From: Pravin <shi...@gm...> - 2006-10-09 08:11:10
Thanks Adam, I compiled snort with the "-fno-strict-aliasing" option, and it is working fine now.

On 10/6/06, Adam Keeton <ak...@so...> wrote:
> Run Snort with "-k none", if you start getting TCP packets, then the
> checksums are failing.
>
> FC 5 comes with GCC 4.x.x. In GCC 4.x.x, (and, potentially, late
> versions of the 3 series), optimizations were re-worked. Snort compiles
> with optimization level 2, which now assumes strict aliasing by
> default. The resulting optimizations break the TCP checksumming code.
> The solution is to compile Snort with "-fno-strict-aliasing".
>
> If you check out the latest Snort from CVS, or download the beta, the
> configure script will take care of it for you. If you want to stick

Is the beta that you are referring to "snort_inline-2.4.5a"? Because I downloaded it, but it didn't work.

> with your current version, set the CFLAGS variable to
> -fno-strict-aliasing and rerun configure, then do a fresh compile
> (be sure to make clean first).

This method worked, I added "-fno-strict-aliasing" to CFLAGS and now it's working fine.
Thank you very much

>
> Thanks,
> Adam
>
> > Hi,
> > I have a problem that snort-inline is allowing UDP and ICMP packets
> > but dropping TCP packets.
> > I have Fedora Core 5 on my box.
> >
> > I referred to the http://linuxgazette.net/117/savage.html tutorial for
> > this installation and configuration purpose.
> > I run snort-inline using the following command.
> > snort_inline -c /etc/snort_inline/snort_inline.conf -Q -N -l /var/log/snort_inline/ \
> > -t /var/log/snort_inline/ -v
> >
> > After starting snort-inline, ICMP and UDP packets are able to get
> > through but
> > TCP packets are getting dropped.
> >
> > I used simple IPTABLES rules to queue up the packets to user space.
> > iptables -I INPUT -p tcp --dport 80 -j QUEUE
> > iptables -I INPUT -p udp --dport 20000 -j QUEUE
> > iptables -I INPUT -p icmp -j QUEUE
> >
> > I checked the log files and all of them are empty.
> >
> > I also tried to go through the source code.
> > I found the following lines which are responsible for packet dropping or
> > packet allowing.
> >
> > inline.c : 948. status = ipq_set_verdict(ipqh, m->packet_id,
> > NF_DROP, 0, NULL);
> >
> > inline.c :1025 status = ipq_set_verdict(ipqh, m->packet_id,
> > NF_ACCEPT, 0, NULL);
> >
> > inline.c :1047 status = ipq_set_verdict(ipqh, m->packet_id,
> > NF_ACCEPT,
> > m->data_len,
> > m->payload );
> > I added some printf after them for debugging purposes,
> > and found out that ICMP and UDP packets were being accepted by the second
> > ipq_set_verdict function call (inline.c:1025) but TCP packets were
> > getting dropped by the first ipq_set_verdict
> > function call (inline.c:948).
> >
> > My guess is that there is something wrong in the configuration file.
> > As per me, the default rules are not supposed to drop any packets.
> > The only change that I have done in the config file is to change
> > "var RULE_PATH /etc/snort_inline/drop_rules"
> > to
> > "var RULE_PATH /etc/snort_inline/rules "
> >
> > I am attaching my snort_inline.conf file with this mail.
> > Can someone please help me to find out what I am missing?

--
Pravin Shinde
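
Added example, not part of the thread and not Snort's code: the strict-aliasing problem Adam describes, illustrated with an RFC 1071 checksum that reads the packet only through unsigned char, so it computes the same value with or without "-fno-strict-aliasing". The function names, host-order address arguments and sample bytes are assumptions made for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Not Snort's code. A checksum loop that walks a header struct through a
 * cast such as (uint16_t *)hdr reads it via an incompatible type; with strict
 * aliasing (on at -O2) the compiler may assume those reads cannot alias the
 * stores that filled the struct. unsigned char reads may alias any object. */
static uint32_t csum_add(uint32_t sum, const void *buf, size_t len)
{
    const unsigned char *p = buf;
    for (; len > 1; p += 2, len -= 2)
        sum += ((uint32_t)p[0] << 8) | p[1];   /* 16-bit big-endian words */
    if (len)
        sum += (uint32_t)p[0] << 8;            /* odd tail, zero padded */
    return sum;
}

static uint16_t csum_fold(uint32_t sum)
{
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);    /* end-around carry */
    return (uint16_t)~sum;
}

uint16_t inet_checksum(const void *buf, size_t len)
{
    return csum_fold(csum_add(0, buf, len));
}

/* TCP checksum over the IPv4 pseudo-header plus the segment. Returns 0 when
 * the segment already carries a correct checksum (what a verifier checks). */
uint16_t tcp_checksum(uint32_t src, uint32_t dst, const void *seg, size_t len)
{
    unsigned char ph[12];
    for (int i = 0; i < 4; i++) {
        ph[i]     = (unsigned char)(src >> (24 - 8 * i));
        ph[4 + i] = (unsigned char)(dst >> (24 - 8 * i));
    }
    ph[8] = 0; ph[9] = 6; ph[10] = (unsigned char)(len >> 8); ph[11] = (unsigned char)len;
    return csum_fold(csum_add(csum_add(0, ph, sizeof ph), seg, len));
}

int main(void)
{
    /* Constructed input: the byte string of the RFC 1071 worked example. */
    const unsigned char rfc[] = { 0x00, 0x01, 0xf2, 0x03, 0xf4, 0xf5, 0xf6, 0xf7 };
    printf("0x%04x\n", inet_checksum(rfc, sizeof rfc));
    return 0;
}
```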