Getting a problem with filtering packets with snort_inline
This is a discussion on Getting a problem with filtering packets with snort_inline within the Snort forums, part of the System Security and Security Related category; Hi Everybody, I am having a problem to use snort_inline as a filter. I have added iptables rules as follow ...
|
|||||||
| FAQ | Members List | Calendar | Search | Today's Posts | Mark Forums Read |
10-21-2004
|
|||
|
|||
Getting a problem with filtering packets with snort_inline
Hi Everybody,
I am having a problem to use snort_inline as a filter. I have added iptables rules as follow for incoming web traffic. iptables -t mangle -A INPUT -p tcp --syn --sport 80 -m state --state NEW -j MARK --set-mark 1 iptables -t mangle -A INPUT -p tcp --sport 80 -m state --state NEW -j MARK --set-mark 2 iptables -I INPUT -m mark --mark 1 -j QUEUE iptables -I INPUT -m mark --mark 2 -j QUEUE and I have added a simple snort_inline rule for changin the pattern "google" with "abcdef" pattern. alert tcp any 80 -> $HOME_NET any (msg:"GIF file removed"; content:"google"; nocase; replace:"abcdef";) But after starting snort_inline with QUEUE mode I am getting confused I found that when I want to visit "www.google.com" it's going to resolve "www.abcdef.com" Here I have added this rule for replace the incoming payload's pattern but it doing reverse. Please tell me where am I wrong? -- Yogdutt Sonivadia Apropos Infotech Pvt. Ltd. Bangalore INDIA 
|
Linear Mode
