Hi.

I am quite familiar with running snort in inline mode.

I have set up bridging mode on Ubuntu Lucid = eth0+eth1 = br0, I have added emerging and VRS rules.

It is running ok - but ignoring my test (drop) rule.

I want suricata to examine all traffic (including to the Suricata server).

I have used a startup script:

/sbin/iptables -A INPUT -j NFQUEUE --queue-num 0
/sbin/iptables -A FORWARD -j NFQUEUE --queue-num 0
/sbin/iptables -A OUTPUT -j NFQUEUE --queue-num 0
sleep 1
/usr/local/bin/suricata -c /etc/suricata/suricata.yaml -q 0 -D --pidfile=/var/run/suricata.pid

For my test rule I just want it to drop all attempts to go to port 80 (for the Bridge + the Suricata server).

Previously I have used

drop tcp any any -> any 80 (classtype:attempted-user; msg:"Port 80 connection initiated";)

But it errors:

[1296] 26/7/2010 -- 14:53:01 - (detect.c:301) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Error parsing signature "drop tcp any any -> any 80 (msg:"Snort_Inline is blocking the http link";) " from file /etc/suricata/rules/emerging-malware.rules at line 1314

- somehow the syntax isn't working.

If I use:

drop tcp any any -> any 80 (classtype:attempted-user; msg:"Port 80 connection initiated";)

I get no errors (in the log) but can still access port 80 on the Suricata server - i.e.:

http://ipaddressofsuricataserver.com:80

And I get nothing in the logs, no alert + no drop - so my test rule isn't working.

Lastly I have tried (from the blog)

drop tcp any any -> any 80 (msg:"testing drop"; content:"*"; http_header; sid:123321;)

This does trigger an 'alert' when I go to

http://ipaddressofsuricataserver.com:80

in fast.log:

07/26/10-14:01:54.377706 [**] [1:123321:0] testing drop [**] [Classification: (null)] [Priority: 3] {6} (clientIP):49769 -> (serverip):80

The issue is that it is NOT blocking - I can still access it.

Can anyone suggest how to make it drop correctly?

Cheers
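Added example, not part of the post above and not Suricata's own code: a small Python linter for Snort/Suricata-style rules plus a parser for the fast.log line format shown in the post, so that the three test rules can be checked before they are loaded into a live inline sensor. The set of required options (msg and sid), the accepted action and protocol names, and the optional [Drop]/[wDrop] marker that later Suricata releases write into fast.log for dropped packets are assumptions of this script, not facts taken from the post.

```python
import re
from dataclasses import dataclass

# Assumed action/protocol vocabularies; extend as needed for your Suricata version.
ACTIONS = {"alert", "drop", "pass", "reject", "rejectsrc", "rejectdst", "rejectboth"}
PROTOS = {"tcp", "udp", "icmp", "ip", "http", "tls", "dns", "ssh", "smtp", "ftp"}

# Rule header: action proto src sport dir dst dport (options)
HEADER_RE = re.compile(
    r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$", re.S
)

# fast.log line as printed in the post; the "[Drop]"/"[wDrop]" group is an
# assumption about newer Suricata releases and is optional here.
FASTLOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+(?:\[(?P<drop>w?Drop)\]\s+)?"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"\[Classification:\s*(?P<cls>.*?)\]\s+\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>[^}]+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    direction: str
    dst: str
    dport: str
    options: dict  # keyword -> list of values (None for bare modifiers like http_header)


def split_options(body):
    """Split the option body on ';' outside double quotes; every option must end with ';'."""
    opts, cur, in_q, esc = [], [], False, False
    for ch in body:
        if esc:
            cur.append(ch)
            esc = False
            continue
        if ch == "\\":
            cur.append(ch)
            esc = True
            continue
        if ch == '"':
            in_q = not in_q
        if ch == ";" and not in_q:
            opts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    if in_q:
        raise ValueError("unterminated quote in options")
    tail = "".join(cur).strip()
    if tail:
        raise ValueError(f"options must end with ';' (trailing: {tail!r})")
    result = {}
    for opt in opts:
        if not opt:
            continue
        key, _, val = opt.partition(":")
        result.setdefault(key.strip(), []).append(val.strip() if _ else None)
    return result


def parse_rule(text):
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("header does not match 'action proto src sport dir dst dport (options)'")
    action, proto, src, sport, direction, dst, dport, body = m.groups()
    return Rule(action, proto, src, sport, direction, dst, dport, split_options(body))


def lint_rule(text):
    """Return a list of problems; an empty list means the rule passed these checks."""
    try:
        rule = parse_rule(text)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if rule.action not in ACTIONS:
        problems.append(f"unknown action {rule.action!r}")
    if rule.proto not in PROTOS:
        problems.append(f"unknown protocol {rule.proto!r}")
    if "msg" not in rule.options:
        problems.append("missing msg")
    if "sid" not in rule.options:
        problems.append("missing sid")
    # content matches literal bytes: "*" matches an asterisk (e.g. in "Accept: */*"), not anything.
    for content in rule.options.get("content", []):
        if content.strip('"') in ("*", ""):
            problems.append(f"content {content} is a literal byte match, not a wildcard")
    return problems


def parse_fastlog(line):
    """Parse one fast.log line into a dict; 'dropped' reflects the optional [Drop] marker."""
    m = FASTLOG_RE.match(line.strip())
    if not m:
        raise ValueError("unrecognised fast.log line")
    d = m.groupdict()
    return {
        "timestamp": d["ts"], "gid": int(d["gid"]), "sid": int(d["sid"]), "rev": int(d["rev"]),
        "msg": d["msg"], "classification": d["cls"], "priority": int(d["prio"]),
        "proto": d["proto"], "src": d["src"], "dst": d["dst"], "dropped": d["drop"] is not None,
    }


if __name__ == "__main__":
    # The three rules and the log line quoted in the post.
    for r in ['drop tcp any any -> any 80 (msg:"Snort_Inline is blocking the http link";)',
              'drop tcp any any -> any 80 (classtype:attempted-user; msg:"Port 80 connection initiated";)',
              'drop tcp any any -> any 80 (msg:"testing drop"; content:"*"; http_header; sid:123321;)']:
        print(r, "->", lint_rule(r) or "ok")
    print(parse_fastlog("07/26/10-14:01:54.377706 [**] [1:123321:0] testing drop [**] "
                        "[Classification: (null)] [Priority: 3] {6} (clientIP):49769 -> (serverip):80"))
```

The linter is a pre-load check only: it tells you whether a rule is well formed and carries the options the engine needs to identify it, not whether packets actually reach the NFQUEUE the sensor is bound to. The fast.log parser is useful for the same reason, since an entry that carries a sid and rev but no drop marker shows the rule matched without telling you what the verdict was.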