[Snort-users] snort 2.8.4 and inline mode

Will Metcalf william.metcalf at ...11827...
Tue Aug 25 09:17:31 EDT 2009


What do your iptables rules look like?  What traffic are you sending
to the QUEUE target?

Setting modifysid * "^alert" | "drop" is a bad idea, and will lead to
drops without notifications for things like flowbits with no alert
that are not intended to identify malicious traffic, only for protocol
identification etc.  I would run your IDS in passive mode for a while
to weed out false positives before even considering implementing a
drop rule set.

Regards,

Will

On Tue, Aug 25, 2009 at 7:52 AM, justin joseph<justinjoseph007 at ...11827...> wrote:
> Hi
>
> I have compiled from source snort 2.8.4 with --enable-inline support.
>
> to get rules for inline mode I have downloaded ruleset using oinkmaster
> with the below config file:
>
> url = http://www.snort.org/pub-bin/oinkmaster.cgi/006d6ba065a1c0fe55e6e4a25d74518236a3da19/snortrules-snapshot-2.8.tar.gz
> path = /bin:/usr/bin:/usr/local/bin
> update_files = \.rules$|\.config$|\.conf$|\.txt$|\.map$
> skipfile local.rules
> skipfile deleted.rules
> skipfile snort.conf
> modifysid * "^alert" | "drop"
>
>
> As I understand the modifysid converts all the alert rules to drop rules.
>
> I am running this with the default config file in the etc/snort.conf
> file, changing only the paths to rules and library directories.
>
> When I test this setup with IDSwakeup-1.0, I don't see any drop of packets
> happening.  I know this because I have commented code in inline.c with
> debug prints against drop and accept verdicts.  Also there are no alerts
> in the logs.
>
> But if I run the same setup with the same config (snort.conf) file
> without the -Q option in IDS mode, with the only difference being the use
> of alert rules (downloaded with oinkmaster without modifysid),
> I see that there are a lot of alerts when tested with IDSwakeup-1.0.
>
> What am I doing wrong? Why isn't the inline mode dropping packets that
> are being alerted on in the IDS mode?  Are there any configuration changes
> required in snort.conf between inline and IDS modes?
>
> thank you
> Justin
>
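To make the warning above concrete, here is an added Python example (not code from the post, and not oinkmaster's own implementation) that contrasts the blanket `modifysid * "^alert" | "drop"` rewrite with a selective rewrite that leaves `flowbits:noalert` rules untouched. The three rules are constructed samples, and the regular expressions are an approximation of the rewrite, not oinkmaster's code.

```python
import re

# Constructed sample rules (not from the list post). Rule 1000001 only sets a
# flowbit for protocol identification and carries flowbits:noalert; rules
# 1000002 and 1000003 are ordinary alerting rules.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP login seen"; flow:to_server,established; content:"USER"; flowbits:set,ftp.user; flowbits:noalert; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP SITE EXEC after login"; flow:to_server,established; flowbits:isset,ftp.user; content:"SITE EXEC"; sid:1000002; rev:1;)
# a comment line is left exactly as it is
alert udp any any -> any 53 (msg:"DNS standard query"; content:"|01 00 00 01|"; sid:1000003; rev:1;)
"""

ALERT_PREFIX = re.compile(r"^alert\b")
NOALERT = re.compile(r"flowbits\s*:\s*noalert\s*;")


def blanket_convert(text):
    """Mimics modifysid * "^alert" | "drop": every alert rule becomes a drop
    rule, including noalert flowbits rules, which then drop silently."""
    return "\n".join(ALERT_PREFIX.sub("drop", line) for line in text.splitlines())


def selective_convert(text):
    """Convert only rules that would actually raise an alert. Rules carrying
    flowbits:noalert stay as alert rules so that no packet is ever dropped
    without a corresponding log entry. Returns (rewritten text, skipped rules)."""
    out, skipped = [], []
    for line in text.splitlines():
        if ALERT_PREFIX.match(line) and not NOALERT.search(line):
            out.append(ALERT_PREFIX.sub("drop", line))
        else:
            if NOALERT.search(line):
                skipped.append(line)
            out.append(line)
    return "\n".join(out), skipped


def count_actions(text):
    """Count how many rules in the text start with each action keyword."""
    counts = {"alert": 0, "drop": 0}
    for line in text.splitlines():
        action = line.split(" ", 1)[0]
        if action in counts:
            counts[action] += 1
    return counts


if __name__ == "__main__":
    print("blanket  :", count_actions(blanket_convert(SAMPLE_RULES)))
    rewritten, skipped = selective_convert(SAMPLE_RULES)
    print("selective:", count_actions(rewritten))
    for rule in skipped:
        print("kept as alert (noalert flowbits rule):", rule[:60], "...")
```

Running it shows the blanket rewrite turning all three rules into drops, while the selective rewrite converts only the two rules that would log something and reports the noalert rule it left alone. Even with the selective rewrite, the advice in the reply still applies: run passively first and watch which of the remaining rules fire before turning them into drops.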
