Snort Forums Archive
snort-2.3 inline
Posted by christopherccv on March 08, 2005 18:29:56
I have just configured snort-2.3 with inline.
After compiling with libnet and iptables-devel, I edited snort.conf:
config layer2resets: 00:05:8D:09:C2:07 (my bridge interface MAC)
But how do I know whether inline is working or not? It seems like iptables doesn't have any changes.
Thanks
Posted by christopherccv on March 14, 2005 21:19:47
Dear all, probably I did not make myself clear here.
Actually I know snort_inline is already built into snort-2.3 after compiling with the --enable-inline option.
When I start snort -c /etc/snort/rules/ -i br0:
--== Initializing Snort ==--
Initializing Output Plugins!
Decoding Ethernet on interface br0
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file /etc/snort/rules/
+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
0 Snort rules read...
0 Option Chains linked into 0 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++
+-----------------------[thresholding-config]----------------------------------
| memory-cap : 1048576 bytes
+-----------------------[thresholding-global]----------------------------------
| none
+-----------------------[thresholding-local]-----------------------------------
| none
+-----------------------[suppression]------------------------------------------
| none
+------------------------------------------------------------------------------
Rule application order: ->activation->dynamic->alert->pass->log
Log directory = /var/log/snort
--== Initialization Complete ==--
,,_ -*> Snort! <*-
o" )~ Version 2.3.0 (Build 10)
'''' By Martin Roesch & The Snort Team: http://www.snort.org/team.html
(C) Copyright 1998-2004 Sourcefire Inc., et al.
I have the output as above. It seems OK, but I am really not sure whether my iptables does drop the attack or not.
Can anyone help out here?
Thanks
Posted by bdinello on March 16, 2005 11:44:37
You'll need to make sure that your box allows IP forwarding (on Linux, cat "1" > /proc/sys/net/ipv4/ip_forward) and then make sure that your iptables FORWARD table is set to DROP by default, then add "iptables -A FORWARD -j QUEUE". Make sure that's the last rule, to prevent any unauthorized traffic from passing by the IPS. That'll stick all traffic that traverses the bridge into the iptables QUEUE, where snort-inline will either approve or disapprove the packet.
Good luck!
Posted by christopherccv on March 16, 2005 18:40:03
bdinello,
Thanks for the reply.
I did follow the way you mentioned to configure the IPS: enable ip_forwarding, iptables configuration.
But as soon as I modify the iptables (iptables -P FORWARD DROP and iptables -A FORWARD -j QUEUE), my LAN is unable to get to the internet any more.
My IPS physical setup is: eth0 and eth1 in bridging mode; eth2 is the management interface (with internet access, used to update snort rules).
I wonder whether I made a mistake compiling snort? What I mean is (./configure --with-mysql --enable-inline), is that all?
Posted by christopherccv on March 17, 2005 17:43:23
I managed to compile and run snort + inline with no error, but I am still not sure whether inline is running or not. I just followed the README.INLINE document, but I do not use the honeynet script. I did convert all the rules to drop rules and added iptables -A OUTPUT -p tcp -m tcp --dport 80 -j QUEUE as in the README.
Is there a way for me to monitor whether inline is running?
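The two pieces the thread keeps circling around, bdinello's forwarding/iptables setup and the alert-to-drop rule conversion from README.INLINE, plus a check that answers "is inline actually running", as one added example. This is not code from the original posts or from the Snort project; it assumes a Linux 2.4/2.6 host with the ip_queue module and iptables' QUEUE target, eth0/eth1 bridged as br0 as described above, and the rule and counter text embedded below is constructed sample input, not captured output. Two facts worth knowing when reading it: once the FORWARD policy is DROP and packets are handed to QUEUE, the kernel drops anything queued while no userspace process (snort_inline) is attached to the queue, so the LAN outage reported on 16 March is the expected state until snort is really listening; and a snort that reports "0 Snort rules read" at startup, as the banner above does, cannot drop anything no matter how iptables is configured.

```shell
#!/bin/sh
# Added example for this thread (not from the posts or from Snort itself).
# Assumes: Linux with ip_queue + iptables QUEUE target, eth0/eth1 bridged as br0.

# Step 1: turn alert rules into drop rules, the same substitution README.INLINE's
# sed one-liner performs. Only lines beginning with "alert" change; comments,
# pass rules and blank lines are left alone. Reads stdin, writes stdout.
rules_to_drop() {
    sed -e 's/^alert /drop /'
}

# Step 2: the forwarding and iptables setup bdinello describes. Needs root and
# a real bridge, so the stand-alone run below never calls it.
apply_inline_rules() {
    modprobe ip_queue                       # kernel side of the QUEUE target
    echo 1 > /proc/sys/net/ipv4/ip_forward  # let the box forward at all
    iptables -P FORWARD DROP                # default deny: nothing passes unless snort verdicts it
    iptables -A FORWARD -j QUEUE            # keep this the last rule: every forwarded packet goes to snort_inline
}

# Step 3: evidence that inline is in the path. Feed it `iptables -vnxL FORWARD`
# and it returns the packet counter of the QUEUE rule. A counter stuck at 0
# while the LAN is browsing means bridged frames are not reaching the FORWARD
# chain (on 2.6 check the net.bridge.bridge-nf-call-iptables sysctl).
queue_packets() {
    awk '$3 == "QUEUE" { sum += $1 } END { print sum + 0 }'
}

# Constructed sample input standing in for a rules file and for command output.
SAMPLE_RULES='# local.rules (constructed sample)
alert tcp any any -> any 80 (msg:"HTTP test"; sid:1000001; rev:1;)
pass tcp any any -> any 22 (msg:"allow ssh"; sid:1000002; rev:1;)
alert icmp any any -> any any (msg:"ping"; sid:1000003; rev:1;)'

SAMPLE_COUNTERS='Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
     142      18432 QUEUE      all  --  *      *       0.0.0.0/0            0.0.0.0/0'

# Stand-alone run: show the converted rules and the QUEUE packet count.
printf '%s\n' "$SAMPLE_RULES" | rules_to_drop
printf '%s\n' "$SAMPLE_COUNTERS" | queue_packets
```

On a live box the practical loop is: run `apply_inline_rules`, start snort with `-c` pointed at a snort.conf that includes the converted rules file (not at the rules directory), generate a packet that matches one of the drop rules from the LAN side, and then watch `iptables -vnxL FORWARD | queue_packets` climb while the matching traffic never arrives on the far side of the bridge.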