[Snort-users] snort inline mode

eddie mrcyberfighter at ...11827...
Fri May 18 18:59:42 EDT 2012


Hello, Snort users:
I want to get an IPS that blocks attacks, so I studied Snort a little bit and 
downloaded it from the Ubuntu repository, but when I set Snort in inline 
mode, the only --daq-mode that works without a fatal error is the dump mode, 
with which I tested an nmap scan and saw that Snort allowed it after pressing 
Ctrl+C...
So I compiled the source with libnet, DAQ, and Snort: the DAQ compile 
instructions don't work, so I didn't mind and used the DAQ from the 
repository. But I have the same problem with --daq-mode, which only 
works without a fatal error in dump mode, which is not really an inline 
mode according to the Snort manual.

I have seen that most of the actions in the Snort rules are alert, and I 
want to know how Snort could work in inline mode with the alert action 
instead of block.

Extract from the Snort launch output:
Rule application order: 
activation->dynamic->pass->drop->sdrop->reject->alert->log

If you want to answer me, I have 2 questions:
- How do I patch the DAQ to make it work in another mode?
- Can I get Snort rules that have inline actions like block, or does 
inline mode work otherwise with alert?

Thanks for your answers.
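The second question above turns on the rule action keyword: in the application order Snort prints, `drop` is the action that blocks, and it only takes effect when Snort runs inline behind an inline-capable DAQ. The usual way to turn a passive (`alert`) ruleset into a blocking one is to rewrite the action keyword. The following is an added example, not code from the poster or from the Snort project; the rules it rewrites are a constructed sample, and which rules deserve `drop` rather than `alert` remains a tuning decision for the deployment.

```shell
#!/bin/sh
# Added example: rewrite the action keyword of active Snort rules from
# "alert" to "drop" so the ruleset blocks when Snort runs inline.
# Only the leading action of an uncommented rule line is touched; commented
# rules and rules with other actions (pass, drop, reject, ...) stay as-is.

inline_rules() {
    # $1: input rules file, $2: output rules file
    sed -E 's/^[[:space:]]*alert[[:space:]]+/drop /' "$1" > "$2"
}

# Count rule lines in file $2 that start with action $1 (prints 0 on no match).
count_actions() {
    grep -c "^$1 " "$2" || true
}

# Constructed sample ruleset (not a real Snort ruleset) for demonstration.
cat > sample.rules <<'EOF'
# alert tcp any any -> $HOME_NET 22 (msg:"commented out, must stay"; sid:1;)
alert tcp any any -> $HOME_NET 22 (msg:"SSH probe"; sid:2;)
pass tcp $HOME_NET any -> any any (msg:"trusted source"; sid:3;)
drop tcp any any -> $HOME_NET 23 (msg:"already drop"; sid:4;)
EOF

inline_rules sample.rules sample_inline.rules
cat sample_inline.rules
```

Run it with Snort pointed at the rewritten file; the `# alert` line survives untouched and the `pass` rule still takes precedence because `pass` comes before `drop` in the application order.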
