<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">

<head>
<meta http-equiv=Content-Type content="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 12 (filtered medium)">
<style>
<!--
 /* Font Definitions */
 @font-face
        {font-family:SimSun;
        panose-1:2 1 6 0 3 1 1 1 1 1;}
@font-face
        {font-family:Mangal;
        panose-1:0 0 4 0 0 0 0 0 0 0;}
@font-face
        {font-family:Mangal;
        panose-1:0 0 4 0 0 0 0 0 0 0;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:Tahoma;
        panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
        {font-family:"\@SimSun";
        panose-1:2 1 6 0 3 1 1 1 1 1;}
 /* Style Definitions */
 p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:purple;
        text-decoration:underline;}
span.EmailStyle17
        {mso-style-type:personal-reply;
        font-family:"Calibri","sans-serif";
        color:#1F497D;}
.MsoChpDefault
        {mso-style-type:export-only;}
@page Section1
        {size:8.5in 11.0in;
        margin:1.0in 1.0in 1.0in 1.0in;}
div.Section1
        {page:Section1;}
-->
</style>
<!--[if gte mso 9]><xml>
 <o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
 <o:shapelayout v:ext="edit">
  <o:idmap v:ext="edit" data="1" />
 </o:shapelayout></xml><![endif]-->
</head>

<body lang=EN-US link=blue vlink=purple>

<div class=Section1>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Russ,<o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>I ran the following configure statement:<o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'># ./configure --enable-inline<o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>The output of this command is attached in the file ‘config.logs’.<o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Then I ran the command:<o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'># libtool --finish /usr/local/lib/snort_dynamicpreprocessor<o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>The output of the above command is attached in the file ‘libtool.logs’.<o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Then I ran the command:<o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'># make<o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>The output of the above command is attached in the file ‘SnortMake.logs’.<o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Then I ran the command: <o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'># make install<o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>The output of the above command is attached in the file ‘SnortInstall.logs’.<o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>On running the command:<o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'># snort -V<o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>I get:<o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>   <span style='background:yellow;mso-highlight:yellow'>,,_    
-*> Snort! <*-<o:p></o:p></span></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D;background:yellow;mso-highlight:yellow'>  o" 
)~   Version 2.8.5.2 (Build 121)  <o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D;background:yellow;mso-highlight:yellow'>  
''''    By Martin Roesch & The Snort Team:
http://www.snort.org/snort/snort-team<o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D;background:yellow;mso-highlight:yellow'>          
Copyright (C) 1998-2009 Sourcefire, Inc., et al.<o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D;background:yellow;mso-highlight:yellow'>          
Using PCRE version: 7.8 2008-09-05</span><span style='font-size:11.0pt;
font-family:"Calibri","sans-serif";color:#1F497D'><o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>On running the command:<o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>#</span> <span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>snort -V -k None -K None -A console -Q -c /etc/snortIDSMode/snort.conf
-i eth1 -l /var/log/snort<o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>I get:<o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D;background:yellow;mso-highlight:yellow'>Enabling inline operation<o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D;background:yellow;mso-highlight:yellow'><o:p> </o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D;background:yellow;mso-highlight:yellow'>  
,,_     -*> Snort! <*-<o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D;background:yellow;mso-highlight:yellow'>  o" 
)~   Version 2.8.5.2 (Build 121)  <o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D;background:yellow;mso-highlight:yellow'>  
''''    By Martin Roesch & The Snort Team:
http://www.snort.org/snort/snort-team<o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D;background:yellow;mso-highlight:yellow'>          
Copyright (C) 1998-2009 Sourcefire, Inc., et al.<o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D;background:yellow;mso-highlight:yellow'>          
Using PCRE version: 7.8 2008-09-05<o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D;background:yellow;mso-highlight:yellow'><o:p> </o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D;background:yellow;mso-highlight:yellow'>          
Rules Engine: SF_SNORT_DETECTION_ENGINE  Version 1.11  &lt;Build 17&gt;<o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D;background:yellow;mso-highlight:yellow'>          
Rules Object: web-misc  Version 1.0  &lt;Build 1&gt;<o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D;background:yellow;mso-highlight:yellow'>          
Rules Object: web-client  Version 1.0  &lt;Build 1&gt;<o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D;background:yellow;mso-highlight:yellow'>          
Rules Object: sql  Version 1.0  &lt;Build 1&gt;<o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D;background:yellow;mso-highlight:yellow'>          
Rules Object: smtp  Version 1.0  &lt;Build 1&gt;<o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D;background:yellow;mso-highlight:yellow'>          
Rules Object: p2p  Version 1.0  &lt;Build 1&gt;<o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D;background:yellow;mso-highlight:yellow'>          
Rules Object: nntp  Version 1.0  &lt;Build 1&gt;<o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D;background:yellow;mso-highlight:yellow'>          
Rules Object: netbios  Version 1.0  &lt;Build 1&gt;<o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D;background:yellow;mso-highlight:yellow'>          
Rules Object: multimedia  Version 1.0  &lt;Build 1&gt;<o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D;background:yellow;mso-highlight:yellow'>          
Rules Object: misc  Version 1.0  &lt;Build 1&gt;<o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D;background:yellow;mso-highlight:yellow'>          
Rules Object: imap  Version 1.0  &lt;Build 1&gt;<o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D;background:yellow;mso-highlight:yellow'>          
Rules Object: exploit  Version 1.0  &lt;Build 1&gt;<o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D;background:yellow;mso-highlight:yellow'>          
Rules Object: dos  Version 1.0  &lt;Build 1&gt;<o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D;background:yellow;mso-highlight:yellow'>          
Rules Object: chat  Version 1.0  &lt;Build 1&gt;<o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D;background:yellow;mso-highlight:yellow'>          
Rules Object: bad-traffic  Version 1.0  &lt;Build 1&gt;<o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D;background:yellow;mso-highlight:yellow'>          
Preprocessor Object: SF_SSLPP  Version 1.1  &lt;Build 3&gt;<o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D;background:yellow;mso-highlight:yellow'>          
Preprocessor Object: SF_SSH  Version 1.1  &lt;Build 2&gt;<o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D;background:yellow;mso-highlight:yellow'>          
Preprocessor Object: SF_SMTP  Version 1.1  &lt;Build 8&gt;<o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D;background:yellow;mso-highlight:yellow'>          
Preprocessor Object: SF_FTPTELNET  Version 1.2  &lt;Build 12&gt;<o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D;background:yellow;mso-highlight:yellow'>          
Preprocessor Object: SF_DNS  Version 1.1  &lt;Build 3&gt;<o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D;background:yellow;mso-highlight:yellow'>          
Preprocessor Object: SF_DCERPC2  Version 1.0  &lt;Build 2&gt;</span><span
style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>My latest ‘snort.conf’ is also attached.<o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Please reply if you need any more information.<o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Thanks in advance<o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Ashish Sharma<o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>

<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'>

<p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span
style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> Russ Combs
[mailto:rcombs@...1935...] <br>
<b>Sent:</b> Wednesday, February 24, 2010 10:45 PM<br>
<b>To:</b> Sharma, Ashish<br>
<b>Cc:</b> Seth Art; Snort Users List<br>
<b>Subject:</b> Re: [Snort-users] Unable to run Snort in IPS mode<o:p></o:p></span></p>

</div>

<p class=MsoNormal><o:p> </o:p></p>

<p class=MsoNormal style='margin-bottom:12.0pt'>Hmmm ... if Snort isn't
starting with "reject" or "sdrop" rules then maybe it
wasn't actually built with --enable-inline.<br>
<br>
Can you post the configure statement at the top of your config.log and the
output from snort -V?<o:p></o:p></p>

<div>

<p class=MsoNormal>On Wed, Feb 24, 2010 at 10:16 AM, Sharma, Ashish <<a
href="mailto:ashish.sharma3@...6440...">ashish.sharma3@...6440...</a>> wrote:<o:p></o:p></p>

<p class=MsoNormal>Seth,<br>
<br>
Since I am testing on a single machine on the LAN, I replicated my Snort setup on a
non-virtual Fedora 10 machine; there too the problem persists.<br>
<br>
Packets are not getting dropped; just 'console' outputs are generated.<br>
<br>
Also, snort doesn't start with local rules of the 'reject' or 'sdrop' kind.<br>
<br>
I have followed this for reference:<br>
<br>
'<a href="http://openmaniak.com/inline_final.php" target="_blank">http://openmaniak.com/inline_final.php</a>'<br>
<br>
Please help!!!!<br>
<span style='color:#888888'><br>
Ashish Sharma</span><o:p></o:p></p>

<div>

<p class=MsoNormal><br>
-----Original Message-----<br>
From: Seth Art [mailto:<a href="mailto:sethsec@...11827...">sethsec@...5119...827...</a>]<br>
Sent: Tuesday, February 23, 2010 8:45 PM<br>
To: Sharma, Ashish<o:p></o:p></p>

</div>

<div>

<div>

<p class=MsoNormal>Cc: Nigel Houghton; Snort Users List<br>
Subject: Re: [Snort-users] Unable to run Snort in IPS mode<br>
<br>
Is the virtual snort actually inline, or is it dropping a COPY of the<br>
traffic?  You can test this with some iptables rules.  Block the<br>
traffic with some FW rules on the snort box and see if the traffic<br>
STILL gets to the destination.<br>
<br>
-Seth<br>
<br>
On Tue, Feb 23, 2010 at 9:29 AM, Sharma, Ashish <<a
href="mailto:ashish.sharma3@...6440...">ashish.sharma3@...6440...</a>> wrote:<br>
> Nigel,<br>
><br>
> No success :(<br>
><br>
> My machine is a Fedora Core 10 virtual machine, running on Sun VirtualBox.<br>
><br>
> My rules in 'local.rules' are as:<br>
><br>
> 'drop tcp any any -> 16.150.17.4 80 (msg: "Test web
activity";sid:1000001;)<br>
> drop icmp any any -> 16.150.17.4 any (msg: "Test ping activity";sid:1000002;)'<br>
><br>
> I am running 'snort' by this command:<br>
><br>
> 'snort -k none -A console -Q -c /etc/snortIDSMode/snort.conf -i eth1 -l
/var/log/snort'<br>
><br>
> Console output is as:<br>
><br>
> ' 02/23-19:57:13.288720  [Drop] [**] [1:1000001:0] Test web activity
[**] [Priority: 0] {TCP} <a href="http://16.213.0.37:13530" target="_blank">16.213.0.37:13530</a>
-> <a href="http://16.150.17.4:80" target="_blank">16.150.17.4:80</a><br>
> 02/23-19:57:13.288812  [Drop] [**] [1:1000001:0] Test web activity
[**] [Priority: 0] {TCP} <a href="http://16.213.0.37:13402" target="_blank">16.213.0.37:13402</a>
-> <a href="http://16.150.17.4:80" target="_blank">16.150.17.4:80</a><br>
> 02/23-19:57:47.034571  [Drop] [**] [1:1000002:0] Test ping activity
[**] [Priority: 0] {ICMP} 16.150.18.130 -> 16.150.17.4'<br>
><br>
> But packets are not getting dropped, and replies to the above request are being
received successfully. This should not happen :( right?<br>
><br>
> With regards<br>
> Ashish Sharma<br>
><br>
><br>
> -----Original Message-----<br>
> From: Nigel Houghton [mailto:<a href="mailto:nhoughton@...1935...">nhoughton@...1935...</a>]<br>
> Sent: Tuesday, February 23, 2010 7:00 PM<br>
> To: Sharma, Ashish<br>
> Cc: Snort Users List<br>
> Subject: Re: [Snort-users] Unable to run Snort in IPS mode<br>
><br>
> On Tue, Feb 23, 2010 at 2:15 AM, Sharma, Ashish <<a
href="mailto:ashish.sharma3@...6440...">ashish.sharma3@...6440...</a>> wrote:<br>
>> Nigel,<br>
>><br>
>> No success with your suggested idea.<br>
>><br>
>> Attached is my 'local.rules' file.<br>
>><br>
>> My uncommented rule is as:<br>
>> 'drop tcp any any -> 16.150.17.4 80 (msg: "Test web
activity";sid:1000001;)'<br>
>><br>
>> I launch my 'snort' with the following command:<br>
>><br>
>> 'snort -A console -Q -c /etc/snortIDSMode/snort.conf -i eth1 -l
/var/log/snort'<br>
>><br>
>> Now whenever I try to access a web page hosted on a web server on the
same machine (on which snort is hosted), I get the following kind of console
output:<br>
>><br>
>> ' 02/23-12:28:04.537751  [Drop] [**] [1:1000001:0] Test web
activity [**] [Priority: 0] {TCP} <a href="http://16.213.0.37:5763"
target="_blank">16.213.0.37:5763</a> -> <a href="http://16.150.17.4:80"
target="_blank">16.150.17.4:80</a><br>
>> 02/23-12:28:04.538713  [Drop] [**] [1:1000001:0] Test web
activity [**] [Priority: 0] {TCP} <a href="http://16.213.0.37:5763"
target="_blank">16.213.0.37:5763</a> -> <a href="http://16.150.17.4:80"
target="_blank">16.150.17.4:80</a><br>
>> 02/23-12:28:04.935699  [Drop] [**] [1:1000001:0] Test web
activity [**] [Priority: 0] {TCP} <a href="http://16.213.0.37:5763"
target="_blank">16.213.0.37:5763</a> -> <a href="http://16.150.17.4:80"
target="_blank">16.150.17.4:80</a><br>
>> 02/23-12:28:05.263633  [Drop] [**] [1:1000001:0] Test web
activity [**] [Priority: 0] {TCP} <a href="http://16.213.0.37:5763"
target="_blank">16.213.0.37:5763</a> -> <a href="http://16.150.17.4:80"
target="_blank">16.150.17.4:80</a>'<br>
>><br>
>> Here I am able to access my web page from any other foreign machine,
but this should not happen with a 'Drop' rule of this kind; I should not be able
to access my web page in the first place when snort is running in 'inline' mode.<br>
>><br>
>> Moreover, I had to comment out the other 'reject' and 'sdrop' rules since
'snort' fails to identify them (please look into my first message for the console
output for this error).<br>
>><br>
>> Thanks<br>
>> Ashish Sharma<br>
>><br>
>><br>
>> -----Original Message-----<br>
>> From: Nigel Houghton [mailto:<a href="mailto:nhoughton@...14281....">nhoughton@...1935...</a>]<br>
>> Sent: Monday, February 22, 2010 9:16 PM<br>
>> To: Sharma, Ashish<br>
>> Cc: Snort Users List<br>
>> Subject: Re: [Snort-users] Unable to run Snort in IPS mode<br>
>><br>
>> On Mon, Feb 22, 2010 at 9:22 AM, Sharma, Ashish <<a
href="mailto:ashish.sharma3@...6440...">ashish.sharma3@...6440...</a>> wrote:<br>
>>> Nigel,<br>
>>><br>
>>> One of my drop rules in 'local.rules' is of following type:<br>
>>> 'drop icmp any any -> xxx.xxx.xxx.xxx any (msg: "Test ping
activity";sid:1000002;)'<br>
>>><br>
>>> Here my intention is to drop any packet that is received for ICMP
ping activity, but actually when I run my 'snort'<br>
>>> and 'Ping' on the destination machine, only alerts are logged and I
receive the response of my 'Ping' command too.<br>
>>><br>
>>> But I expect this should not happen with a 'drop' rule; no response
should be received in this case.<br>
>>><br>
>>> Thanks<br>
>>> Ashish Sharma<br>
>>><br>
>>> -----Original Message-----<br>
>>> From: Nigel Houghton [mailto:<a
href="mailto:nhoughton@...1935...">nhoughton@...1935...</a>]<br>
>>> Sent: Monday, February 22, 2010 7:42 PM<br>
>>> To: Sharma, Ashish<br>
>>> Cc: Snort Users List<br>
>>> Subject: Re: [Snort-users] Unable to run Snort in IPS mode<br>
>>><br>
>>> On Mon, Feb 22, 2010 at 8:37 AM, Sharma, Ashish <<a
href="mailto:ashish.sharma3@...6440...">ashish.sharma3@...6440...</a>> wrote:<br>
>>>> Rmkml,<br>
>>>><br>
>>>> Please find attached my 'local.rules' file.<br>
>>>><br>
>>>> Thanks<br>
>>>> Ashish Sharma<br>
>>>><br>
>>>> -----Original Message-----<br>
>>>> From: rmkml [mailto:<a href="mailto:rmkml@...953...">rmkml@...953...</a>]<br>
>>>> Sent: Monday, February 22, 2010 6:49 PM<br>
>>>> To: Sharma, Ashish<br>
>>>> Cc: <a href="mailto:rmkml@...953...">rmkml@...953...</a><br>
>>>> Subject: RE: [Snort-users] Unable to run Snort in IPS mode<br>
>>>><br>
>>>> ok thx you Sharma,<br>
>>>> could you send local.rules please?<br>
>>>> Regards<br>
>>>> Rmkml<br>
>>>><br>
>>>><br>
>>>> On Mon, 22 Feb 2010, Sharma, Ashish wrote:<br>
>>>><br>
>>>>> Rmkml,<br>
>>>>><br>
>>>>> First of all thanks for helping.<br>
>>>>><br>
>>>>> I don't think there is any problem with command formatting
or a 'RULE_PATH' variable error.<br>
>>>>><br>
>>>>> The reason being that when I comment out the 'reject' and
'sdrop' rules from the 'local.rules' file and only 'drop' rules are there, then
'Snort' is able to run fine and alerts are generated and logged.<br>
>>>>><br>
>>>>> For your reference my 'Snort.conf' is attached.<br>
>>>>><br>
>>>>> Thanks for helping again.<br>
>>>>><br>
>>>>> Ashish Sharma<br>
>>>>><br>
>>>>> -----Original Message-----<br>
>>>>> From: rmkml [mailto:<a href="mailto:rmkml@...953...">rmkml@...953...</a>]<br>
>>>>> Sent: Monday, February 22, 2010 5:15 PM<br>
>>>>> To: Sharma, Ashish<br>
>>>>> Cc: <a href="mailto:rmkml@...953...">rmkml@...953...</a><br>
>>>>> Subject: Re: [Snort-users] Unable to run Snort in IPS mode<br>
>>>>><br>
>>>>> Hi Sharma,<br>
>>>>> you start snort with cmd line:<br>
>>>>>  'snort -A console -Q -c /etc/snort /snort.conf -i
eth1 -l /var/log/snort'<br>
>>>>> please remove the space, like ... -c /etc/snort/snort.conf ...<br>
>>>>> in your snort.conf, what does the RULE_PATH variable contain,
please? or send<br>
>>>>> snort.conf...<br>
>>>>> Regards<br>
>>>>> Rmkml<br>
>>>>><br>
>>>>><br>
>>>>> On Mon, 22 Feb 2010, Sharma, Ashish wrote:<br>
>>>>><br>
>>>>>> Hi,<br>
>>>>>><br>
>>>>>> I have a Fedora Core 10 virtual machine running on
Sun VirtualBox.<br>
>>>>>><br>
>>>>>> I am trying to run Snort on this machine in IPS mode.<br>
>>>>>><br>
>>>>>> I followed the following steps (I had already
installed the prerequisites for Snort IPS):<br>
>>>>>><br>
>>>>>> 1. Downloaded 'snort-2.8.5.2.tar.gz'<br>
>>>>>> 2. Extracted the binaries.<br>
>>>>>> 3. did './configure --enable-inline'<br>
>>>>>> 4. did 'make'<br>
>>>>>> 5. did 'make install'<br>
>>>>>> 6. copied snort rules and snort conf at appropriate
location.<br>
>>>>>> 7. executed the following command :<br>
>>>>>> 'snort -A console -Q -c /etc/snort /snort.conf -i eth1
-l /var/log/snort'<br>
>>>>>> 8. Snort launches with the traces :<br>
>>>>>><br>
>>>>>> Enabling inline operation<br>
>>>>>> Running in IDS mode<br>
>>>>>><br>
>>>>>> --== Initializing Snort ==--<br>
>>>>>> Initializing Output Plugins!<br>
>>>>>> Initializing Preprocessors!<br>
>>>>>> ..................................<br>
>>>>>><br>
>>>>>> Initializing rule chains...<br>
>>>>>> ERROR: /etc/snortIDSMode/rules /local.rules(10 )
Unknown rule type: reject.<br>
>>>>>> Fatal Error, Quitting..<br>
>>>>>><br>
>>>>>> 8. As you can see I have a test rule in local.rules
that has a 'reject' rule in it, but snort is not accepting it; the same is the case
for the 'sdrop' rule also.<br>
>>>>>><br>
>>>>>> 9. What is the problem, please help!!!!!<br>
>>>>>><br>
>>>>>> What should I do in all to let my Snort run in IPS
mode?<br>
>>>>>><br>
>>>>>> Thanks in advance<br>
>>>>>><br>
>>>>>> Ashish Sharma<br>
>>>>>><br>
>>>>><br>
>>>><br>
>>>>
------------------------------------------------------------------------------<br>
>>>> Download Intel&#174; Parallel Studio Eval<br>
>>>> Try the new software tools for yourself. Speed compiling, find
bugs<br>
>>>> proactively, and fine-tune applications for parallel
performance.<br>
>>>> See why Intel Parallel Studio got high marks during beta.<br>
>>>> <a href="http://p.sf.net/sfu/intel-sw-dev" target="_blank">http://p.sf.net/sfu/intel-sw-dev</a><br>
>>>> _______________________________________________<br>
>>>> Snort-users mailing list<br>
>>>> <a href="mailto:Snort-users@lists.sourceforge.net">Snort-users@lists.sourceforge.net</a><br>
>>>> Go to this URL to change user options or unsubscribe:<br>
>>>> <a
href="https://lists.sourceforge.net/lists/listinfo/snort-users" target="_blank">https://lists.sourceforge.net/lists/listinfo/snort-users</a><br>
>>>> Snort-users list archive:<br>
>>>> <a
href="http://www.geocrawler.com/redir-sf.php3?list=snort-users" target="_blank">http://www.geocrawler.com/redir-sf.php3?list=snort-users</a><br>
>>>><br>
>>><br>
>>><br>
>>> You have compiled Snort with --enable-inline. Your snort.conf
looks<br>
>>> fine. The rules you have need to use the "drop" keyword
instead of<br>
>>> "alert" so that they will drop the traffic in inline
mode.<br>
>>><br>
>>> So your two rules would become:<br>
>>><br>
>>> drop tcp any any -> 16.150.17.4 25 (msg: "Test
activity"; sid:1000003;)<br>
>>> drop tcp any any -> 16.150.17.4 3310 (msg: "Test
activity"; sid:1000004;)<br>
>>><br>
>>> --<br>
>>> Nigel Houghton<br>
>>> Head Mentalist<br>
>>> SF VRT<br>
>>> <a href="http://vrt-sourcefire.blogspot.com" target="_blank">http://vrt-sourcefire.blogspot.com</a>
&& <a href="http://labs.snort.org/" target="_blank">http://labs.snort.org/</a><br>
>>><br>
>><br>
>><br>
>> Your drop rule is commented out, so it is not active. Please try what<br>
>> I told you to try and report back. Thanks.<br>
>><br>
>> --<br>
>> Nigel Houghton<br>
>> Head Mentalist<br>
>> SF VRT<br>
>> <a href="http://vrt-sourcefire.blogspot.com" target="_blank">http://vrt-sourcefire.blogspot.com</a>
&& <a href="http://labs.snort.org/" target="_blank">http://labs.snort.org/</a><br>
>><br>
><br>
><br>
> Now we are getting somewhere. Since your snort installation is on the<br>
> same machine you are sending packets to, try adding the "-k
none"<br>
> option to the command line. See if that fixes your problem and report<br>
> back.<br>
><br>
> --<br>
> Nigel Houghton<br>
> Head Mentalist<br>
> SF VRT<br>
> <a href="http://vrt-sourcefire.blogspot.com" target="_blank">http://vrt-sourcefire.blogspot.com</a>
&& <a href="http://labs.snort.org/" target="_blank">http://labs.snort.org/</a><br>
><br>
<o:p></o:p></p>

</div>

</div>

</div>

<p class=MsoNormal><o:p> </o:p></p>
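<p class=MsoNormal>Added example for this thread (not code from the thread's participants or from the Snort project): a small Python pre-flight check for the two things the whole exchange turns on. It parses the rule lines and the '-A console' alert lines quoted above, flags the rule actions that the thread shows fail to parse on a build that ends up in IDS mode ('reject' and 'sdrop' gave "Unknown rule type"), and maps each '[Drop]' console verdict back to its rule by sid, so a verdict in the log is not mistaken for a packet actually being blocked. The inline-only action set is taken from the thread's own error output rather than from Snort's documentation, and the 'reject'/'sdrop' sample rules with sids 1000003 and 1000004 are constructed for the example.</p>

```python
"""Pre-flight lint for Snort 2.8-style rules and -A console alert lines.

Added example, not Snort project code. The "inline-only" action set is
taken from the thread's own error output ("Unknown rule type: reject");
drop parsed there but was only alerted on ("Running in IDS mode").
"""
import re

INLINE_ONLY_ACTIONS = {"reject", "sdrop"}          # did not parse in the thread
BLOCKING_ACTIONS = {"drop", "reject", "sdrop"}     # only enforced when truly inline

# action proto src sport dir dst dport (options)
RULE_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)
# 02/23-19:57:13.288720  [Drop] [**] [1:1000001:0] msg [**] [Priority: 0] {TCP} a:p -> b:p
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+(?:\[(?P<verdict>\w+)\]\s+)?"
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+"
    r"\[\*\*\]\s+\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)")


def parse_rules(text):
    """One dict per active rule; comments and blank lines are skipped."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            rules.append({"lineno": lineno, "action": None, "sid": None, "error": "unparseable"})
            continue
        sid = SID_RE.search(m.group("opts"))
        rules.append({"lineno": lineno, "action": m.group("action").lower(),
                      "proto": m.group("proto"), "dst": m.group("dst"),
                      "dport": m.group("dport"),
                      "sid": int(sid.group(1)) if sid else None, "error": None})
    return rules


def lint_rules(rules, inline_build):
    """Problems Snort would hit at startup (fatal) or silently at run time."""
    problems = []
    for r in rules:
        if r["error"]:
            problems.append(f"line {r['lineno']}: {r['error']}")
        elif r["action"] in INLINE_ONLY_ACTIONS and not inline_build:
            problems.append(f"line {r['lineno']}: Unknown rule type: {r['action']}")
        elif r["action"] in BLOCKING_ACTIONS and not inline_build:
            problems.append(f"line {r['lineno']}: {r['action']} rule will only alert (not inline)")
    return problems


def parse_alerts(lines):
    """Parsed -A console lines; lines that do not match are ignored."""
    return [m.groupdict() for m in (ALERT_RE.match(l.strip()) for l in lines) if m]


def verdict_summary(rules, alerts):
    """Map each console verdict back to its rule by sid.

    A [Drop] verdict only says which action the rule carries; whether the
    packet was blocked depends on Snort really running inline.
    """
    by_sid = {r["sid"]: r for r in rules if r["sid"] is not None}
    summary = {"verdicts": {}, "unknown_sids": [], "mismatches": []}
    for a in alerts:
        sid = int(a["sid"])
        verdict = (a["verdict"] or "alert").lower()
        summary["verdicts"][verdict] = summary["verdicts"].get(verdict, 0) + 1
        rule = by_sid.get(sid)
        if rule is None:
            summary["unknown_sids"].append(sid)
        elif rule["action"] != verdict:
            summary["mismatches"].append((sid, rule["action"], verdict))
    return summary


# Constructed sample: the two drop rules quoted in the thread plus a reject
# and an sdrop rule of the same shape (sids 1000003/1000004 are made up here).
SAMPLE_RULES = """\
# local.rules
drop tcp any any -> 16.150.17.4 80 (msg: "Test web activity";sid:1000001;)
drop icmp any any -> 16.150.17.4 any (msg: "Test ping activity";sid:1000002;)
reject tcp any any -> 16.150.17.4 25 (msg: "Test activity"; sid:1000003;)
sdrop tcp any any -> 16.150.17.4 3310 (msg: "Test activity"; sid:1000004;)
"""

# Console lines as quoted in the thread.
SAMPLE_ALERTS = [
    "02/23-19:57:13.288720  [Drop] [**] [1:1000001:0] Test web activity [**] [Priority: 0] {TCP} 16.213.0.37:13530 -> 16.150.17.4:80",
    "02/23-19:57:13.288812  [Drop] [**] [1:1000001:0] Test web activity [**] [Priority: 0] {TCP} 16.213.0.37:13402 -> 16.150.17.4:80",
    "02/23-19:57:47.034571  [Drop] [**] [1:1000002:0] Test ping activity [**] [Priority: 0] {ICMP} 16.150.18.130 -> 16.150.17.4",
]

if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    for p in lint_rules(rules, inline_build=False):
        print("non-inline build:", p)
    print(verdict_summary(rules, parse_alerts(SAMPLE_ALERTS)))
```

<p class=MsoNormal>Run as a script it lists, for a non-inline build, the two rules that would abort startup and the two drop rules that would only alert; pass inline_build=True once the configure line at the top of config.log shows --enable-inline (the check Russ asks for above) and the problem list empties. The verdict summary is deliberately a cross-check of the log against the rule file, nothing more: the thread shows three [Drop] lines while the packets still got through, so the log alone never proves enforcement.</p>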

</div>

</body>

</html>