[Snort-users] Newbie question: reject rule for IPv6
urbestfriend at ...11827...
Sun Dec 11 05:39:15 EST 2011
I am using following command to start snort.
snort -c /etc/snort.conf -N -D
Also I have set following parameters in snort.conf.
config daq: nfq
config daq_mode: inline
config daq_var: proto=ip6
Note that I have built both daq and snort with --ipv6-enabled option.
-A INPUT -d <ip_address>/128 -p tcp -m tcp --dport 80 -j NFQUEUE --queue-num 0
The setup works fine as I am seeing alerts getting logged when I send
a http request with URI contains "snort-test", but unfortunately the
request is not getting rejected ( No ICMP6 unreachable ) as it
should've been and request is going through.
In fact I tried 'drop' too , without any success. Can someone point
out the code where ICMP unreachable is sent ? I tried to debug daq and
always verdict to NFQUEUE is set as NF_ACCEPT.
Thanks for the response.
On Sat, Dec 10, 2011 at 9:16 PM, JJ Cummings <cummingsj at ...11827...> wrote:
> What does your iptables look like and what is your snort startup command line? Also, use drop, not reject.
> Sent from the iRoad
> On Dec 9, 2011, at 5:48, K b <urbestfriend at ...11827...> wrote:
>> A newbie here and I was trying to setup snort inline with NFQ for IPv6
>> services. Just for testing I have added the following reject rule.
>> reject tcp any any -> any 80 (classtype:attempted-user;
>> msg:"Snort_test"; content:"snort-test"; sid:9000001; rev:1;)
>> Now If I send a traffic with the above content, I see that alerts are
>> getting generated but this requests is not being reset as expected.
>> I am running snort 126.96.36.199, my snort.conf is unchanged. What am I doing wrong?
>> Have a good day.
>> Thanks and regards,
>> Learn Windows Azure Live! Tuesday, Dec 13, 2011
>> Microsoft is holding a special Learn Windows Azure training event for
>> developers. It will provide a great way to learn Windows Azure and what it
>> provides. You can attend the event by watching it streamed LIVE online.
>> Learn more at http://p.sf.net/sfu/ms-windowsazure
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> Snort-users list archive:
>> Please visit http://blog.snort.org to stay current on all the latest Snort news!
More information about the Snort-users