Hello all,

Has anyone used the Snort inline functionality with Shorewall? I'm currently in the process of rebuilding my router and whilst looking through some Snort docs I noticed that you can use Snort inline to drop packets that match rules in Snort based on rules that analyse traffic streams. An example I saw was to drop packets from any IP address that attempts to access http://<some_address>/php.exe.

I can see how this could be a nice feature as part of an intrusion prevention system. I can also see how it could be a real pain if a Snort rule gets triggered by innocuous behaviour and blocks access to services for valid users. I'd be interested to hear any real world experiences, opinions, etc.
If anyone has used the Snort inline functionality, how did they configure Shorewall? There's an entry in the Shorewall 3.0 FAQ but the blog it links to no longer exists (http://www.shorewall.net/3.0/FAQ.htm#id2533169). I've found a message in the shorewall-users mailing list from Michael W Cocke dated 2006-09-08 03:08 (subject "Shorewall & snort-inline") which states that setting the destination to QUEUE is all that's needed.

I have a webserver on my DMZ so I have an HTTP/DNAT rule to forward packets to the webserver:

    HTTP/DNAT net dmz:10.100.0.4 TCP 80 - <one_of_my_ip_addresses>

How do I modify that rule to pass the packets to Snort inline for inspection prior to being passed on to the webserver? Do I need two rules? One to send to Snort inline and then another subsequent rule to forward to the webserver? I'm not clear on how packets are sent to Snort inline for inspection and then passed back to Shorewall in order (in my example) to be forwarded on to a webserver.

Kind regards,
Steve.
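As an added illustration (not from Steve's post and not from the Shorewall project's own documentation), here is how the two pieces could sit side by side in Shorewall's rules file. It assumes that the Shorewall version in use supports the QUEUE action, which the Shorewall 3.x rules documentation describes as queueing the packet to a user-space application such as snort-inline, and that snort-inline is running in inline mode on the same host reading from the kernel's ip_queue. The HTTP/DNAT line is the one quoted in the post; the QUEUE line and the placeholder address are assumptions.

```text
#ACTION     SOURCE   DEST            PROTO  DEST    SOURCE  ORIGINAL
#                                           PORT(S) PORT(S) DEST
# Rule from the post: rewrite the public destination to the DMZ webserver
HTTP/DNAT   net      dmz:10.100.0.4  TCP    80      -       <one_of_my_ip_addresses>
# Added (assumption): hand the forwarded HTTP traffic to the user-space
# listener (snort-inline) so it can accept or drop each packet
QUEUE       net      dmz             tcp    80
```

The two entries do not compete for the same packet: DNAT is applied in the nat table before routing, so by the time the packet reaches the FORWARD filter its destination is already 10.100.0.4 in the dmz zone, where the QUEUE entry matches it. A queued packet only continues to the webserver when the user-space process returns an accept verdict, so no second "forward" rule is needed. One caveat worth checking before going live: with ip_queue, a packet queued while no process is listening is dropped by default, so if snort-inline is stopped or crashes the QUEUE line alone takes the webserver offline. For the false-positive concern raised above, it is also common to run the Snort rule set in alert-only mode first and review what would have been dropped before switching individual rules to drop.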