[Honeywall] Snort rules
esammons at hush.com
Wed Jul 23 16:04:46 EDT 2008
We gave up on creating "yet another snortrule interface" a while
back to dedicate devel resources in what we considered at the time
to be more important areas. For clarity, this is not a "jab" just
a general explanation of what happened...
either remove tftp.rules from /etc/snort_inline/snort_inline.conf
or poke around in /etc/snort_inline/rules/tftp.rules
until you find the "offending" rule and comment it by prepending
the line with a "#" (a la bash comment)
Need to restart snort-inline after. I suggest
'/etc/init.d/hwdaemons restart' or a reboot.
On Wed, 23 Jul 2008 14:23:29 -0400 "Jefferson, Shawn"
<Shawn.Jefferson at bcferries.com> wrote:
>I'm having some trouble allowing TFTP GET transfers from my
>Doing a packet capture on my TFTP server, I notice that the TFTP
>is being sent as 0x1201 from the Honeypot when it sends the
>through the Honeywall. If I move the Honeypot so that it isn't
>the Honeywall, TFTP works fine and the opcode is 0x0001 like you
>assume. I'm assuming this is snort-inline that is changing the
>but I just can't see how to stop it from doing this. I've looked
>rules in etc and made changes there, but I'm still having this
>What's the method to change the snort_inline rules on Honeywall
>? Anyone else have this problem?
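
Added example, not part of the original thread or the Honeywall's own tooling: one way to find the "offending" rule and comment it out with a "#", as the reply describes. It assumes the rewrite comes from a rule using snort_inline's `replace` option; the sample rules, their sids and the function names are constructed for illustration.

```shell
#!/bin/sh
# Write a constructed sample rules file (NOT the real tftp.rules; sids are placeholders).
make_sample_rules() {
    cat > "$1" <<'EOF'
# constructed sample rules for illustration only
alert udp $HOME_NET any -> $EXTERNAL_NET 69 (msg:"SAMPLE tftp get rewrite"; content:"|00 01|"; depth:2; replace:"|12 01|"; sid:9000001; rev:1;)
alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"SAMPLE tftp put"; content:"|00 02|"; depth:2; sid:9000002; rev:1;)
#alert udp any any -> any 69 (msg:"SAMPLE already disabled"; replace:"|00 00|"; sid:9000003; rev:1;)
EOF
}

# Print the sid of every active (uncommented) rule that rewrites payload
# bytes via the snort_inline "replace" option.
list_replace_sids() {
    grep -v '^[[:space:]]*#' "$1" | grep 'replace:' |
        sed -n 's/.*sid:[[:space:]]*\([0-9][0-9]*\);.*/\1/p'
}

# Comment out the active rule with the given sid by prepending "#".
# The untouched original is kept beside it as <file>.bak.
disable_sid() {
    cp -p "$1" "$1.bak" || return 1
    sed "/^[[:space:]]*#/!{/sid:[[:space:]]*$2;/s/^/#/;}" "$1.bak" > "$1"
}

# Demo on the constructed file: list rewriting rules, disable one, count "#" lines.
demo=$(mktemp) && make_sample_rules "$demo"
list_replace_sids "$demo"
disable_sid "$demo" 9000001 && grep -c '^#' "$demo"
rm -f "$demo" "$demo.bak"
```

On a real system the file argument would be /etc/snort_inline/rules/tftp.rules, followed by the restart suggested in the reply ('/etc/init.d/hwdaemons restart').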