[Snort-users] anyone using snort 2.9.03 on freebsd with --daq ipfw?

Michael Scheidell michael.scheidell at ...8144...
Tue Feb 8 10:11:59 EST 2011


I have been trying to get this to work, and either there is something 
wrong with the ipfw daq module, or I have something set up wrong.

I am using FreeBSD 7.3 amd64, IF_BRIDGE (yes, it works; it used to work 
with snort 2.8.4 with inline patches. Yes, FreeBSD fixed the problem with 
divert and if_bridge).

snort started:

  snort -dQv -c snort_test.conf --daq ipfw

snort_test.conf:

#config detection: search-method ac-bnfa
config detection: search-method ac-split
#config detection: search-method ac  max_queue_events 5

config policy_mode:inline

var HOME_NET [10.0.0.0/8]

alert icmp any any <> any any (msg: "ping testing";rev:1;sid:1)



ipfw:
00100     0       0 allow ip from any to any via lo0
00200 18464 2478940 allow ip from any to any via con0
09000  1352  113492 count ip from any to any
10000   850   71400 divert 8000 ip from any to any
65535  1224  102740 allow ip from any to any


What happens is that as soon as I put in the divert rule, traffic stops 
being passed.

It is in /var/log/snort/alert:

02/08-10:09:24.936282 172.70.2.56 -> 172.70.2.13
ICMP TTL:64 TOS:0x0 ID:41296 IpLen:20 DgmLen:84
Type:8  Code:0  ID:53529   Seq:3706  ECHO
4D 51 5C A4 00 0E 3C 03 08 09 0A 0B 0C 0D 0E 0F  MQ\...<.........
10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F  ................
20 21 22 23 24 25 26 27 28 29 2A 2B 2C 2D 2E 2F   !"#$%&'()*+,-./
30 31 32 33 34 35 36 37                          01234567


But no reply comes back; the destination does not see it.


-- 
Michael Scheidell, CTO
SECNAP Network Security Corporation
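A diagnostic for the symptom described in the post, added here and not part of the post or of Snort: it parses two `ipfw -a list` snapshots taken a few seconds apart and checks whether packets hitting the divert rule also reach the rule after it, which is where ipfw resumes processing for packets written back on the divert socket. The first snapshot is the listing from the post, the second is constructed; the assumption that reinjected packets continue at the next rule is about FreeBSD's divert behaviour, not something the post states.

```python
import re
from typing import Dict, List, Tuple

# Line format of `ipfw -a list`: <rule> <packets> <bytes> <action and match>
RULE_RE = re.compile(r"^(\d+)\s+(\d+)\s+(\d+)\s+(\S.*)$")

def parse_ipfw_list(text: str) -> List[Tuple[int, int, str]]:
    """Return (rule number, packet counter, rule body) per rule line, sorted."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules.append((int(m.group(1)), int(m.group(2)), m.group(4)))
    return sorted(rules)

def divert_reinjection_report(before: str, after: str) -> Dict[str, int]:
    """Compare two `ipfw -a list` snapshots taken a few seconds apart.
    Assumption: a packet written back on the divert socket re-enters ipfw at
    the rule after the divert rule, so if snort (--daq ipfw) is reinjecting,
    that rule's counter grows by about as much as the divert rule's did.
    A next-rule delta near zero means diverted packets are being swallowed."""
    before_counts = {num: pkts for num, pkts, _ in parse_ipfw_list(before)}
    after_rules = parse_ipfw_list(after)
    after_counts = {num: pkts for num, pkts, _ in after_rules}
    for i, (num, _, body) in enumerate(after_rules[:-1]):
        if body.startswith("divert"):
            nxt = after_rules[i + 1][0]
            diverted = after_counts[num] - before_counts.get(num, 0)
            reinjected = after_counts[nxt] - before_counts.get(nxt, 0)
            return {"divert_rule": num, "next_rule": nxt, "diverted": diverted,
                    "reinjected": reinjected, "swallowed": max(diverted - reinjected, 0)}
    raise ValueError("no divert rule found in the listing")

# Constructed snapshots: the first is the listing from the post, the second is
# made up so that 50 more packets hit the divert rule while the final allow
# rule did not move, i.e. the diverted packets were never written back.
SNAPSHOT_1 = """\
00100     0       0 allow ip from any to any via lo0
00200 18464 2478940 allow ip from any to any via con0
09000  1352  113492 count ip from any to any
10000   850   71400 divert 8000 ip from any to any
65535  1224  102740 allow ip from any to any
"""
SNAPSHOT_2 = """\
00100     0       0 allow ip from any to any via lo0
00200 18470 2479800 allow ip from any to any via con0
09000  1402  117692 count ip from any to any
10000   900   75600 divert 8000 ip from any to any
65535  1224  102740 allow ip from any to any
"""
```

Run it against two real snapshots (`ipfw -a list` before and after sending a burst of pings through the bridge); a large "swallowed" value with snort running points at the DAQ not writing packets back rather than at the ipfw ruleset.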
