[Snort-users] snort 2.8.4 and inline mode
justinjoseph007 at ...11827...
Tue Aug 25 09:43:06 EDT 2009
On Tue, Aug 25, 2009 at 6:47 PM, Will Metcalf<william.metcalf at ...11827...> wrote:
> What do your iptables rules look like? What traffic are you sending
> to the QUEUE target?
I am queuing all incomming traffic to my wan interface. relevant
section of iptables --list:
Chain wan2fw (11 references)
target prot opt source destination
QUEUE all -- anywhere anywhere state ESTABLISHED
ACCEPT all -- anywhere anywhere state
QUEUE all -- anywhere anywhere
I use shorewall to do this, by specifying rules to QUEUE all wan to fw
ESTABLISHED and NEW states.
> Setting modifysid * "^alert" | "drop" is a bad idea, and will lead to
> drops without notifications for things like flowbits with no alert
> that are not intended to identify malicious traffic, only for protocol
> identification etc. I would run you IDS in passive mode for a while
> to weed out false positives before even considering implementing a
> drop rule set.
Does "without notifications" mean that there will be no alerts in the log file
or does it mean ( at the source code level) that there's no verdict
required (ipq verdict)
for dropping or accepting the mentioned types of packets?
Is the process you have mentioned of running first in IDS (passive mode)
to weed out false positives a manual process. i.e manually figure out the
false alerts( by looking at alert.log) and then keep the rules associated with
these alerts with "alert action" only and not drop? or it it an automatic one
which involved running scripts or something like that.
Also is there any method to configure/run snort in inline mode without
intervention(example: rule set support for inline mode)
> On Tue, Aug 25, 2009 at 7:52 AM, justin joseph<justinjoseph007 at ...14542....> wrote:
>> I have compiled from source snort 2.8.4 with --enable-inline support.
>> to get rules for inline mode I have downloaded ruleset using oinkmaster
>> with the below config file:
>> url = http://www.snort.org/pub-bin/oinkmaster.cgi/006d6ba065a1c0fe55e6e4a25d74518236a3da19/snortrules-snapshot-2.8.tar.gz
>> path = /bin:/usr/bin:/usr/local/bin
>> update_files = \.rules$|\.config$|\.conf$|\.txt$|\.map$
>> skipfile local.rules
>> skipfile deleted.rules
>> skipfile snort.conf
>> modifysid * "^alert" | "drop"
>> As I understand the modifysid converts all the alert rules to drop rules.
>> I am running this with the default config file in the etc/snort.conf
>> file by changing
>> only the paths to rules and library directories.
>> When I test this setup with IDSwakeup-1.0, I don't see any drop of packets
>> happening. I know this because i have commented code in inline.c with
>> debug prints
>> against drop and accept verdicts. Also there are no alerts in the logs.
>> But if I ran the same setup with the same config (snort.conf) file
>> without the -Q option in IDS mode
>> with only difference in using rules with alert rules(downloaded with
>> oinkmaster without modifysid)
>> I see that there are lot of alerts when tested with IDSwakeup-1.0.
>> What I am doing wrong, why isn't the inline mode dropping packets that
>> are being alerted
>> in the IDS mode? is there any configuration changes required in
>> snort.conf between
>> inline and IDS modes?
>> thank you
>> Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
>> trial. Simplify your report design, integration and deployment - and focus on
>> what you do best, core application coding. Discover what's new with
>> Crystal Reports now. http://p.sf.net/sfu/bobj-july
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> Snort-users list archive:
More information about the Snort-users