snort-users November 2009 archive

[Snort-users] problem with snort inline and iptables

From: Adam Szabo <adamx001_at_nospam>
Date: Fri Nov 27 2009 - 19:16:29 GMT

Dear all,

I configured Snort with --with-mysql --enable-inline on Ubuntu Linux 9.04.
I made an iptables entry to pass all outgoing ICMP packets to ip_queue: "iptables -A OUTPUT -p icmp -j QUEUE".
I started the ip_queue service using "modprobe ip_queue". Then I started Snort using "snort -Qc *configfilelocation*". My Snort rule is very simple: "drop icmp *myip* any -> *other_ip* any (sid: *my_rule_id*;)"

The problem is that it seems like it ignores my Snort rule and drops all ICMP packets, not just the ones targeted to *other_ip*. Even if I stop running Snort, I cannot ping any IPs. Why is this happening? Should I make a rule inside the QUEUE chain to pass back the packets to another chain? It looks like the packets are stuck in QUEUE.

Any help appreciated,
Adam Szabo
