[Snort-users] snort inline mode is not working with iptables
hat_gh at ...131...
Mon Aug 9 03:26:21 EDT 2010
I ran snort as follows:
snort -c snort.empty -TQ and snort -c snort.empty -TQ
The output was the same! I was expecting a different behavior.
One thing I noticed is that the manual states that the rule application order is
but snort in our case returns this
How can I tell if snort reads/initializes IPTables?
From: Russ Combs <rcombs at ...1935...>
To: Jason Brvenik <jason.brvenik at ...1935...>
Cc: Wael <netchildccie at ...125...>; snort-users at lists.sourceforge.net; Jason
Brvenik <jasonb at ...1935...>; hat_gh at ...131...; Will Metcalf
<william.metcalf at ...11827...>
Sent: Sun, August 8, 2010 3:48:32 AM
Subject: Re: [Snort-users] snort inline mode is not working with iptables
On Sat, Aug 7, 2010 at 4:52 PM, Jason Brvenik <jason.brvenik at ...1935...>
Comment out all of the include lines in snort.conf, startup should indicate 0
In fact, try creating an empty conf and using that. Then add just the alert.
Referring to your original setup, examine the packet log and ensure that you
have all the echo responses (you were in the output chain).
If that looks good run tcpdump on your ping machine and see what, if anything,
is coming back.
On Aug 7, 2010 5:21 PM, "Wael" <netchildccie at ...125...> wrote:
>>If I do not use iptables -j QUEUE, the ping works.
>>How can I run snort with _NO_ rule?!
>>On 8/7/10 9:32 PM, "Jason Brvenik" <jasonb at ...1935...> wrote:
>>>I would suggest a ground up app...