Honeypots mailing list archives
Re: snort-inline
From: Rob McMillen <rvmcmil () cablespeed com>
Date: Tue, 18 Mar 2003 19:34:47 -0500 (EST)
On Tue, 18 Mar 2003, Ales Stibal wrote:

> Hello list, I have a big problem running snort-inline on a single host. I wanted my box to be protected by snort-inline, but I failed to do so.

What version of snort_inline do you have? Make sure you get the latest from http://project.honeynet.org/papers/honeynet/tools/si/. Make sure you get the snort_inline-1.9.1-1.

> I tried to run various kernels, only one that seems to allow snort do its job

Can you state what kinds of errors you were getting with the others? And how you figured out that you had the right one?

> on QUEUE is vanilla 2.4.20 ( recently I tried same versions, but gentoo patches, including P-O-M of netfilter) I am running iptables commands:
>
> iptables -A INPUT -d $ETH0_IP -m state --state ESTABLISHED,RELATED -j QUEUE
> //FIXME: the line below seems obsolete to me ... (unreachable)
> iptables -A INPUT -d $ETH0_IP -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> With this rule packet successfully fall to QUEUE, is detected by snort_inline (it's shown when using -v flag), but nothing is passed through.

What rules are you using? What does the rest of your firewall configuration look like?

Rob
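
Added example, not part of the original thread: a shell function that flags an iptables rule which can never match because an earlier rule in the same chain has the identical match and a terminating target such as QUEUE, as with the two rules quoted above. The names find_shadowed_rules and sample_rules and the third sample rule are constructed for illustration.

```shell
#!/bin/sh
# Reads "iptables -A ..." lines on stdin and reports rules that are shadowed by
# an earlier rule with the same chain and match and a terminating target.

find_shadowed_rules() {
    awk '
    $1 == "iptables" && $2 == "-A" {
        n++                                  # rule number among -A lines
        chain = $3; spec = ""; target = ""
        for (i = 4; i <= NF; i++) {
            if ($i == "-j") { target = $(i + 1); break }
            spec = spec " " $i               # everything before -j is the match
        }
        key = chain SUBSEP spec
        if (key in first)
            printf "rule %d unreachable: same match as rule %d (-j %s)\n",
                   n, first[key], tgt[key]
        else if (target ~ /^(ACCEPT|DROP|REJECT|QUEUE)$/) {
            # Only terminating targets stop traversal; LOG and similar do not.
            first[key] = n; tgt[key] = target
        }
    }'
}

# Rules 1 and 2 are the ones quoted in the message; rule 3 is constructed
# for contrast. The quoted heredoc keeps $ETH0_IP as literal text.
sample_rules() {
    cat <<'EOF'
iptables -A INPUT -d $ETH0_IP -m state --state ESTABLISHED,RELATED -j QUEUE
iptables -A INPUT -d $ETH0_IP -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -d $ETH0_IP -m state --state NEW -j DROP
EOF
}

sample_rules | find_shadowed_rules
```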