From: Javier R. <jr...@on...> - 2010-02-09 14:50:59

I had successfully implemented snort as IPS on x86, using gentoo-gnap and Soekris hardware, and it works quite well. All the info you need is in the snort.org documentation. What are the problems you are facing?

On Tue, Feb 09, 2010 at 09:11:29AM +0300, Emmanuel Mugarura wrote:
> Hello
>
> Greetings
>
> I am inquiring about whether there is someone who has successfully
> implemented Snort on *x86*-64. I would also appreciate any kind of guides on
> how to do this
>
> Regards
>
> Emmanuel Mugarura
>
> _______________________________________________
> Snort-inline-users mailing list
> Sno...@li...
> https://lists.sourceforge.net/lists/listinfo/snort-inline-users

From: Emmanuel M. <cmu...@gm...> - 2010-02-09 06:11:37

Hello

Greetings

I am inquiring about whether there is someone who has successfully implemented Snort on *x86*-64. I would also appreciate any kind of guides on how to do this.

Regards

Emmanuel Mugarura

From: Will M. <wil...@gm...> - 2010-02-05 21:05:17

Hmmm, I could be mistaken, but I'm unaware of any divert socket/netfilter queue type of functionality on Solaris. Does such a beast exist? If so, we never did any work on snort-inline to support it.

Regards,
Will

On Fri, Feb 5, 2010 at 6:56 AM, Emmanuel Mugarura <cmu...@gm...> wrote:
> Hello
>
> Greetings
>
> I am working on a project to implement Snort inline on Solaris 10. Anyone
> with tips, tutorials and any material that can help me achieve this, I would
> love being pointed in the right direction.
>
> The implementation could as well be on any flavor of Unix.
>
> Regards
>
> Emmanuel Mugarura

From: Emmanuel M. <cmu...@gm...> - 2010-02-05 20:59:14

Hello

Greetings

I am working on a project to implement Snort inline on Solaris 10. Anyone with tips, tutorials and any material that can help me achieve this, I would love being pointed in the right direction.

The implementation could as well be on any flavor of Unix.

Regards

Emmanuel Mugarura

From: charles m. <mug...@gm...> - 2010-01-20 14:47:18

Hi;
I changed the snort-inline version to 2.6; now it is running and snort-inline
options are enabled, but when I launch snort-inline with the "snort_inline -Q -v
-c /etc/snort_inline/snort_inline.conf -l /var/log/snort_inline" command I'm
getting the following errors in the output.
1. WARNING /etc/snort_inline/snort_inline.conf(361) => flush_behavior set in
config file, using old static flushpoints (0)
2. ERROR: /etc/snort_inline/rules/exploit.rules(38): Cannot check flow
connection for non-TCP traffic
Can you please help?
Check the full output below:
charles@ips:~$ sudo snort_inline -Q -v -c
/etc/snort_inline/snort_inline.conf -l /var/log/snort_inline
Reading from iptables
Running in IDS mode
Initializing Inline mode
--== Initializing Snort ==--
Initializing Output Plugins!
Var 'usbmon1_ADDRESS' defined, value len = 15 chars, value = 0.0.0.0/0.0.0.0
Var 'usbmon2_ADDRESS' defined, value len = 15 chars, value = 0.0.0.0/0.0.0.0
Var 'usbmon3_ADDRESS' defined, value len = 15 chars, value = 0.0.0.0/0.0.0.0
Var 'usbmon4_ADDRESS' defined, value len = 15 chars, value = 0.0.0.0/0.0.0.0
Var 'usbmon5_ADDRESS' defined, value len = 15 chars, value = 0.0.0.0/0.0.0.0
Var 'usbmon6_ADDRESS' defined, value len = 15 chars, value = 0.0.0.0/0.0.0.0
Var 'usbmon7_ADDRESS' defined, value len = 15 chars, value = 0.0.0.0/0.0.0.0
Var 'usbmon8_ADDRESS' defined, value len = 15 chars, value = 0.0.0.0/0.0.0.0
Var 'any_ADDRESS' defined, value len = 15 chars, value = 0.0.0.0/0.0.0.0
Var 'lo_ADDRESS' defined, value len = 19 chars, value = 127.0.0.0/255.0.0.0
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file /etc/snort_inline/snort_inline.conf
+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
Var 'HOME_NET' defined, value len = 3 chars, value = any
Var 'HONEYNET' defined, value len = 3 chars, value = any
Var 'EXTERNAL_NET' defined, value len = 3 chars, value = any
Var 'SMTP_SERVERS' defined, value len = 3 chars, value = any
Var 'TELNET_SERVERS' defined, value len = 3 chars, value = any
Var 'HTTP_SERVERS' defined, value len = 3 chars, value = any
Var 'SQL_SERVERS' defined, value len = 3 chars, value = any
Var 'HTTP_PORTS' defined, value len = 2 chars, value = 80
Var 'SHELLCODE_PORTS' defined, value len = 3 chars, value = !80
Var 'ORACLE_PORTS' defined, value len = 4 chars, value = 1521
Var 'AIM_SERVERS' defined, value len = 185 chars
[
64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9
.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
Var 'RULE_PATH' defined, value len = 23 chars, value =
/etc/snort_inline/rules
,-----------[Flow Config]----------------------
| Stats Interval: 0
| Hash Method: 2
| Memcap: 10485760
| Rows : 4099
| Overhead Bytes: 16400(%0.16)
`----------------------------------------------
stream4inline mode enabled
truncating mode enabled
Stream4 config:
Stateful inspection: ACTIVE
Session statistics: INACTIVE
Session timeout: 3600 seconds
Session memory cap: 134217728 bytes
Session count max: 8192 sessions
Session cleanup count: 5
State alerts: INACTIVE
Evasion alerts: INACTIVE
Scan alerts: INACTIVE
Log Flushed Streams: INACTIVE
MinTTL: 1
TTL Limit: 5
Async Link: 0
State Protection: 0
Self preservation threshold: 50
Self preservation period: 90
Suspend threshold: 200
Suspend period: 30
Enforce TCP State: ACTIVE and DROPPING
Midstream Drop Alerts: INACTIVE
Allow Blocking of TCP Sessions in Inline: ACTIVE
Server Data Inspection Limit: -1
Inline-mode options:
Inline-mode enabled? (stream4inline): Yes
Scan mode? (scan_stream_only): Both packet and stream
Sliding Windowsize (window_size): 3000
Memcap reached method (truncate): Truncate
Truncate percentage (truncate_percentage): 33
Store/Load state from/to disk: No
Max out-of-order packets in a stream (max_ooo_pkts): 5
Max out-of-order bytes in a stream (max_ooo_bytes): 5000
Max sequence holes in a stream (max_seq_holes): 2
Normalize wscale max (norm_wscale_max): 2
Perform window scale normaliztion: Yes
Disable out-of-order packet drop: No
Disable out-of-order packet drop: No
Disable sequence hole packet drop: No
Max sequence holes in a stream (max_seq_holes): 2
Disable wscale normalization alerts (disable_norm_wscale_alerts): No
Disable out-of-order alerts (disable_ooo_alerts): No
Drop bad RST packets? (drop_bad_rst): No
WARNING /etc/snort_inline/snort_inline.conf(361) => flush_behavior set in
config file, using old static flushpoints (0)
Stream4_reassemble config:
Server reassembly: ACTIVE
Client reassembly: ACTIVE
Reassembler alerts: ACTIVE
Zero out flushed packets: INACTIVE
Flush stream on alert: INACTIVE
flush_data_diff_size: 500
Reassembler Packet Preferance : Favor New
Packet Sequence Overlap Limit: -1
Flush behavior: Small (<255 bytes)
Ports: 21 23 25 42 53 80 110 111 135 136 137 139 143 445 513 1433 1521
3306
Emergency Ports: 21 23 25 42 53 80 110 111 135 136 137 139 143 445 513
1433 1521 3306
HttpInspect Config:
GLOBAL CONFIG
Max Pipeline Requests: 0
Inspection Type: STATELESS
Detect Proxy Usage: NO
IIS Unicode Map Filename: /etc/snort_inline/unicode.map
IIS Unicode Map Codepage: 1252
DEFAULT SERVER CONFIG:
Server profile: All
Ports: 80 8080 8180
Flow Depth: 300
Max Chunk Length: 500000
Inspect Pipeline Requests: YES
URI Discovery Strict Mode: NO
Allow Proxy Usage: NO
Disable Alerting: NO
Oversize Dir Length: 500
Only inspect URI: NO
Ascii: YES alert: NO
Double Decoding: YES alert: YES
%U Encoding: YES alert: YES
Bare Byte: YES alert: YES
Base36: OFF
UTF 8: OFF
IIS Unicode: YES alert: YES
Multiple Slash: YES alert: NO
IIS Backslash: YES alert: NO
Directory Traversal: YES alert: NO
Web Root Traversal: YES alert: YES
Apache WhiteSpace: YES alert: NO
IIS Delimiter: YES alert: NO
IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
Non-RFC Compliant Characters: NONE
Whitespace Characters: 0x09 0x0b 0x0c 0x0d
rpc_decode arguments:
Ports to decode RPC on: 111 32771
alert_fragments: INACTIVE
alert_large_fragments: ACTIVE
alert_incomplete: ACTIVE
alert_multiple_requests: ACTIVE
Portscan Detection Config:
Detect Protocols: TCP UDP ICMP IP
Detect Scan Type: portscan portsweep decoy_portscan
distributed_portscan
Sensitivity Level: Low
Memcap (in bytes): 10000000
Number of Nodes: 36900
ERROR: /etc/snort_inline/rules/exploit.rules(38): Cannot check flow
connection for non-TCP traffic
Fatal Error, Quitting..
charles@ips:~$

From: Emilio M. S. <em...@te...> - 2010-01-17 13:27:03

I installed an old version as I do not know how to install a new one, and I wanted to follow the www.openmaniak.com instructions. I have the sensation that I always go one step behind. When I tried to load libmysqlclient12-dev my Ubuntu 9.10 does not find the package and instead invites me to load libmysqlclient15off. I loaded this package, but when configuring snort_inline-2.4.5a I got the error, and the tutorial says that it is because of libmysqlclient12 missing.

I would like to install a new version like snort 2.8.5.2 as snort inline, but I do not know which steps to follow or how to compile it to work in the line of www.openmaniak.com, as I loaded all the packages as they say in the tutorial. I tried to load a new bundle from securixlive. The NMWnow but in the middle they say that I DO NOT HAVE mysql-server 5.0 because I installed the last version, that is mysql-server 5.1.

So my sensation is that I am one step behind because I do not know all this in Linux. I am coming from the Windows world where things are not cheap but a little bit easier to install.

Is there a full guide on how to install snort 2.8.5.2 in Ubuntu 9.10 without any errors or old packages?

Regards and Thanks
Emilio

From: John D. <joh...@gm...> - 2010-01-17 11:02:34

Hi,

Did you install anything like libmysqlclient-dev? Usually *dev packages contain header files needed for compilation. And "sudo apt-get install libmysqlclient-dev" worked for me just now.

'make' should not work for you until you have ./configure without errors.

By the way, I hope there is a reason you are installing an old version. Usually newer ones have fewer errors. Some things even work only from svn (like using nfqueue with multiple queues).

Best regards
John Default

Emilio Mari Solera wrote:
> ERROR: unable to find mysql headers (mysql.h)
> checked in the following places
> /usr/include
> /usr/include/mysql
> /usr/local/include
> /usr/local/include/mysql
> **********************************************
>
> emilio@ubuntu:~/Downloads/snort_inline-2.4.5a$ make
> make: *** No targets specified and no makefile found. Stop.
> emilio@ubuntu:~/Downloads/snort_inline-2.4.5a$
>
> NEW TO LINUX WHAT I CAN DO?
> I HAVE GCC AND G++ INSTALLED AS WELL AS BUILD-ESSENTIALS

From: Emilio M. S. <em...@te...> - 2010-01-17 08:56:18

ERROR: unable to find mysql headers (mysql.h)
checked in the following places
/usr/include
/usr/include/mysql
/usr/local/include
/usr/local/include/mysql
**********************************************
emilio@ubuntu:~/Downloads/snort_inline-2.4.5a$ make
make: *** No targets specified and no makefile found. Stop.
emilio@ubuntu:~/Downloads/snort_inline-2.4.5a$
NEW TO LINUX WHAT I CAN DO?
I HAVE GCC AND G++ INSTALLED AS WELL AS BUILD-ESSENTIALS

From: Joel E. <es...@gm...> - 2010-01-15 13:59:08

Looks like you are using an old version of Snort with a new version of rules. Please update your Snort version.

J

On Fri, Jan 15, 2010 at 3:44 AM, charles mugisha <mug...@gm...> wrote:
> Hi;
>
> This is my first time to run snort-inline. It looks like I successfully
> installed snort-inline, but when I start it I'm getting the following message.
> It is saying that no process was found.
>
> What am I missing?
>
> charles@ips:~$ sudo /etc/init.d/snort_inlined restart
> snort_inline: no process found
> Removing iptables rules:
> Starting ip_queue module:
> Starting iptables rules:
> Starting snort_inline:
> Reading from iptables
> Initializing Inline mode
>
> Also when I run this command "snort_inline -Q -v -c
> /etc/snort_inline/snort_inline.conf -l /var/log/snort_inline
> Reading from iptables" I'm getting the following output with two errors.
> What is wrong with my snort-inline? Can anyone help?
>
> charles@ips:~$ sudo snort_inline -Q -v -c
> /etc/snort_inline/snort_inline.conf -l /var/log/snort_inline
> Reading from iptables
> Running in IDS mode
> Initializing Inline mode
>
> --== Initializing Snort ==--
> Initializing Output Plugins!
> Setting the Packet Processor to decode packets from iptables
> Initializing Preprocessors!
> Initializing Plug-ins!
> Parsing Rules file /etc/snort_inline/snort_inline.conf
>
> +++++++++++++++++++++++++++++++++++++++++++++++++++
> Initializing rule chains...
> ,-----------[Flow Config]----------------------
> | Stats Interval: 0
> | Hash Method: 2
> | Memcap: 10485760
> | Rows : 4099
> | Overhead Bytes: 16400(%0.16)
> `----------------------------------------------
> Stream4 config:
> Stateful inspection: ACTIVE
> Session statistics: INACTIVE
> Session timeout: 30 seconds
> Session memory cap: 8388608 bytes
> Session count max: 8192 sessions
> Session cleanup count: 5
> State alerts: INACTIVE
> Evasion alerts: INACTIVE
> Scan alerts: INACTIVE
> Log Flushed Streams: INACTIVE
> MinTTL: 1
> TTL Limit: 5
> Async Link: 0
> State Protection: 0
> Self preservation threshold: 50
> Self preservation period: 90
> Suspend threshold: 200
> Suspend period: 30
> Enforce TCP State: INACTIVE
> Midstream Drop Alerts: INACTIVE
> Server Data Inspection Limit: -1
> Inline-mode options:
> Inline-mode enabled? (stream4inline): No
> Sliding Windowsize (window_size): 7000 (max full conn: 1198)
> Memcap reached method (truncate): Prune
> Truncate percentage (truncate_percentage): 33
> DROP out-of-window packets (drop_out_of_window): No
> DROP data on unestablised session state (drop_data_on_unest): No
> DROP no tcp-flags on establised packets (drop_no_tcp_on_est): No
> DROP packet not within session limits (drop_not_in_limits): No
> DROP ttl evasion (drop_ttl_evasion): No
> Store/Load state from/to disk: No
> WARNING /etc/snort_inline/snort_inline.conf(299) => flush_behavior set in
> config file, using old static flushpoints (0)
> Stream4_reassemble config:
> Server reassembly: ACTIVE
> Client reassembly: ACTIVE
> Reassembler alerts: ACTIVE
> Zero out flushed packets: INACTIVE
> Flush stream on alert: INACTIVE
> flush_data_diff_size: 500
> Reassembler Packet Preferance : Favor Old
> Packet Sequence Overlap Limit: -1
> Flush behavior: Small (<255 bytes)
> Ports: 21 23 25 42 53 80 110 111 135 136 137 139 143 445 513 1433 1521
> 3306
> Emergency Ports: 21 23 25 42 53 80 110 111 135 136 137 139 143 445 513
> 1433 1521 3306
> HttpInspect Config:
> GLOBAL CONFIG
> Max Pipeline Requests: 0
> Inspection Type: STATELESS
> Detect Proxy Usage: NO
> IIS Unicode Map Filename: /etc/snort_inline/unicode.map
> IIS Unicode Map Codepage: 1252
> DEFAULT SERVER CONFIG:
> Ports: 80 8080 8180
> Flow Depth: 300
> Max Chunk Length: 500000
> Inspect Pipeline Requests: YES
> URI Discovery Strict Mode: NO
> Allow Proxy Usage: NO
> Disable Alerting: NO
> Oversize Dir Length: 500
> Only inspect URI: NO
> Ascii: YES alert: NO
> Double Decoding: YES alert: YES
> %U Encoding: YES alert: YES
> Bare Byte: YES alert: YES
> Base36: OFF
> UTF 8: OFF
> IIS Unicode: YES alert: YES
> Multiple Slash: YES alert: NO
> IIS Backslash: YES alert: NO
> Directory Traversal: YES alert: NO
> Web Root Traversal: YES alert: YES
> Apache WhiteSpace: YES alert: NO
> IIS Delimiter: YES alert: NO
> IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
> Non-RFC Compliant Characters: NONE
> rpc_decode arguments:
> Ports to decode RPC on: 111 32771
> alert_fragments: INACTIVE
> alert_large_fragments: ACTIVE
> alert_incomplete: ACTIVE
> alert_multiple_requests: ACTIVE
> telnet_decode arguments:
> Ports to decode telnet on: 21 23 25 119
> Portscan Detection Config:
> Detect Protocols: TCP UDP ICMP IP
> Detect Scan Type: portscan portsweep decoy_portscan
> distributed_portscan
> Sensitivity Level: Low
> Memcap (in bytes): 10000000
> Number of Nodes: 36900
>
> database: compiled support for ( mysql )
> database: configured to use mysql
> database: user = snortuser
> database: password is set
> database: database name = snort
> database: host = localhost
> Interface is NULL. Name may not be unique for the host
> Node unique name is: unknown:(null)
>
> database: sensor name = unknown:(null)
> database: sensor id = 1
> database: schema version = 106
> database: using the "log" facility
> ERROR: Warning: /etc/snort_inline/rules/exploit.rules(24) => Unknown
> keyword ' metadata' in rule!
> Fatal Error, Quitting..

--
Joel Esler

From: Ihab el B. <iha...@ho...> - 2010-01-15 08:54:23

Hi,
Have you configured your snort_inline.conf file correctly? Try to check the mysql database itself (containing rows ...).
Also try to exclude the exploit.rules from the config file and give it a try then, and don't forget to send the packet stream to the queue, e.g. (iptables -A FORWARD -p all -j QUEUE).
Best regards
Ihab El Bakri

Date: Fri, 15 Jan 2010 10:44:36 +0200
From: mug...@gm...
To: sno...@li...
Subject: [Snort-inline-users] Help

Hi;
This is my first time to run snort-inline. It looks like I successfully
installed snort-inline, but when I start it I'm getting the following message.
It is saying that no process was found.
What am I missing?
charles@ips:~$ sudo /etc/init.d/snort_inlined restart
snort_inline: no process found
Removing iptables rules:
Starting ip_queue module:
Starting iptables rules:
Starting snort_inline:
Reading from iptables
Initializing Inline mode
Also when I run this command "snort_inline -Q -v -c
/etc/snort_inline/snort_inline.conf -l /var/log/snort_inline
Reading from iptables" I'm getting the following output with
two errors. What is wrong with my snort-inline? Can anyone help?
charles@ips:~$ sudo snort_inline -Q -v -c
/etc/snort_inline/snort_inline.conf -l /var/log/snort_inline
Reading from iptables
Running in IDS mode
Initializing Inline mode
--== Initializing Snort ==--
Initializing Output Plugins!
Setting the Packet Processor to decode packets from iptables
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file /etc/snort_inline/snort_inline.conf
+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
,-----------[Flow Config]----------------------
| Stats Interval: 0
| Hash Method: 2
| Memcap: 10485760
| Rows : 4099
| Overhead Bytes: 16400(%0.16)
`----------------------------------------------
Stream4 config:
Stateful inspection: ACTIVE
Session statistics: INACTIVE
Session timeout: 30 seconds
Session memory cap: 8388608 bytes
Session count max: 8192 sessions
Session cleanup count: 5
State alerts: INACTIVE
Evasion alerts: INACTIVE
Scan alerts: INACTIVE
Log Flushed Streams: INACTIVE
MinTTL: 1
TTL Limit: 5
Async Link: 0
State Protection: 0
Self preservation threshold: 50
Self preservation period: 90
Suspend threshold: 200
Suspend period: 30
Enforce TCP State: INACTIVE
Midstream Drop Alerts: INACTIVE
Server Data Inspection Limit: -1
Inline-mode options:
Inline-mode enabled? (stream4inline): No
Sliding Windowsize (window_size): 7000 (max full conn: 1198)
Memcap reached method (truncate): Prune
Truncate percentage (truncate_percentage): 33
DROP out-of-window packets (drop_out_of_window): No
DROP data on unestablised session state (drop_data_on_unest): No
DROP no tcp-flags on establised packets (drop_no_tcp_on_est): No
DROP packet not within session limits (drop_not_in_limits): No
DROP ttl evasion (drop_ttl_evasion): No
Store/Load state from/to disk: No
WARNING /etc/snort_inline/snort_inline.conf(299) => flush_behavior set in config file, using old static flushpoints (0)
Stream4_reassemble config:
Server reassembly: ACTIVE
Client reassembly: ACTIVE
Reassembler alerts: ACTIVE
Zero out flushed packets: INACTIVE
Flush stream on alert: INACTIVE
flush_data_diff_size: 500
Reassembler Packet Preferance : Favor Old
Packet Sequence Overlap Limit: -1
Flush behavior: Small (<255 bytes)
Ports: 21 23 25 42 53 80 110 111 135 136 137 139 143 445 513 1433 1521 3306
Emergency Ports: 21 23 25 42 53 80 110 111 135 136 137 139 143 445 513 1433 1521 3306
HttpInspect Config:
GLOBAL CONFIG
Max Pipeline Requests: 0
Inspection Type: STATELESS
Detect Proxy Usage: NO
IIS Unicode Map Filename: /etc/snort_inline/unicode.map
IIS Unicode Map Codepage: 1252
DEFAULT SERVER CONFIG:
Ports: 80 8080 8180
Flow Depth: 300
Max Chunk Length: 500000
Inspect Pipeline Requests: YES
URI Discovery Strict Mode: NO
Allow Proxy Usage: NO
Disable Alerting: NO
Oversize Dir Length: 500
Only inspect URI: NO
Ascii: YES alert: NO
Double Decoding: YES alert: YES
%U Encoding: YES alert: YES
Bare Byte: YES alert: YES
Base36: OFF
UTF 8: OFF
IIS Unicode: YES alert: YES
Multiple Slash: YES alert: NO
IIS Backslash: YES alert: NO
Directory Traversal: YES alert: NO
Web Root Traversal: YES alert: YES
Apache WhiteSpace: YES alert: NO
IIS Delimiter: YES alert: NO
IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
Non-RFC Compliant Characters: NONE
rpc_decode arguments:
Ports to decode RPC on: 111 32771
alert_fragments: INACTIVE
alert_large_fragments: ACTIVE
alert_incomplete: ACTIVE
alert_multiple_requests: ACTIVE
telnet_decode arguments:
Ports to decode telnet on: 21 23 25 119
Portscan Detection Config:
Detect Protocols: TCP UDP ICMP IP
Detect Scan Type: portscan portsweep decoy_portscan distributed_portscan
Sensitivity Level: Low
Memcap (in bytes): 10000000
Number of Nodes: 36900
database: compiled support for ( mysql )
database: configured to use mysql
database: user = snortuser
database: password is set
database: database name = snort
database: host = localhost
Interface is NULL. Name may not be unique for the host
Node unique name is: unknown:(null)
database: sensor name = unknown:(null)
database: sensor id = 1
database: schema version = 106
database: using the "log" facility
ERROR: Warning: /etc/snort_inline/rules/exploit.rules(24) => Unknown keyword ' metadata' in rule!
Fatal Error, Quitting..

From: charles m. <mug...@gm...> - 2010-01-15 08:44:46

Hi;
This is my first time to run snort-inline. It looks like I successfully
installed snort-inline, but when I start it I'm getting the following message.
It is saying that no process was found.
What am I missing?
charles@ips:~$ sudo /etc/init.d/snort_inlined restart
snort_inline: no process found
Removing iptables rules:
Starting ip_queue module:
Starting iptables rules:
Starting snort_inline:
Reading from iptables
Initializing Inline mode
Also when I run this command "snort_inline -Q -v -c
/etc/snort_inline/snort_inline.conf -l /var/log/snort_inline
Reading from iptables" I'm getting the following output with two errors.
What is wrong with my snort-inline? Can anyone help?
charles@ips:~$ sudo snort_inline -Q -v -c
/etc/snort_inline/snort_inline.conf -l /var/log/snort_inline
Reading from iptables
Running in IDS mode
Initializing Inline mode
--== Initializing Snort ==--
Initializing Output Plugins!
Setting the Packet Processor to decode packets from iptables
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file /etc/snort_inline/snort_inline.conf
+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
,-----------[Flow Config]----------------------
| Stats Interval: 0
| Hash Method: 2
| Memcap: 10485760
| Rows : 4099
| Overhead Bytes: 16400(%0.16)
`----------------------------------------------
Stream4 config:
Stateful inspection: ACTIVE
Session statistics: INACTIVE
Session timeout: 30 seconds
Session memory cap: 8388608 bytes
Session count max: 8192 sessions
Session cleanup count: 5
State alerts: INACTIVE
Evasion alerts: INACTIVE
Scan alerts: INACTIVE
Log Flushed Streams: INACTIVE
MinTTL: 1
TTL Limit: 5
Async Link: 0
State Protection: 0
Self preservation threshold: 50
Self preservation period: 90
Suspend threshold: 200
Suspend period: 30
Enforce TCP State: INACTIVE
Midstream Drop Alerts: INACTIVE
Server Data Inspection Limit: -1
Inline-mode options:
Inline-mode enabled? (stream4inline): No
Sliding Windowsize (window_size): 7000 (max full conn: 1198)
Memcap reached method (truncate): Prune
Truncate percentage (truncate_percentage): 33
DROP out-of-window packets (drop_out_of_window): No
DROP data on unestablised session state (drop_data_on_unest): No
DROP no tcp-flags on establised packets (drop_no_tcp_on_est): No
DROP packet not within session limits (drop_not_in_limits): No
DROP ttl evasion (drop_ttl_evasion): No
Store/Load state from/to disk: No
WARNING /etc/snort_inline/snort_inline.conf(299) => flush_behavior set in
config file, using old static flushpoints (0)
Stream4_reassemble config:
Server reassembly: ACTIVE
Client reassembly: ACTIVE
Reassembler alerts: ACTIVE
Zero out flushed packets: INACTIVE
Flush stream on alert: INACTIVE
flush_data_diff_size: 500
Reassembler Packet Preferance : Favor Old
Packet Sequence Overlap Limit: -1
Flush behavior: Small (<255 bytes)
Ports: 21 23 25 42 53 80 110 111 135 136 137 139 143 445 513 1433 1521
3306
Emergency Ports: 21 23 25 42 53 80 110 111 135 136 137 139 143 445 513
1433 1521 3306
HttpInspect Config:
GLOBAL CONFIG
Max Pipeline Requests: 0
Inspection Type: STATELESS
Detect Proxy Usage: NO
IIS Unicode Map Filename: /etc/snort_inline/unicode.map
IIS Unicode Map Codepage: 1252
DEFAULT SERVER CONFIG:
Ports: 80 8080 8180
Flow Depth: 300
Max Chunk Length: 500000
Inspect Pipeline Requests: YES
URI Discovery Strict Mode: NO
Allow Proxy Usage: NO
Disable Alerting: NO
Oversize Dir Length: 500
Only inspect URI: NO
Ascii: YES alert: NO
Double Decoding: YES alert: YES
%U Encoding: YES alert: YES
Bare Byte: YES alert: YES
Base36: OFF
UTF 8: OFF
IIS Unicode: YES alert: YES
Multiple Slash: YES alert: NO
IIS Backslash: YES alert: NO
Directory Traversal: YES alert: NO
Web Root Traversal: YES alert: YES
Apache WhiteSpace: YES alert: NO
IIS Delimiter: YES alert: NO
IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
Non-RFC Compliant Characters: NONE
rpc_decode arguments:
Ports to decode RPC on: 111 32771
alert_fragments: INACTIVE
alert_large_fragments: ACTIVE
alert_incomplete: ACTIVE
alert_multiple_requests: ACTIVE
telnet_decode arguments:
Ports to decode telnet on: 21 23 25 119
Portscan Detection Config:
Detect Protocols: TCP UDP ICMP IP
Detect Scan Type: portscan portsweep decoy_portscan
distributed_portscan
Sensitivity Level: Low
Memcap (in bytes): 10000000
Number of Nodes: 36900
database: compiled support for ( mysql )
database: configured to use mysql
database: user = snortuser
database: password is set
database: database name = snort
database: host = localhost
Interface is NULL. Name may not be unique for the host
Node unique name is: unknown:(null)
database: sensor name = unknown:(null)
database: sensor id = 1
database: schema version = 106
database: using the "log" facility
ERROR: Warning: /etc/snort_inline/rules/exploit.rules(24) => Unknown keyword
' metadata' in rule!
Fatal Error, Quitting..

From: Ihab el B. <iha...@ho...> - 2010-01-13 15:38:23

Hello, BASE, Placid, or Sguil are just web interfaces for the logs. You can try webmin; I think it has a snort addon to add rules to snort and iptables.
Best regards
Ihab ElBakri

From: Dave R. <dav...@gm...> - 2010-01-05 17:11:05

On Tue, Jan 5, 2010 at 2:55 AM, Morgan Cox <mor...@gm...> wrote:
> Thanks Will for getting back to me.
>
> (Sorry if this has gone to a new thread, my mailing list options were set
> to not deliver mail previously)
>
> I have 1 further question to ask about rule whitelisting..
>
> Can I stop a rule for one (or more) IP(s), if I comment out the rule that
> will prevent the rule entirely.
>
At this point you need 2 rules, I think - one that accepts for the whitelisted address (1st), 1 that takes the other action (for the rest).

> Also should I be able to use snort inline with latest normal snort in AMD64
> ?
>
SF snort should work as a 64 bit app, although its inline mode might not because ip_queueing is a wrapper for nfqueueing these days. I've run snort-inline 2.8.4.1 as a 64 bit app using NFQUEUEs; no problem.

> I got it to compile but it segfaulted.. Is it advisable to stick with
> 2.4.8.1 snort_inline svn for now ?
>
> Thank you for all your help Will.
>
> Cheers

--
"Of course, someone who knows more about this will correct me if I'm wrong, and someone who knows less will correct me if I'm right." David Palmer (pa...@ty...)
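The script below is an added example, not code from this thread, from Snort or from snort-inline. It serves two points raised in the thread: Joel's diagnosis that the "Unknown keyword ' metadata'" and "Cannot check flow connection for non-TCP traffic" errors come from loading a newer rule set on an older engine, and Dave's two-rule whitelist pattern (a pass rule for the trusted address listed first, a drop rule for everyone else). It parses Snort 2.x rule headers and option lists with a small parser, lints a constructed rule set for those two old-engine rejections, and evaluates the whitelist pair in both orders to show that the pattern only works when the pass rule is matched first. Assumptions: the engine is a Snort 2.4/2.6-era one, so the set of rejected keywords (`UNSUPPORTED_KEYWORDS`) is an assumption; rules are evaluated top to bottom with the first match winning, which in Snort 2.x depends on the configured action order and must be confirmed on the engine in use; the source-address matcher handles only `any`, single IPs and CIDR blocks with optional `!` negation; all rule lines are constructed samples.

```python
"""Snort 2.x rule checker (added example, not project code).  Assumes a
Snort 2.4/2.6-era engine and first-match, top-to-bottom rule evaluation."""
import ipaddress
import re

# Rule header: action proto src sport dir dst dport (options)
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)

# Option keywords the assumed old engine rejects with "Unknown keyword".
UNSUPPORTED_KEYWORDS = {"metadata"}


def split_options(opts):
    """Split 'msg:"a;b"; sid:1;' into (keyword, value) pairs.  A ';' inside a
    quoted string or right after a backslash does not end the option."""
    pairs, buf, quoted, escaped = [], [], False, False
    for ch in opts:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == '"':
            buf.append(ch)
            quoted = not quoted
        elif ch == ";" and not quoted:
            token = "".join(buf).strip()
            if token:
                key, _, val = token.partition(":")
                pairs.append((key.strip(), val.strip()))
            buf = []
        else:
            buf.append(ch)
    return pairs


def parse_rule(line):
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("not a Snort rule: %r" % line)
    rule = m.groupdict()
    rule["opts"] = split_options(rule["opts"])
    return rule


def lint_rules(lines):
    """(line_no, message) for each rule the old engine would refuse to load,
    mirroring the two fatal errors quoted in this thread."""
    findings = []
    for n, line in enumerate(lines, 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        rule = parse_rule(line)
        keys = {k for k, _ in rule["opts"]}
        for bad in sorted(keys & UNSUPPORTED_KEYWORDS):
            findings.append((n, "unknown keyword '%s': rule set is newer than the engine" % bad))
        if "flow" in keys and rule["proto"] != "tcp":
            findings.append((n, "flow on a %s rule: engine cannot check flow for non-TCP traffic" % rule["proto"]))
    return findings


def ip_matches(spec, ip):
    """Source field: 'any', a single IP or a CIDR block, optionally negated with '!'."""
    if spec == "any":
        return True
    negated = spec.startswith("!")
    hit = ipaddress.ip_address(ip) in ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return hit != negated


def first_match(rules, src_ip, dst_port):
    """Action of the first rule whose source and destination port match, or None.
    With the pass rule listed first, the trusted address is exempted; reversed,
    the drop rule shadows it (the ordering assumption stated above)."""
    for rule in rules:
        if ip_matches(rule["src"], src_ip) and rule["dport"] in ("any", str(dst_port)):
            return rule["action"]
    return None


# Constructed sample rule set: lines 1 and 2 trip the old engine, line 3 loads fine.
SAMPLE_RULES = [
    'alert udp any any -> any 53 (msg:"DNS probe"; flow:to_server; sid:1000001; rev:1;)',
    'alert tcp any any -> any 80 (msg:"newer rule"; flow:to_server,established; '
    'metadata:policy balanced-ips drop; sid:1000002; rev:1;)',
    'alert tcp any any -> any 80 (msg:"old style; still ok"; content:"cmd.exe"; sid:1000003; rev:1;)',
]

# Constructed whitelist pair: pass for one trusted address first, drop for the rest.
WHITELIST_RULES = [parse_rule(r) for r in (
    'pass tcp 192.0.2.10 any -> any 80 (msg:"trusted scanner"; sid:1000004; rev:1;)',
    'drop tcp any any -> any 80 (msg:"noisy web signature"; content:"/cgi-bin/"; sid:1000005; rev:1;)',
)]

if __name__ == "__main__":
    for n, msg in lint_rules(SAMPLE_RULES):
        print("rule %d: %s" % (n, msg))
    print("trusted host:", first_match(WHITELIST_RULES, "192.0.2.10", 80))
    print("other host:  ", first_match(WHITELIST_RULES, "198.51.100.7", 80))
    print("reversed:    ", first_match(WHITELIST_RULES[::-1], "192.0.2.10", 80))
```

Run against a real rules directory, the linter is a quick way to tell a rules/engine version mismatch from a genuine configuration problem before touching snort_inline.conf; the reversed-order call is the failure mode to check for when a whitelist pass rule seems to have no effect.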
|
From: Morgan C. <mor...@gm...> - 2010-01-05 09:56:04

Thanks Will for getting back to me.

(Sorry if this has gone to a new thread, my mailing list options were set to not deliver mail previously)

I have 1 further question to ask about rule whitelisting..

Can I stop a rule for one (or more) IP(s)? If I comment out the rule, that will prevent the rule entirely.

Also, should I be able to use snort inline with the latest normal snort on AMD64? I got it to compile but it segfaulted.. Is it advisable to stick with 2.4.8.1 snort_inline svn for now?

Thank you for all your help Will.

Cheers
From: Will M. <wil...@gm...> - 2009-12-31 20:49:06

Full Announcement here: http://www.openinfosecfoundation.org/

It's been about three years in the making, but the day has finally come! We have the first release of the Suricata Engine! The engine is an Open Source Next Generation Intrusion Detection and Prevention Tool, not intended to just replace or emulate the existing tools in the industry, but to bring new ideas and technologies to the field.

The Suricata Engine and the HTP Library are available to use under the GPLv2. The HTP Library is an HTTP normalizer and parser written by Ivan Ristic of Mod Security fame for the OISF. This integrates and provides very advanced processing of HTTP streams for Suricata. The HTP library is required by the engine, but may also be used independently in a range of applications and tools.

This is considered a Beta Release as we are seeking feedback from the community. This release has many of the major new features we wanted to add to the industry, but certainly not all. We intend to get this base engine out and stable, and then continue to add new features. We expect several new releases in the month of January culminating in a production quality release shortly thereafter.

The engine and the HTP Library are available here:
http://www.openinfosecfoundation.org/index.php/download-suricata

Please join the oisf-users mailing list to discuss and share feedback. The developers will be there ready to help you test.
http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users

As this is a first release we don't really have a "what's new" section because everything is new. But we do have a number of new ideas and new concepts in Intrusion Detection to note. Some of those are listed below:

Multi-Threading
Amazing that multi-threading is new to IDS, but it is, and we've got it!

Automatic Protocol Detection
The engine not only has keywords for IP, TCP, UDP and ICMP, but also has HTTP, TLS, FTP and SMB! A user can now write a rule to detect a match within an HTTP stream, for example, regardless of the port the stream occurs on. This is going to revolutionize malware detection and control. Detections for more layer 7 protocols are on the way.

Gzip Decompression
The HTP Parser will decode Gzip compressed streams, allowing much more detailed matching within the engine.

Independent HTP Library
The HTP Parser will be of great use to many other applications such as proxies, filters, etc. The parser is available as a library also under GPLv2 for easy integration into other tools.

Standard Input Methods
You can use NFQueue, IPFRing, and the standard LibPcap to capture traffic. IPFW support coming shortly.

Unified2 Output
You can use your standard output tools and methods with the new engine, 100% compatible!

Flow Variables
It's possible to capture information out of a stream and save that in a variable which can then be matched again later.

Fast IP Matching
The engine will automatically take rules that are IP matches only (such as the RBN and compromised IP lists at Emerging Threats) and put them into a special fast matching preprocessor.

HTTP Log Module
All HTTP requests can be automatically output into an apache-style log format file. Very useful for monitoring and logging activity completely independent of rulesets and matching. Should you need to do so, you could use the engine only as an HTTP logging sniffer.

Coming Very Soon (within a few weeks):

Global Flow Variables
The ability to store more information from a stream or match (actual data, not just setting a bit), and storing that information for a period of time. This will make comparing values across many streams and time possible.

Graphics Card Acceleration
Using CUDA and OpenCL we will be able to make use of the massive processing power of even old graphics cards to accelerate your IDS. Offloading the very computationally intensive functions of the sensor will greatly enhance performance.

IP Reputation
Hard to summarize in a sentence, but Reputation will allow sensors and organizations to share intelligence and eliminate many false positives.

Windows Binaries
As soon as we have a reasonably stable body of code.

The list could go on and on. Please take a few minutes to download the engine and try it out and let us know what you think. We're not comfortable calling it production ready at the moment until we get your feedback, and we have a few features to complete. We really need your feedback and input. We intend to put out a series of small releases in the two to three weeks to come, and then a production ready major release shortly thereafter. Phase two of our development plan will then begin, where we go after some major new features such as IP Reputation shortly.

http://www.openinfosecfoundation.org
From: Michael S. <sch...@se...> - 2009-12-30 14:26:24
On 12/30/09 7:50 AM, Morgan Cox wrote:
> Hi.
>
> At present I am commenting out rules I do not use.
>
> This works fine until I update the rules, then obviously the rules
> that were commented out will no longer be.
>
>
use oinkmaster. you use oinkmaster to both update rules AND keep your
customizations (including disabling rules)
It's much better to disable the rule, same ram, cpu, buffer space, than
ignore it once it's been triggered.
--
Michael Scheidell, CTO
Phone: 561-999-5000, x 1259
SECNAP Network Security Corporation
From: Morgan C. <mor...@gm...> - 2009-12-30 12:50:56

Hi.

At present I am commenting out rules I do not use. This works fine until I update the rules, then obviously the rules that were commented out will no longer be.

I thought that you could prevent rules being used by adding lines such as

suppress gen_id 1, sig_id 1852

to /etc/snort/threshold.conf

I now realise that just prevents the log/alert; it doesn't prevent the rule from running. I know this to be true as I am running in inline mode (with drop) and lots of things do not work until I comment out the lines of the rules...

My question is: is there any config file in which I can tell snort to ignore a sid, so that when I replace the updated rules I am still whitelisting certain rules?

Also I still notice that inline mode doesn't work with 64bit in the standard snort version (2.8.5.1) - when will 64bit standard snort (inline) work with 64 bit?

Running snort-inline svn 2.8.4.1 - Debian Lenny - AMD64

Cheers
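The problem Morgan raises above (local rule customizations lost on every rule update) and the two answers earlier in the thread (Michael's: disable the rule instead of suppressing it; Dave's: a pass rule for the whitelisted addresses ahead of the rule for everyone else), as an added example in Python that is not part of this thread, of oinkmaster, or of snort-inline. The sample rule text, the sid numbers, the IP addresses and the local sid base 1000000 are constructed assumptions; the whitelist half relies on pass rules being evaluated before drop rules, so check the rule order setting on your Snort version.

```python
import re

# Constructed sample rule set (adapted from the rule quoted in this thread); one
# rule is backslash-continued the way hand-edited rule files often are.
RULES_SAMPLE = """# constructed sample rules
drop tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC access"; flow:to_server,established; uricontent:"/"; nocase; threshold: type both, track by_dst, count 10, seconds 10; sid:1852; rev:1;)
drop tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH probe"; \\
    flow:to_server; flags:S; sid:2001; rev:2;)
"""
LOCAL_SID_BASE = 1000000  # local rules conventionally use sids >= 1,000,000 (assumption)

# Rule header + options; address/port lists must not contain spaces.
RULE_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")

def _logical_lines(text):  # join backslash-continued lines into one rule each
    buf = ""
    for raw in text.splitlines():
        if raw.rstrip().endswith("\\"):
            buf += raw.rstrip()[:-1]
        else:
            yield buf + raw
            buf = ""
    if buf:
        yield buf

def customize(rules_text, disable_sids, whitelist, local_base=LOCAL_SID_BASE):
    """Comment out disable_sids; for sid -> [IPs] in whitelist, add a 'pass'
    copy limited to those source IPs ahead of the original. Idempotent."""
    existing = {int(s) for s in SID_RE.findall(rules_text)}
    out = []
    for line in _logical_lines(rules_text):
        m = RULE_RE.match(line.strip())
        sid_m = SID_RE.search(line) if m else None
        if not m or not sid_m:
            out.append(line)  # comments, blanks, already-disabled rules pass through
            continue
        sid = int(sid_m.group(1))
        if sid in disable_sids:  # rule is not loaded at all, unlike a 'suppress'
            out.append("# disabled locally (sid %d): %s" % (sid, line))
            continue
        if sid in whitelist and local_base + sid not in existing:
            opts = SID_RE.sub("sid:%d;" % (local_base + sid), m.group("opts"))
            out.append("pass %s [%s] %s %s %s %s (%s)" % (
                m.group("proto"), ",".join(whitelist[sid]), m.group("sport"),
                m.group("dir"), m.group("dst"), m.group("dport"), opts))
        out.append(line)
    return "\n".join(out) + "\n"
```

Run it over the freshly downloaded rules after each update and the same sids stay disabled and whitelisted; a threshold.conf suppress would only have hidden the alert while the drop kept happening.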
From: Will M. <wil...@gm...> - 2009-12-22 11:12:37

There isn't a pre-built drop rule set. This is an exercise left to the user. Run the non-drop rules for a while to weed out false positives, etc, and then change the alert type from alert to drop where it makes sense for your environment.

Regards,
Will

2009/12/21 <gw...@gm...>:
> i surf the internet, but i can't find it
From: <gw...@gm...> - 2009-12-22 05:35:19

i surf the internet, but i can't find it
From: star6868 <sta...@gm...> - 2009-10-08 09:18:35

I have installed snort-inline on CentOS (http://snort-inline.sourceforge.net/download.html), version snort_inline-2.6.1.5.tar.gz. It works very well; it can alert or drop packets well!

In the iptables rules, I monitor only port 80:

iptables -I INPUT -p tcp --dport 80 -j QUEUE
iptables -I OUTPUT -p tcp --sport 80 -j QUEUE

In the rules, I use only one rule for testing:

#Drop all access to webserver if more than 10 access/second
drop tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC access"; flow:to_server,established; uricontent:"/"; nocase; reference:nessus,10302; classtype:web-application-activity; threshold: type both, track by_dst, count 10, seconds 10; sid:1852; rev:1;)

(I refer to this rule at: http://cvs.snort.org/viewcvs.cgi/*checkout*/snort/doc/README.thresholding?rev=1.5)

But now I have a problem: when it drops a packet, snort-inline BLOCKs that IP and snort-inline seems NOT to release that IP ----> it means snort-inline BLOCKs that IP forever (until snort-inline is restarted).

So, I want snort-inline to drop/block one IP for a time range (e.g., some minutes). How to do this?

Thank you in advance!
From: Victor J. <li...@in...> - 2009-08-17 11:00:12

Hi everyone,

Most of you have probably heard of the new Open Source IDS/IPS project Will and I are working on at the Open Infosec Foundation (see http://www.openinfosecfoundation.org/ and http://www.inliniac.net/blog/tag/oisf).

We're still looking for help. We're especially interested in C coders. So if you're a C coder and interested in getting involved, please contact me off list. We're well funded and the work is paid. We're both interested in part time and full time coders, so if you have some spare time, let me know!

Cheers,
Victor

--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
From: Dave R. <dav...@gm...> - 2009-08-05 15:40:50
You can get the latest (2.8.3) snort_inline source tree from
svn co
https://snort-inline.svn.sourceforge.net/svnroot/snort-inline/trunk
and testing (2.8.4.1)
svn co
https://snort-inline.svn.sourceforge.net/svnroot/snort-inline/testing
At this point, I'd venture that the 2.8.4.1 tree is as ready as it's likely
to get.
Cheers,
Dave
On Tue, Aug 4, 2009 at 4:15 AM, Ondrej Pesta <ond...@id...> wrote:
> Maybe I just find out, that newest snort with snortsam can do the work...
>
> Ondrej Pesta wrote:
> > Hi.
> > I am interested in snort_inline IPS solution. I am using FreeBSD and i
> > install snort_inline from ports. There is version 2.4.5 available. I
> > cannot find updated rules file for this version.
> > What can I do to have newer version or updated rules file?
> > Thanx
> >
> >
>
--
"Of course, someone who knows more about this will correct me if I'm
wrong, and someone who knows less will correct me if I'm right."
David Palmer (pa...@ty...)
From: Ondrej P. <ond...@id...> - 2009-08-04 10:15:55

Maybe I just found out that the newest snort with snortsam can do the work...

Ondrej Pesta wrote:
> Hi.
> I am interested in snort_inline IPS solution. I am using FreeBSD and i
> install snort_inline from ports. There is version 2.4.5 available. I
> cannot find updated rules file for this version.
> What can I do to have newer version or updated rules file?
> Thanx
>
From: Ondrej P. <ond...@id...> - 2009-08-04 07:34:27

Hi.

I am interested in the snort_inline IPS solution. I am using FreeBSD and I install snort_inline from ports. There is version 2.4.5 available. I cannot find an updated rules file for this version.

What can I do to have a newer version or an updated rules file?

Thanx

--
------------------------------------
Regards
Ondrej Pesta