Security – snort: drop icmp rule doesn’t actually drop packets


I installed snort-2.9.7 from sources and launch it as an IDS:

% snort -devQ -A console -c /etc/snort/snort.conf -i eth0:eth1
Enabling inline operation
Running in IDS mode
...

The config file is very trivial:

#
var RULE_PATH rules
# Set up the external network addresses. Leave as "any" in most situations
ipvar EXTERNAL_NET any
# Setup the network addresses you are protecting
ipvar HOME_NET [10.10.10.0/24]
config daq: afpacket
config daq_mode: inline
config policy_mode:inline
include $RULE_PATH/icmp.rules

The rule in icmp.rules is simple as well, for the purpose of testing:

block icmp 10.10.10.2 any <> 10.10.10.1 any (msg:"Blocking ICMP Packet from 10.10.10.2"; sid:1000001; rev:1;)

On the host where Snort is running, the interface eth0 has address 10.10.10.1. However, when I ping 10.10.10.1 from another host, the ICMP packets are not dropped by Snort and ICMP replies are generated:

WARNING: No preprocessors configured for policy 0.
02/27-15:04:40.623763  [Drop] [**] [1:1000001:1] Blocking ICMP Packet from 10.10.10.2 [**] [Priority: 0] {ICMP} 10.10.10.2 -> 10.10.10.1

What does the warning mean? Am I doing something wrong?

Best Answer

Replace your icmp rule by the following:

reject icmp 10.10.10.2 any <> 10.10.10.1 any (msg:"Blocking ICMP Packet from 10.10.10.2"; sid:1000001; rev:1;)

Note that there is no Snort rule action called block. Use either reject or drop. For more information, see this manual page.

UPDATE:

I am not sure you can put more than one interface in your snort command. Try running two instances of snort, one for each network interface, or use the other approach explained here.
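A small lint for the situation in the question, added here as an example and not part of the original thread or of Snort: it parses a one-line Snort 2 rule header, rejects action keywords that Snort 2.9.x does not know (such as the `block` from the question), and warns when a drop-type action is used without `daq_mode` and `policy_mode` set to inline. The rule and config text embedded below are constructed from the question's own values.

```python
import re

# Rule actions accepted by Snort 2.9.x. "block" is not one of them
# (it is a Snort 3 action), which is why the rule in the question is wrong.
SNORT2_ACTIONS = {"alert", "log", "pass", "activate", "dynamic",
                  "drop", "reject", "sdrop"}
# Actions that only have an effect when Snort runs inline.
INLINE_ONLY_ACTIONS = {"drop", "reject", "sdrop"}

# header: action proto src sport direction dst dport (options)
HEADER_RE = re.compile(
    r"^\s*(?P<action>\S+)\s+(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sport>\S+)"
    r"\s+(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$")


def parse_rule(line):
    """Split a single-line Snort 2 rule into its header fields and option body."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not a Snort rule header: %r" % line)
    return m.groupdict()


def config_is_inline(config_text):
    """True when snort.conf sets both daq_mode and policy_mode to inline."""
    return bool(re.search(r"^\s*config\s+daq_mode:\s*inline", config_text, re.M)
                and re.search(r"^\s*config\s+policy_mode:\s*inline", config_text, re.M))


def lint_rule(line, config_text):
    """Return a list of problems for one rule, checked against a snort.conf body."""
    problems = []
    rule = parse_rule(line)
    action = rule["action"]
    if action not in SNORT2_ACTIONS:
        problems.append("unknown action %r; Snort 2 accepts %s"
                        % (action, ", ".join(sorted(SNORT2_ACTIONS))))
    if action in INLINE_ONLY_ACTIONS and not config_is_inline(config_text):
        problems.append("%r only takes effect with daq_mode and policy_mode inline" % action)
    if "sid:" not in rule["opts"]:
        problems.append("rule has no sid")
    return problems


# Constructed samples, taken from the question's config and rule.
CONF = "ipvar HOME_NET [10.10.10.0/24]\nconfig daq: afpacket\n" \
       "config daq_mode: inline\nconfig policy_mode:inline\n"
BAD_RULE = ('block icmp 10.10.10.2 any <> 10.10.10.1 any '
            '(msg:"Blocking ICMP Packet from 10.10.10.2"; sid:1000001; rev:1;)')
GOOD_RULE = BAD_RULE.replace("block", "reject", 1)

if __name__ == "__main__":
    for rule in (BAD_RULE, GOOD_RULE):
        print(rule.split()[0], "->", lint_rule(rule, CONF) or "ok")
```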