
Re: [Snort-users] snort inline behavior

11-26-2003
/dev/null

> If you add a QUEUE rule to iptables, you have to make sure that a process
> is actually listening to the ip_queue. Otherwise netfilter actually waits
> until a process picks up the packets.


Woah. What happens when snort_inline dies or maybe when we need to
stop/start snort_inline? Ooops.

I'm guessing there is a "dummy" app that you can set up to always listen to
the queue so this problem doesn't happen? If not I need to write one.

> There is another issue. As soon as snort_inline has decided whether to drop
> or accept a packet, the following iptables rules are not being used anymore.
> The decision whether to accept or drop a packet is solely made in snort then.
> This way you can have the problem that your packet filter ruleset becomes
> ineffective.

Yeah, well by the time I've decided to ACCEPT, it's passed through all the
rules it's going to pass through and it really needs to be accepted (minus
the scrutiny of snort_inline).

So I take it if whatever apps are listening to QUEUE don't DROP it, it's
ACCEPTed, eh?

Thanks!
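
Added example, not part of the original post and not code from snort_inline: a small watchdog that swaps the target of the QUEUE rule for a fallback while no listener process is running, and restores QUEUE when it returns. The chain, rule number, process name, fallback policy and script name are assumptions to adapt to your ruleset.

```shell
#!/bin/sh
# Added example (constructed): keep a QUEUE rule from stranding traffic
# when its userspace listener is not running.
# Assumptions: the QUEUE rule is rule $RULENUM of $CHAIN, and the targets
# being swapped (QUEUE, ACCEPT, DROP) take no options after -j.
CHAIN="${CHAIN:-FORWARD}"
RULENUM="${RULENUM:-1}"
LISTENER="${LISTENER:-snort_inline}"
FALLBACK="${FALLBACK:-DROP}"      # DROP = fail closed, ACCEPT = fail open
IPTABLES="${IPTABLES:-iptables}"

# True if a process named exactly $LISTENER exists.
listener_alive() { pgrep -x "$LISTENER" >/dev/null 2>&1; }

# rule_target "<iptables -S line>": print the word that follows -j.
rule_target() {
    set -f; set -- $1; set +f
    while [ $# -gt 1 ]; do
        if [ "$1" = "-j" ]; then echo "$2"; return 0; fi
        shift
    done
    return 1
}

# replace_args "<iptables -S line>" TARGET: print the arguments for
# iptables -R that keep every match of the rule and swap only the target.
replace_args() {
    new_target="$2"
    set -f; set -- $1; set +f
    shift 2                        # drop "-A <chain>"
    out="-R $CHAIN $RULENUM"; prev=""
    while [ $# -gt 0 ]; do
        if [ "$prev" = "-j" ]; then out="$out $new_target"; else out="$out $1"; fi
        prev="$1"; shift
    done
    echo "$out"
}

# One pass: QUEUE while the listener is up, $FALLBACK while it is down.
watchdog_tick() {
    line=$($IPTABLES -S "$CHAIN" "$RULENUM") || return 1
    if listener_alive; then want=QUEUE; else want="$FALLBACK"; fi
    if [ "$(rule_target "$line")" = "$want" ]; then return 0; fi
    $IPTABLES $(replace_args "$line" "$want")
}

# Run as "watchdog.sh run" (as root) to poll once per second.
if [ "${1:-}" = "run" ]; then
    while :; do watchdog_tick; sleep 1; done
fi
```

Polling narrows the window in which packets reach a QUEUE rule with no listener but does not close it, and with FALLBACK=ACCEPT traffic passes uninspected while the listener is down.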


