1. First of all, I am using Snort 2.9.9.0. The switch mirrors the traffic exchanged with the outside world to eth0 and eth1; I have confirmed that the data is being mirrored to eth0.
2. In iptables, the PREROUTING, INPUT and FORWARD (nat) chains for the eth0 port are directed into NFQUEUE.
3. In snort.conf, HOME_NET is set to any.
4. local.rules is set up.
The problem I am running into now is this: after setting up local.rules, I run the command snort -Q --daq nfq --daq-var device=eth0 --daq-var queue=1 -c etc/snort.conf. If the rule is any <> any, I can see log entries in alert, but there is no entry for the IP of my communication test program (the IP is non-local). When I run snort -v, I can see the record for my test IP, and tcpdump captures the packets on eth0. But from start to finish my test communication was never blocked, and there is no record of my test IP in the alert file.
5. I would like to ask the experts: what is wrong with my configuration? Is some special configuration required, or does Snort's IPS simply not support bypass blocking? If not, can you recommend a better open-source IPS that does bypass blocking?
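The check the poster did by hand (look for the test IP in the alert file and see whether the matching rule actually dropped anything) is worth scripting, because the two outcomes mean different things: the IP present with an alert-only verdict means the rule matched but had no drop action, while the IP absent altogether means the packets never reached Snort's DAQ at all. The following is an added example, not code from the question or from the Snort project. It assumes the alert file is in Snort 2.9's alert_fast layout, including the [Drop]/[WDrop] prefix that the inline verdict adds in front of [**]; the sample lines, IPs and SIDs are constructed for the example.

```python
"""Summarise a Snort 2.9 alert_fast file for one IP address.

Added example (not from the original post). Assumes IPv4 alerts in the
alert_fast layout; the sample lines below are constructed, not captured.
"""
import re
import sys
from collections import Counter

# Constructed sample alert_fast lines.  Line 2 carries the "[Drop]" prefix
# that Snort 2.9 prints for a packet dropped inline; line 4 carries "[WDrop]",
# which Snort prints when a drop rule matched but the packet was not actually
# dropped (e.g. not running inline).
SAMPLE_ALERTS = """\
01/12-10:15:32.101234  [**] [1:1000001:1] LOCAL any-any test [**] [Priority: 0] {TCP} 10.1.1.20:51022 -> 10.1.1.5:22
01/12-10:15:33.202345  [Drop] [**] [1:1000002:1] LOCAL drop test [**] [Priority: 0] {TCP} 10.1.1.20:51023 -> 10.1.1.5:80
01/12-10:15:34.303456  [**] [1:1000001:1] LOCAL any-any test [**] [Priority: 0] {ICMP} 10.1.1.5 -> 10.1.1.20
01/12-10:15:35.404567  [WDrop] [**] [1:1000002:1] LOCAL drop test [**] [Priority: 0] {UDP} 192.0.2.9:5353 -> 10.1.1.5:53
"""

# timestamp, optional [Drop]/[WDrop] verdict, [**] [gid:sid:rev] msg [**],
# anything up to {PROTO}, then src[:port] -> dst[:port].  Ports are optional
# because ICMP alerts carry bare addresses.
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+"
    r"(?:\[(?P<action>W?Drop)\]\s+)?"
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+?)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[\d.]+?)(?::(?P<dport>\d+))?\s*$"
)


def parse_alerts(text):
    """Parse alert_fast text into a list of dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        # Normalise the verdict: no prefix means the rule only alerted.
        d["verdict"] = d.pop("action") or "alert"
        events.append(d)
    return events


def events_for_ip(events, ip):
    """Alerts in which the IP appears as source or destination."""
    return [e for e in events if ip in (e["src"], e["dst"])]


def summarize(events, ip):
    """Count alerts, verdicts and distinct SIDs seen for one IP."""
    hits = events_for_ip(events, ip)
    return {
        "ip": ip,
        "alerts": len(hits),
        "verdicts": dict(Counter(e["verdict"] for e in hits)),
        "sids": sorted({int(e["sid"]) for e in hits}),
    }


def main(argv):
    # usage: alert_check.py <test-ip> [alert-file]; without a file the
    # constructed sample is used so the script runs offline.
    ip = argv[1] if len(argv) > 1 else "10.1.1.20"
    text = open(argv[2]).read() if len(argv) > 2 else SAMPLE_ALERTS
    s = summarize(parse_alerts(text), ip)
    if s["alerts"] == 0:
        print(f"{ip}: no alerts at all; the packets did not reach Snort's DAQ")
    elif "Drop" not in s["verdicts"]:
        print(f"{ip}: {s['alerts']} alerts but nothing dropped: {s['verdicts']}")
    else:
        print(f"{ip}: {s}")


if __name__ == "__main__":
    main(sys.argv)
```

Run it against the real alert file with the test program's IP as the first argument; an empty result for an IP that tcpdump clearly sees on eth0 points at the iptables/NFQUEUE path rather than at the rule set.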