -------------------------------------------------
>
> snort_inline starts successfully, but the above drop rule does not work.
>
> I have installed snort_inline with the following packages:
> ----------------------------------
> kernel version 2.6.9-11EL
> iptable version 1.3.2
> libnet-1.0.2a
> pcre-6.4
> ---------------------------------
>
> So, please let me know if I am doing something wrong in the above process;
> I am new to snort_inline.
>
> Also, please tell me how I can test snort_inline if the above rule does not work.
>
> Thanks
>
> Vikrant
>
>
>
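The point in the reply above (the INPUT rule alone only hands snort_inline half of the conversation; the replies from port 80 also have to go through the QUEUE target) is easy to get wrong, so here is a small offline check, added here and not code from either poster or from the snort_inline project. It parses iptables-save style text and a rules file excerpt, both constructed samples modelled on the setup in the thread, and reports what is still missing before a drop test can be expected to work. The function names, the sample texts and the default port 80 are this example's own assumptions.

```python
"""Sanity checks for a snort_inline drop-rule test (added example, not from the thread).

Before a `drop` rule can be seen working, two things must hold:
  1. iptables must hand BOTH directions of the port-80 conversation to the
     QUEUE target: INPUT --dport 80 and OUTPUT --sport 80. With only the
     INPUT rule, snort_inline never sees the server's replies.
  2. the rules file snort_inline loads must actually contain the drop rule.
Both checks work on text, so they run offline against constructed samples.
"""
import re

# Constructed sample of `iptables-save` output for the setup described in
# the question: only the INPUT direction is queued.
SAMPLE_ONE_WAY = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 80 -j QUEUE
COMMIT
"""

# Constructed sample after adding the OUTPUT rule from the reply.
SAMPLE_BOTH_WAYS = SAMPLE_ONE_WAY.replace(
    "COMMIT", "-A OUTPUT -p tcp -m tcp --sport 80 -j QUEUE\nCOMMIT")

# Constructed excerpt of a rules file containing the drop rule from the thread
# followed by an ordinary alert rule (sid value is a placeholder).
SAMPLE_RULES = """\
# comment lines
drop tcp any any -> any 80 (classtype:attempted-user; msg:"Port 80 connection initiated";)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS example"; sid:1;)
"""

# One iptables-save rule line: "-A <chain> <matches> -j <target>"
RULE_RE = re.compile(
    r"^-A\s+(?P<chain>\S+)\s+(?P<body>.*?)\s+-j\s+(?P<target>\S+)\s*$")


def queued_directions(iptables_save_text, port=80):
    """Return the set of directions ('in', 'out') for which TCP `port`
    is sent to the QUEUE target, parsed from iptables-save style text."""
    found = set()
    for line in iptables_save_text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m or m.group("target") != "QUEUE":
            continue
        chain, body = m.group("chain"), m.group("body")
        if "-p tcp" not in body:
            continue
        if chain == "INPUT" and f"--dport {port}" in body:
            found.add("in")
        if chain == "OUTPUT" and f"--sport {port}" in body:
            found.add("out")
    return found


def missing_directions(iptables_save_text, port=80):
    """Directions that still need a QUEUE rule; empty means both sides are queued."""
    return sorted({"in", "out"} - queued_directions(iptables_save_text, port))


def drop_rules_for_port(rules_text, port=80):
    """Return the `drop` rules in a snort rules file whose destination port
    is `port`, skipping comments and blank lines."""
    hits = []
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # Header layout: action proto src_ip src_port -> dst_ip dst_port (options)
        parts = line.split()
        if len(parts) >= 7 and parts[0] == "drop" and parts[4] == "->" \
                and parts[6] == str(port):
            hits.append(line)
    return hits


def setup_report(iptables_save_text, rules_text, port=80):
    """List what is still missing before a drop test can be expected to work."""
    problems = []
    for d in missing_directions(iptables_save_text, port):
        fix = (f"iptables -I INPUT -p tcp --dport {port} -j QUEUE" if d == "in"
               else f"iptables -I OUTPUT -p tcp --sport {port} -j QUEUE")
        problems.append(f"{d}bound port {port} traffic is not queued; add: {fix}")
    if not drop_rules_for_port(rules_text, port):
        problems.append(f"no 'drop' rule for destination port {port} in the rules file")
    return problems


if __name__ == "__main__":
    for label, text in (("one-way", SAMPLE_ONE_WAY), ("both-ways", SAMPLE_BOTH_WAYS)):
        print(label, setup_report(text, SAMPLE_RULES) or ["ok"])
```

On a real box, feed it the actual output of `iptables-save` and the rules file snort_inline is told to load; an empty report means the remaining suspects are the snort_inline configuration itself (the -Q flag, the include of the rules file) rather than the iptables side.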