[Snort-users] Snort IDS Not Working
wkitty42 at ...14940...
Sat Sep 4 02:48:02 EDT 2010
On 9/3/2010 17:39, Bradlee Landis wrote:
> I am running Devil-Linux (Linux From Scratch distribution), and I'm
> having trouble getting it working correctly. It is possible that it's
> been built incorrectly, but I thought I would just see if you could
> tell me if I'm doing something wrong.
> I'm running these commands:
> iptables -A INPUT -j QUEUE
> snort -Qc /etc/snort/snort.conf -A console
> But, when I have a QUEUE target in iptables, it blocks all traffic,
> and starting snort does not make a difference.

umm well should it? you're sending everything to the QUEUE table but do you have
a rule in the QUEUE table telling anything to move on past the QUEUE table?

> Snort is detecting packets, even if I don't have a QUEUE target in iptables, so it
> doesn't seem to be actually running in IDS mode.

ughhhh... actually it does to me... i don't use any kind of inline or iptables
rules for snort in my installs and it detects traffic and alerts on it quite
well... perhaps you are confusing methods of operation? or perhaps there's some
specific confusion being thrown into the equation somehow from somewhere?

my snort installs read the rules and sit and alert... they do not attempt to run
in iptables mode or use the iptables blocking methods... my snorts simply read
the packets and sound alerts in their alert files... i think the KISS principle
plays a large part in this aspect ;)