From: Cliff M. <cl...@un...> - 2004-07-09 03:40:32
Thanks, I finally have snort_inline functioning correctly. Now I am trying to log to an external mysql server. I am using the following options to start snort_inline:

snort_inline -Q -i eth0 -I -c /etc/snort_inline/snort_inline.conf

This does not receive any errors, but also does not route the packets for some reason. When I take the mysql line out of the config file, snort_inline works and routes packets:

output database: log, mysql, user=snort host=xx.xx.xx.xx password=xxxx dbname=snort_db

I ran ./configure --with mysql and can successfully log into that database remotely from the snort_inline box using the supplied user and password.

Also, when I do not specify the interface, I receive this error:

Interface is NULL. Name may not be unique for the host

I have also tried using "inline" for the interface.

Any ideas?

Cliff

On Jun 30, 2004, at 11:42 AM, William Metcalf wrote:

> modprobe ip_queue
>
> -j QUEUE
> not
> -j -QUEUE
>
> Regards,
>
> Will
>
> Cliff Massey <cl...@un...>
> Sent by: sno...@li...
> 06/30/2004 01:21 PM
> To: sno...@li...
> cc: sno...@li...
> Subject: Re: [Snort-inline-users] Basic Questions
>
> Thanks for the tip. When I try -j -QUEUE, I receive the error "no such chain/rule by that name". I can see the module loaded using insmod. Do I need to set up a new rule for this?
>
> On Jun 30, 2004, at 11:12 AM, William Metcalf wrote:
>
>> Here is an e-mail I sent to the list a while ago regarding using snort_inline in NAT mode. There is an overabundance of QUEUE statements, but it will give you some idea of what to do.
>>
>> It shouldn't be all that difficult. If you already have a nat firewall, just change the target in your rules from -j ACCEPT to -j QUEUE. Using the QUEUE target snort-inline will look at the traffic. If it is good it will pass it, if it is bad it will drop it. Or let's assume that you have a linux box with two interfaces and you want it to be an ips router. Let's also assume that eth0 is int of the network you want to protect and eth1 is the interface you have plugged into an untrusted network (cable modem etc.....). Something like the iptables script below should suffice. I might have some redundant QUEUE targets, but I wrote and tested this in fifteen minutes. It was dropping bad traffic like a champ. I didn't include any icmp statements, so if you want ping you will have to add it yourself.
>>
>> iptables -F INPUT
>> iptables -F FORWARD
>> iptables -F OUTPUT
>> iptables -t nat -F PREROUTING
>> iptables -t nat -F POSTROUTING
>> iptables -P INPUT DROP
>> iptables -P FORWARD DROP
>> iptables -P OUTPUT ACCEPT
>> # Enable IP forwarding
>> echo "1" > /proc/sys/net/ipv4/ip_forward
>> echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
>> echo "0" > /proc/sys/net/ipv4/conf/all/send_redirects
>> echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
>> echo "1" > /proc/sys/net/ipv4/tcp_syncookies
>> #INPUT
>> #Let firewall talk to itself
>> iptables -A INPUT -i lo -m state --state NEW -j ACCEPT
>> #Allow traffic initiated from this box back in and check for nastiness
>> iptables -A INPUT -m state --state RELATED,ESTABLISHED -j QUEUE
>> #Set up the FORWARD table for NAT
>> iptables -A FORWARD -i eth0 -o eth1 -j QUEUE
>> iptables -A FORWARD -i eth1 -m state --state RELATED,ESTABLISHED -j QUEUE
>> #Setup the NAT rule
>> iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
>>
>> Regards,
>>
>> Will
>>
>> Cliff Massey <cl...@un...>
>> Sent by: sno...@li...
>> 06/30/2004 01:04 PM
>> To: Rob McMillen <ro...@ho...>
>> cc: sno...@li...
>> Subject: Re: [Snort-inline-users] Basic Questions
>>
>> I'm using Fedora Core 2. As far as sending packets to snort_inline, that I'm not quite sure how to do. I read the README, but it really doesn't explain the inline part too well. What is the best way to do that? With a QUEUE chain?
>>
>> Cliff
>>
>> On Jun 30, 2004, at 5:18 AM, Rob McMillen wrote:
>>
>>> What linux distro are you using? How are you sending packets to snort_inline?
>>>
>>> Rob
>>>
>>> On Wed, 30 Jun 2004, Cliff Massey wrote:
>>>
>>>> Date: Wed, 30 Jun 2004 00:35:51 -0700
>>>> From: Cliff Massey <cl...@un...>
>>>> To: sno...@li...
>>>> Subject: [Snort-inline-users] Basic Questions
>>>>
>>>> Hi,
>>>>
>>>> I was wondering if it is possible to get snort_inline to work with my current configuration. I'm using the linux 2.6 kernel & iptables with a basic nat setup between two interfaces. I can pick up alerts when running it in sniffer mode, although I can't when running in ids mode. The ip_queue module is loading correctly as I don't receive an error when using the -Q option.
>>>>
>>>> Any help would be appreciated.
>>>>
>>>> Cliff Massey
>>>>
>>>> -------------------------------------------------------
>>>> This SF.Net email sponsored by Black Hat Briefings & Training.
>>>> Attend Black Hat Briefings & Training, Las Vegas July 24-29 -
>>>> digital self defense, top technical experts, no vendor pitches,
>>>> unmatched networking opportunities. Visit www.blackhat.com
>>>> _______________________________________________
>>>> Snort-inline-users mailing list
>>>> Sno...@li...
>>>> https://lists.sourceforge.net/lists/listinfo/snort-inline-users
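The ruleset Will posted, rewritten as an added example (it is not part of the thread and not snort_inline's own code) so that it can be reviewed before it touches a live firewall. It keeps the thread's assumptions: eth0 is the interface on the protected network, eth1 faces the untrusted network, and snort_inline is fed through the ip_queue QUEUE target. The interface names are parameters, every command is printed first and only executed when APPLY=1, and the QUEUE target is spelled out once in a comment because the "-j -QUEUE" typo from the thread makes iptables look for a chain literally named "-QUEUE", which is the "no such chain" error reported above.

```shell
#!/bin/sh
# Added example, not from the thread: Will's IPS-router ruleset as a
# reviewable script. Assumptions: $1 = protected-side interface (eth0 in
# the thread), $2 = untrusted-side interface (eth1), ip_queue feeds
# snort_inline. Dry run by default; APPLY=1 executes the commands.

IPT="${IPT:-iptables}"

# Print a command, and execute it only when APPLY=1.
run() {
    echo "$*"
    if [ "${APPLY:-0}" = "1" ]; then
        "$@"
    fi
}

# Print a /proc write, and perform it only when APPLY=1.
set_sysctl() {
    echo "echo $2 > $1"
    if [ "${APPLY:-0}" = "1" ]; then
        echo "$2" > "$1"
    fi
}

# snort_inline_rules LAN_IF WAN_IF: emit (and optionally apply) the ruleset.
snort_inline_rules() {
    lan="$1"
    wan="$2"

    # The QUEUE target has no effect until the ip_queue module is loaded.
    run modprobe ip_queue

    # Start from a clean slate; default-deny inbound and forwarded traffic.
    run "$IPT" -F INPUT
    run "$IPT" -F FORWARD
    run "$IPT" -F OUTPUT
    run "$IPT" -t nat -F PREROUTING
    run "$IPT" -t nat -F POSTROUTING
    run "$IPT" -P INPUT DROP
    run "$IPT" -P FORWARD DROP
    run "$IPT" -P OUTPUT ACCEPT

    # Forwarding on; source routing and redirects off; SYN cookies on.
    set_sysctl /proc/sys/net/ipv4/ip_forward 1
    set_sysctl /proc/sys/net/ipv4/conf/all/accept_source_route 0
    set_sysctl /proc/sys/net/ipv4/conf/all/send_redirects 0
    set_sysctl /proc/sys/net/ipv4/conf/all/accept_redirects 0
    set_sysctl /proc/sys/net/ipv4/tcp_syncookies 1

    # INPUT: the box may talk to itself; replies to its own connections
    # are inspected by snort_inline (QUEUE) instead of being ACCEPTed.
    run "$IPT" -A INPUT -i lo -m state --state NEW -j ACCEPT
    run "$IPT" -A INPUT -m state --state RELATED,ESTABLISHED -j QUEUE

    # FORWARD: LAN -> WAN traffic and the replies coming back both go to
    # snort_inline. The target is QUEUE, not "-QUEUE": with a leading
    # dash iptables looks for a chain of that name and fails.
    run "$IPT" -A FORWARD -i "$lan" -o "$wan" -j QUEUE
    run "$IPT" -A FORWARD -i "$wan" -m state --state RELATED,ESTABLISHED -j QUEUE

    # NAT: masquerade outbound traffic behind the untrusted-side interface.
    run "$IPT" -t nat -A POSTROUTING -o "$wan" -j MASQUERADE
}

# Number of rules that hand packets to QUEUE: if this is 0, snort_inline
# started with -Q has nothing to inspect, whatever its config says.
queue_rule_count() {
    snort_inline_rules "$1" "$2" | grep -c -- '-j QUEUE$'
}

# Usage: ./ips-rules.sh eth0 eth1 to review, APPLY=1 ./ips-rules.sh eth0 eth1
# to apply, then start snort_inline with the -Q option as in the thread.
if [ "${1:-}" != "" ]; then
    snort_inline_rules "$1" "${2:-eth1}"
fi
```

The dry run is the point: a firewall script that flushes chains and sets DROP policies should be read in full before it runs, and printing the exact commands also makes it easy to spot a mistyped target. The kernel facts in the script are the ones from Will's mail; on kernels newer than the 2.6 series discussed here the ip_queue module no longer exists and the kernel-side equivalent is the NFQUEUE target, so the script as written applies to the era of the thread.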