From: Will M. <wil...@gm...> - 2005-03-12 22:10:59

> 1. I know for inline we have to use the snort_inline.conf. But why is the
> snort.conf also in the /etc/ directory when you unpack snort_inline?

snort_inline is a patch to the vanilla snort code, we don't remove any files from the original source, just add/modify them.

> What do we need that for?

see above...

> I'm guessing we can run two instances of snort, and
> reference snort_inline.conf for the blocking ruleset, and reference the 2nd
> instance of snort for alerting or traffic sniffing (for honeynet) purposes?

yeah you can.

> But if this is the case, wouldn't we have to install regular snort for the
> 2nd instance?

no, you can use the snort_inline executable.

> Can snort_inline be used and act like regular snort if called with snort.conf?

yeah but remember kids, currently only one userspace app can hook into ip_queue

> 2. I read the Honeynet GenII paper, which talks about how to setup the
> rc.firewall.script. It is straight forward. I do not see anything in
> snort_inline.conf that references rc.firewall.script. I assume you have to
> run the script first, then run snort_inline. What command do you use to
> invoke rc.firewall.script?

errr ./rc.firewall

> 3. I also would like to use the snort_inline startup script. What do I
> need to do to use that as well?

./snort.sh

> Am I correct if I say the 2.6 kernel does not need a patch because bridging
> and iptables working together is built into the new kernels?

yes, you are correct....

> Can I just have snort_inline use
> the unified binary output plugin for the fastest speed?

yeah

> Then use Barnyard to gather logs and output to database?

should be fine

> I would like to test
> snort_inline in a gigabit+ environment.

cool, let us know how it does. I fear that context switching in ip_queue is going to kill performance.

Regards,
Will

On Sun, 6 Mar 2005 22:37:13 -0500, Peter J Manis <pm...@co...> wrote:
> I've done tons of reading and research so these questions are not being asked
> blind.
>
> 1. I know for inline we have to use the snort_inline.conf. But why is the
> snort.conf also in the /etc/ directory when you unpack snort_inline? What
> do we need that for? I'm guessing we can run two instances of snort, and
> reference snort_inline.conf for the blocking ruleset, and reference the 2nd
> instance of snort for alerting or traffic sniffing (for honeynet) purposes?
> But if this is the case, wouldn't we have to install regular snort for the
> 2nd instance? Can snort_inline be used and act like regular snort if called
> with snort.conf?
>
> 2. I read the Honeynet GenII paper, which talks about how to setup the
> rc.firewall.script. It is straight forward. I do not see anything in
> snort_inline.conf that references rc.firewall.script. I assume you have to
> run the script first, then run snort_inline. What command do you use to
> invoke rc.firewall.script?
>
> 3. I also would like to use the snort_inline startup script. What do I
> need to do to use that as well?
>
> 4. I am using a 2.6 kernel (Fedora 3). I read through all of the bridging
> how to docs, and confirm I have the bridging packages installed properly in
> the kernel. I read about possibly needing some patches to allow bridging to
> work with iptables. The bridging website did not have any patches, and
> mentioned not worrying if you are using new 2.4 and 2.6 kernels. I just
> want to double-check since I'm asking all these questions anyway. Am I
> correct if I say the 2.6 kernel does not need a patch because bridging
> and iptables working together is built into the new kernels?
>
> 5. The output methods for snort_inline.conf are:
> alert_fast
> alert_full
> alert_fast gives you limited information, and alert_full slows Snort down a
> lot. I believe both these plugins ask snort to do some extra work to
> convert from binary to ascii and log it. Can I just have snort_inline use
> the unified binary output plugin for the fastest speed? Then use Barnyard
> to gather logs and output to database?
>
> I would like to test snort_inline in a gigabit+ environment.
>
> Thanks
>
> Peter