From: Nick R. <ni...@ro...> - 2005-01-04 18:00:46
On Tue, 4 Jan 2005, Christopher Black wrote:

> On Mon, 2005-01-03 at 19:44, Nick Rogness wrote:
>> On Mon, 3 Jan 2005, Christopher Black wrote:
>>
>>> On Mon, 2005-01-03 at 14:55, Nick Rogness wrote:
>>>> On Mon, 3 Jan 2005, Christopher Black wrote:
>>>>
>>>>> List,
>>>>>
>>>>> I'm running freebsd 4.10 on a system configured with no IPs, bridging
>>>>> between two interfaces. The network works fine if diverting is
>>>>> disabled, but when packets are diverted to snort_inline, snort never
>>>>> appears to receive them. Has anyone seen this before?
>>>>
>>>> What is the output of:
>>>>
>>>> root# sysctl net.link.ether.bridge.ipfw
>>>>
>>>>
>>>> Nick Rogness <ni...@ro...>
>>>> -
>>>> How many people here have telekinetic powers? Raise my hand.
>>>> -Emo Philips
>>>
>>> bash-2.05b# sysctl -a | grep net.link.ether.bridge
>>> net.link.ether.bridge_cfg: sis0,sis1
>>> net.link.ether.bridge: 1
>>> net.link.ether.bridge_ipfw: 1
>>> ...
>>>
>>> The bridging part itself is working fine, until I divert the packets to
>>> snort. The one command 'ipfw add divert 6666 all from any to any' (6666
>>> being the port I put snort on) causes a complete loss of throughput.
>>> Snort is never receiving them, as debug statements in the main loop of
>>> inline.c report. Is there a special bridging (as opposed to inline)
>>> mode to enable?
>>
>> No, snort_inline is unaware of anything in the lower layers, e.g.
>> bridging vs routing. The divert socket is just a socket, not much
>> different than a standard TCP socket.
>>
>> I've never done bridging+IPFW before on FreeBSD. What happens if
>> you divert to say natd as a test? Is this on FreeBSD 5.3 again?
>>
>
> This was on FreeBSD 4.10. Since I'm under a fairly tight deadline, I
> had to revert to just doing NAT on that box. I will try this out later
> though. Is there a special way to create a divert socket from a
> userland application to just test to see what's hitting the socket?

Yes. You can simply take the code out of any standard divert userland app
(such as tcpmssd or natd) and use it to read/write without changing the
packet. I'm putting together a set of test tools to do this.

Nick Rogness <ni...@ro...>
-
How many people here have telekinetic powers? Raise my hand.
-Emo Philips
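The kind of bare divert read/write tool Nick describes, as an added example (not code from the thread, natd or tcpmssd): it binds the divert port from Christopher's ipfw rule, prints a one-line summary of each packet the kernel hands it, and writes the packet back unchanged so the bridge keeps passing traffic. It assumes a FreeBSD host where IPPROTO_DIVERT exists; the sample packet in demo_summary() is constructed so the summary routine can be checked without a divert socket.

```c
/* Added example, not from the thread: a minimal userland divert tool modelled on what
 * natd/tcpmssd do. It reads each packet that "ipfw add divert 6666 all from any to any"
 * hands it, prints a one-line summary and reinjects it unchanged (FreeBSD only). */
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

#define DIVERT_PORT 6666   /* the port Christopher put snort_inline on */
/* Describe an IPv4 packet; returns its protocol number, or -1 if not a full IPv4 header. */
int summarize_ipv4(const unsigned char *pkt, size_t len, char *out, size_t outlen)
{
    if (len < 20 || (pkt[0] >> 4) != 4 || len < (size_t)(pkt[0] & 0x0f) * 4) return -1;
    char src[INET_ADDRSTRLEN], dst[INET_ADDRSTRLEN];
    inet_ntop(AF_INET, pkt + 12, src, sizeof src);
    inet_ntop(AF_INET, pkt + 16, dst, sizeof dst);
    snprintf(out, outlen, "proto=%d %s -> %s len=%u", pkt[9], src, dst,
             (unsigned)((pkt[2] << 8) | pkt[3]));
    return pkt[9];
}

/* Constructed sample (no divert socket needed): TCP/IPv4 header 10.0.0.1 -> 10.0.0.2. */
const char *demo_summary(void)
{
    static char line[96];
    unsigned char pkt[20] = { 0x45, 0, 0, 40, 0, 0, 0x40, 0, 64, 6, 0, 0,
                              10, 0, 0, 1, 10, 0, 0, 2 };
    summarize_ipv4(pkt, sizeof pkt, line, sizeof line);
    return line;
}
#ifdef IPPROTO_DIVERT
int main(void)
{
    int fd = socket(PF_INET, SOCK_RAW, IPPROTO_DIVERT);
    struct sockaddr_in sin = { .sin_family = AF_INET, .sin_port = htons(DIVERT_PORT) };
    if (fd < 0 || bind(fd, (struct sockaddr *)&sin, sizeof sin) < 0) { perror("divert"); return 1; }
    unsigned char buf[65535]; char line[96];
    for (;;) {
        struct sockaddr_in from; socklen_t fl = sizeof from;
        ssize_t n = recvfrom(fd, buf, sizeof buf, 0, (struct sockaddr *)&from, &fl);
        if (n < 0) { perror("recvfrom"); return 1; }
        summarize_ipv4(buf, (size_t)n, line, sizeof line);
        /* sin_addr is INADDR_ANY for outgoing packets; sendto with the same sockaddr reinjects */
        printf("%s %s\n", from.sin_addr.s_addr == INADDR_ANY ? "out" : "in ", line);
        if (sendto(fd, buf, (size_t)n, 0, (struct sockaddr *)&from, fl) < 0) perror("sendto");
    }
}
#endif
```

If the counter in the loop never moves while the bridge stalls, the packets are not reaching the divert socket at all, which separates a kernel-side bridge/ipfw problem from anything inside snort_inline.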