From: James A. P. <ja...@pc...> - 2004-11-18 23:56:54
William Metcalf wrote:
| Try using the state tracking mechanisms we built into 2.2.0a. We
| accomplished this by using marks in iptables and arguments to stream4.
| Something like:
|
| /usr/local/sbin/iptables -t mangle -A FORWARD -p tcp --syn -m state --state NEW -j MARK --set-mark 1
| /usr/local/sbin/iptables -t mangle -A FORWARD -p tcp -m state --state ESTABLISHED -j MARK --set-mark 2
| /usr/local/sbin/iptables -I FORWARD -m mark --mark 1 -j QUEUE
| /usr/local/sbin/iptables -I FORWARD -m mark --mark 2 -j QUEUE
| /usr/local/sbin/iptables -I FORWARD -p udp -j QUEUE
| /usr/local/sbin/iptables -I FORWARD -p icmp -j QUEUE
|
| And then modify the stream4 line to read:
|
| preprocessor stream4: disable_evasion_alerts, iptablesnewmark, iptablesestmark, forceiptstate
| preprocessor stream4_reassemble: both

I was hoping to not have to use the new iptables stuff since I'm currently using my PCXFirewall code (http://pcxfirewall.sf.net/) and my firewall frontend doesn't support specifying custom marks yet. Shouldn't the old way still work fine? If so, were the old stream4 and stream4_reassemble preprocessor entries correct for 2.2.0a?

| In addition I don't see anything in your conf regarding http_inspect; if
| you are going to be matching rules that have uricontent in them you are
| going to need the following.
|
| preprocessor http_inspect: global \
| iis_unicode_map unicode.map 1252
|
| preprocessor http_inspect_server: server default \
| profile all ports { 80 8080 8180 } oversize_dir_length 500 \
| no_alerts

I had added that in from the newer config file, and after updating to the 2.2 series rules I started seeing a bunch of http drops in regards to unknown protocol and DOUBLE ENCODE (or something similar - from memory) hits, which I had not seen using the 2.1.1 codebase.

-- 
James A. Pattie
ja...@pc...
Linux -- SysAdmin / Programmer
Xperience, Inc.
http://www.pcxperience.org/
GPG Key Available at http://www.pcxperience.com/gpgkeys/james.html
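The mark-and-queue rule set quoted above only works as intended if the marks set in the mangle table are the ones stream4 expects (1 for NEW, 2 for ESTABLISHED) and if the QUEUE rules end up in the right place in the FORWARD chain. The script below is an added example written for this page, not code from the thread or from snort_inline or PCXFirewall: it wraps the posted rules in a function with a dry-run default (IPT is assumed to be `echo` unless you point it at the iptables binary, the /usr/local/sbin/iptables path being the one from the post), and it simulates how the four `-I FORWARD` inserts stack up, since each `-I` prepends and the last command issued becomes the first rule matched.

```sh
#!/bin/sh
# Added example (not from the original thread). Reproduces the mark-and-queue
# rule set from the quoted post with a dry-run mode, and simulates the final
# FORWARD chain order so the effect of -I versus -A is visible.
#
# IPT defaults to a dry-run that only prints the commands. Set
# IPT=/usr/local/sbin/iptables (the path assumed from the post) to apply them.
IPT="${IPT:-echo /usr/local/sbin/iptables}"

NEW_MARK=1   # mark for NEW (SYN) packets; stream4's iptablesnewmark expects this value
EST_MARK=2   # mark for ESTABLISHED packets; stream4's iptablesestmark expects this value

# apply_rules: the posted rule set, parameterised only by the two mark values.
apply_rules() {
    # mangle table: tag TCP packets according to conntrack state
    $IPT -t mangle -A FORWARD -p tcp --syn -m state --state NEW -j MARK --set-mark "$NEW_MARK"
    $IPT -t mangle -A FORWARD -p tcp -m state --state ESTABLISHED -j MARK --set-mark "$EST_MARK"
    # filter table: hand marked TCP, plus all UDP and ICMP, to the QUEUE target
    $IPT -I FORWARD -m mark --mark "$NEW_MARK" -j QUEUE
    $IPT -I FORWARD -m mark --mark "$EST_MARK" -j QUEUE
    $IPT -I FORWARD -p udp -j QUEUE
    $IPT -I FORWARD -p icmp -j QUEUE
}

# simulate_chain: reads lines of the form "<A|I> <rule text>" on stdin and
# replays them against an empty chain, A appending and I inserting at the
# head, then prints the resulting rule order one per line (the order
# `iptables -L FORWARD` would show).
simulate_chain() {
    chain=""
    while read -r op rule; do
        case "$op" in
            A) chain="${chain}${rule}
" ;;
            I) chain="${rule}
${chain}" ;;
        esac
    done
    printf '%s' "$chain"
}

# forward_order: the four filter-table inserts from apply_rules, simulated.
forward_order() {
    simulate_chain <<EOF
I mark $NEW_MARK QUEUE
I mark $EST_MARK QUEUE
I udp QUEUE
I icmp QUEUE
EOF
}

# first_forward_rule: the rule that ends up at the top of FORWARD.
first_forward_rule() {
    forward_order | head -n 1
}

# Stand-alone run: show the commands (dry-run) and the simulated chain order.
apply_rules
echo "--- simulated FORWARD order ---"
forward_order
```

Because every filter rule is added with `-I`, the chain the kernel walks is icmp, udp, mark 2, mark 1, in that order; anything inserted at the head later (by a frontend, or by hand) lands in front of all of them, which is worth checking with `iptables -L FORWARD -n` after the rules are loaded.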