
Re: [Snort-users] snort inline behavior



11-26-2003
Josh Berry

Yes, when you shut down Snort-Inline on the interfaces that connections are
coming in and out of, then IPTables sends packets to the QUEUE but there is
nothing to inspect them and pass them on. I suggest having another NIC
for management of the box and not running snort-inline on that NIC.

> First, thanks to all for the help on getting the right inline version
> running.
>
> I went through my firewall script and every '-j ACCEPT' I had, I changed
> to '-j QUEUE' and re-built my iptable chains. Did `insmod ip_queue`,
> loaded fine. Started up snort_inline with '-DQ -l ... -c ...'. Everything
> looked fine. After a couple of minutes I decided instead of -D (daemon)
> I'd rather see a little output to make sure it was seeing packets as
> expected. I was ssh'ed into the box so I figured my iptables
> "ESTABLISHED,RELATED -j QUEUE" entry should show a lot of ssh packets. I
> do a `kill` on the snort_inline pid and suddenly my ssh connection goes
> dead - I'm waiting for it to timeout now. In the meantime I've tried to
> re-ssh back into the box, but they just time out.
>
> I'm wondering if this is some weird deal that if you don't have someone
> running on QUEUE that the packets never get ACCEPTed and by shutting snort
> down I just shot myself in the foot.
>
> I'm going to go ahead and set up another box (that one is 1hr away, and
> the tech guy will arrive in the morning and I'll walk him through changing
> QUEUE back to ACCEPT and restart the firewall...) and getting it tested
> locally where if it breaks I can fix it easily.
>
> In the meantime I was wondering if you guys could lend your experience
> here. Does killing snort_inline while it's watching the QUEUE break any
> connections that are getting -j QUEUEed? What happened here?
>
> Thanks!
>
>
>
> -------------------------------------------------------
> This SF.net email is sponsored by: SF.net Giveback Program.
> Does SourceForge.net help you be more productive? Does it
> help you create better code? SHARE THE LOVE, and help us help
> YOU! Click Here: http://sourceforge.net/donate/
> _______________________________________________
> Snort-users mailing list
> Snort-users@lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/...fo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.p...st=snort-users
>



Thanks,
Josh Berry, CTO
LinkNet-Solutions
469-831-8543
josh.berry@linknet-solutions.com
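
The advice in the reply above (keep the management NIC out of snort-inline's path) can be checked before a ruleset is loaded. The script below is an added example, not part of the original post: it scans an `iptables-save`-style dump for INPUT/OUTPUT rules that would hand management-interface traffic to QUEUE. The interface name `eth1`, the function names and both sample rulesets are constructed for illustration.

```shell
#!/bin/sh
# Added example. Reads an iptables-save style dump on stdin and prints every
# INPUT/OUTPUT rule that can hand traffic on interface $1 to QUEUE. First match
# wins: an earlier unconditional ACCEPT/DROP/REJECT on $1 shields later rules.
queue_rules_on_iface() {
    awk -v mgmt="$1" '
    $1 != "-A" || ($2 != "INPUT" && $2 != "OUTPUT") { next }
    shielded[$2] { next }
    {
        opt = ($2 == "INPUT") ? "-i" : "-o"
        iface = ""; neg = 0; target = ""; extra = 0
        for (i = 3; i <= NF; i++) {
            if ($i == opt) {
                neg = ($(i - 1) == "!")
                if ($(i + 1) == "!") { neg = 1; i++ }  # older "-i ! eth1" form
                iface = $(++i)
            } else if ($i == "-j") {
                target = $(++i)
            } else if ($i != "!") {
                extra = 1                              # any other match option
            }
        }
        # "eth+" wildcard counts as the management NIC when the prefix fits
        pre = substr(iface, 1, length(iface) - 1)
        if (iface ~ /\+$/ && index(mgmt, pre) == 1) { iface = mgmt }
        hits = (iface == "") || ((iface == mgmt) != neg)
        if (target == "QUEUE" && hits) {
            print
        } else if (iface == mgmt && !neg && !extra && target ~ /^(ACCEPT|DROP|REJECT)$/) {
            shielded[$2] = 1
        }
    }'
}
# Constructed rulesets (not from the thread); eth1 is an assumed management NIC.
all_queued() { cat <<'EOF'
-A INPUT -m state --state RELATED,ESTABLISHED -j QUEUE
-A INPUT -p tcp -m tcp --dport 22 -j QUEUE
-A OUTPUT -j QUEUE
EOF
}
mgmt_bypassed() { cat <<'EOF'
-A INPUT -i eth1 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j QUEUE
-A OUTPUT -o eth1 -j ACCEPT
-A OUTPUT -j QUEUE
EOF
}
all_queued | queue_rules_on_iface eth1   # prints all three rules
```

Any rule it prints is one where the ssh session to the box depends on a userspace process reading the queue.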
