[Snort-users] Newbie question: reject rule for IPv6

K b urbestfriend at ...11827...
Mon Dec 12 01:54:25 EST 2011


Just to add some more info.

I tried ipq too without any success. But If I run my web server on an
IPv4 address and run snort in ip4 mode, I see that request gets
blocked.
I am wondering whether I have missed some step for Ipv6 or do I need
to change the rule for IPv6?




On Sun, Dec 11, 2011 at 4:09 PM, K b <urbestfriend at ...11827...> wrote:
> JJ,
>
> I am using following command to start snort.
>
> snort -c  /etc/snort.conf -N -D
>
> Also I have set following parameters in snort.conf.
>
> config daq: nfq
> config daq_mode: inline
> config daq_var: proto=ip6
> config daq_dir:<dir>
>
> Note that I have built both daq and snort with --ipv6-enabled option.
>
> My ip6table:
>
> -A INPUT -d <ip_address>/128 -p tcp -m tcp --dport 80 -j NFQUEUE --queue-num 0
>
> The setup  works fine as I am seeing alerts getting logged when I send
> a http request with URI contains "snort-test", but unfortunately the
> request is not getting rejected ( No ICMP6 unreachable ) as it
> should've been and request is going through.
>
> In fact I tried 'drop' too , without any success. Can someone point
> out the code where ICMP unreachable is sent ? I tried to debug daq and
> always verdict to NFQUEUE is set as NF_ACCEPT.
>
> Thanks for the response.
>
> Regards,
> Kumar
>
>
> On Sat, Dec 10, 2011 at 9:16 PM, JJ Cummings <cummingsj at ...11827...> wrote:
>> What does your iptables look like and what is your snort startup command line? Also, use drop, not reject.
>>
>> Sent from the iRoad
>>
>> On Dec 9, 2011, at 5:48, K b <urbestfriend at ...11827...> wrote:
>>
>>> Hello,
>>>
>>> A newbie here and I was trying to setup snort inline with NFQ for IPv6
>>> services.  Just for testing I have added the following reject rule.
>>>
>>> reject tcp any any -> any 80 (classtype:attempted-user;
>>> msg:"Snort_test"; content:"snort-test"; sid:9000001; rev:1;)
>>>
>>> Now If I send a traffic with the above content, I see that alerts are
>>> getting generated but this requests is not being reset as expected.
>>>
>>> I am running snort 2.9.1.2, my snort.conf is unchanged. What am I doing wrong?
>>>
>>> Have a good day.
>>>
>>> Thanks and regards,
>>> Kumar
>>>
>>> ------------------------------------------------------------------------------
>>> Learn Windows Azure Live!  Tuesday, Dec 13, 2011
>>> Microsoft is holding a special Learn Windows Azure training event for
>>> developers. It will provide a great way to learn Windows Azure and what it
>>> provides. You can attend the event by watching it streamed LIVE online.
>>> Learn more at http://p.sf.net/sfu/ms-windowsazure
>>> _______________________________________________
>>> Snort-users mailing list
>>> Snort-users at lists.sourceforge.net
>>> Go to this URL to change user options or unsubscribe:
>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>> Snort-users list archive:
>>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>>
>>> Please visit http://blog.snort.org to stay current on all the latest Snort news!




More information about the Snort-users mailing list