[Snort-users] snort inline mode is not working with iptables

netchild ccie netchildccie at ...125...
Fri Aug 6 14:41:50 EDT 2010


Dear list,
I am a new user to Snort and this is my first experience with it.
My issue is that it seems Snort does not communicate correctly with iptables. I have a Linux machine running Snort 2.8.6 and connected to a LAN with another Linux machine. I am using the other machine to ping the Snort server. Every time I run Snort without iptables, the ping works; once I use iptables and then launch Snort, the ping stops and I receive alert messages!!!! I cannot understand why Snort drops the packets?! I'll try to summarize my issue in points:
1. I've built a Linux machine with CentOS 4.8
2. I've downloaded Snort 2.8.6 from the Snort website
3. I've compiled the package after I successfully installed libipq and libnet 1.0.2a. I used the following commands:
   ./configure --enable-inline
   make
   make install
4. I've built a simple rule under /etc/snort/rules as below and named it "local.rule":
   alert icmp any any <> any any (msg: "ICMP DROPPED"; sid: 1000001;)
5. I loaded the ip_queue module and verified it as below:
   [root at ...14955... rules]# modprobe ip_queue
   [root at ...14955... rules]# lsmod | grep queue
   ip_queue               44777  0
6. I launched iptables before I started Snort, as below, and verified it:
   iptables -A OUTPUT -p icmp -j QUEUE
   [root at ...14955... rules]# iptables -L
   Chain INPUT (policy ACCEPT)
   target     prot opt source               destination

   Chain FORWARD (policy ACCEPT)
   target     prot opt source               destination

   Chain OUTPUT (policy ACCEPT)
   target     prot opt source               destination
   QUEUE      icmp --  anywhere             anywhere
7. I've run Snort as below:
   [root at ...14955... rules]# snort -k none -c /etc/snort/snort.conf.wael -l /var/log/snort/wael -Q -i eth1
   Enabling inline operation
   Running in IDS mode

           --== Initializing Snort ==--
   Initializing Output Plugins!
   Initializing Preprocessors!
   Initializing Plug-ins!
   Parsing Rules file "/etc/snort/snort.conf.wael"
   PortVar 'HTTP_PORTS' defined :  [ 80 2301 3128 7777 7779 8000 8008 8028 8080 8180 8888 9999 ]
   PortVar 'SHELLCODE_PORTS' defined :  [ 0:79 81:65535 ]
   PortVar 'ORACLE_PORTS' defined :  [ 1521 ]
   ...
           --== Initialization Complete ==--

      ,,_     -*> Snort! <*-
     o"  )~   Version 2.8.6.1 (Build 39)
      ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
              Copyright (C) 1998-2010 Sourcefire, Inc., et al.
              Using PCRE version: 6.6 06-Feb-2006
              Rules Engine: SF_SNORT_DETECTION_ENGINE  Version 1.12  <Build 18>
8. Verified through the log:
   Aug  6 21:38:45 xen1 snort: [1:1000001:0] ICMP DROPPED {ICMP} 10.6.211.155 -> 10.6.211.53
   Aug  6 21:39:16 xen1 last message repeated 31 times
   Aug  6 21:40:17 xen1 last message repeated 61 times

9. Verified the ping from the ping's screen:
   [root at ...14956... ~]# ping 10.6.211.53
   PING 10.6.211.53 (10.6.211.53) 56(84) bytes of data.
   <nothing>

What have I missed?!
Regards,
Wael
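Two small checks for the "verify through the log" and rule steps above, added here as an example and not part of Wael's post or of Snort itself. The first tallies how many alerts a given sid produced from syslog output, expanding syslog's "last message repeated N times" lines (so the three lines in step 8 count as 1 + 31 + 61 events rather than one); the second lists the action keyword of every rule in a rules file, which matters in inline mode because only rules with the drop, sdrop or reject action discard traffic, while an alert rule logs the packet and passes it. The sample log lines and rule text below are constructed to match the post.

```shell
#!/bin/sh
# Added example, not from the original post: helpers for checking a Snort
# inline setup from its syslog output and its rules file.

# Constructed syslog excerpt, same shape as step 8 in the post.
SAMPLE_LOG='Aug  6 21:38:45 xen1 snort: [1:1000001:0] ICMP DROPPED {ICMP} 10.6.211.155 -> 10.6.211.53
Aug  6 21:39:16 xen1 last message repeated 31 times
Aug  6 21:40:17 xen1 last message repeated 61 times'

# Constructed local.rule, same rule as step 4 in the post.
SAMPLE_RULES='# local.rule (constructed sample)
alert icmp any any <> any any (msg: "ICMP DROPPED"; sid: 1000001;)'

# count_alerts SID: read syslog text on stdin and print the number of alert
# events generated by rule SID. A "last message repeated N times" line
# refers to the preceding snort line, so it adds N only while that line
# was a match for SID.
count_alerts() {
    awk -v sid="$1" '
        /snort: \[/ {
            hit = (index($0, "[1:" sid ":") > 0)
            if (hit) n++
            next
        }
        /last message repeated [0-9]+ times/ {
            if (hit) {
                for (i = 1; i <= NF; i++) if ($i == "repeated") n += $(i + 1)
            }
            next
        }
        { hit = 0 }
        END { print n + 0 }'
}

# rule_actions: read a Snort rules file on stdin and print "<action> <sid>"
# for each rule, skipping blank and comment lines. In Snort inline mode only
# drop, sdrop and reject rules discard packets; alert rules only log them.
rule_actions() {
    awk '
        /^[ \t]*(#|$)/ { next }
        {
            sid = "?"
            if (match($0, /sid:[ \t]*[0-9]+/)) {
                sid = substr($0, RSTART, RLENGTH)
                sub(/sid:[ \t]*/, "", sid)
            }
            print $1, sid
        }'
}

# Stand-alone usage on the constructed samples.
printf '%s\n' "$SAMPLE_LOG" | count_alerts 1000001
printf '%s\n' "$SAMPLE_RULES" | rule_actions
```

On a live box the same functions can be fed real data, e.g. `grep snort /var/log/messages | count_alerts 1000001` and `rule_actions < /etc/snort/rules/local.rule`; the rule listing is a quick way to confirm whether any rule in the set actually carries a drop action before blaming Snort for the missing replies.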