Snort mailing list archives

Re: snort-2.9.4, daq 2.0.1 afpacket in inline mode snort fails to drop packets even when RULE is set to drop


From: Y M <snort () outlook com>
Date: Thu, 15 Aug 2013 21:16:05 +0000


Sorry I missed that --> you also need to add the -Q to your command.
To: rgreenhouse413 () gmail com; snort-users () lists sourceforge net
From: snort () outlook com
Date: Fri, 16 Aug 2013 00:08:55 +0300
Subject: Re: [Snort-users] snort-2.9.4, daq 2.0.1 afpacket in inline mode snort fails to drop packets even when RULE is set to drop

Does adding --daq-mode inline to your command and config policy_mode:inline to your snort configuration file change the behavior?

From: Robert Greenhouse
Sent: 8/15/2013 11:45 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] snort-2.9.4, daq 2.0.1 afpacket in inline mode snort fails to drop packets even when RULE is set to drop

Hi,
snort-2.9.4, daq 2.0.1 afpacket in inline mode snort fails to drop packets even when RULE is set to drop?
We have our system set up in inline mode using afpacket (./snort --daq afpacket -i eth0:eth1).
 
Also have iptables configured to: 
 
iptables -I FORWARD -i eth0 -o eth1 -j ACCEPT
iptables -I FORWARD -i eth1 -o eth0 -j ACCEPT
 
echo 1 > /proc/sys/net/ipv4/ip_forward
 
Why doesn’t snort drop the packet when the rule fires?
 
This is a major problem
 
Thanks,
Richard
 






_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
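
The replies in this thread name three settings for inline operation: -Q and --daq-mode inline on the command line, and config policy_mode:inline in the configuration file. As an added example (not part of the thread and not Snort's own tooling), the shell function below reports which of the three a given launch is missing; the function name, the sample configuration and the -c path are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a Snort 2.9 launch for the inline settings named in
# the thread. missing_inline_settings is a hypothetical helper name.

# Usage: missing_inline_settings "COMMAND LINE" CONF_FILE
# Prints one "missing:" line per absent setting, nothing when all are present.
missing_inline_settings() {
    cmdline=$1
    conf=$2

    # -Q must appear as a standalone argument.
    case " $cmdline " in
        *" -Q "*) ;;
        *) echo "missing: -Q on the command line" ;;
    esac

    # --daq-mode must be followed by the value "inline".
    if ! printf '%s\n' "$cmdline" |
        grep -Eq -- '--daq-mode[[:space:]]+inline([[:space:]]|$)'; then
        echo "missing: --daq-mode inline on the command line"
    fi

    # The config line must be present and not commented out.
    if ! grep -Eq '^[[:space:]]*config[[:space:]]+policy_mode:[[:space:]]*inline([[:space:]]|$)' \
        "$conf" 2>/dev/null; then
        echo "missing: config policy_mode:inline in $conf"
    fi
    return 0
}

# Constructed sample configuration: the setting is present but commented out.
sample_conf=$(mktemp)
printf '%s\n' '# constructed sample snort.conf' \
              '# config policy_mode:inline' > "$sample_conf"

echo "Launch as posted in the thread:"
missing_inline_settings "./snort --daq afpacket -i eth0:eth1" "$sample_conf"

# Same launch with the settings from the replies applied.
printf '%s\n' 'config policy_mode:inline' >> "$sample_conf"
echo "Launch with the suggested settings:"
missing_inline_settings \
    "./snort --daq afpacket --daq-mode inline -Q -i eth0:eth1 -c $sample_conf" \
    "$sample_conf"
rm -f "$sample_conf"
```
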