From: Craig M. <cmu...@al...> - 2005-02-28 18:32:55
Hello:

I've been trying to get snort_inline 2.3.0RC1 running on FreeBSD 5.2-RELEASE. It seems to start OK according to /var/log/messages, yet the process is not running and no logging occurs.

I have IPDIVERT enabled in the kernel.

rc.conf:

  gateway_enable="YES"
  natd_enable="YES"
  natd_interface="dc0"
  natd_flags="-p 7500"
  firewall_enable="YES"

ipfw divert rules:

  ipfw add 1000 divert 7500 tcp from any to any in via dc0

snort_inline built with --enable-inline --enable-ipfw

When starting:

  snort_inline -D -J 7500 -I dc0 -c snort_inline.conf

/var/log/messages shows:

  Feb 28 11:09:39 cm-top snort_inline: Reading from ipfw divert socket
  Feb 28 11:09:39 cm-top snort_inline: IPFW Divert port set to: 7500
  Feb 28 11:09:39 cm-top snort_inline: Initializing daemon mode
  Feb 28 11:09:39 cm-top snort_inline: PID path stat checked out ok, PID path set to /var/run/
  Feb 28 11:09:39 cm-top snort_inline: Writing PID "33552" to file "/var/run//snort_inline.pid"
  Feb 28 11:09:39 cm-top snort_inline: Parsing Rules file /usr/local/snort_inline-2.3.0/etc/snort_inline.conf
  Feb 28 11:09:39 cm-top snort_inline: ,-----------[Flow Config]----------------------
  Feb 28 11:09:39 cm-top snort_inline: | Stats Interval: 0
  Feb 28 11:09:39 cm-top snort_inline: | Hash Method: 2
  Feb 28 11:09:39 cm-top snort_inline: | Memcap: 10485760
  Feb 28 11:09:39 cm-top snort_inline: | Rows : 4099
  Feb 28 11:09:39 cm-top snort_inline: | Overhead Bytes: 16400(%0.16)
  Feb 28 11:09:39 cm-top snort_inline: `----------------------------------------------
  Feb 28 11:09:39 cm-top snort_inline: HttpInspect Config:
  Feb 28 11:09:39 cm-top snort_inline: GLOBAL CONFIG
  Feb 28 11:09:39 cm-top snort_inline: Max Pipeline Requests: 0
  Feb 28 11:09:39 cm-top snort_inline: Inspection Type: STATELESS
  Feb 28 11:09:39 cm-top snort_inline: Detect Proxy Usage: NO
  Feb 28 11:09:39 cm-top snort_inline: IIS Unicode Map Filename: /usr/local/snort_inline-2.3.0/etc/unicode.map
  Feb 28 11:09:39 cm-top snort_inline: IIS Unicode Map Codepage: 1252
  Feb 28 11:09:39 cm-top snort_inline: DEFAULT SERVER CONFIG:
  Feb 28 11:09:39 cm-top snort_inline: Ports: 80 8080 8180
  Feb 28 11:09:39 cm-top snort_inline: Flow Depth: 300
  Feb 28 11:09:39 cm-top snort_inline: Max Chunk Length: 500000
  Feb 28 11:09:39 cm-top snort_inline: Inspect Pipeline Requests: YES
  Feb 28 11:09:39 cm-top snort_inline: URI Discovery Strict Mode: NO
  Feb 28 11:09:39 cm-top snort_inline: Allow Proxy Usage: NO
  Feb 28 11:09:39 cm-top snort_inline: Disable Alerting: NO
  Feb 28 11:09:39 cm-top snort_inline: Oversize Dir Length: 500
  Feb 28 11:09:39 cm-top snort_inline: Only inspect URI: NO
  Feb 28 11:09:39 cm-top snort_inline: Ascii: YES alert: NO
  Feb 28 11:09:39 cm-top snort_inline: Double Decoding: YES alert: YES
  Feb 28 11:09:39 cm-top snort_inline: %U Encoding: YES alert: YES
  Feb 28 11:09:39 cm-top snort_inline: Bare Byte: YES alert: YES
  Feb 28 11:09:39 cm-top snort_inline: Base36: OFF
  Feb 28 11:09:39 cm-top snort_inline: UTF 8: OFF
  Feb 28 11:09:39 cm-top snort_inline: IIS Unicode: YES alert: YES
  Feb 28 11:09:39 cm-top snort_inline: Multiple Slash: YES alert: NO
  Feb 28 11:09:39 cm-top snort_inline: IIS Backslash: YES alert: NO
  Feb 28 11:09:39 cm-top snort_inline: Directory Traversal: YES alert: NO
  Feb 28 11:09:39 cm-top snort_inline: Web Root Traversal: YES alert: YES
  Feb 28 11:09:39 cm-top snort_inline: Apache WhiteSpace: YES alert: NO
  Feb 28 11:09:39 cm-top snort_inline: IIS Delimiter: YES alert: NO
  Feb 28 11:09:39 cm-top snort_inline: IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
  Feb 28 11:09:39 cm-top snort_inline: Non-RFC Compliant Characters: NONE
  Feb 28 11:09:39 cm-top snort_inline: rpc_decode arguments:
  Feb 28 11:09:39 cm-top snort_inline: Ports to decode RPC on: 111 32771
  Feb 28 11:09:39 cm-top snort_inline: alert_fragments: INACTIVE
  Feb 28 11:09:39 cm-top snort_inline: alert_large_fragments: ACTIVE
  Feb 28 11:09:39 cm-top snort_inline: alert_incomplete: ACTIVE
  Feb 28 11:09:39 cm-top snort_inline: Warning: flowbits key 'realplayer.playlist' is checked but not ever set.
  Feb 28 11:09:39 cm-top snort_inline:
  Feb 28 11:09:39 cm-top snort_inline: +-----------------------[thresholding-config]----------------------------------
  Feb 28 11:09:39 cm-top snort_inline: | memory-cap : 1048576 bytes
  Feb 28 11:09:39 cm-top snort_inline: +-----------------------[thresholding-global]----------------------------------
  Feb 28 11:09:39 cm-top snort_inline: | none
  Feb 28 11:09:39 cm-top snort_inline: +-----------------------[thresholding-local]-----------------------------------
  Feb 28 11:09:39 cm-top snort_inline: | gen-id=1 sig-id=2523 type=Both tracking=dst count=10 seconds=10
  Feb 28 11:09:39 cm-top snort_inline: | gen-id=1 sig-id=2495 type=Both tracking=dst count=20 seconds=60
  Feb 28 11:09:39 cm-top snort_inline: | gen-id=1 sig-id=2923 type=Threshold tracking=dst count=10 seconds=60
  Feb 28 11:09:39 cm-top snort_inline: | gen-id=1 sig-id=2275 type=Threshold tracking=dst count=5 seconds=60
  Feb 28 11:09:39 cm-top snort_inline: | gen-id=1 sig-id=2494 type=Both tracking=dst count=20 seconds=60
  Feb 28 11:09:39 cm-top snort_inline: | gen-id=1 sig-id=2496 type=Both tracking=dst count=20 seconds=60
  Feb 28 11:09:39 cm-top snort_inline: | gen-id=1 sig-id=2924 type=Threshold tracking=dst count=10 seconds=60
  Feb 28 11:09:39 cm-top snort_inline: | none
  Feb 28 11:09:40 cm-top snort_inline: Snort initialization completed successfully (pid=33552)

**** Yet snort_inline is not running; a ps -auxw shows no PID for snort_inline. No core dumps.

Any suggestions would be greatly appreciated...

-- 
Craig Mueller CISSP
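The checks a responder would run against the setup in the post, written up as a small diagnostic script. This is an added example, not code from the post or from the snort_inline project. It takes the post's values as given (pidfile /var/run/snort_inline.pid, divert port 7500, interface dc0, and the same "-p 7500" in natd_flags that snort_inline is started with as "-J 7500") and makes two assumptions of its own: that `ipfw list` prints rules as "NNNNN divert PORT proto from ... [in|out] via IFACE", and that a divert port is owned by one listener, so two daemons configured for the same port are worth flagging before anything else. The helper functions take their input as arguments so they can be exercised offline; only the block at the end touches the live system, and it runs only where ipfw exists.

```shell
#!/bin/sh
# Added diagnostic for a snort_inline + ipfw divert setup (not from the post
# or from snort_inline). Helpers take their input as arguments so they run
# offline; the live checks at the bottom run only on a host that has ipfw.

# pidfile_pid FILE: print the PID recorded in FILE (digits only); fail if unreadable.
pidfile_pid() {
    [ -r "$1" ] || return 1
    tr -cd '0-9' < "$1"
}

# pid_alive PID: succeed if a process with that PID exists. kill -0 sends no
# signal; it only asks the kernel whether the target is present and signalable.
pid_alive() {
    [ -n "$1" ] && kill -0 "$1" 2>/dev/null
}

# divert_rules RULES PORT IFACE: scan `ipfw list` output (passed in as RULES)
# and print which directions are diverted to PORT for IFACE, one per line.
# "divert 7500 tcp from any to any in via dc0" yields "in" only: packets
# leaving via dc0 never reach the divert socket under that rule. A rule with
# neither "in" nor "out" diverts both directions and prints both.
# Assumed output format: "NNNNN divert PORT proto from ... [in|out] via IFACE".
divert_rules() {
    printf '%s\n' "$1" | awk -v port="$2" -v iface="$3" '
        $2 == "divert" && $3 == port &&
        (index($0, "via " iface) > 0 || $0 !~ /via/) {
            if ($0 ~ /(^| )in( |$)/)       print "in"
            else if ($0 ~ /(^| )out( |$)/) print "out"
            else { print "in"; print "out" }
        }'
}

# divert_port_conflict NATD_FLAGS SNORT_ARGS: succeed when natd's "-p PORT"
# names the same divert port as snort_inline's "-J PORT". Assumption: a divert
# port is owned by one listener, so this is a misconfiguration to flag first.
divert_port_conflict() {
    natd_port=$(printf '%s\n' "$1" | sed -n 's/.*-p *\([0-9][0-9]*\).*/\1/p')
    snort_port=$(printf '%s\n' "$2" | sed -n 's/.*-J *\([0-9][0-9]*\).*/\1/p')
    [ -n "$natd_port" ] && [ "$natd_port" = "$snort_port" ]
}

# Live checks, using the post's values (pidfile, port 7500, interface dc0).
# Override the snort_inline arguments with SNORT_ARGS if they differ.
if command -v ipfw >/dev/null 2>&1; then
    snort_args="${SNORT_ARGS:--D -J 7500 -I dc0}"
    pid=$(pidfile_pid /var/run/snort_inline.pid)
    if pid_alive "$pid"; then
        echo "snort_inline pid $pid is running"
    else
        echo "pidfile pid '$pid' is not running: the daemon exited after writing it"
    fi
    dirs=$(divert_rules "$(ipfw list)" 7500 dc0 | tr '\n' ' ')
    echo "divert 7500 on dc0 covers: ${dirs:-no direction (rule missing)}"
    natd_flags=$(. /etc/rc.conf >/dev/null 2>&1; printf '%s' "$natd_flags")
    if divert_port_conflict "$natd_flags" "$snort_args"; then
        echo "natd_flags '$natd_flags' and snort_inline '$snort_args' name the same divert port"
    fi
fi
```

Run it as root on the FreeBSD host after starting snort_inline; a stale pidfile, a divert rule that only covers one direction, and a port shared with natd are each reported on their own line, so the output can be pasted back into a follow-up without the rest of the syslog.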