Posted March 30, 2014

Hello,

I am new to this Snort version and it is behaving unusually. I configured Snort and DAQ from source. Below is some information about my setup:

    snort -V
    Version 2.9.6.0 GRE (Build 47)
    Using libpcap version 1.1.1
    Using PCRE version: 8.12 2011-01-15
    Using ZLIB version: 1.2.3.4

=========================================

    snort --daq-list
    Available DAQ modules:
    pcap(v3): readback live multi unpriv
    ipfw(v3): live inline multi unpriv
    dump(v2): readback live inline multi unpriv
    afpacket(v5): live inline multi unpriv

=========================================

When I built daq-modules:

    Build AFPacket DAQ module.. : yes
    Build Dump DAQ module...... : yes
    Build IPFW DAQ module...... : yes
    Build IPQ DAQ module....... : yes
    Build NFQ DAQ module....... : yes
    Build PCAP DAQ module...... : yes

=========================================

I start Snort using this command: snort -c /etc/snort/snort.conf -Q -i eth0:eth1

    snort -c /etc/snort/snort.conf -Q -i eth0:eth1
    Enabling inline operation
    Running in IDS mode
    --== Initializing Snort ==--
    Initializing Output Plugins!
    Initializing Preprocessors!
    Initializing Plug-ins!
    Parsing Rules file "/etc/snort/snort.conf"
    . . . Few lines between .
    afpacket DAQ configured to inline.
    Acquiring network traffic from "eth0:eth1".
    Reload thread starting...

=========================================

I don't see any errors while the command is executed in inline mode using the afpacket DAQ. Then why does it say "Running in IDS mode", and then after that "afpacket DAQ configured to inline"? So I don't get whether my Snort is running in IDS mode or IPS mode.

I tried to test it. My rule file:

    drop tcp any any -> any 23 (msg: "Drop telnet packets"; sid: 1000001)
    pass ip any any -> any any

I am able to telnet when Snort is running, which shouldn't happen.

Can anyone please help me out in this regard as to what I am doing wrong here? I am clueless as to what is going wrong here! Please help!