[Snort-users] Snort does not drop packets in inline mode in FreeBSD

mali dorn mailleest14 at ...11827...
Mon Apr 25 02:13:51 EDT 2016


http://seclists.org/snort/2012/q4/465

I have the same problem here and no luck to run Snort in inline mode with
IPFW and FreeBSD. Snort does not drop packets. I only get alerts in log
files.

Here is my system

FreeBSD 9.2-RELEASE amd64
Version 2.9.4.6 GRE (Build 73) FreeBSD

Here is my config:

IPFW rule:
ipfw add 75 divert 8000 ip from any to any

Snort.conf
config daq: ipfw
config daq_mode: inline
config policy_mode: inline
include droprules.rule

droprules.rule
drop icmp any any -> any any (msg:"ICMP test drop"; GID:1; sid:10000001; rev:001; classtype:icmp-event;)


Run Snort in inline mode:
snort -c /usr/local/etc/snort/snort.conf -A fast -Q --daq ipfw

And I just get alert messages instead of drops:
02/15-19:33:38.952784  [Drop] [**] [1:10000001:1] ICMP test drop [**] [Classification: Generic ICMP event] [Priority: 3] {ICMP} 10.0.0.116 -> 10.0.0.1


Is this a bug in Snort or am I wrong in some steps?
Thanks.
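An added example, not from the post or from the Snort project: a parser for the Snort 2.9 "-A fast" alert format shown above that separates the bracketed verdict ("[Drop]") from the rest of the line and counts verdicts per rule. The "[Drop]" tag is only what Snort reports it did with the packet; the per-rule counts are meant to be compared with the packet counters of the ipfw divert rule to confirm traffic really stopped. The two TCP sample lines are constructed; only the first line is from the post.

```python
import re
from typing import Dict, Iterable, Optional, Tuple

# Snort 2.9 "-A fast" line, e.g. the post's own (unwrapped):
#   02/15-19:33:38.952784  [Drop] [**] [1:10000001:1] ICMP test drop [**] [Classification: ...] [Priority: 3] {ICMP} 10.0.0.116 -> 10.0.0.1
# The bracketed verdict before [**] is optional (absent on alert-only lines); TCP/UDP lines carry :port. IPv4 only.
FAST_ALERT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?:\[(?P<verdict>[A-Za-z]+)\]\s+)?"
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>[A-Za-z0-9]+)\}\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dport>\d+))?\s*$"
)
INT_FIELDS = ("gid", "sid", "rev", "prio", "sport", "dport")

def parse_fast_alert(line: str) -> Optional[dict]:
    """Parse one fast-format line into a dict; None if the line does not match.
    'verdict' is Snort's claimed action ("Drop") or None for an alert-only line."""
    m = FAST_ALERT_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    for k in INT_FIELDS:
        rec[k] = int(rec[k]) if rec[k] is not None else None
    return rec

def verdict_counts(lines: Iterable[str]) -> Dict[Tuple[int, int, str], int]:
    """Count lines per (gid, sid, verdict), using "Alert" when no verdict token is present.
    The Drop count is Snort's claim only; check it against the divert rule's ipfw counters."""
    counts: Dict[Tuple[int, int, str], int] = {}
    for line in lines:
        rec = parse_fast_alert(line)
        if rec is not None:
            key = (rec["gid"], rec["sid"], rec["verdict"] or "Alert")
            counts[key] = counts.get(key, 0) + 1
    return counts

# Constructed sample: the post's line plus two made-up lines (the TCP one is alert-only).
SAMPLE_LOG = [
    "02/15-19:33:38.952784  [Drop] [**] [1:10000001:1] ICMP test drop [**] "
    "[Classification: Generic ICMP event] [Priority: 3] {ICMP} 10.0.0.116 -> 10.0.0.1",
    "02/15-19:33:40.000001  [**] [1:10000002:1] TCP test alert [**] "
    "[Priority: 2] {TCP} 10.0.0.116:51234 -> 10.0.0.1:80",
    "02/15-19:33:41.000002  [Drop] [**] [1:10000001:1] ICMP test drop [**] "
    "[Classification: Generic ICMP event] [Priority: 3] {ICMP} 10.0.0.116 -> 10.0.0.1",
]
```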