[Snort-users] snort 2.8.4 and inline mode
justinjoseph007 at ...11827...
Tue Aug 25 08:52:25 EDT 2009
I have compiled from source snort 2.8.4 with --enable-inline support.
to get rules for inline mode I have downloaded ruleset using oinkmaster
with the below config file:
url = http://www.snort.org/pub-bin/oinkmaster.cgi/006d6ba065a1c0fe55e6e4a25d74518236a3da19/snortrules-snapshot-2.8.tar.gz
path = /bin:/usr/bin:/usr/local/bin
update_files = \.rules$|\.config$|\.conf$|\.txt$|\.map$
modifysid * "^alert" | "drop"
As I understand the modifysid converts all the alert rules to drop rules.
I am running this with the default config file in the etc/snort.conf
file by changing
only the paths to rules and library directories.
When I test this setup with IDSwakeup-1.0, I don't see any drop of packets
happening. I know this because i have commented code in inline.c with
against drop and accept verdicts. Also there are no alerts in the logs.
But if I ran the same setup with the same config (snort.conf) file
without the -Q option in IDS mode
with only difference in using rules with alert rules(downloaded with
oinkmaster without modifysid)
I see that there are lot of alerts when tested with IDSwakeup-1.0.
What I am doing wrong, why isn't the inline mode dropping packets that
are being alerted
in the IDS mode? is there any configuration changes required in
inline and IDS modes?
More information about the Snort-users