Snort mailing list archives

Re: InlineDrop() issues with snort_inline


From: Devdutt Patnaik <xendevid () gmail com>
Date: Sun, 19 Apr 2009 00:16:50 -0400

Hi All,

I also verified that snort is receiving packets from iptables (from
ip_queue). I start snort as

snort_inline -k none -Q

My iptables rules are as follows:

iptables -A INPUT -p udp -j QUEUE

I confirmed that snort is receiving the incoming packets. I wish to drop
certain packets based on content by calling InlineDrop().

I have further verified that snort is calling ipq_set_verdict(ipqh,
m->packet_id, NF_DROP, 0, NULL); function.

I also checked its return value to be non negative.

Is there anything that I am missing? Do I need to add any additional rules
to iptables?
My understanding is that I can just use InlineDrop to dynamically drop
packets.

Thanks in advance!

-Devdutt


On Sat, Apr 18, 2009 at 10:18 PM, Devdutt Patnaik <xendevid () gmail com> wrote:

Hi All,

I am using InlineDrop() in my own custom preprocessor code.
I need to drop certain packets using code in my preprocessor to implement
an IPS like functionality.

I setup snort_inline and it looks ok when I start it - it says "running in
inline mode" etc.
However, even after calls to InlineDrop(), the application still sees the
packet.
We verified that the function is being called for each packet.

Am I missing something in the setup or the usage of the function? Please
let us know.

Thanks,
Devdutt.
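As an added example, not snort_inline's or the poster's code: the ip_queue verdict path that InlineDrop() ends in, with a constructed content rule. It parses the raw IPv4/UDP datagram that IPQ_COPY_PACKET delivers, decides NF_DROP or NF_ACCEPT, and, when built with libipq, returns that verdict for every queued packet_id and checks the ipq_set_verdict() return. The DROPME pattern, the udp_payload/verdict_for_packet/verdict_loop names and the USE_LIBIPQ build switch are assumptions of this example.

```c
/* Added example (not snort_inline code): the ip_queue verdict path behind InlineDrop(). */
#include <stddef.h>
#include <string.h>
#ifdef USE_LIBIPQ                /* cc -DUSE_LIBIPQ ... -lipq; needs ip_queue loaded and root */
#include <libipq.h>
#include <linux/netfilter.h>
#else
#define NF_DROP   0              /* verdict values as defined in <linux/netfilter.h> */
#define NF_ACCEPT 1
#endif
#define BAD_PATTERN "DROPME"     /* constructed rule: drop any UDP payload containing this */
#define BAD_LEN     (sizeof(BAD_PATTERN) - 1)

/* Locate the UDP payload in the raw IPv4 datagram IPQ_COPY_PACKET delivers; -1 if malformed. */
static long udp_payload(const unsigned char *pkt, size_t len, const unsigned char **out)
{
    if (len < 20 || (pkt[0] >> 4) != 4) return -1;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < 20 || len < ihl + 8 || pkt[9] != 17) return -1;   /* IP protocol 17 = UDP */
    size_t ulen = ((size_t)pkt[ihl + 4] << 8) | pkt[ihl + 5];
    if (ulen < 8 || ihl + ulen > len) return -1;
    *out = pkt + ihl + 8;
    return (long)(ulen - 8);
}

/* Per-packet decision: NF_DROP on a content match, NF_ACCEPT otherwise.
 * Malformed packets are dropped as well, so a parse failure cannot turn into a bypass. */
unsigned int verdict_for_packet(const unsigned char *pkt, size_t len)
{
    const unsigned char *p;
    long n = udp_payload(pkt, len, &p);
    if (n < 0) return NF_DROP;
    for (long i = 0; i + (long)BAD_LEN <= n; i++)
        if (memcmp(p + i, BAD_PATTERN, BAD_LEN) == 0) return NF_DROP;
    return NF_ACCEPT;
}

#ifdef USE_LIBIPQ
/* Every packet_id read must get a verdict or the kernel keeps the packet queued;
 * a negative ipq_set_verdict() return means the verdict never reached the kernel. */
int verdict_loop(void)
{
    static unsigned char buf[65535];
    struct ipq_handle *h = ipq_create_handle(0, PF_INET);
    if (!h || ipq_set_mode(h, IPQ_COPY_PACKET, sizeof buf) < 0) { ipq_perror("ipq"); return 1; }
    for (;;) {
        if (ipq_read(h, buf, sizeof buf, 0) <= 0 || ipq_message_type(buf) != IPQM_PACKET) continue;
        ipq_packet_msg_t *m = ipq_get_packet(buf);
        unsigned int v = verdict_for_packet(m->payload, m->data_len);
        if (ipq_set_verdict(h, m->packet_id, v, 0, NULL) < 0) ipq_perror("ipq_set_verdict");
    }
}
#endif
```

Built with plain cc the decision logic compiles on its own; with -DUSE_LIBIPQ -lipq the loop consumes the packets that the iptables QUEUE rule above hands to ip_queue.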


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users