[prev in list] [next in list] [prev in thread] [next in thread] 

List:       freebsd-questions
Subject:    Using snort in inline mode with IPFW
From:       Jack Mc Lauren <jack.mclauren () yahoo ! com>
Date:       2013-06-27 9:17:51
Message-ID: 1372324671.3493.YahooMailNeo () web160102 ! mail ! bf1 ! yahoo ! com
[Download RAW message or body]

Hi all
Have you guys ever tried this combination? Using snort in inline mode and IPFW as \
daq.  I have added the following lines to the default /usr/local/etc/snort/snort.conf \
file :

config daq: ipfw
config daq_mode: inline
config policy_mode: inline

And I use the following script to run snort:

#!/bin/sh
ipfw -q delete set 10 >/dev/null 1>/dev/null 2>/dev/null
ipfw -q delete 401 >/dev/null 1>/dev/null 2>/dev/null
ipfw -q delete 402 >/dev/null 1>/dev/null 2>/dev/null
ipfw -q delete 403 >/dev/null 1>/dev/null 2>/dev/null
ipfw -q add 401 allow all from 224.0.0.0/24 to any >/dev/null 1>/dev/null 2>/dev/null
ipfw -q add 402 allow all from any to 224.0.0.0/24 >/dev/null 1>/dev/null 2>/dev/null
ipfw -q add 403 allow all from me to me >/dev/null 1>/dev/null 2>/dev/null
/bin/snort --daq ipfw --daq-var port=1500 -N -A full -l /var/log/snort/ -c \
/usr/local/etc/snort/snort.conf >/dev/null 1>/dev/null 2>/dev/null -q & ipfw -q add \
451 set 10 divert 1500 all from any to any >/dev/null 1>/dev/null 2>/dev/null

But it does not drop the packets.
Any suggestions or experiences ?

Thanks in advance 
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"


[prev in list] [next in list] [prev in thread] [next in thread]