I want to use snort in inline mode with IPFW type.I'm using divert-packet, and target host receives icmp packets but their reply drops with default block rule.
I run snort with this command:
This is my PF rules:
here is pfctl -s rules output:
And this is log from tcpdump :
I run snort with this command:
Code:
snort --daq-dir /usr/local/lib/daq/ -vde --daq ipfw --daq-mode inline --daq-var port=9000 -c /etc/snort/snort.con* -l /var/log/snort/ -A console
Code:
block log all
pass out on {em0,em2}
pass in on em0 divert-packet port 9000
pass in on em2 divert-packet port 9000here is pfctl -s rules output:
Code:
block drop log all
pass out on em0 all flags S/SA
pass out on em2 all flags S/SA
pass in on em0 all flags S/SA scrub (reassemble tcp) divert-packet port 9000
pass in on em2 all flags S/SA scrub (reassemble tcp) divert-packet port 9000And this is log from tcpdump :
Code:
rule 0/(match) block in on em2: 192.168.3.15 > 192.168.2.15: icmp: echo reply