[Snort-users] snort inline mode is not working with iptables

Joel Esler jesler at ...1935...
Mon Aug 9 08:25:46 EDT 2010


On Aug 9, 2010, at 3:26 AM, Hatim Alghamdi wrote:

> I ran snort as follows:
>  snort -c snort.empty -TQ and snort -c snort.empty -TQ --disable-inline-initialization
> The output was the same! I was expecting a different behavior. 
> 
> One thing I noticed is that the manual states that the rule application order is
> activation->dynamic->pass->drop->sdrop->reject->alert->log
> but snort in our case returns this:
> activation->dynamic->pass->drop->alert->log
> 
> How can I tell if snort read/initialize IPTables?

-T is just test mode though.  Exchange -T with -D, then try and send traffic through the IPS.  It should go normally. 

After you send traffic through it, run a kill with the -USR1 tag:

kill -USR1 <pid of snort>

Then examine your logs (/var/log/messages, or whatever) for the statistics that Snort will print out.  If you see the counts incrementing, that means that Snort is receiving traffic through the engine.

Joel
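The check described above (dump statistics with SIGUSR1, then confirm the packet counters grew between two dumps) as an added shell example that is not from this thread. It assumes the dump contains a line of the form `Received: N` and that it lands in `/var/log/messages`; both are assumptions to adjust for your Snort build, and the sample log lines are constructed.

```shell
#!/bin/sh
# Added example (not from the original thread): verify that Snort is actually
# seeing traffic by comparing packet counts from two SIGUSR1 statistics dumps.
# ASSUMPTION: the dump contains a "Received: N" line; adjust the pattern if your
# Snort version prints a different counter name.

# Extract the last "Received: N" value from a log file; prints 0 if absent.
last_received_count() {
    count=$(grep -o 'Received:[[:space:]]*[0-9]*' "$1" | tail -n 1 | grep -o '[0-9]*$')
    echo "${count:-0}"
}

# Extract the first "Received: N" value from a log file; prints 0 if absent.
first_received_count() {
    count=$(grep -o 'Received:[[:space:]]*[0-9]*' "$1" | sed -n '1p' | grep -o '[0-9]*$')
    echo "${count:-0}"
}

# Succeed (exit 0) only if the second count is strictly larger than the first.
counts_incremented() {
    [ "$2" -gt "$1" ]
}

# Succeed only if the log shows the counter growing between the first and
# last dump, i.e. traffic passed through the engine in between.
snort_seen_traffic() {
    counts_incremented "$(first_received_count "$1")" "$(last_received_count "$1")"
}

# Constructed sample log standing in for /var/log/messages after two dumps
# (constructed data, not real Snort output).
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Aug  9 08:00:01 ips snort[1234]: Received: 120
Aug  9 08:05:01 ips snort[1234]: Received: 340
EOF

# Live procedure (commented out so the example runs offline):
#   kill -USR1 "$(pidof snort)"; sleep 1      # first dump
#   ... send test traffic through the IPS ...
#   kill -USR1 "$(pidof snort)"; sleep 1      # second dump
#   snort_seen_traffic /var/log/messages && echo "engine is receiving traffic"
snort_seen_traffic "$SAMPLE_LOG" && echo "sample log shows counters incrementing"
```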