From: Schwendinger, D. T., 1. IO C. <dt...@1s...> - 2004-03-02 14:53:24
All,

A little background:

> I'm using SNORT_inline as part of a honeypot on a RedHat 9.0 box with the
> snort_inline.sh script from honeynet.org. The only modifications I made
> were to add the "-s" option to send the alerts to syslog as well as a file
> and change the interface.
>
> $SNORT -D -d -s -c /etc/snort_inline/snort_inline.conf -Q -i vmnet1 -l
> $DIR/$DATE -t $DIR/$DATE
>
> It seems to start without any problems, no errors or messages in syslog
> that indicate there's a problem, but it will not log to syslog or to a
> file. A "ps -ef" shows that it is running.
>
> If I remove the "-Q" option it will begin logging.

The problem:

I found that when I patched the kernel with the "ebtables-brnf-3_vs_2.4.22-kernel.diff.gz" patch I got the following error:

> patching file net/Makefile
>
> Hunk #1 FAILED at 7.
> 1 out of 2 hunks FAILED -- saving rejects to file net/Makefile.rej

According to http://ebtables.sourceforge.net/br_fw_ia/br_fw_ia.html:

"The br-nf code makes bridged IP frames/packets go through the iptables chains. Ebtables filters on the Ethernet layer, while iptables only filters IP packets."

This caused the traffic from the Linux host to be queued and looked at by snort_inline, but traffic that was bridged was sent right through without being queued and examined by snort_inline, because of this error in the installation of ebtables.

The solution:

I was unable to correct this problem with the patch, so I upgraded the kernel to 2.6.2 (which has ebtables and bridge-netfilter built in) and recompiled it with all the bridge-netfilter and ebt options selected. This fixed the problem and now snort_inline is working perfectly.

David
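The failure mode David describes (snort_inline started with -Q, no errors, but bridged traffic never reaches it) is silent, so a pre-flight check is worth having before trusting the honeypot. The script below is an added example written for this archive page; it is not David's script and not part of snort_inline or the honeynet snort_inline.sh. It assumes a 2.6-style kernel that exposes the bridge-netfilter switch at /proc/sys/net/bridge/bridge-nf-call-iptables, and that the firewall hands packets to snort_inline with an iptables "-j QUEUE" rule in the FORWARD chain; the function names and the sample iptables-save text are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post or the snort_inline project).
# Verifies the two things that must both hold for bridged frames to be
# queued to snort_inline -Q: bridge-netfilter is compiled in and enabled,
# and a QUEUE rule exists in the FORWARD chain.

# check_bridge_queue BRNF_VALUE IPTABLES_SAVE_TEXT
# BRNF_VALUE is the content of bridge-nf-call-iptables ("1", "0", or
# "missing" when the file does not exist, i.e. no bridge-netfilter support).
# Returns 0 when bridged frames will be queued, 1 otherwise, with a reason.
check_bridge_queue() {
  brnf="$1"
  rules="$2"
  if [ "$brnf" != "1" ]; then
    echo "bridge-nf-call-iptables is '$brnf': bridged frames bypass iptables, so snort_inline -Q never sees them"
    return 1
  fi
  # A QUEUE rule somewhere in FORWARD; host-originated traffic hits OUTPUT,
  # which is why the host's own traffic was logged while bridged traffic was not.
  if ! printf '%s\n' "$rules" | grep -qE '^-A FORWARD .*-j QUEUE'; then
    echo "no QUEUE rule in FORWARD: bridged frames are forwarded without being queued"
    return 1
  fi
  echo "ok: bridged frames will be handed to snort_inline via QUEUE"
  return 0
}

# Live wrapper for the honeypot bridge host (needs root for iptables-save).
# Path assumed: bridge-netfilter sysctl on 2.6 kernels with CONFIG_BRIDGE_NETFILTER.
check_live() {
  f=/proc/sys/net/bridge/bridge-nf-call-iptables
  if [ -r "$f" ]; then v=$(cat "$f"); else v="missing"; fi
  check_bridge_queue "$v" "$(iptables-save -t filter 2>/dev/null)"
}

# Constructed sample: a minimal filter table that queues everything crossing
# the bridge (the shape a snort_inline honeypot firewall uses).
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -j QUEUE
COMMIT'

# Constructed sample: filter table with no QUEUE rule at all.
SAMPLE_RULES_NOQUEUE='*filter
:FORWARD ACCEPT [0:0]
COMMIT'

# Usage on the bridge host:  sh check_brnf.sh --live
if [ "${1:-}" = "--live" ]; then
  check_live
fi
```

If the check fails with "missing", the kernel has no bridge-netfilter support (the situation after the rejected br-nf hunk), and no amount of iptables tuning will make snort_inline -Q see bridged frames; if it reports "0", enable it with "echo 1 > /proc/sys/net/bridge/bridge-nf-call-iptables" and re-run.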