Snort mailing list archives

Snort Version 3.0.0-a4 doesn’t work in inline mode.


From: Hamid Rezaei <hamid.rezaei04 () gmail com>
Date: Mon, 9 May 2016 10:41:04 +0430

Hi guys.

I have been trying to run snort in inline mode on FreeBSD with IPFW, but it
doesn’t work and never prints an alert or message. Snort3 runs correctly in
IDS mode and shows alerts. I just have a simple rule:

    drop icmp any any -> any any ( msg:"ICMP Packet Dropped"; sid:19769; rev:1; )


I changed and inserted the lines below in my config file:

    HOME_NET = 'any'
    EXTERNAL_NET = 'any'
    daq =
    {
        type = 'ipfw',
        mode = 'inline',
    }
    ips =
    {
        mode = 'inline',
    }



And uncommented normalizer.

    normalizer = { }


Then I ran snort with the options below (inline mode):

    snort -c snort.lua -R sample.rules -A cmg -i em0 -Q


When I ran snort with the -T option to test the current configuration,
everything was OK.

    --------------------------------------------------
    rule counts
           total rules loaded: 1
                   text rules: 1
                option chains: 1
                chain headers: 1
    --------------------------------------------------
    port rule counts
                 tcp     udp    icmp      ip
         any       0       0       1       0
        slow       0       0       1       0
       total       0       0       2       0
    --------------------------------------------------
    ipfw DAQ configured to inline.

    Snort successfully validated the configuration.
    o")~   Snort exiting

Any help is appreciated.

Thanks.