[Snort-users] Snort inline setup issues (SOLUTION)

The Adept adept at ...13938...
Thu Sep 28 16:27:34 EDT 2006



The Adept wrote:
> I am setting up a snort IPS on a Gentoo 2.6 box and I've run into a wall 
> getting Snort to pass the packets out of the iptables queue.
>
> For testing I have the snort box which sits on a 10.x.x.x address, it 
> has a dual ethernet card to use for the inline bridge.  I have two 
> different boxes connected to the dual ethernet card, one with 
> 192.168.100.1 as its address and one with 192.168.100.2.  The bridge 
> (br0) works perfectly with -P FORWARD ACCEPT set and no snort.  When I 
> change policy to DROP, packets are correctly dropped (all protocols).  
> When I enable snort, it sees the packets and ICMP works (pings) but TCP 
> does not.  (log attached below)
>
> I'm not sure what I'm doing wrong.  Everything appears to be set up 
> correctly but no tcp sessions are being properly set up.  Any suggestions?
>
> Thanks in advance for any advice.
>
> Cheers,
>
>  Dan
>   
<SNIP>

After two days of hammering on this, I recompiled with optimizations 
turned off; this solved everything.  Responding back here to let 
people know how to resolve it, since I received no responses off list.

Regards,

  Dan
