Using snort in inline mode with IPFW

Jack Mc Lauren jack.mclauren at yahoo.com
Thu Jun 27 09:17:59 UTC 2013


Hi all,
Have you guys ever tried this combination? Using snort in inline mode and IPFW as the DAQ.
I have added the following lines to the default /usr/local/etc/snort/snort.conf file:

config daq: ipfw
config daq_mode: inline
config policy_mode: inline

And I use the following script to run snort:

#!/bin/sh
ipfw -q delete set 10 >/dev/null 1>/dev/null 2>/dev/null
ipfw -q delete 401 >/dev/null 1>/dev/null 2>/dev/null
ipfw -q delete 402 >/dev/null 1>/dev/null 2>/dev/null
ipfw -q delete 403 >/dev/null 1>/dev/null 2>/dev/null
ipfw -q add 401 allow all from 224.0.0.0/24 to any >/dev/null 1>/dev/null 2>/dev/null
ipfw -q add 402 allow all from any to 224.0.0.0/24 >/dev/null 1>/dev/null 2>/dev/null
ipfw -q add 403 allow all from me to me >/dev/null 1>/dev/null 2>/dev/null
/bin/snort --daq ipfw --daq-var port=1500 -N -A full -l /var/log/snort/ -c /usr/local/etc/snort/snort.conf >/dev/null 1>/dev/null 2>/dev/null -q &
ipfw -q add 451 set 10 divert 1500 all from any to any >/dev/null 1>/dev/null 2>/dev/null

But it does not drop the packets.
Any suggestions or experiences?

Thanks in advance
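The setup above depends on three things lining up: snort.conf must select the ipfw DAQ in inline mode, the ipfw rule set must actually divert traffic to the port Snort listens on (and not accept it in an earlier rule), and the Snort rules themselves must use a blocking action, because under an inline DAQ only drop, sdrop and reject rules cause a packet to be dropped; alert rules only alert. The script below is an added example, not code from the original post or from the Snort or FreeBSD projects. It checks those three points against sample inputs that are constructed inline (a snort.conf fragment with the post's three directives, a two-rule rules file, and a rule listing in the format of `ipfw -S list`), so it runs without ipfw or Snort installed; the function names and the 1500 divert port are taken from the post or chosen here.

```shell
#!/bin/sh
# Added example: sanity checks for a Snort inline + IPFW divert setup.
# All inputs below are constructed samples, not output captured from a real host.

# Constructed snort.conf fragment carrying the three directives from the post.
SNORT_CONF_SAMPLE='config daq: ipfw
config daq_mode: inline
config policy_mode: inline
include $RULE_PATH/local.rules'

# Constructed rules file: one alert rule and one drop rule.
RULES_SAMPLE='alert tcp any any -> any 80 (msg:"http test"; sid:1000001; rev:1;)
drop tcp any any -> any 23 (msg:"telnet blocked"; sid:1000002; rev:1;)'

# Constructed listing in `ipfw -S list` format, mirroring the post's rule numbers.
IPFW_LIST_SAMPLE='00401 set 0 allow ip from 224.0.0.0/24 to any
00402 set 0 allow ip from any to 224.0.0.0/24
00403 set 0 allow ip from me to me
00451 set 10 divert 1500 ip from any to any
65535 set 31 deny ip from any to any'

# Return 0 when the snort.conf text in $1 contains all three inline-DAQ
# directives, 1 when any of them is missing.
conf_has_inline_daq() {
    conf="$1"
    for needle in 'config daq: ipfw' 'config daq_mode: inline' 'config policy_mode: inline'; do
        printf '%s\n' "$conf" | grep -q "^$needle" || return 1
    done
    return 0
}

# Print how many rules in $1 use an action that can block traffic under an
# inline DAQ (drop, sdrop, reject). Zero means Snort can only alert.
count_blocking_rules() {
    printf '%s\n' "$1" | grep -c -E '^(drop|sdrop|reject)[[:space:]]' || true
}

# Walk the ipfw listing in $1 in rule-number order and print the number of the
# first rule diverting to port $2. Returns 0 when found, 1 when no such rule
# exists, 2 when an earlier "allow ip from any to any" accepts everything
# before the divert rule is reached (Snort would then never see the traffic).
divert_rule_status() {
    rules="$1"; port="$2"
    printf '%s\n' "$rules" | (
        while read -r num rest; do
            case "$rest" in
                *"divert $port "*) printf '%s\n' "$num"; exit 0 ;;
                *"allow ip from any to any"*) exit 2 ;;
            esac
        done
        exit 1
    )
}

# Run the three checks against the constructed samples and report.
run_checks() {
    if conf_has_inline_daq "$SNORT_CONF_SAMPLE"; then
        echo "snort.conf: ipfw DAQ in inline mode is configured"
    else
        echo "snort.conf: inline ipfw DAQ directives missing"
    fi
    echo "rules with a blocking action: $(count_blocking_rules "$RULES_SAMPLE")"
    rc=0
    num=$(divert_rule_status "$IPFW_LIST_SAMPLE" 1500) || rc=$?
    case "$rc" in
        0) echo "ipfw rule $num diverts traffic to port 1500" ;;
        1) echo "ipfw: no divert rule for port 1500" ;;
        2) echo "ipfw: divert rule for port 1500 is shadowed by an earlier allow-all rule" ;;
    esac
}
run_checks
```

To use it against a real host, replace the three sample variables with `cat /usr/local/etc/snort/snort.conf`, the contents of the loaded rules files, and the output of `ipfw -S list`; the divert port argument must match the `--daq-var port=` value passed to Snort.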


More information about the freebsd-questions mailing list