[Honeywall] Snort rules

Earl esammons at hush.com
Wed Jul 23 16:04:46 EDT 2008


We gave up on creating "yet another snortrule interface" a while 
back to dedicate devel resources in what we considered at the time 
to be more important areas.  For clarity, this is not a "jab" just 
a general explanation of what happened...

Either remove tftp.rules from /etc/snort_inline/snort_inline.conf 
entirely
or
poke around in /etc/snort_inline/rules/tftp.rules 
until you find the "offending" rule and comment it by prepending 
the line with a "#" (a la bash comment).

Need to restart snort-inline after.  I suggest 
'/etc/init.d/hwdaemons restart' or a reboot.

Earl

On Wed, 23 Jul 2008 14:23:29 -0400 "Jefferson, Shawn" 
<Shawn.Jefferson at bcferries.com> wrote:
>Hi,
>
>I'm having some trouble allowing TFTP GET transfers from my Honeypots.
>Doing a packet capture on my TFTP server, I notice that the TFTP opcode
>is being sent as 0x1201 from the Honeypot when it sends the request
>through the Honeywall.  If I move the Honeypot so that it isn't behind
>the Honeywall, TFTP works fine and the opcode is 0x0001 like you would
>assume.  I'm assuming this is snort-inline that is changing the packet,
>but I just can't see how to stop it from doing this.  I've looked at the
>rules in etc and made changes there, but I'm still having this problem.
>
>What's the method to change the snort_inline rules on Honeywall roo 1.4?
>Anyone else have this problem?
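
Added example, not part of the original thread and not Honeywall project code: one way to locate and comment out a single rule by SID instead of dropping tftp.rules entirely. It assumes the offending rule uses snort_inline's "replace" option (which rewrites matched payload bytes); the function names, the sample rules and the SIDs are constructed for illustration.

```shell
#!/bin/sh
# write_sample FILE: constructed rules mimicking the symptom in the quoted
# message; these are NOT copied from the Honeywall rule set.
write_sample() {
    cat > "$1" <<'EOF'
# constructed sample rules for illustration only
alert udp $HOME_NET any -> $EXTERNAL_NET 69 (msg:"sample: detect only"; content:"|00 01|"; depth:2; sid:1000001; rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 69 (msg:"sample: rewrites opcode"; content:"|00 01|"; depth:2; replace:"|12 01|"; sid:1000002; rev:1;)
EOF
}

# list_replace_rules FILE: print "line:sid" for every active (uncommented)
# rule that carries a replace: option, i.e. one that can alter packets.
list_replace_rules() {
    awk '!/^[ \t]*#/ && /replace:/ {
        sid = "unknown"
        if (match($0, /sid:[ \t]*[0-9]+/)) {
            sid = substr($0, RSTART, RLENGTH)
            sub(/sid:[ \t]*/, "", sid)
        }
        print NR ":" sid
    }' "$1"
}

# disable_rule FILE SID: prepend "#" to the active rule with that exact SID.
# A copy of the original is kept as FILE.bak so the change can be reverted.
disable_rule() {
    file=$1
    sid=$2
    cp -p "$file" "$file.bak" || return 1
    awk -v sid="$sid" '
        !/^[ \t]*#/ && $0 ~ ("sid:[ \t]*" sid "[ \t]*;") { print "#" $0; next }
        { print }' "$file.bak" > "$file"
}

# Demo on a temporary constructed file. On a Honeywall the target would be
# /etc/snort_inline/rules/tftp.rules, followed by the restart Earl suggests.
tmp=$(mktemp) && write_sample "$tmp"
list_replace_rules "$tmp"
disable_rule "$tmp" 1000002 && grep -c '^#alert' "$tmp"
rm -f "$tmp" "$tmp.bak"
```

Listing first and disabling by SID leaves the other rules in the file active, and the .bak copy gives a quick rollback.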
