RE: [Snort-users] Snort Inline

["Bob McDowell" <bmcdowell@xxxxxxxxxxxxxxxxxx>]

Title: Snort Inline

I think I answered my own question:

 

To enable ipq you must not only do the 'make install-devel' (as is thoroughly documented) but also enable 'Userspace queuing (experimental)' during kernel compile.  The trick is, you have to go into 'Code Maturity...' and enable experimental items before this option will show up.  This was non-obvious to me.  I am learning though...

 

Now 'snort -Q' will start.  I now have the same question as Amit:  how does the packet dropping work?

 

Also, it does not seem to log packets to syslog any longer, unless I omit the '-Q'.

-----Original Message-----
From: snort-users-admin@lists.sourceforge.net [mailto:snort-users-admin@lists.sourceforge.net]On Behalf Of Bob McDowell
Sent: Tuesday, December 31, 2002 2:23 PM
To: snort-users@lists.sourceforge.net
Subject: [Snort-users] Snort Inline

Has anyone on the list successfully installed/configured snort in inline mode?  I've been wrestling with it for days, and I think I'm getting close.  My biggest gripe about it is that I can't seem to find any help with it.  It took a lot of head scratching to get as far as I have...

When I'm done I'll write up the steps it took me to get it snorting.  In the mean time, can anyone out there help me?  Any documentation, tips, warnings, etc would be greatly appreciated.

Specifically, I'm now stuck with a message that reads 'InlineInit:  :  Failed to send netlink message:  Connection refused'

Thanks in advance.

Bob McDowell
IS Specialist
Cox HealthPlans, LLC
417.269.2848