Rob,
  I don't see any errors in var/log/messages.
  I see only 1 warning though for snort-inline -
  /etc/snort_inline/snort_inline.conf(223) => flush_behavior set in config file, using old static flushpoints (0)

  Is anything happening because of the warning which prevents snort_inline from 
working correctly?  I'm sure it is triggering the rule but not showing any 
logs.
   
  I wanted a few clarifications - 
   
  1) Is snort-inline meant only for outbound connections? 
  2) Do I need to have the same set of rules for snort and snort_inline (as "alert" 
in snort and "drop" or "replace" in snort_inline)?
   
  Thanks in advance,
   
  Nandhini
Robert Mcmillen <[EMAIL PROTECTED]> wrote:
  Did you look in /var/log/messages to see what the error was?  

  Rob
  
    On Mar 13, 2008, at 2:24 PM, Nandhini Thiagarajan wrote:

    Thanks to all those who replied to my previous posts on snort inline.
   
  Rob & Will, in the snort_inline config file, I have the following -
   
  preprocessor stream4: disable_evation_alerts
  preprocessor stream4_reassemble: both
   
  I tried adding the below rule to telnet.rules in snort_inline.
   
  drop tcp $HOME_NET any -> $EXTERNAL_NET 23 (msg: "Dropping HOME_NET -> EXTERNAL_NET traffic";)
   
  And after a reboot (restart of snort_inline), snort_inline says FAILED.
  I'm not able to add any rule as snort_inline fails to start. 
  What is the reason for that? If I remove the rule, it starts fine.
   
  What I would like to know is, with roo 1.2, have you been able to get 
snort_inline logs such as dropping/replacing packets? From your previous post, 
I'm not sure if there is any bug as a whole on snort_inline in roo 1.2 or if you 
were talking about some enhancement features.
   
  I'm trying to see if there is a bug with snort_inline in roo 1.2 or is there 
an error with my set up.
   
  I would appreciate it if you can let me know the above detail, which will be useful 
for my debugging.
   
  Thanks
  Nandhini

  

  


_______________________________________________
Honeywall mailing list
[email protected]
https://public.honeynet.org/mailman/listinfo/honeywall


       
