[Snort-users] HELP with Snort Inline!! Can't auto-convert "alert" to "drop" (i.e., for snort-inline rules).

Snort User peabody007 at ...131...
Mon Sep 22 20:09:42 EDT 2008



To Any Snort_inline Guru:

I
am an EXTREMELY  BAFFLED snort user.  I am using snort 2.8 in inline mode
and updating with oinkmaster 2.0.  If I update via oinkmaster WITHOUT
specifying {modifysid * “^alert” | “drop”} within the oinkmaster.conf
file,  the rules get updated and everything works.  If I  insert some
simple drop rules for testing after the oinkmaster update, my “test”
drop rules correctly drop and log dropped packets.  If I test the
updated alerts by restarting in non-inline mode, they work as well.

STRANGELY, if I
update via oinkmaster and DO specify {modifysid * “^alert” | “drop”}
within the .conf file, oinkmaster “seems” to work (i.e., updates appear
to have been made correctly, “alert” rules are all converted to “drop”
rules, snort inline starts without errors,  snort output lists rules as
being correctly read, etc.), however, when I insert some simple drop
rules for testing, my “test” drop rules do not work, nor do any of the
converted drop rules that had worked prior as alerts.  At least the
“test” drop rules SHOULD work (but do not), since they work when I
update without converting alerts to drops.  This would seem impossible,
but it IS occurring.  I always restart snort after rules modifications
to flush rules from memory and am only using dowloaded snort rules
(i.e. other than some extremely simple "test" drop rules that DO work
when I haven't converted "alert" rules to "drop").  

I understand
that if I had "alert" rules similar to my test "drop" rules, then my
test "drop" rules might not get triggered and logged (i.e., as a
consequence of already being dropped by other rules that were prior
only "alerts").  However, in that scenario, even though the test
"drops" wouldn't show as triggered in the logs, the packets would still
get dropped, due to other "drop" rules.  This isn't what is happening,
since none of my packets are getting dropped once I convert "alerts" to
"drops".  Again, extremely baffling!

There must be a way to run snort-inline with automatic alert/drop conversions on updates, but I have not been able to to it.

Any feedback would be GREATLY APPRECIATED!

Peabody



      
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20080922/78ceefeb/attachment.html>
-------------- next part --------------
-------------------------------------------------------------------------
This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
Build the coolest Linux based applications with Moblin SDK & win great prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100&url=/
-------------- next part --------------
_______________________________________________
Snort-inline-users mailing list
Snort-inline-users at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-inline-users


More information about the Snort-users mailing list