[Snort-users] Snort/ipfw daq doesn't drop packets under OpenBSD
dritonbelushi at ...11491...
Mon Apr 22 03:14:09 EDT 2013
Can we say that the packet-dropping feature of Snort under OpenBSD with the inline ipfw daq is unsupported or buggy?
----- Original Message -----
From: Driton Belushi
Sent: 04/19/13 08:07 PM
To: snort-users at lists.sourceforge.net
Subject: Snort/ipfw daq doesn't drop packets under OpenBSD
I'm trying to run snort as an IPS under OpenBSD 5.3-current.
I see packets which are diverted by PF in snort and also in the alert file.
But snort doesn't drop packets although they match rules; it only logs to the alert file.
I supply my config files and logs. Also I can send anything related to this issue.
# cat /etc/rc.d/snort
# $OpenBSD: snort.rc,v 1.1 2012/10/11 02:40:48 lteo Exp $
daemon="/usr/local/bin/snort -D -Q -k none"
daemon_flags="-c /etc/snort/snort.conf -u root -g wheel -t /var/snort -l /var/snort/log"
# cat /etc/snort/rules/custom.rules
drop icmp any any -> any any (msg:"ICMP Testing Rule"; sid:1000001; rev:1;)
drop tcp any any -> any 80 (msg:"TCP Testing Rule"; sid:1000002; rev:1;)
# uname -a
OpenBSD snort.test.com 5.3 GENERIC.MP#127 i386
# snort --daq-dir /usr/local/lib/daq/ --daq-list
Available DAQ modules:
pcap(v3): readback live multi unpriv
ipfw(v2): live inline multi unpriv
dump(v1): readback live inline multi unpriv
# snort -V
,,_ -*> Snort! <*-
o" )~ Version 126.96.36.199 GRE (Build 69)
'''' By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
Copyright (C) 1998-2013 Sourcefire, Inc., et al.
Using OpenBSD libpcap
Using PCRE version: 8.32 2012-11-30
Using ZLIB version: 1.2.3
Can anyone help with this issue please?
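A small audit of the kind a practitioner would run over the material quoted in the post, as an added example that is not part of the original thread or of the Snort project. It parses the rule file, the rc.d daemon line and the `--daq-list` output, then reports the conditions under which drop rules only produce alerts: no `-Q`, no DAQ selected on the command line (in which case the DAQ must be set in snort.conf via `config daq:`; the post does not show snort.conf), or a DAQ whose capability list lacks `inline`, as pcap does in the output above. The sample strings below are constructed copies of the post's own lines, and the option parser is simplified (it splits on `;`, so a `msg` containing a semicolon would need a real parser).

```python
#!/usr/bin/env python3
"""Audit a Snort inline setup: rule actions, command-line flags, DAQ capability.
Added example; not from the original post or the Snort project."""
import re
import shlex

# Constructed samples modelled on the rc.d, custom.rules and --daq-list
# output quoted in the post (hypothetical values, not a real host's config).
SAMPLE_RC = {
    "daemon": "/usr/local/bin/snort -D -Q -k none",
    "daemon_flags": "-c /etc/snort/snort.conf -u root -g wheel -t /var/snort -l /var/snort/log",
}
SAMPLE_RULES = """\
drop icmp any any -> any any (msg:"ICMP Testing Rule"; sid:1000001; rev:1;)
drop tcp any any -> any 80 (msg:"TCP Testing Rule"; sid:1000002; rev:1;)
"""
SAMPLE_DAQ_LIST = """\
Available DAQ modules:
pcap(v3): readback live multi unpriv
ipfw(v2): live inline multi unpriv
dump(v1): readback live inline multi unpriv
"""

# Snort rule header: action proto src sport dir dst dport (options)
RULE_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)
BLOCKING_ACTIONS = {"drop", "sdrop", "reject"}


def parse_rules(text):
    """Parse rule headers and msg/sid options; skips comments and blank lines.
    Options are split on ';', so a msg containing ';' would need a real parser."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        opts = {}
        for opt in m.group("opts").split(";"):
            opt = opt.strip()
            if opt:
                key, _, val = opt.partition(":")
                opts[key.strip()] = val.strip().strip('"')
        rule = {k: m.group(k) for k in ("action", "proto", "src", "sport", "dst", "dport")}
        rule["sid"] = opts.get("sid")
        rule["msg"] = opts.get("msg")
        rules.append(rule)
    return rules


def parse_daq_list(text):
    """Map DAQ module name -> set of capability words from `snort --daq-list`."""
    mods = {}
    for line in text.splitlines():
        m = re.match(r"^(\w+)\(v\d+\):\s*(.*)$", line.strip())
        if m:
            mods[m.group(1)] = set(m.group(2).split())
    return mods


def selected_daq(argv):
    """Return the DAQ named with --daq on the command line, or None."""
    for i, arg in enumerate(argv):
        if arg == "--daq" and i + 1 < len(argv):
            return argv[i + 1]
        if arg.startswith("--daq="):
            return arg.split("=", 1)[1]
    return None


def audit(rc, rules_text, daq_list_text):
    """Return the selected DAQ, the blocking rule SIDs and a list of findings
    that each explain why drop rules could end up only alerting."""
    argv = shlex.split(rc["daemon"] + " " + rc["daemon_flags"])
    rules = parse_rules(rules_text)
    mods = parse_daq_list(daq_list_text)
    daq = selected_daq(argv)
    findings = []
    blocking = [r["sid"] for r in rules if r["action"] in BLOCKING_ACTIONS]
    if not blocking:
        findings.append("no drop/sdrop/reject rules: nothing can be blocked")
    if "-Q" not in argv:
        findings.append("-Q absent: not inline, drop rules behave like alert")
    if daq is None:
        findings.append("no --daq on command line: DAQ must come from snort.conf "
                        "('config daq: ipfw'); the pcap default is not inline-capable")
    elif daq not in mods:
        findings.append("--daq %s not present in --daq-list output" % daq)
    elif "inline" not in mods[daq]:
        findings.append("DAQ %s lacks the 'inline' capability" % daq)
    return {"daq": daq, "blocking_sids": blocking, "findings": findings}


if __name__ == "__main__":
    for f in audit(SAMPLE_RC, SAMPLE_RULES, SAMPLE_DAQ_LIST)["findings"]:
        print("WARN:", f)
```

Run against the constructed copy of the post's rc.d line it reports only that no DAQ is selected on the command line; adding `--daq ipfw` to the daemon string clears every finding, while `--daq pcap` is flagged because the capability list shows no `inline`.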