[Snort-users] How to test snort inline

vikrant vikrant at ...13540...
Fri Sep 30 01:55:42 EDT 2005


hi,
Thanks for the information.
Vikrant

Dino Dragovic wrote:

> hi,
>
> don't forget to QUEUE the return traffic as well
>
> iptables -I OUTPUT -p tcp --sport 80 -j QUEUE
>
> Regards,
> ~~~
> Dino Dragovic
>
> On Thu, 29 Sep 2005 vikrant at ...13540... wrote:
>
>> hi
>>
>> I have successfully installed snort_inline 2.3.0 on my machine. But when I
>> am trying to test snort_inline with the following rule, it does not
>> work (meaning it does not drop the request to connect to port 80).
>>
>> I am adding the following rule just below the comment lines but above the
>> alert rules in the "web-attacks.rules" file (path of the file is
>> /etc/snort_inline/rules/) to drop the request.
>> ------------------------------------------------------------------------------------------------- 
>>
>> drop tcp any any -> any 80 (classtype:attempted-user; msg:"Port 80 connection initiated";)
>> ------------------------------------------------------------------------------------------------- 
>>
>>
>> I have changed snort_inline.conf and snort.conf as follows:
>>
>> Changes I made in the snort_inline.conf file (path /etc/snort_inline/) are:
>> 1. Set "var RULE_PATH /etc/snort_inline/rules"
>> 2. Enable the web-attacks.rules
>>
>> Changes I made in the snort.conf file (path /etc/snort_inline/) are:
>> 1. Set "var RULE_PATH /etc/snort_inline/rules"
>> 2. Enable the web-attacks.rules
>> 3. Set the "var HOME_NET 10.0.1.0/24"
>>
>> Now, the commands I am executing are:
>>
>> 1. modprobe ip_queue
>> 2. lsmod | grep ip_queue
>> ----------------------------
>> output
>> ip_queue 9945 0
>> -------------------------
>>
>> 3. iptables -I INPUT -p tcp --dport 80 -j QUEUE
>>
>> 4. snort_inline -c /etc/snort_inline/snort_inline.conf -Q -N -l
>> /var/log/snort_inline/ \
>>     -t /var/log/snort_inline/ -v
>> -------------------------------------------------
>> output
>> __== Initialisation Complete ==__
>> -------------------------------------------------
>>
>> snort_inline starts successfully, but the above drop rule does not work.
>>
>> I have installed snort_inline with the following packages:
>> ----------------------------------
>> kernel version 2.6.9-11EL
>> iptable version 1.3.2
>> libnet-1.0.2a
>> pcre-6.4
>> ---------------------------------
>>
>> So, please let me know if I am doing something wrong in the above process;
>> actually, I am new to snort_inline.
>>
>> Also, please tell me how I can test snort_inline if the above rule does not
>> work.
>>
>> Thanks
>>
>> Vikrant
>>
>>

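An added example, not code from the thread: a small shell helper that queues both directions of port-80 traffic (the point made in the reply above), refuses to proceed if ip_queue is not loaded, and then probes the port so you can tell an actual inline drop (silent timeout) from a reset or a rule that never fired. The target host, the web server port and the alert file path are assumptions, set from environment variables.

```shell
#!/bin/sh
# Added example (not from the thread). Queues both directions of port-80
# traffic to ip_queue so snort_inline sees the full TCP exchange, then probes
# the port to confirm the "drop" rule is actually taking effect.
PORT="${PORT:-80}"
TARGET="${TARGET:-10.0.1.5}"                             # assumed host inside HOME_NET
ALERT_FILE="${ALERT_FILE:-/var/log/snort_inline/alert}"  # assumed alert file under -l dir

# Print the iptables commands for one port: the request (INPUT, --dport) and,
# as the reply in the thread points out, the return traffic (OUTPUT, --sport).
queue_rules() {
    printf 'iptables -I INPUT -p tcp --dport %s -j QUEUE\n' "$1"
    printf 'iptables -I OUTPUT -p tcp --sport %s -j QUEUE\n' "$1"
}

# Apply them (needs root). Fails early if ip_queue is not loaded, because
# without it the QUEUE target has nothing to hand packets to.
apply_queue_rules() {
    lsmod | grep -q '^ip_queue ' || { echo "ip_queue not loaded: modprobe ip_queue" >&2; return 1; }
    queue_rules "$1" | sh -e
}

# Map a curl exit status to what it says about the inline drop rule.
# A dropped SYN gives a timeout (28); a TCP RST gives "connection refused" (7),
# which is what a closed port or a snort "reject" rule looks like, not a drop.
classify_probe() {
    case "$1" in
        0)  echo ALLOWED ;;       # got an HTTP answer: the drop rule did not fire
        28) echo DROPPED ;;       # silent timeout: consistent with an inline drop
        7)  echo RESET ;;         # RST received: port closed or reject, not drop
        *)  echo "UNKNOWN($1)" ;;
    esac
}

# Probe the port with a short timeout, report the verdict, and count alerts
# carrying the msg from the drop rule in the thread.
probe() {
    rc=0
    curl -s -m 5 -o /dev/null "http://$TARGET:$PORT/" || rc=$?
    echo "probe of $TARGET:$PORT -> $(classify_probe "$rc")"
    [ -r "$ALERT_FILE" ] && \
        echo "alerts logged: $(grep -c 'Port 80 connection initiated' "$ALERT_FILE")"
}

# Usage: sh snort_inline_test.sh apply   (as root, on the snort_inline box)
#        sh snort_inline_test.sh probe   (from a client that should be blocked)
case "${1:-}" in
    apply) apply_queue_rules "$PORT" ;;
    probe) probe ;;
esac
```

Run `apply` before starting snort_inline with -Q; a DROPPED verdict together with a non-zero alert count shows the rule is both matching and being enforced, whereas ALLOWED with alerts logged usually means only one direction was queued.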