[Snort-users] Snort does not drop packets in inline mode in FreeBSD

mali dorn mailleest14 at ...11827...
Mon Apr 25 02:13:51 EDT 2016


I have the same problem here and have had no luck running Snort in inline mode
with IPFW and FreeBSD. Snort does not drop packets. I only get alerts in the log.

Here is my system:

FreeBSD 9.2-RELEASE amd64
Version GRE (Build 73) FreeBSD

Here is my config:

IPFW rule:
ipfw add 75 divert 8000 ip from any to any

config daq: ipfw
config daq_mode: inline
config policy_mode: inline
include droprules.rule

drop icmp any any -> any any (msg:"ICMP test drop"; GID:1; sid:10000001; rev:001; classtype:icmp-event;)

Run Snort in inline mode:
snort -c /usr/local/etc/snort/snort.conf -A fast -Q --daq ipfw

And I just got alert messages instead of dropping.
02/15-19:33:38.952784  [Drop] [**] [1:10000001:1] ICMP test drop [**] [Classification: Generic ICMP event] [Priority: 3] {ICMP} ->

Is this a bug in Snort or am I wrong in some steps?