[Snort-users] InlineDrop() issues with snort_inline

Devdutt Patnaik xendevid at ...11827...
Sun Apr 19 00:16:50 EDT 2009


Hi All,

I also verified that snort is receiving packets from iptables (from
ip_queue). I start snort as

snort_inline -k none -Q

My iptables rules are as follows:

iptables -A INPUT -p udp -j QUEUE

I confirmed that snort is receiving the incoming packets. I wish to drop
certain packets based on content by calling InlineDrop().

I have further verified that snort is calling the ipq_set_verdict(ipqh,
m->packet_id, NF_DROP, 0, NULL) function.

I also checked its return value to be non-negative.

Is there anything that I am missing? Do I need to add any additional rules
to iptables?
My understanding is that I can just use InlineDrop to dynamically drop
packets.

Thanks in advance!

-Devdutt


On Sat, Apr 18, 2009 at 10:18 PM, Devdutt Patnaik <xendevid at ...11827...> wrote:

> Hi All,
>
> I am using InlineDrop() in my own custom preprocessor code.
> I need to drop certain packets using code in my preprocessor to implement
> an IPS like functionality.
>
> I set up snort_inline and it looks ok when I start it - it says "running in
> inline mode" etc.
> However, even after calls to InlineDrop(), the application still sees the
> packet.
> We verified that the function is being called for each packet.
>
> Am I missing something in the setup or the usage of the function? Please
> let us know.
>
> Thanks,
> Devdutt.
>
>