Re: [Snort-inline-users] Basic Questions

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 422-6466

I FINALLY got it to work!

I ended up setting the FORWARD rule to the alias IP instead of eth0.

  However, there is a trade off, by specifying the interface when=20
starting snort (-i eth0 -I), it doesn't log incoming packets :(

I'm going to try changing plugbase.c and see what happens.

On Jul 9, 2004, at 11:30 AM, William Metcalf wrote:

> oops! your right, it was 2:30 in the morning and well...... : - ).=20
> Have yet to hear from cliff today, I made a couple of other suggestion=20=

> over irc.
>
>  Regards,
>
>  Will
> <image.tiff>Earl <uno...@ya...>
>
>
>
>
> Earl <uno...@ya...>
> Sent by: sno...@li...
>
> 07/09/2004 01:22 PM
>
> <image.tiff>
>
> To
> <image.tiff>
> Victor Julien <vi...@nk...>, William Metcalf=20
> <Wil...@kc...>
>
> <image.tiff>
>
> cc
> <image.tiff>
> Cliff Massey <cl...@un...>, sno...@li...
>
> <image.tiff>
>
> Subject
> <image.tiff>
> Re: [Snort-inline-users] Basic Questions
>
> <image.tiff><image.tiff>
> Isn't "=3D" for assignemnt and "=3D=3D" for comparison?
>
>  If so then (pv.interface =3D NULL) is true for all
>  non-zero values of "NULL", right?
>
>  Earl
>
>  PS: I didnt actually see "=3D" being used as a
>  comparison operator in the actual code...
>
>
>  --- Victor Julien <vi...@nk...> wrote:
>  > On Friday 09 July 2004 15:30, William Metcalf wrote:
>  > > Yep that's how i wrote it : - ).
>  >
>  > Okay, but what is the difference between:
>  >
>  > if (InlineMode())
>  >
>  > and
>  >
>  > =A0if((InlineMode()) && (pv.interface =3D NULL))
>  >
>  > if you are already sure pv.interface is NULL??
>  >
>  > Please enlighten me : - )
>  >
>  > Victor
>  >
>  > >
>  > > Regards,
>  > >
>  > > Will
>  > >
>  > >
>  > >
>  > > =A0 =A0 =A0 =A0 =A0 =A0 =A0Victor Julien
>  > > =A0 =A0 =A0 =A0 =A0 =A0 =A0<vi...@nk...>
>  > > =A0 =A0 =A0 =A0 =A0 =A0 =A0Sent by: =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0=
 =A0 =A0 =A0 =A0 =A0 =A0
>  > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0To
>  > > =A0 =A0 =A0 =A0 =A0 =A0 =A0snort-inline-user =A0 =A0 =A0 =A0
>  > sno...@li...urceforg
>  > > =A0 =A0 =A0 =A0 =A0 =A0 =A0s...@li...u =A0 =A0 =A0 =A0 =
e.net
>  > > =A0 =A0 =A0 =A0 =A0 =A0 =A0rceforge.net =A0 =A0 =A0 =A0 =A0 =A0 =A0=
 =A0 =A0 =A0 =A0 =A0
>  > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0cc
>  > > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0=
 =A0 =A0 =A0William
>  > Metcalf
>  > > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0=
 =A0 =A0
>  > <Wil...@kc...>, Cliff
>  > > =A0 =A0 =A0 =A0 =A0 =A0 =A007/09/2004 03:54 =A0 =A0 =A0 =A0 =
=A0Massey
>  > <cl...@un...>
>  > > =A0 =A0 =A0 =A0 =A0 =A0 =A0AM =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =
=A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0
>  > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 Subject
>  > > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0=
 =A0 =A0 =A0Re:
>  > [Snort-inline-users] Basic
>  > > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0=
 =A0 =A0 =A0Questions
>  > >
>  > >
>  > >
>  > >
>  > >
>  > >
>  > >
>  > >
>  > >
>  > >
>  > > If i see it correct, the code on line 357 can only
>  > be reached if
>  > > pv.interface
>  > > is already NULL...
>  > >
>  > > On Friday 09 July 2004 09:50, William Metcalf
>  > wrote:
>  > > > I forgot that you are trying to do NAT mode...
>  > The error comes out of
>  > > > plugbase.c why it thinks you have yet to specify
>  > an interface i'm not
>  > >
>  > > sure.
>  > >
>  > > > Just for grins try changing line 357 in
>  > spo_database.c from
>  > > >
>  > > > if (InlineMode())
>  > > >
>  > > > to
>  > > >
>  > > > if((InlineMode()) && (pv.interface =3D NULL))
>  > > >
>  > > > I'm not sure what difference this will make as
>  > via the command line
>  > > > switches you sent you are specifying an
>  > interface and the original if
>  > > > statement is only called if escapedinterface
>  > can't be filled by what you
>  > > > specified on the command line but give it a shot
>  > anyway.
>  > > >
>  > > > Regards,
>  > > >
>  > > > Will
>  > >
>  > >
>  >
>  -------------------------------------------------------
>  > > This SF.Net email sponsored by Black Hat Briefings
>  > & Training.
>  > > Attend Black Hat Briefings & Training, Las Vegas
>  > July 24-29 -
>  > > digital self defense, top technical experts, no
>  > vendor pitches,
>  > > unmatched networking opportunities. Visit
>  > www.blackhat.com
>  > > _______________________________________________
>  > > Snort-inline-users mailing list
>  > > Sno...@li...
>  > >
>  >
> https://lists.sourceforge.net/lists/listinfo/snort-inline-users
>  >
>  >
>  >
>  -------------------------------------------------------
>  > This SF.Net email sponsored by Black Hat Briefings &
>  > Training.
>  > Attend Black Hat Briefings & Training, Las Vegas
>  > July 24-29 -
>  > digital self defense, top technical experts, no
>  > vendor pitches,
>  > unmatched networking opportunities. Visit
>  > www.blackhat.com
>  > _______________________________________________
>  > Snort-inline-users mailing list
>  > Sno...@li...
>  >
> https://lists.sourceforge.net/lists/listinfo/snort-inline-users
>  >
>
>
>
>
>
>  __________________________________
>  Do you Yahoo!?
>  Yahoo! Mail - 50x more storage than other providers!
> http://promotions.yahoo.com/new_mail
>
>
>  -------------------------------------------------------
>  This SF.Net email sponsored by Black Hat Briefings & Training.
>  Attend Black Hat Briefings & Training, Las Vegas July 24-29 -
>  digital self defense, top technical experts, no vendor pitches,
>  unmatched networking opportunities. Visit www.blackhat.com
>  _______________________________________________
>  Snort-inline-users mailing list
>  Sno...@li...
> https://lists.sourceforge.net/lists/listinfo/snort-inline-users
>
>