[Snort-users] Snort IDS Not Working

waldo kitty wkitty42 at ...14940...
Sat Sep 4 02:48:02 EDT 2010


On 9/3/2010 17:39, Bradlee Landis wrote:
> I am running Devil-Linux (Linux From Scratch distribution), and I'm
> having trouble getting it working correctly. It is possible that it's
> been built incorrectly, but I thought I would just see if you could
> tell me if I'm doing something wrong.
>
> I'm running these commands:
>
> iptables -A INPUT -j QUEUE
> snort -Qc /etc/snort/snort.conf -A console
>
> But, when I have a QUEUE target in iptables, it blocks all traffic,
> and starting snort does not make a difference.

umm well should it? you're sending everything to the QUEUE table but do you have 
a rule in the QUEUE table telling anything to move on past the QUEUE table?


> Snort is detecting packets, even if I don't have a QUEUE target in iptables, so it
> doesn't seem to be actually running in IDS mode.

ughhhh... actually it does to me... i don't use any kind of inline or iptables 
rules for snort in my installs and it detects traffic and alerts on it quite 
well... perhaps you are confusing methods of operation? or perhaps there's some 
specific confusion being thrown into the equation somehow from somewhere?

my snort installs read the rules and sit and alert... they do not attempt to run 
in iptables mode or use the iptables blocking methods... my snorts simply read 
the packets and sound alerts in their alert files... i think the KISS principle 
plays a large part in this aspect ;)
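
The two setups discussed in this thread (a QUEUE rule feeding `snort -Q`, versus snort just sniffing and alerting) can be told apart from the firewall rules and the process list. The script below is an added example, not part of the original post or of Snort; the function names and the passive/inline/blackhole labels are hypothetical, and it assumes a snort started with `-Q` actually attached to the queue.

```shell
#!/bin/sh
# Added example. Labels passive/inline/blackhole are this example's own names.
# Inputs are text so it runs offline; on a live host pass "$(iptables-save)"
# and "$(ps -eo args)" instead of the constructed samples below.

# Print every chain that has a rule jumping to QUEUE or NFQUEUE.
queue_chains() {
    awk '$1 == "-A" {
        for (i = 3; i < NF; i++)
            if ($i == "-j" && ($(i+1) == "QUEUE" || $(i+1) == "NFQUEUE")) {
                print $2; break
            }
    }' | sort -u
}

# Succeed if a snort command line carries -Q (alone or bundled, as in -Qc).
has_inline_snort() {
    awk '{
        n = split($1, p, "/")
        if (p[n] != "snort") next
        for (i = 2; i <= NF; i++) if ($i ~ /^-[A-Za-z]*Q/) found = 1
    }
    END { exit !found }'
}

# diagnose RULES PROCS -> passive | inline | blackhole
# Assumption: a snort started with -Q really bound the queue (build-dependent).
diagnose() {
    chains=$(printf '%s\n' "$1" | queue_chains)
    if [ -z "$chains" ]; then
        echo passive      # no QUEUE rule: snort only sniffs and alerts
    elif printf '%s\n' "$2" | has_inline_snort; then
        echo inline       # queued packets have a userspace reader
    else
        echo blackhole    # QUEUE with no reader: the kernel drops the packets
    fi
}

# Constructed samples, modelled on the commands quoted in the thread.
RULES_QUEUE='*filter
:INPUT ACCEPT [0:0]
-A INPUT -j QUEUE
COMMIT'
RULES_PLAIN='*filter
:INPUT ACCEPT [0:0]
COMMIT'
PS_INLINE='snort -Qc /etc/snort/snort.conf -A console'
PS_PASSIVE='snort -c /etc/snort/snort.conf -A console'

diagnose "$RULES_QUEUE" "$PS_PASSIVE"
```

A result of `inline` only says a `snort -Q` process exists; if traffic still stalls, check whether that snort binary was built with inline support.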



