From: 520 j. <jac...@ho...> - 2004-05-04 08:32:59
Dear Willian:

Thanks for your support. I set all the environment variables that will be used in the system path, and did

./configure --with-mysql=/usr/local/mysql
make
make install

and now, this is my test environment:

PC1: eth0: IP 192.192.192.1  --->LAN
     eth1: IP 172.19.100.69  -->WAN
     DGW 172.19.1.254
     DNS 168.95.1.1

PC2: eth0: IP 192.192.192.10 --->LAN PC
     DGW 192.192.192.1
     DNS 168.95.1.1

The PC1 eth0 and PC2 eth0 are connected by IP sharing. The PC1 eth1 can connect to the internet, and I did

echo 1 > /proc/sys/net/ipv4/ip_forward

to be in forward mode. For the drop rule I only used the test.rules and modified two rules:

drop tcp any any <> any any (msg: "hell stream"; content: "yahoo"; nocase;)
drop udp any any <> any any (msg: "hell stream"; content: "yahoo"; nocase;)

and did

./snort_inline -c ./snort_inline.conf -l /var/log -Q

[root@jackie69 snort]# ./snort_inline -c ./snort_inline.conf -l /var/log -Q
Reading from iptables
Running in IDS mode
Log directory = /var/log
Initializing Inline mode

        --== Initializing Snort ==--
Initializing Output Plugins!
Setting the Packet Processor to decode packets from iptables
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file ./snort_inline.conf

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
rpc_decode arguments:
    Ports to decode RPC on: 111 32771
    alert_fragments: INACTIVE
    alert_large_fragments: ACTIVE
    alert_incomplete: ACTIVE
    alert_multiple_requests: ACTIVE
telnet_decode arguments:
    Ports to decode telnet on: 21 23 25 119
2 Snort rules read...
2 Option Chains linked into 2 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++

+-----------------------[thresholding-config]----------------------------------
| memory-cap : 1048576 bytes
+-----------------------[thresholding-global]----------------------------------
| none
+-----------------------[thresholding-local]-----------------------------------
| none
+-----------------------[suppression]------------------------------------------
| none
-------------------------------------------------------------------------------
Rule application order: ->activation->dynamic->drop->sdrop->reject->alert->pass->log

        --== Initialization Complete ==--

*******************
snort_inline-2.1.2
*******************
a modification of ...

-*> Snort! <*-
Version 2.1.2 (Build 25)
By Martin Roesch (ro...@so..., www.snort.org)

But why can PC2 still connect to the internet? Does it set the drop in the tables when it initializes? Could you please tell me what's wrong with it?

Best Regards.
Jackie

---Original---------------------------------------------------------
>
>Like Rob said,
>just do
>
>make clean
>./configure --with-mysql
>make
>make install
>
>That is if your libraries are in your path statement; otherwise include
>everything you did below minus the line
>
>--enable-ipfw --with-libipq-includes=/usr/local/include
>
>You probably don't need flexresp either.
>
>If you want to get really crazy try
>
>./configure --with-mysql=/usr/local/mysql --enable-inline
>--with-libipq-includes=/usr/local/include
>--with-libipq-libraries=/usr/local/lib
>make
>make install
>
>Regards,
>
>Will
>
>
>             "520 jackie" <jackie520520@hotmail.com>
>             05/03/2004 09:32 PM
>
>                       To:      Wil...@kc...
>                       cc:
>                       Subject: Re: [Snort-inline-users] Question: about the snort_inline
>
>
>Dear Willian:
>  Thanks for your reply.
>./configure
>
>./configure --with-mysql=/usr/local/mysql --enable-flexresp
>--with-libnet-includes=/usr/include --with-libnet-libraries=/usr/lib
>--enable-ipfw --with-libipq-includes=/usr/local/include
>--with-libipq-libraries=/usr/local/lib
>
>Output (this is the second configure run's output):
>
>checking for a BSD-compatible install... /usr/bin/install -c
>checking whether build environment is sane... yes
>checking for gawk... gawk
>checking whether make sets $(MAKE)... yes
>checking for style of include used by make... GNU
>checking for gcc... gcc
>checking for C compiler default output... a.out
>checking whether the C compiler works... yes
>checking whether we are cross compiling... no
>checking for suffix of executables...
>checking for suffix of object files... o
>checking whether we are using the GNU C compiler... yes
>checking whether gcc accepts -g... yes
>checking for gcc option to accept ANSI C... none needed
>checking dependency style of gcc... gcc
>checking for gcc option to accept ANSI C... none needed
>checking for ranlib... ranlib
>checking for gcc... (cached) gcc
>checking whether we are using the GNU C compiler... (cached) yes
>checking whether gcc accepts -g... (cached) yes
>checking for gcc option to accept ANSI C... (cached) none needed
>checking dependency style of gcc... (cached) gcc
>checking build system type... i586-pc-linux-gnu
>checking host system type... i586-pc-linux-gnu
>checking whether byte ordering is bigendian... no
>checking for sparc alignment... no
>checking how to run the C preprocessor... gcc -E
>checking for egrep... grep -E
>checking for ANSI C header files... yes
>checking for sys/types.h... yes
>checking for sys/stat.h... yes
>checking for stdlib.h... yes
>checking for string.h... yes
>checking for memory.h... yes
>checking for strings.h... yes
>checking for inttypes.h... yes
>checking for stdint.h... yes
>checking for unistd.h... yes
>checking for strings.h... (cached) yes
>checking for string.h... (cached) yes
>checking for stdlib.h... (cached) yes
>checking for unistd.h... (cached) yes
>checking sys/sockio.h usability... no
>checking sys/sockio.h presence... no
>checking for sys/sockio.h... no
>checking paths.h usability... yes
>checking paths.h presence... yes
>checking for paths.h... yes
>checking for inet_ntoa in -lnsl... yes
>checking for socket in -lsocket... no
>checking whether printf must be declared... no
>checking whether fprintf must be declared... no
>checking whether syslog must be declared... no
>checking whether puts must be declared... no
>checking whether fputs must be declared... no
>checking whether fputc must be declared... no
>checking whether fopen must be declared... no
>checking whether fclose must be declared... no
>checking whether fwrite must be declared... no
>checking whether fflush must be declared... no
>checking whether getopt must be declared... no
>checking whether bzero must be declared... no
>checking whether bcopy must be declared... no
>checking whether memset must be declared... no
>checking whether strtol must be declared... no
>checking whether strcasecmp must be declared... no
>checking whether strncasecmp must be declared... no
>checking whether strerror must be declared... no
>checking whether perror must be declared... no
>checking whether socket must be declared... no
>checking whether sendto must be declared... no
>checking whether vsnprintf must be declared... no
>checking whether snprintf must be declared... no
>checking whether strtoul must be declared... no
>checking for snprintf... yes
>checking for strlcpy... no
>checking for strlcat... no
>checking for strerror... yes
>checking for __FUNCTION__... yes
>checking for floor in -lm... yes
>checking for pcap_datalink in -lpcap... yes
>checking pcre.h usability... yes
>checking pcre.h presence... yes
>checking for pcre.h... yes
>checking for pcre_compile in -lpcre... yes
>checking for mysql... yes
>checking for compress in -lz... yes
>checking "for libnet.h version 1.0.x"... /usr/local/include
>checking libnet.h usability... yes
>checking libnet.h presence... yes
>checking for libnet.h... yes
>checking for libnet version 1.0.2a... yes
>checking for libnet_build_ip in -lnet... yes
>checking for u_int8_t... yes
>checking for u_int16_t... yes
>checking for u_int32_t... yes
>checking for a BSD-compatible install... /usr/bin/install -c
>configure: creating ./config.status
>config.status: creating Makefile
>config.status: creating src/Makefile
>config.status: creating src/sfutil/Makefile
>config.status: creating src/detection-plugins/Makefile
>config.status: creating src/output-plugins/Makefile
>config.status: creating src/preprocessors/Makefile
>config.status: creating src/preprocessors/HttpInspect/Makefile
>config.status: creating src/preprocessors/HttpInspect/include/Makefile
>config.status: creating src/preprocessors/HttpInspect/utils/Makefile
>config.status: creating src/preprocessors/HttpInspect/anomaly_detection/Makefile
>config.status: creating src/preprocessors/HttpInspect/client/Makefile
>config.status: creating src/preprocessors/HttpInspect/event_output/Makefile
>config.status: creating src/preprocessors/HttpInspect/mode_inspection/Makefile
>config.status: creating src/preprocessors/HttpInspect/normalization/Makefile
>config.status: creating src/preprocessors/HttpInspect/server/Makefile
>config.status: creating src/preprocessors/HttpInspect/session_inspection/Makefile
>config.status: creating src/preprocessors/HttpInspect/user_interface/Makefile
>config.status: creating src/preprocessors/flow/Makefile
>config.status: creating src/preprocessors/flow/int-snort/Makefile
>config.status: creating src/preprocessors/flow/portscan/Makefile
>config.status: creating src/parser/Makefile
>config.status: creating doc/Makefile
>config.status: creating contrib/Makefile
>config.status: creating etc/Makefile
>config.status: creating rules/Makefile
>config.status: creating templates/Makefile
>config.status: creating src/win32/Makefile
>config.status: creating config.h
>config.status: config.h is unchanged
>config.status: executing depfiles commands
>
>And I modified the config.h and added some define vars:
>(Because I found that on Redhat 6.2 this var. is called __func__, and in the newer
>version it is called __FUNCTION__)
>
>#ifndef __FUNCTION__
>#undef __FUNCTION__
>#define ____FUNCTION__ __func__
>#endif
>
>#ifdef __func__
>#define __func__ __FUNCTION__
>#endif
>
>
>Next,
>
>make
>
>URCE -D__FAVOR_BSD -DHAVE_NET_ETHERNET_H -DLIBNET_LIL_ENDIAN -c `test -f
>'inline.c' || echo './'`inline.c
>In file included from /usr/include/libnet.h:51,
>                 from inline.c:8:
>/usr/include/netinet/ip.h:224: warning: `IPOPT_EOL' redefined
>decode.h:436: warning: this is the location of the previous definition
>/usr/include/netinet/ip.h:226: warning: `IPOPT_NOP' redefined
>decode.h:440: warning: this is the location of the previous definition
>/usr/include/netinet/ip.h:229: warning: `IPOPT_RR' redefined
>decode.h:444: warning: this is the location of the previous definition
>/usr/include/netinet/ip.h:230: warning: `IPOPT_TS' redefined
>decode.h:452: warning: this is the location of the previous definition
>/usr/include/netinet/ip.h:232: warning: `IPOPT_SECURITY' redefined
>decode.h:456: warning: this is the location of the previous definition
>/usr/include/netinet/ip.h:234: warning: `IPOPT_LSRR' redefined
>decode.h:460: warning: this is the location of the previous definition
>/usr/include/netinet/ip.h:235: warning: `IPOPT_SATID' redefined
>decode.h:468: warning: this is the location of the previous definition
>/usr/include/netinet/ip.h:237: warning: `IPOPT_SSRR' redefined
>decode.h:472: warning: this is the location of the previous definition
>inline.c: In function `InitInline':
>inline.c:155: warning: implicit declaration of function `pcap_open_dead'
>inline.c:155: warning: assignment makes pointer from integer without a
>cast
>inline.c:88: warning: unused variable `status'
>inline.c: In function `IpfwLoop':
>inline.c:231: `IPPROTO_DIVERT' undeclared (first use in this function)
>inline.c:231: (Each undeclared identifier is reported only once
>inline.c:231: for each function it appears in.)
>inline.c: In function `HandlePacket':
>inline.c:309: warning: unused variable `status'
>make[3]: *** [inline.o] Error 1
>make[3]: Leaving directory `/backup/IDS/snort_inline-2.1.2/src'
>make[2]: *** [all-recursive] Error 1
>make[2]: Leaving directory `/backup/IDS/snort_inline-2.1.2/src'
>make[1]: *** [all-recursive] Error 1
>make[1]: Leaving directory `/backup/IDS/snort_inline-2.1.2'
>make: *** [all] Error 2
>
>and I found that the function IpfwLoop in inline.c is only for FreeBSD.
>
>Could you please tell me what to do? Is there another solution for
>other Linux systems?
>
>
>Best Regards.
>  Jackie
>
>---Original Mail---------------------------------------------------------------
>
> >what is the output from your ./configure, make, and make install?
> >
> >Regards,
> >
> >Will
> >
> >
> >             "HOT-Jackie" <jackie520520@hotmail.com>
> >             Sent by: snort-inline-users-...@li...urceforge.net
> >             05/03/2004 11:44 AM
> >
> >                       To:      <sno...@li...urceforge.net>
> >                       cc:
> >                       Subject: [Snort-inline-users] Question: about the snort_inline
> >
> >
> >Dear All,
> >  I am a new snort_inline user.
> >  And I have some problems when I compile snort_inline v2.1.2.
> >  The function IpfwLoop only supports FreeBSD, but my environment
> >is Redhat: v6.2, Kernel: v2.4.20, iptables: v1.2.9.
> >  Could anyone tell me what to do? Or is there another solution?
> >Thx all!!
> >
> >Best Regards.
> >Jackie
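The question at the top of the thread is whether snort_inline puts the drop into iptables when it starts. It does not: with -Q it only reads packets that an iptables rule has already sent to the QUEUE target (the ip_queue module on 2.4 kernels), and it installs no rules itself. With ip_forward turned on and nothing in the FORWARD chain pointing at QUEUE, PC2's traffic is forwarded without ever reaching Snort, whatever the rules file says. The following is an added example, not part of the thread: a small POSIX shell check that reads an `iptables -L FORWARD -n` listing and reports whether any rule hands forwarded packets to QUEUE, and prints the rules that would steer LAN/WAN traffic through the queue when none does. It assumes the kernel 2.4 / iptables 1.2.9 setup named in the thread, with eth0 as the LAN side and eth1 as the WAN side as in Jackie's layout; the two listings embedded in it are constructed samples, and the script only inspects text, so it runs without root or iptables installed.

```shell
#!/bin/sh
# Added example (not from the thread): does anything in the FORWARD chain hand
# packets to snort_inline's QUEUE target, and if not, what rules would?
# Assumptions: Linux 2.4 iptables with the QUEUE target (ip_queue module),
# LAN on eth0 and WAN on eth1 as in the thread. Text-only; needs no root.

LAN_IF=${LAN_IF:-eth0}
WAN_IF=${WAN_IF:-eth1}

# forward_queue_rules reads an `iptables -L FORWARD -n` listing on stdin and
# prints the number of rules in the FORWARD chain whose target is QUEUE.
forward_queue_rules() {
    awk '
        /^Chain /               { in_fwd = ($2 == "FORWARD") }
        in_fwd && $1 == "QUEUE" { n++ }
        END                     { print n + 0 }
    '
}

# queue_rule_commands prints the commands that send traffic forwarded between
# the LAN and WAN interfaces to the QUEUE target. ip_queue must be loaded and
# snort_inline -Q must be running first: a QUEUE with no userspace reader
# drops every packet handed to it, so this fails closed, not open.
queue_rule_commands() {
    lan=$1
    wan=$2
    cat <<EOF
modprobe ip_queue
iptables -A FORWARD -i $lan -o $wan -j QUEUE
iptables -A FORWARD -i $wan -o $lan -j QUEUE
EOF
}

# Constructed sample: FORWARD chain on a box where ip_forward is on but no
# rule has been added (the situation described in the thread).
SAMPLE_NO_QUEUE='Chain FORWARD (policy ACCEPT)
target     prot opt source               destination'

# Constructed sample: the same chain after the two QUEUE rules were added.
SAMPLE_WITH_QUEUE='Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
QUEUE      all  --  0.0.0.0/0            0.0.0.0/0
QUEUE      all  --  0.0.0.0/0            0.0.0.0/0'

# check_listing returns 0 when the listing routes forwarded traffic through
# QUEUE, 1 when snort_inline would never see it (and prints the fix).
check_listing() {
    n=$(printf '%s\n' "$1" | forward_queue_rules)
    if [ "$n" -gt 0 ]; then
        echo "FORWARD chain has $n QUEUE rule(s): snort_inline -Q will see forwarded traffic"
        return 0
    fi
    echo "FORWARD chain has no QUEUE rule: forwarded traffic bypasses snort_inline. Add:"
    queue_rule_commands "$LAN_IF" "$WAN_IF"
    return 1
}

# Demonstration on the two constructed listings; the non-zero status of the
# first call is deliberate, so do not let it abort the script.
check_listing "$SAMPLE_NO_QUEUE" || :
check_listing "$SAMPLE_WITH_QUEUE"
```

On the inline box itself the same check is `iptables -L FORWARD -n | forward_queue_rules`; a result of 0 means the "Reading from iptables" banner in the thread is true only in the sense that Snort is waiting on the queue, not that any packet is being queued. Matching on `-i`/`-o` keeps locally generated traffic on PC1 out of the queue; to inspect that as well, the same `-j QUEUE` target goes on the INPUT and OUTPUT chains.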