Rob,
Based on your comments, I have pasted the rules I'm using and I ran the command -
iptables -L -n -v | grep QUEUE
It provided the below output -
170 10199 QUEUE all -- * * 0.0.0.0./0 0.0.0.0/0 PHYSDEV match --physdev-in eth1 state RELATED,ESTABLISHED
0 0 QUEUE all -- * * 0.0.0.0./0 0.0.0.0/0
0 0 QUEUE all -- * * 0.0.0.0./0 0.0.0.0/0
2 96 QUEUE all -- * * 0.0.0.0./0 0.0.0.0/0
0 0 QUEUE all -- * * 0.0.0.0./0 0.0.0.0/0
I have this rule in /etc/snort/rules/telnet.rules
alert tcp $EXTERNAL_NET 23 -> $HOME_NET any (msg:"TELNET client ENV OPT USERVAR information disclosure"; flow:to_client,established; content:"|FF FA|'|01 03|"; rawbytes; reference:bugtraq,13940; reference:cve,2005-1205; reference:url,www.microsoft.com/technet/Security/bulletin/ms05-033.mspx; classtype:attempted-recon; sid:3687; rev:3;)
So in order to test snort_inline I went ahead and made the above rule a
drop rule in /etc/snort_inline/rules/telnet.rules
In /etc/snort_inline/rules/telnet.rules I have this rule now-
drop tcp $EXTERNAL_NET 23 -> $HOME_NET any (msg:"TELNET client ENV OPT USERVAR information disclosure"; flow:to_client,established; content:"|FF FA|'|01 03|"; rawbytes; reference:bugtraq,13940; reference:cve,2005-1205; reference:url,www.microsoft.com/technet/Security/bulletin/ms05-033.mspx; classtype:attempted-recon; sid:3687; rev:3;)
But I don't see any snort_inline alerts in Walleye for the above connection.
Since I made it a drop rule in snort_inline, it should be dropping packets,
right? Also, I'm not sure why making this a drop rule in snort_inline is
preventing me from logging in via telnet to the honeypot systems. I was thinking that
snort_inline is only dedicated to outbound connections from honeypots, right? And
changing anything in snort_inline should not affect any inbound connections to
the honeypot.
I'm kind of stuck here. Does anyone have any suggestions?
Thanks for your help in advance,
Nandhini
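An added example, not code from this post, from Snort or from the Honeywall project: a small Python checker that parses a Snort rule header and its option list and flags the kind of transcription errors visible in the rule above ("nay" for "any", "msg;" for "msg:"), which is the first thing to verify when a drop rule never produces an alert. The two rule strings are constructed copies of the posted rule, and the function names are my own.

```python
import re

# Constructed copies of the posted rule (sid:3687): one as transcribed in the
# mail, one with the typos fixed. Neither is taken from a real rule file.
RULE_AS_POSTED = (
    'drop tcp $EXTERNAL_NET 23 -> $HOME_NET nay (msg;"TELNET client ENV OPT '
    'USERVAR information disclosure"; flow:to_client,established; '
    'content:"|FF FA|\'|01 03|"; rawbytes; classtype:attepmted-recon; sid:3687; rev:3;)')
RULE_FIXED = (RULE_AS_POSTED.replace(' nay ', ' any ').replace('msg;', 'msg:')
              .replace('attepmted', 'attempted'))

ACTIONS = {"alert", "log", "pass", "drop", "reject", "sdrop"}
PROTOS = {"tcp", "udp", "icmp", "ip"}
# action proto src sport direction dst dport (options)
HEADER = re.compile(r'^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)$', re.S)
PORT = re.compile(r'^(any|\$\w+|!?\d+(:\d*)?|:\d+|\[.*\])$')

def split_options(body):
    """Split the option body on ';' characters that sit outside double quotes."""
    opts, cur, in_quote = [], [], False
    for ch in body:
        if ch == '"':
            in_quote = not in_quote
        if ch == ';' and not in_quote:
            opts.append(''.join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    tail = ''.join(cur).strip()
    return opts + ([tail] if tail else [])

def check_rule(text):
    """Parse one Snort rule; return (header fields, options, list of problems)."""
    m = HEADER.match(text.strip())
    if not m:
        return None, None, ["header does not match 'action proto src sport dir dst dport (...)'"]
    action, proto, src, sport, direction, dst, dport, body = m.groups()
    problems = []
    if action not in ACTIONS:
        problems.append(f"unknown action {action!r}")
    if proto not in PROTOS:
        problems.append(f"unknown protocol {proto!r}")
    for label, port in (("source", sport), ("destination", dport)):
        if not PORT.match(port):
            problems.append(f"bad {label} port {port!r}")
    options = {}
    for opt in split_options(body):
        if opt.startswith('"'):  # a bare quoted value: keyword was lost (';' for ':')
            problems.append(f"option value {opt[:16]!r}... has no keyword")
            continue
        key, _, val = opt.partition(':')  # flag options like rawbytes have no value
        options.setdefault(key.strip(), []).append(val.strip().strip('"') if val else None)
    for required in ("msg", "sid"):
        if not options.get(required) or options[required][0] is None:
            problems.append(f"missing or empty {required!r} option")
    fields = dict(action=action, proto=proto, src=src, sport=sport,
                  direction=direction, dst=dst, dport=dport)
    return fields, options, problems
```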
_______________________________________________
Honeywall mailing list
https://public.honeynet.org/mailman/listinfo/honeywall