snort-users June 2009 archive

Re: [Snort-users] snort inline Test

From: Joel Esler <jesler_at_nospam>
Date: Mon Jun 29 2009 - 13:49:44 GMT
To: Zeinab Zali <zeinabzali@gmail.com>


You have to instruct Snort on what to drop. The easiest way to do this is to change the rule you want to drop the traffic from "alert" to "drop" in the first word of the rule within the individual rule files. For portscan traffic you would have to use the preprocessor rules.

J

On Sat, Jun 27, 2009 at 7:29 AM, Zeinab Zali <zeinabzali@gmail.com> wrote:

> Hi,
> I have compiled snort with --enable-inline mode successfully. I configured
> iptables with the commands below:
> "
> modprobe ip_queue
> export QUEUE="yes"
> iptables -F FORWARD
> iptables -F INPUT
> iptables -F OUTPUT
> iptables -A OUTPUT -j QUEUE
> iptables -A INPUT -j QUEUE
> iptables -A FORWARD -j QUEUE
> "
> Then I changed all the snort alert rules to drop rules.
> For testing I ran snort with the command below:
> "snort -c ./etc/snort_inline.conf -Q -l /var/log/snort_inline/ -v"
> Then I tried to portscan my computer from another computer with nmap. Snort
> generated a portscan alert, but the portscanning procedure with nmap was
> done successfully too. I expect snort inline not to allow the nmap portscan.
> What is the problem?
> Thanks in advance,
>
> --
> Zeynab Zali
>
>
> ------------------------------------------------------------------------------
>
> _______________________________________________
> Snort-users mailing list
> Snort-users@lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
-- joel esler | Sourcefire | AIM: eslerjoel | 302-223-5974
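
Added example, not part of the original thread or of Snort itself: a shell function that applies the edit described in the reply (first word of a rule changed from "alert" to "drop") to selected rules only, keyed by GID:SID so that a preprocessor rule can be selected as well as a text rule. The function names, the sample rules and their SIDs are constructed for illustration; a rule with no `gid` option is treated as generator 1.

```shell
#!/bin/sh
# Switch selected Snort rules from "alert" to "drop".
# Usage: to_drop GID:SID [GID:SID ...] < rules_file > new_rules_file
to_drop() {
    awk -v want="$*" '
    BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) pick[w[i]] = 1 }
    # Return the numeric value of option "name" in a rule line, or dflt.
    function opt(line, name, dflt,    m) {
        if (match(line, "[(;][ \t]*" name "[ \t]*:[ \t]*[0-9]+")) {
            m = substr(line, RSTART, RLENGTH)
            sub(/^.*:[ \t]*/, "", m)
            return m
        }
        return dflt
    }
    # Only active rules whose first word is "alert" are candidates;
    # commented-out rules and other actions pass through untouched.
    /^[ \t]*alert[ \t]/ {
        key = opt($0, "gid", 1) ":" opt($0, "sid", "")
        if (key in pick) sub(/alert/, "drop")
    }
    { print }
    '
}

# Constructed sample: two text rules, one disabled rule, and one line in the
# header-less form used by preprocessor rules (gid 122 = sfPortscan).
sample_rules() {
cat <<'EOF'
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"constructed ssh rule"; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"constructed web rule"; sid:1000002; rev:1;)
# alert tcp any any -> any 23 (msg:"disabled rule"; sid:1000003; rev:1;)
alert ( msg: "PSNG_TCP_PORTSCAN"; sid: 1; gid: 122; rev: 1; )
EOF
}

# Convert one text rule and the portscan preprocessor rule; leave the rest.
sample_rules | to_drop 1:1000001 122:1
```

Diffing the output against the original file before replacing it shows exactly which rules now drop traffic.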
