Re: snort-2.9.4, daq 2.0.1 afpacket in inline mode snort fails to drop packets even when RULE is set to drop

[Y M <snort () outlook com>]

If I understand your question correctly, this is where -i eth0:eth1 comes into play. This tells snort that traffic is 
flowing from eth0 to eth1 and back. In my case, its up to the implementer to assign which interface to receive the 
network feed based on home and external net, and the placement of the sensor within the network. For example, assume my 
$HOME_NET is 192.168.10.10 and my $EXTERNAL_NET is any and I want to assign the eth0 to my actual home net feed and 
eth1 to my feed leaving the network. In this case, using an ICMP rule I would be able to drop any ping request from my 
home net going out. 
Did I address your question? I am not sure what do you mean by OP's, lack of acronyms knowledge :)
> Date: Fri, 16 Aug 2013 20:21:42 -0400
> From: wkitty42 () windstream net
> To: snort-users () lists sourceforge net
> Subject: Re: [Snort-users] snort-2.9.4, daq 2.0.1 afpacket in inline mode snort fails to drop packets even when RULE 
> is set to drop
>
> On 8/16/2013 14:53, Y M wrote:
> > If I recall, --enable-inline is deprecated since a while now, not sure which
> > Snort version; A warning should have been shown during compilation. But I do not
> > think that this would affect operating in inline mode now.
>
> doesn't inline mode require an input interface and an output interface where 
> snort sits between then and passes the traffic from one to the other? what does 
> the OP's snort.conf show in this regard?
>
> -- 
> NOTE: No off-list assistance is given without prior approval.
>        Please keep mailing list traffic on the list unless
>        private contact is specifically requested and granted.
>
> ------------------------------------------------------------------------------
> Get 100% visibility into Java/.NET code with AppDynamics Lite!
> It's a free troubleshooting tool designed for production.
> Get down to code-level detail for bottlenecks, with <2% overhead. 
> Download for free and get started troubleshooting in minutes. 
> http://pubads.g.doubleclick.net/gampad/clk?id=48897031&iu=/4140/ostg.clktrk
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort news!

------------------------------------------------------------------------------
Get 100% visibility into Java/.NET code with AppDynamics Lite!
It's a free troubleshooting tool designed for production.
Get down to code-level detail for bottlenecks, with <2% overhead. 
Download for free and get started troubleshooting in minutes. 
http://pubads.g.doubleclick.net/gampad/clk?id=48897031&iu=/4140/ostg.clktrk

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!