This is a discussion on Re: [Snort-users] snort-inline and iptables INPUT chain within the Snort forums, part of the System Security and Security Related category.
Big thanks for your help Will!

Will Metcalf wrote:

> Nothing is showing up in your alert logs? Is it just ssh or does this
> happen with all connections? Try the following....

No alert, no dump. It happens for all TCP connections (tested http as well). It works for udp/icmp (dns queries / ping work). With advanced firewall rules, forwarded tcp/udp/icmp/whatever connections were OK, but nothing works from lan to the snort box... (didn't try from internet to the snort box)

> iptables -F INPUT
> iptables -F OUTPUT
> iptables -F FORWARD
> iptables -A INPUT -i lo -j ACCEPT
> iptables -A INPUT -j QUEUE
> iptables -A FORWARD -j QUEUE
> iptables -A OUTPUT -j QUEUE
>
> in your snort.conf set checksum mode to none.
>
> config checksum_mode: none
>
> Regards,
>
> Will

Adding "config checksum_mode: none" did the job, now it works. (BTW with or without the iptables -A INPUT -i lo -j ACCEPT rule.) I relaunched my complete set of firewall rules / internet connections and it's still working ;-) (I have some alerts about lo / 127.0.01 but they will be easy to avoid by bypassing the queue..)

"Googling" on this config directive, I think I could have found it by myself (there are some threads on this list about the ssh/tcp issue and this directive), so I'm sorry if I've made you lose your time...

Let me, please, ask you some more questions: why are forwarded checksums ok, but some ssh replies corrupted? Is this an issue from kernel / iptables / snort? (I'm using 2.4.27 kernel / iptables 1.2.11 ... going to upgrade to 1.3.x soon)

Thanks

Regards

Laurent

ps: sorry for my bad english...
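The thread turns on one point: with checksum verification enabled (the default), Snort does not inspect a TCP segment whose checksum fails to verify, so such traffic produces neither an alert nor a dump, and `config checksum_mode: none` simply skips that verification. The script below is an added example, not code from the original post or from the Snort project; it builds a constructed TCP SYN between two assumed LAN addresses, computes the RFC 793 checksum over the IPv4 pseudo-header, and shows how a segment whose checksum field was never filled in (the state a locally generated packet can be in when a NIC with transmit checksum offload has not yet touched it) passes or fails the sensor's check depending on the checksum mode. The `inspect_decision` function and the address/port values are assumptions for illustration.

```python
import struct

# Constructed sample endpoints (assumed for the example, not from the thread).
SRC_IP = bytes([192, 168, 1, 10])   # LAN host
DST_IP = bytes([192, 168, 1, 1])    # the snort-inline box
SPORT, DPORT, SEQ = 40000, 22, 1    # ssh SYN

TCP_PROTO = 6
CSUM_OFFSET = 16                    # checksum field sits at bytes 16-17 of the TCP header


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 16-bit one's complement sum, with end-around carry folded in."""
    if len(data) % 2:
        data += b"\x00"
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def pseudo_header(src_ip: bytes, dst_ip: bytes, tcp_len: int) -> bytes:
    """IPv4 pseudo-header: src, dst, zero byte, protocol, TCP length."""
    return src_ip + dst_ip + struct.pack("!BBH", 0, TCP_PROTO, tcp_len)


def tcp_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> int:
    """Checksum the sender must store: computed with the checksum field zeroed."""
    zeroed = segment[:CSUM_OFFSET] + b"\x00\x00" + segment[CSUM_OFFSET + 2:]
    return (~ones_complement_sum(pseudo_header(src_ip, dst_ip, len(segment)) + zeroed)) & 0xFFFF


def tcp_checksum_ok(src_ip: bytes, dst_ip: bytes, segment: bytes) -> bool:
    """Receiver-side verification: recompute and compare with the stored field."""
    stored = struct.unpack("!H", segment[CSUM_OFFSET:CSUM_OFFSET + 2])[0]
    return stored == tcp_checksum(src_ip, dst_ip, segment)


def build_tcp_syn(fill_checksum: bool) -> bytes:
    """20-byte TCP SYN header. With fill_checksum=False the field is left at 0,
    as it is on a packet the kernel has handed to the NIC for offloaded checksumming."""
    hdr = struct.pack("!HHIIBBHHH", SPORT, DPORT, SEQ, 0, 5 << 4, 0x02, 65535, 0, 0)
    if fill_checksum:
        csum = tcp_checksum(SRC_IP, DST_IP, hdr)
        hdr = hdr[:CSUM_OFFSET] + struct.pack("!H", csum) + hdr[CSUM_OFFSET + 2:]
    return hdr


def inspect_decision(checksum_mode: str, segment: bytes) -> str:
    """Assumed model of the sensor's gate: with verification on, a bad-checksum
    segment is ignored (no inspection, hence no alert and no dump); with
    checksum_mode 'none' every segment is inspected."""
    if checksum_mode != "none" and not tcp_checksum_ok(SRC_IP, DST_IP, segment):
        return "ignored (bad checksum)"
    return "inspected"


if __name__ == "__main__":
    good = build_tcp_syn(fill_checksum=True)
    unfilled = build_tcp_syn(fill_checksum=False)
    print("computed checksum: 0x%04x" % tcp_checksum(SRC_IP, DST_IP, good))
    for mode in ("all", "none"):
        print(f"checksum_mode {mode:4}: forwarded-style segment -> {inspect_decision(mode, good)}")
        print(f"checksum_mode {mode:4}: unfilled segment        -> {inspect_decision(mode, unfilled)}")
```

A forwarded packet already carries a checksum computed by the original sender, so it verifies and is inspected in either mode; a segment queued from the local OUTPUT path before its checksum has been filled in only reaches inspection under `checksum_mode: none`. Turning verification off is a trade: the sensor now also inspects genuinely corrupted segments that the receiving stack will discard, so expect some extra noise from them.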