From: David G. <gu...@in...> - 2007-04-13 06:50:18
The patch seems to work very well indeed, I now can end snort_inline and get my nifty statistics :) thanks!

/David Gunnarsson

Victor Julien wrote:
> Okay after some testing I noticed the same thing, signals seem to be
> ignored by nfq enabled Snort_inline. Please try the attached patch to
> see if it works well for you. On my system it seems to work fine :-)
>
> Let me know!
>
> Cheers,
> Victor
>
> Victor Julien wrote:
>> Hi David,
>>
>> David Gunnarsson wrote:
>>
>>> I have a minor issue with snort_inline 2.6.1.2.
>>>
>>> It is when I try to stop it with ctrl+c, nothing happens!
>>> It seems to be only when using from queues (with nf_queue) and not
>>> when I try with pcap.
>>> It does not seem to matter if snort_inline has received any traffic
>>> or not.
>>>
>> Like we discussed in IRC, I think the issue here is specific to
>> nfqueue. Snort_inline evaluates a signal only when the 'packet read'
>> function returns. In case of ip_queue I have added a timeout (to
>> ipq_read) so it returns a number of times per second iirc. For
>> nfqueue we haven't done that yet, as far as I can see. The recv call
>> that gets a packet from the kernel is blocking and will wait forever
>> until a packet is read. Dave, do you have any ideas on how to fix
>> this? As far as I know we can't add a timeout value to the recv call.
>> Maybe we need to look at using something like select or poll?
>>
>> Cheers,
>> Victor
>>
>> -------------------------------------------------------------------------
>>
>> Take Surveys. Earn Cash. Influence the Future of IT
>> Join SourceForge.net's Techsay panel and you'll get the chance to
>> share your
>> opinions on IT & business topics through brief surveys-and earn cash
>> http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
>>
>> _______________________________________________
>> Snort-inline-users mailing list
>> Sno...@li...
>> https://lists.sourceforge.net/lists/listinfo/snort-inline-users
>>
>
> ------------------------------------------------------------------------
>
> Index: src/inline.c
> ===================================================================
> --- src/inline.c (revision 52)
> +++ src/inline.c (working copy)
> @@ -518,6 +518,17 @@
> nh = nfq_nfnlh(nfqh);
> nl_fd = nfnl_fd(nh);
>
> + /* set a timeout to the socket so we can check for a signal
> + * in case we don't get packets for a longer period. */
> + struct timeval tv;
> + tv.tv_sec = 1;
> + tv.tv_usec = 0;
> +
> + if ( setsockopt(nl_fd, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof(tv) ) == -1) {
> + printf("[%d] can't set socket timeout: %s\n",getpid(), strerror(errno));
> + exit(1);
> + }
> +
> /* The following loop basically gets executed forever, or until
> * snort blows or gets signalled to exit. As with libipq,
> * netlink_queue requires that every single packet asked for
> @@ -546,7 +557,11 @@
> //printf("recvd %i bytes glid = %u\n", rcvstatus, glid);
> if (rcvstatus < 0)
> {
> - printf("[%d] packet recv contents failure\n",getpid());
> + if (errno == EINTR || errno == EWOULDBLOCK) {
> + sig_check();
> + } else {
> + printf("[%d] packet recv contents failure\n",getpid());
> + }
> }
> else
> {
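Review bot: in the first hunk (@@ -518,6 +518,17 @@) `struct timeval tv;` is declared after the `nl_fd = nfnl_fd(nh);` statement, so the function now mixes declarations and code; gnu89/C99 accept that, but a strict C89 build (-ansi -pedantic) does not, so move the declaration up to the other locals at the top of the function. The failure branch also reports with printf() to stdout and then exit(1); an error about the netlink socket belongs on stderr, or on whatever fatal-error path the rest of inline.c uses, so it is not lost when stdout is redirected.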
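Review bot: in the second hunk (@@ -546,7 +557,11 @@) the timeout is recognised only as `errno == EWOULDBLOCK`; POSIX lets recv() report an expired SO_RCVTIMEO as either EAGAIN or EWOULDBLOCK (the same value on Linux, but not on every platform), so the portable test is `if (errno == EINTR || errno == EAGAIN || errno == EWOULDBLOCK)`. The check also depends on errno surviving from the recv() call to the `if (rcvstatus < 0)` test; today only the commented-out printf sits in between, but a debug print added there later would clobber it, so saving errno into a local right after recv() would make the intent explicit.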
From: Victor J. <li...@in...> - 2007-04-12 20:28:13
Okay after some testing I noticed the same thing, signals seem to be ignored by nfq enabled Snort_inline. Please try the attached patch to see if it works well for you. On my system it seems to work fine :-)

Let me know!

Cheers,
Victor

Victor Julien wrote:
> Hi David,
>
> David Gunnarsson wrote:
>
>> I have a minor issue with snort_inline 2.6.1.2.
>>
>> It is when I try to stop it with ctrl+c, nothing happens!
>> It seems to be only when using from queues (with nf_queue) and not when
>> I try with pcap.
>> It does not seem to matter if snort_inline has received any traffic or not.
>>
>>
> Like we discussed in IRC, I think the issue here is specific to nfqueue.
> Snort_inline evaluates a signal only when the 'packet read' function
> returns. In case of ip_queue I have added a timeout (to ipq_read) so it
> returns a number of times per second iirc. For nfqueue we haven't done
> that yet, as far as I can see. The recv call that gets a packet from the
> kernel is blocking and will wait forever until a packet is read. Dave,
> do you have any ideas on how to fix this? As far as I know we can't add
> a timeout value to the recv call. Maybe we need to look at using
> something like select or poll?
>
> Cheers,
> Victor
From: Victor J. <li...@in...> - 2007-04-11 12:07:33
Hi David,

David Gunnarsson wrote:
> I have a minor issue with snort_inline 2.6.1.2.
>
> It is when I try to stop it with ctrl+c, nothing happens!
> It seems to be only when using from queues (with nf_queue) and not when
> I try with pcap.
> It does not seem to matter if snort_inline has received any traffic or not.
>

Like we discussed in IRC, I think the issue here is specific to nfqueue. Snort_inline evaluates a signal only when the 'packet read' function returns. In case of ip_queue I have added a timeout (to ipq_read) so it returns a number of times per second iirc. For nfqueue we haven't done that yet, as far as I can see. The recv call that gets a packet from the kernel is blocking and will wait forever until a packet is read. Dave, do you have any ideas on how to fix this? As far as I know we can't add a timeout value to the recv call. Maybe we need to look at using something like select or poll?

Cheers,
Victor
From: David G. <gu...@in...> - 2007-04-11 11:46:15
I have a minor issue with snort_inline 2.6.1.2.

It is when I try to stop it with ctrl+c, nothing happens!
It seems to be only when using from queues (with nf_queue) and not when I try with pcap.
It does not seem to matter if snort_inline has received any traffic or not.
From: Roman G. <sl...@sl...> - 2007-04-10 14:43:32
Hello.

I have here a dualcore P4 Prescott server with 2.6 GHz.
I get 20mbit/s performance with snort_inline 2.6.1.2-Beta1 + 2k rules again:

pcre-7.0
libnetfilter_queue-0.0.13
libdnet-1.11
libnfnetlink-0.0.25.tar.bz2
clamav-0.88.5

are self-compiled with default flags.

snort_inline was compiled with:
./configure --enable-nfnetlink --enable-queue --enable-linux-smp-stats --enable-perfprofiling --with-libipq-includes=/usr/local/include/ --enable-clamav

I still have the limit of 1024 packets for the nfqueue.

Buffers are set to:
net.core.rmem_default = 8388608
net.core.wmem_default = 109568

and the config is: attached + rules I am using.

It would be cool to be able to get 10mbit/s more :)

I am using the default Debian etch SMP kernel 2.6.18-4
From: Dave R. <da...@re...> - 2007-04-09 20:57:34
On Mon, 9 Apr 2007, Roman Glebov wrote:

+Hello!
+Thank you for your response!

Sure thing!

+Dave Remien wrote:
+> You've run into the "other" "stuck packet issue" with netlink_queues and
+> heavy traffic. When you're seeing the 2 sec round trip times, do a "cat
+> /proc/net/netfilter/nfnetlink_queue". You'll probably see something like
+> this:
+>
+> 50 5679 1 2 65535 0 34 1155049 90214
+>
+> The 34 in the 7th column means that there wasn't room on the netlink
+> socket's queue for the number of packets you had queued up, so some 34
+> were dropped; when that happens, the last packet you received is always in
+> the nf queue and doesn't get delivered to snort until the next packet
+> arrives, effectively pushing it out. (That's the permanent 1 in the 3rd
+> field; under normal circumstances, this will go to 0 a lot of the time).
+> In the real world, this is usually in less than a second, but your pings
+> are a second apart, and probably go through snort twice, hence the 2
+> second timing. Try "watch cat /proc/net/netfilter/nfnetlink_queue".
+>
+But normally when load disappears the queue should become empty and
+this problem should disappear. right?
+And it is not the case here. It stays forever. Even when there is no
+load at all.

This is why this is what I call the non-fatal stuck packet problem. Yes, it should go to zero. No, it doesn't go to zero. Harald Welte mentioned this at one point in time, while working on another "stuck packet" bug, but I don't think it's currently listed in bugzilla.netfilter.org. Feel free to raise it with Harald and Patrick 8-).

+
+Here is the output
+
+zaga4:~# cat /proc/net/netfilter/nfnetlink_queue
+ 1 4787 1 2 65535 0 889803 4062359 1
+ 2 4788 1 2 65535 0 672482 3527632 1
+
+Ideas ?

Yeah, you've definitely blown the memory buffers.

I know of no way to clear the stuck packet, other than either stopping/starting snort, or adding code in snort to disconnect/reconnect to the netlink queue. Try setting the mem buffer up. After that, you could see if it still happens with Harald's test program (nfqnl_test.c). It did for me... As far as I can see, it's an outstanding bug, but as I say - in a "normal" network, the amount of latency introduced is the time for the next packet to show up, which usually is "not very long".

Cheers!

Dave

+
+> Couple of things to do:
+>
+> 1. Make sure you're using the latest/greatest libnfnetlink and
+> libnetfilter_queue:
+>
+> http://www.netfilter.org/projects/libnfnetlink/files/libnfnetlink-0.0.25.tar.bz2
+>
+> and
+>
+> http://www.netfilter.org/projects/libnetfilter_queue/files/libnetfilter_queue-0.0.13.tar.bz2
+>
+> They have fixes that help with this; the 2.6.18 kernel has the kernel side
+> fixes (added at 2.6.15).
+>
+> Also, you should increase the amount of memory available for packets on
+> your sockets with:
+>
+> sysctl -w net.core.rmem_default = 8388608
+> sysctl -w net.core.rmem_max = 16777216
+>
+> and last, but not least, set the
+>
+> #define NFQNL_QMAX_DEFAULT 1024
+>
+> value in nfnetlink_queue.c (in your kernel tree) to something like 8192
+> and rebuild the nfnetlink_queue module. (Harald's defaults are fine if
+> you're using a ton of queues and the programs reading/writing them are
+> extremely fast, snort_inline doesn't fit that category 8-).
+>
+> Cheers,
+>
+> Dave
+>
+>
+I try all the things now, you have suggested!
+
+With best wishes and lots of thanks
+
+Roman
+
+--
+This message has been scanned for viruses and
+dangerous content by MailScanner, and is
+believed to be clean.
From: Roman G. <sl...@sl...> - 2007-04-09 19:41:22
Hello!
Thank you for your response!

Dave Remien wrote:
> You've run into the "other" "stuck packet issue" with netlink_queues and
> heavy traffic. When you're seeing the 2 sec round trip times, do a "cat
> /proc/net/netfilter/nfnetlink_queue". You'll probably see something like
> this:
>
> 50 5679 1 2 65535 0 34 1155049 90214
>
> The 34 in the 7th column means that there wasn't room on the netlink
> socket's queue for the number of packets you had queued up, so some 34
> were dropped; when that happens, the last packet you received is always in
> the nf queue and doesn't get delivered to snort until the next packet
> arrives, effectively pushing it out. (That's the permanent 1 in the 3rd
> field; under normal circumstances, this will go to 0 a lot of the time).
> In the real world, this is usually in less than a second, but your pings
> are a second apart, and probably go through snort twice, hence the 2
> second timing. Try "watch cat /proc/net/netfilter/nfnetlink_queue".
>

But normally when load disappears the queue should become empty and this problem should disappear. right?
And it is not the case here. It stays forever. Even when there is no load at all.

Here is the output

zaga4:~# cat /proc/net/netfilter/nfnetlink_queue
 1 4787 1 2 65535 0 889803 4062359 1
 2 4788 1 2 65535 0 672482 3527632 1

Ideas ?

> Couple of things to do:
>
> 1. Make sure you're using the latest/greatest libnfnetlink and
> libnetfilter_queue:
>
> http://www.netfilter.org/projects/libnfnetlink/files/libnfnetlink-0.0.25.tar.bz2
>
> and
>
> http://www.netfilter.org/projects/libnetfilter_queue/files/libnetfilter_queue-0.0.13.tar.bz2
>
> They have fixes that help with this; the 2.6.18 kernel has the kernel side
> fixes (added at 2.6.15).
>
> Also, you should increase the amount of memory available for packets on
> your sockets with:
>
> sysctl -w net.core.rmem_default = 8388608
> sysctl -w net.core.rmem_max = 16777216
>
> and last, but not least, set the
>
> #define NFQNL_QMAX_DEFAULT 1024
>
> value in nfnetlink_queue.c (in your kernel tree) to something like 8192
> and rebuild the nfnetlink_queue module. (Harald's defaults are fine if
> you're using a ton of queues and the programs reading/writing them are
> extremely fast, snort_inline doesn't fit that category 8-).
>
> Cheers,
>
> Dave
>
>

I try all the things now, you have suggested!

With best wishes and lots of thanks

Roman
From: Dave R. <da...@re...> - 2007-04-09 18:44:17
You've run into the "other" "stuck packet issue" with netlink_queues and heavy traffic. When you're seeing the 2 sec round trip times, do a "cat /proc/net/netfilter/nfnetlink_queue". You'll probably see something like this:

50 5679 1 2 65535 0 34 1155049 90214

The 34 in the 7th column means that there wasn't room on the netlink socket's queue for the number of packets you had queued up, so some 34 were dropped; when that happens, the last packet you received is always in the nf queue and doesn't get delivered to snort until the next packet arrives, effectively pushing it out. (That's the permanent 1 in the 3rd field; under normal circumstances, this will go to 0 a lot of the time). In the real world, this is usually in less than a second, but your pings are a second apart, and probably go through snort twice, hence the 2 second timing. Try "watch cat /proc/net/netfilter/nfnetlink_queue".

Couple of things to do:

1. Make sure you're using the latest/greatest libnfnetlink and libnetfilter_queue:

http://www.netfilter.org/projects/libnfnetlink/files/libnfnetlink-0.0.25.tar.bz2

and

http://www.netfilter.org/projects/libnetfilter_queue/files/libnetfilter_queue-0.0.13.tar.bz2

They have fixes that help with this; the 2.6.18 kernel has the kernel side fixes (added at 2.6.15).

Also, you should increase the amount of memory available for packets on your sockets with:

sysctl -w net.core.rmem_default = 8388608
sysctl -w net.core.rmem_max = 16777216

and last, but not least, set the

#define NFQNL_QMAX_DEFAULT 1024

value in nfnetlink_queue.c (in your kernel tree) to something like 8192 and rebuild the nfnetlink_queue module. (Harald's defaults are fine if you're using a ton of queues and the programs reading/writing them are extremely fast, snort_inline doesn't fit that category 8-).

Cheers,

Dave

+
+Message: 2
+Date: Mon, 09 Apr 2007 19:04:25 +0200
+From: Roman Glebov <sl...@sl...>
+Subject: [Snort-inline-users] snort_inline constantly bad latency
+ after heavy load until you restart
+To: sno...@li...
+Message-ID: <461...@sl...>
+Content-Type: text/plain; charset="iso-8859-1"
+
+My problem is following :
+
+When I start snort_inline and then do simple ping I get 0.5ms responses.
+Then I generate 100mbit load for 2 minutes or so.
+
+Then when I try to ping again I get response time of 2000ms! with 10%
+packet loss all the time until I restart snort_inline.
+
+During heavy load I see :
+[4788] packet recv contents failure
+messages. they disappear then.
+
+The slow down is definitely snort_inline or the netlink QUEUE problem
+because then I remove a rule to put packets to the QUEUE I get
+immediately 0.5ms ping.
+
+My system is standard debian etch box with 2.6.18 smp kernel
+I compiled libnet pcre and snort_inline from sources with gcc 4.1
+compiler with default compile flags.
+
+My machine is dual athlon box in 32 bit mode.
+
+software :
+libnet 1.0.2a default configure
+libdnet-1.11 default config
+pcre-7.0 default configure
+
+snort_inline snort_inline-2.6.1.2-BETA1
+./configure --enable-nfnetlink --enable-queue --enable-linux-smp-stats
+--enable-perfprofiling --with-libipq-includes=/usr/local/include/
+--enable-clamav
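Dave's reading of the /proc/net/netfilter/nfnetlink_queue columns (3rd = packets still queued, 7th = packets dropped for lack of room on the netlink socket), as an added example that is not code from the thread or from the netfilter project: a parser for that line layout plus the two checks an operator would run, fed with the lines posted above. Names for the remaining columns follow the kernel's proc output for this file; `parse_nfq_line`, `nfq_health` and `report_queues` are names chosen here.

```c
/* Added example, not from the thread or from the netfilter project: parse
 * lines in the layout of /proc/net/netfilter/nfnetlink_queue and flag the
 * two symptoms Dave describes: drops because the netlink socket had no
 * room (7th column) and a queue that never drains back to 0 (3rd column).
 * Names for the other columns follow the kernel's proc output; the thread
 * itself only names columns 3 and 7. */
#include <stdio.h>
#include <string.h>

struct nfq_stat {
    unsigned queue_num;     /* 1: queue number the iptables rule sends to */
    unsigned peer_pid;      /* 2: pid of the userspace reader (snort_inline) */
    unsigned queue_total;   /* 3: packets waiting for a verdict right now */
    unsigned copy_mode;     /* 4 */
    unsigned copy_range;    /* 5 */
    unsigned queue_dropped; /* 6: dropped because the kernel queue was full */
    unsigned user_dropped;  /* 7: dropped because the netlink socket was full */
    unsigned id_sequence;   /* 8: running packet id */
};

/* Bit flags returned by nfq_health(). */
enum { NFQ_OK = 0, NFQ_USER_DROPS = 1, NFQ_STUCK = 2 };

/* Parse one proc line into *st.  Returns 1 on success, 0 if the line does
 * not carry the nine numeric fields (blank line, garbage). */
int parse_nfq_line(const char *line, struct nfq_stat *st)
{
    unsigned use_count;
    int n = sscanf(line, "%u %u %u %u %u %u %u %u %u",
                   &st->queue_num, &st->peer_pid, &st->queue_total,
                   &st->copy_mode, &st->copy_range, &st->queue_dropped,
                   &st->user_dropped, &st->id_sequence, &use_count);
    return n == 9;
}

/* Judge one sample.  idle means the operator has stopped all traffic, so a
 * non-zero queue_total is a packet that will sit there until the next
 * packet pushes it out: the "stuck packet" of this thread. */
int nfq_health(const struct nfq_stat *st, int idle)
{
    int flags = NFQ_OK;
    if (st->user_dropped > 0)
        flags |= NFQ_USER_DROPS;   /* raise rmem / NFQNL_QMAX_DEFAULT */
    if (idle && st->queue_total > 0)
        flags |= NFQ_STUCK;        /* only a reader restart clears this */
    return flags;
}

/* Walk a whole proc dump, print one line per unhealthy queue and return
 * how many queues were flagged. */
int report_queues(const char *dump, int idle)
{
    char copy[4096];
    char *line;
    int flagged = 0;

    strncpy(copy, dump, sizeof copy - 1);
    copy[sizeof copy - 1] = '\0';

    for (line = strtok(copy, "\n"); line; line = strtok(NULL, "\n")) {
        struct nfq_stat st;
        int h;
        if (!parse_nfq_line(line, &st))
            continue;
        h = nfq_health(&st, idle);
        if (h == NFQ_OK)
            continue;
        flagged++;
        printf("queue %u (pid %u): %u queued, %u dropped at socket%s%s\n",
               st.queue_num, st.peer_pid, st.queue_total, st.user_dropped,
               (h & NFQ_USER_DROPS) ? " [socket buffer overflowed]" : "",
               (h & NFQ_STUCK) ? " [stuck packet]" : "");
    }
    return flagged;
}

/* Constructed sample: Dave's illustration line plus Roman's two queues as
 * posted in this thread, read while no traffic was flowing. */
static const char SAMPLE_DUMP[] =
    "50 5679 1 2 65535 0 34 1155049 90214\n"
    " 1 4787 1 2 65535 0 889803 4062359 1\n"
    " 2 4788 1 2 65535 0 672482 3527632 1\n";

int main(void)
{
    int n = report_queues(SAMPLE_DUMP, 1);
    printf("%d queue(s) need attention\n", n);
    return 0;
}
```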
From: Roman G. <sl...@sl...> - 2007-04-09 17:06:43
My problem is following :

When I start snort_inline and then do simple ping I get 0.5ms responses.
Then I generate 100mbit load for 2 minutes or so.

Then when I try to ping again I get response time of 2000ms! with 10% packet loss all the time until I restart snort_inline.

During heavy load I see :
[4788] packet recv contents failure
messages. they disappear then.

The slow down is definitely snort_inline or the netlink QUEUE problem because then I remove a rule to put packets to the QUEUE I get immediately 0.5ms ping.

My system is standard debian etch box with 2.6.18 smp kernel
I compiled libnet pcre and snort_inline from sources with gcc 4.1 compiler with default compile flags.

My machine is dual athlon box in 32 bit mode.

software :
libnet 1.0.2a default configure
libdnet-1.11 default config
pcre-7.0 default configure

snort_inline snort_inline-2.6.1.2-BETA1
./configure --enable-nfnetlink --enable-queue --enable-linux-smp-stats --enable-perfprofiling --with-libipq-includes=/usr/local/include/ --enable-clamav

iptables version : 1.3.7

I hope someone knows the solution.

with best regards:
Roman Glebov aka sleon

I attach my snort inline configuration.

P.S.
------------
Secondly when I try to start snort_inline with the clamav preprocessor, it tells:
misconfigured dynamic preprocessor.
but it is less important.
From: Victor J. <li...@in...> - 2007-04-09 08:23:00
Hi harrismare,

How are you running Snort_inline (what commandline arguments)? Can you attach the configuration file you are using?

Regards,
Victor

maremare mare wrote:
> Hello..
> I've got a problem with my snort inline. I've installed snort inline 2.4.5
> on ubuntu edgy.
> rule in iptables : iptables -I INPUT -p tcp --dport 80 -j QUEUE
> and I want to test with modified web attack rules by adding :
> drop tcp any any -> any 80 (classtype:attempted-user; msg:"Port 80
> connection initiated";)
> I followed the steps in http://linuxgazette.net/117/savage.html
>
> Problem is :
> when running, snort inline can read packets from ip_queue, but does not block
> port 80.
> Please help :)
>
> This is the message when snort inline is running.
> Rule application order:
> ->activation->dynamic->drop->sdrop->reject->rejectboth->rejectsrc->rejectdst->alert->pass->log
> Log directory = /var/log/snort/
>
> --== Initialization Complete ==--
>
> ,,_ -*> Snort_Inline! <*-
> o" )~ Version 2.4.5 (Build 29)
> '''' By Martin Roesch & The Snort Team:
> http://www.snort.org/team.html
> (C) Copyright 1998-2005 Sourcefire Inc., et al.
> Snort_Inline Mod by William Metcalf, Victor Julien, Nick
> Rogness,
> Dave Remien, Rob McMillen and Jed Haile
> NOTE: Snort's default output has changed in version 2.4.1!
> The default logging mode is now PCAP, use "-K ascii" to activate
> the old default logging mode.
>
> 03/26-21:14:37.497682 127.0.0.1:80 -> 127.0.0.1:35218
> TCP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:60 DF
> ***A**S* Seq: 0x413860F1 Ack: 0x410A66AC Win: 0x8000 TcpLen: 40
> TCP Options (5) => MSS: 16396 SackOK TS: 7416483 7416483 NOP WS: 2
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> 03/26-21:14:40.494183 127.0.0.1:80 -> 127.0.0.1:35218
> TCP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:60 DF
> ***A**S* Seq: 0x413860F1 Ack: 0x410A66AC Win: 0x8000 TcpLen: 40
> TCP Options (5) => MSS: 16396 SackOK TS: 7417233 7416483 NOP WS: 2
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> 03/26-21:14:41.293851 127.0.0.1:80 -> 127.0.0.1:35218
> TCP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:60 DF
> ***A**S* Seq: 0x413860F1 Ack: 0x410A66AC Win: 0x8000 TcpLen: 40
> TCP Options (5) => MSS: 16396 SackOK TS: 7417433 7416483 NOP WS: 2
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
>
>
> ===============================================================================
>
> Snort processed 3 packets.
> ===============================================================================
> Breakdown by protocol:
> TCP: 3 (100.000%)
> UDP: 0 (0.000%)
> ICMP: 0 (0.000%)
> ARP: 0 (0.000%)
> EAPOL: 0 (0.000%)
> IPv6: 0 (0.000%)
> ETHLOOP: 0 (0.000%)
> IPX: 0 (0.000%)
> FRAG: 0 (0.000%)
> OTHER: 0 (0.000%)
> DISCARD: 0 (0.000%)
> ===============================================================================
> Action Stats:
> ALERTS: 0
> LOGGED: 0
> PASSED: 0
> ===============================================================================
> Final Flow Statistics
> ,----[ FLOWCACHE STATS ]----------
> Memcap: 10485760 Overhead Bytes 16400 used(%0.156403)/blocks (16400/1)
> Overhead blocks: 1 Could Hold: (0)
> IPV4 count: 0 frees: 0
> low_time: 0, high_time: 0, diff: 0h:00:00s
> finds: 0 reversed: 0(%0.000000)
> find_sucess: 0 find_fail: 0
> percent_success: (%0.000000) new_flows: 0
> Frag3 statistics:
> Total Fragments: 0
> Frags Reassembled: 0
> Discards: 0
> Memory Faults: 0
> Timeouts: 0
> Overlaps: 0
> Anomalies: 0
> Alerts: 0
> FragTrackers Added: 0
> FragTrackers Dumped: 0
> FragTrackers Auto Freed: 0
> Frag Nodes Inserted: 0
> Frag Nodes Deleted: 0
> ===============================================================================
> Snort exiting
>
>
> thanks before
>
> regards
>
> harrismare
From: maremare m. <ma...@gm...> - 2007-04-09 08:15:55
Hello..

I've got a problem with my snort inline. I've installed snort inline 2.4.5 on ubuntu edgy.

rule in iptables : iptables -I INPUT -p tcp --dport 80 -j QUEUE

and I want to test with modified web attack rules by adding :
drop tcp any any -> any 80 (classtype:attempted-user; msg:"Port 80 connection initiated";)

I followed the steps in http://linuxgazette.net/117/savage.html

Problem is :
when running, snort inline can read packets from ip_queue, but does not block port 80.
Please help :)

This is the message when snort inline is running.

Rule application order:
->activation->dynamic->drop->sdrop->reject->rejectboth->rejectsrc->rejectdst->alert->pass->log
Log directory = /var/log/snort/

--== Initialization Complete ==--

,,_ -*> Snort_Inline! <*-
o" )~ Version 2.4.5 (Build 29)
'''' By Martin Roesch & The Snort Team: http://www.snort.org/team.html
(C) Copyright 1998-2005 Sourcefire Inc., et al.
Snort_Inline Mod by William Metcalf, Victor Julien, Nick Rogness,
Dave Remien, Rob McMillen and Jed Haile
NOTE: Snort's default output has changed in version 2.4.1!
The default logging mode is now PCAP, use "-K ascii" to activate
the old default logging mode.

03/26-21:14:37.497682 127.0.0.1:80 -> 127.0.0.1:35218
TCP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:60 DF
***A**S* Seq: 0x413860F1 Ack: 0x410A66AC Win: 0x8000 TcpLen: 40
TCP Options (5) => MSS: 16396 SackOK TS: 7416483 7416483 NOP WS: 2
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

03/26-21:14:40.494183 127.0.0.1:80 -> 127.0.0.1:35218
TCP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:60 DF
***A**S* Seq: 0x413860F1 Ack: 0x410A66AC Win: 0x8000 TcpLen: 40
TCP Options (5) => MSS: 16396 SackOK TS: 7417233 7416483 NOP WS: 2
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

03/26-21:14:41.293851 127.0.0.1:80 -> 127.0.0.1:35218
TCP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:60 DF
***A**S* Seq: 0x413860F1 Ack: 0x410A66AC Win: 0x8000 TcpLen: 40
TCP Options (5) => MSS: 16396 SackOK TS: 7417433 7416483 NOP WS: 2
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

===============================================================================
Snort processed 3 packets.
===============================================================================
Breakdown by protocol:
TCP: 3 (100.000%)
UDP: 0 (0.000%)
ICMP: 0 (0.000%)
ARP: 0 (0.000%)
EAPOL: 0 (0.000%)
IPv6: 0 (0.000%)
ETHLOOP: 0 (0.000%)
IPX: 0 (0.000%)
FRAG: 0 (0.000%)
OTHER: 0 (0.000%)
DISCARD: 0 (0.000%)
===============================================================================
Action Stats:
ALERTS: 0
LOGGED: 0
PASSED: 0
===============================================================================
Final Flow Statistics
,----[ FLOWCACHE STATS ]----------
Memcap: 10485760 Overhead Bytes 16400 used(%0.156403)/blocks (16400/1)
Overhead blocks: 1 Could Hold: (0)
IPV4 count: 0 frees: 0
low_time: 0, high_time: 0, diff: 0h:00:00s
finds: 0 reversed: 0(%0.000000)
find_sucess: 0 find_fail: 0
percent_success: (%0.000000) new_flows: 0
Frag3 statistics:
Total Fragments: 0
Frags Reassembled: 0
Discards: 0
Memory Faults: 0
Timeouts: 0
Overlaps: 0
Anomalies: 0
Alerts: 0
FragTrackers Added: 0
FragTrackers Dumped: 0
FragTrackers Auto Freed: 0
Frag Nodes Inserted: 0
Frag Nodes Deleted: 0
===============================================================================
Snort exiting

thanks before

regards

harrismare
From: shetravel <she...@gm...> - 2007-03-22 17:14:32
Hi,

Whenever I tried to execute the snort-inline with the -Q option, it always
failed with the following messages.

InitInline: : Failed to send netlink message: Connection refused

# iptables -V
iptables v1.3.5

# lsmod
Module                  Size  Used by    Not tainted
ip_queue                5816  0

# cat /proc/net/netlink
sk       Eth Pid    Groups   Rmem     Wmem     Dump     Locks
dfde2040 0   0      00000000 0        0        00000000 2
df4df3e0 3   0      00000000 0        0        00000000 3
dfde2740 4   0      00000000 0        0        00000000 2
df4df060 5   0      00000000 0        0        00000000 2

# cat /proc/net/ip_queue
Peer PID          : 0
Copy mode         : 0
Copy range        : 0
Queue length      : 0
Queue max. length : 1024

any ideas ?

thanks in advance.
jason
From: Will M. <wil...@gm...> - 2007-03-12 17:58:57
Same differences as before. We are ironing out some issues with 2.6.1.3 and
stream4inline which is what is taking so long to get a release out.

Regards,

Will

On 3/12/07, Bill Warren <bw...@op...> wrote:
>
> Does it matter if I use Snort 2.6 with the --inline command or
> Snort_Inline 2.6?
> --
>
> Bill Warren
>
> Network Systems Administrator
> Optivel, Inc.
> 317.275.2305 office
> 317.523.8468 cell
> www.optivel.com
>
From: Bill W. <bw...@op...> - 2007-03-12 15:54:43
Does it matter if I use Snort 2.6 with the --inline command or
Snort_Inline 2.6?
--

Bill Warren

Network Systems Administrator
Optivel, Inc.
317.275.2305 office
317.523.8468 cell
www.optivel.com
From: Will M. <wil...@gm...> - 2007-03-07 01:30:20
As long as you are forcing HAVP to be your upstream proxy you should get back
a "page has been blocked because of virus xyz" message...... Make sure you
have ALL of the lines listed on the FAQ page...

acl all src 0.0.0.0/0.0.0.0
cache_peer 127.0.0.1 parent 8000 0 no-query no-digest no-netdb-exchange default
cache_peer_access 127.0.0.1 allow all
acl Scan_HTTP proto HTTP
never_direct allow Scan_HTTP

Regards,

Will

On 3/6/07, Cooper F. Nelson <cn...@uc...> wrote:
>
> I have done this and it works great, in that malicious content does not
> make it into the squid cache. It's pretty fast and uses both clamav and
> snort sigs, so I'm covered for virus, malware, phishing and web client
> exploits. Once content is validated it sits in the squid cache for fast
> retrieval.
>
> The only problem is that the page just hangs in the browser until it
> times out. I've been trying to figure out a way to hijack the session
> and redirect it to a page that would alert the reader to the malicious
> content and block the offending site for some period of time.
>
> My initial opinion was that the bait'n'switch code could be turned on
> its ear and proxy the source of the attack, rather than the destination.
> However, in retrospect this seems clunky and would not work with the
> clamav preprocessor (I don't think).
>
> My current thinking is either to punt the whole thing and just use HAVP,
> or setup a named pipe to write snort alerts to and create some sort of
> daemon to create IP tables rules based on alerts piped to it.
>
> -Cooper
>
>
> Will Metcalf wrote:
> > why not just your traffic through squid and snort_inline?
> >
> > On 3/6/07, *Cooper F. Nelson* <cn...@uc...
> > <mailto:cn...@uc...>> wrote:
> >
> >     I did not know about it! Thanks for the tip, I will look into it.
> >
> >     I've also seen the squidclamav product, http://www.samse.fr/GPL/
> >     , which I was not able to get to work.
> >
> >     I was able to get the snort-inline based solution working pretty
> >     easily and blocking on virus, phishing and web client exploits;
> >     however the bad packet is just dropped. No way currently to alert
> >     the user of malicious content.
> >
> >     My problem with both of these projects is that they are basically
> >     AV based, where I want AV + web client exploits. Maybe the right
> >     thing to do is write a parser that can read snort rules and
> >     generate clamav sigs from them.
> >
> >     I guess I could also create a daemon to read the snort logs or
> >     database and creates IP tables based rule on that.
> >
> >     -Cooper
> >
>
> --
> Cooper Nelson
> Network Security Analyst
> UCSD ACS/Network Operations
> cn...@uc... x41042
>
From: Cooper F. N. <cn...@uc...> - 2007-03-07 00:36:10
I have done this and it works great, in that malicious content does not
make it into the squid cache. It's pretty fast and uses both clamav and
snort sigs, so I'm covered for virus, malware, phishing and web client
exploits. Once content is validated it sits in the squid cache for fast
retrieval.

The only problem is that the page just hangs in the browser until it
times out. I've been trying to figure out a way to hijack the session
and redirect it to a page that would alert the reader to the malicious
content and block the offending site for some period of time.

My initial opinion was that the bait'n'switch code could be turned on
its ear and proxy the source of the attack, rather than the destination.
However, in retrospect this seems clunky and would not work with the
clamav preprocessor (I don't think).

My current thinking is either to punt the whole thing and just use HAVP,
or setup a named pipe to write snort alerts to and create some sort of
daemon to create IP tables rules based on alerts piped to it.

-Cooper


Will Metcalf wrote:
> why not just your traffic through squid and snort_inline?
>
> On 3/6/07, *Cooper F. Nelson* <cn...@uc...
> <mailto:cn...@uc...>> wrote:
>
>     I did not know about it! Thanks for the tip, I will look into it.
>
>     I've also seen the squidclamav product, http://www.samse.fr/GPL/
>     , which I was not able to get to work.
>
>     I was able to get the snort-inline based solution working pretty
>     easily and blocking on virus, phishing and web client exploits;
>     however the bad packet is just dropped. No way currently to alert
>     the user of malicious content.
>
>     My problem with both of these projects is that they are basically
>     AV based, where I want AV + web client exploits. Maybe the right
>     thing to do is write a parser that can read snort rules and
>     generate clamav sigs from them.
>
>     I guess I could also create a daemon to read the snort logs or
>     database and creates IP tables based rule on that.
>
>     -Cooper
>

--
Cooper Nelson
Network Security Analyst
UCSD ACS/Network Operations
cn...@uc... x41042
From: Will M. <wil...@gm...> - 2007-03-06 22:25:05
why not just your traffic through squid and snort_inline?

On 3/6/07, Cooper F. Nelson <cn...@uc...> wrote:
>
> I did not know about it! Thanks for the tip, I will look into it.
>
> I've also seen the squidclamav product, http://www.samse.fr/GPL/
> , which I was not able to get to work.
>
> I was able to get the snort-inline based solution working pretty easily
> and blocking on virus, phishing and web client exploits; however the bad
> packet is just dropped. No way currently to alert the user of malicious
> content.
>
> My problem with both of these projects is that they are basically AV
> based, where I want AV + web client exploits. Maybe the right thing to
> do is write a parser that can read snort rules and generate clamav sigs
> from them.
>
> I guess I could also create a daemon to read the snort logs or database
> and creates IP tables based rule on that.
>
> -Cooper
>
>
> Will Metcalf wrote:
> > Why would you not use and or extend HAVP?
> >
> > http://www.server-side.de/
> >
> > On 3/2/07, *Cooper F. Nelson* <cn...@uc...
> > <mailto:cn...@uc...>> wrote:
> >
> >     Hi,
> >
> >     I'm currently evaluating the possibility of using snort-inline as a
> >     malware/phishing filter on an existing squid cache.
> >
> >     I would appreciate some feedback/suggestions on a few issues.
> >
> >     Performance is critical. Does --enable-nfnetlink help in this
> >     regard? Are there any other suggestions to optimize deployment,
> >     other than simply enabling only the rules/preprocessors
> >     appropriate for web traffic?
> >
> >     As a feature request, would it be possible to add an iptables
> >     client re-direct to the clamav preprocessor and rule syntax? I
> >     would like to implement something like SquidClamAV project where
> >     users are presented with a page detailing that the site is blocked
> >     and why.
> >
> >     --
> >     Cooper Nelson
> >     Network Security Analyst
> >     UCSD ACS/Network Operations
> >     cn...@uc... <mailto:cn...@uc...> x41042
> >
>
> --
> Cooper Nelson
> Network Security Analyst
> UCSD ACS/Network Operations
> cn...@uc... x41042
>
From: Cooper F. N. <cn...@uc...> - 2007-03-06 21:01:43
I did not know about it! Thanks for the tip, I will look into it.

I've also seen the squidclamav product, http://www.samse.fr/GPL/ , which
I was not able to get to work.

I was able to get the snort-inline based solution working pretty easily
and blocking on virus, phishing and web client exploits; however the bad
packet is just dropped. No way currently to alert the user of malicious
content.

My problem with both of these projects is that they are basically AV
based, where I want AV + web client exploits. Maybe the right thing to
do is write a parser that can read snort rules and generate clamav sigs
from them.

I guess I could also create a daemon to read the snort logs or database
and creates IP tables based rule on that.

-Cooper


Will Metcalf wrote:
> Why would you not use and or extend HAVP?
>
> http://www.server-side.de/
>
> On 3/2/07, *Cooper F. Nelson* <cn...@uc...
> <mailto:cn...@uc...>> wrote:
>
>     Hi,
>
>     I'm currently evaluating the possibility of using snort-inline as a
>     malware/phishing filter on an existing squid cache.
>
>     I would appreciate some feedback/suggestions on a few issues.
>
>     Performance is critical. Does --enable-nfnetlink help in this regard?
>     Are there any other suggestions to optimize deployment, other than
>     simply enabling only the rules/preprocessors appropriate for web
>     traffic?
>
>     As a feature request, would it be possible to add an iptables client
>     re-direct to the clamav preprocessor and rule syntax? I would like to
>     implement something like SquidClamAV project where users are presented
>     with a page detailing that the site is blocked and why.
>
>     --
>     Cooper Nelson
>     Network Security Analyst
>     UCSD ACS/Network Operations
>     cn...@uc... <mailto:cn...@uc...> x41042
>

--
Cooper Nelson
Network Security Analyst
UCSD ACS/Network Operations
cn...@uc... x41042
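Cooper's idea, in this message and in his later one further up the thread, is a daemon that reads Snort alerts from a named pipe and turns them into iptables rules that block the offending site for some period of time. The following is an added example of that approach, not code from snort_inline or from anyone in this thread. It assumes Snort's alert_fast output format, that iptables runs on the same host, that the FORWARD chain is where a transparent squid/snort_inline box should drop the traffic, and that the alert's source address is the remote site (which holds only when the sensor faces the client side, as in Cooper's setup). The sample alert lines, rule ids and TEST-NET addresses are constructed, and PROTECTED is a placeholder for the local client ranges that must never be dropped.

```python
"""Alert-driven blocking: Snort alert_fast lines -> time-limited iptables
DROP rules for the offending source.  Added example, not snort_inline code.
Assumed: Snort writes alert_fast output to a FIFO, iptables runs here, and
the FORWARD chain is the right place on a transparent squid/snort_inline box."""
import re
import subprocess
import time
from ipaddress import ip_address, ip_network

# One alert_fast record; Classification is optional, ports are absent for ICMP.
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[0-9.]+)(?::\d+)?\s+->\s+(?P<dst>[0-9.]+)(?::\d+)?\s*$"
)

# Placeholder for ranges this box must never DROP (loopback plus local clients).
PROTECTED = [ip_network("127.0.0.0/8"), ip_network("10.0.0.0/8")]

# Constructed sample input (TEST-NET addresses, made-up sids and messages).
SAMPLE_ALERTS = [
    "03/06-20:58:12.113322  [**] [1:2000000:1] CONSTRUCTED phishing page [**] "
    "[Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.10:80 -> 10.0.0.5:35218",
    "03/06-20:58:13.000001  [**] [1:2000000:1] CONSTRUCTED phishing page [**] "
    "[Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.10:80 -> 10.0.0.5:35219",
    "03/06-20:59:00.500000  [**] [1:2000001:1] CONSTRUCTED ICMP info [**] "
    "[Classification: Misc activity] [Priority: 3] {ICMP} 198.51.100.7 -> 10.0.0.5",
    "03/06-21:00:00.000000  [**] [1:2000002:1] CONSTRUCTED malware download [**] "
    "[Priority: 2] {TCP} 192.0.2.44:80 -> 10.0.0.6:40000",
    "03/06-21:00:01.000000  [**] [1:2000003:1] CONSTRUCTED local noise [**] "
    "[Priority: 1] {TCP} 10.0.0.9:1234 -> 10.0.0.5:80",
    "not an alert line at all",
]


def parse_alert(line):
    """Return {src, dst, sid, priority, msg} or None for a malformed line."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    try:
        src = ip_address(m.group("src"))   # rejects things like 300.1.1.1
    except ValueError:
        return None
    return {"src": str(src), "dst": m.group("dst"), "sid": int(m.group("sid")),
            "priority": int(m.group("prio")), "msg": m.group("msg")}


class Blocklist:
    """Which sources are blocked, and when each DROP rule should come out again."""

    def __init__(self, ttl_seconds=3600, chain="FORWARD", max_priority=2):
        self.ttl, self.chain = ttl_seconds, chain
        self.max_priority = max_priority   # Snort priority 1 is the most severe
        self.expiry = {}                   # ip -> time at which its rule expires

    def _rule(self, action, ip):
        # argv form, so the address never goes through a shell
        return ["iptables", action, self.chain, "-s", ip, "-j", "DROP"]

    def consider(self, alert, now):
        """iptables argv for one parsed alert, or None when nothing changes
        (unparsed, too low a priority, protected address, or already blocked;
        a repeat alert only refreshes the timer)."""
        if alert is None or alert["priority"] > self.max_priority:
            return None
        ip = alert["src"]
        if any(ip_address(ip) in net for net in PROTECTED):
            return None
        already = ip in self.expiry
        self.expiry[ip] = now + self.ttl
        return None if already else self._rule("-I", ip)

    def expire(self, now):
        """Commands that remove the rules whose TTL has passed."""
        cmds = []
        for ip, until in list(self.expiry.items()):
            if until <= now:
                del self.expiry[ip]
                cmds.append(self._rule("-D", ip))
        return cmds


def plan(lines, now, blocklist=None):
    """Dry run: the iptables commands a batch of alert lines would trigger."""
    bl = blocklist if blocklist is not None else Blocklist()
    return [c for c in (bl.consider(parse_alert(l), now) for l in lines) if c]


def run(fifo_path):
    """Daemon loop: read the FIFO Snort writes to, apply new rules and drop
    expired ones as lines arrive.  Needs root; not used by the dry run."""
    bl = Blocklist()
    while True:
        with open(fifo_path) as fifo:   # reopen after the writer closes the pipe
            for line in fifo:
                now = time.time()
                for cmd in [bl.consider(parse_alert(line), now)] + bl.expire(now):
                    if cmd:
                        subprocess.run(cmd, check=False)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        run(sys.argv[1])   # e.g. an assumed /var/log/snort/alert.fifo
    else:
        for cmd in plan(SAMPLE_ALERTS, time.time()):
            print(" ".join(cmd))
```

Run without arguments it prints the two DROP rules the sample would produce (the repeat alert for 203.0.113.10 is deduplicated, the priority-3 ICMP alert is ignored, and the alert whose source is in the protected 10.0.0.0/8 range is never blocked). The TTL gives Cooper's "some period of time": a source is unblocked when no further alert has refreshed its timer. Because a writer can close the FIFO between Snort restarts, the loop reopens it rather than exiting on end-of-file.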
From: Will M. <wil...@gm...> - 2007-03-05 13:26:30
Why would you not use and or extend HAVP?

http://www.server-side.de/

On 3/2/07, Cooper F. Nelson <cn...@uc...> wrote:
>
> Hi,
>
> I'm currently evaluating the possibility of using snort-inline as a
> malware/phishing filter on an existing squid cache.
>
> I would appreciate some feedback/suggestions on a few issues.
>
> Performance is critical. Does --enable-nfnetlink help in this regard?
> Are there any other suggestions to optimize deployment, other than
> simply enabling only the rules/preprocessors appropriate for web traffic?
>
> As a feature request, would it be possible to add an iptables client
> re-direct to the clamav preprocessor and rule syntax? I would like to
> implement something like SquidClamAV project where users are presented
> with a page detailing that the site is blocked and why.
>
> --
> Cooper Nelson
> Network Security Analyst
> UCSD ACS/Network Operations
> cn...@uc... x41042
>
From: Cooper F. N. <cn...@uc...> - 2007-03-02 23:08:08
Hi,

I'm currently evaluating the possibility of using snort-inline as a
malware/phishing filter on an existing squid cache.

I would appreciate some feedback/suggestions on a few issues.

Performance is critical. Does --enable-nfnetlink help in this regard?
Are there any other suggestions to optimize deployment, other than
simply enabling only the rules/preprocessors appropriate for web traffic?

As a feature request, would it be possible to add an iptables client
re-direct to the clamav preprocessor and rule syntax? I would like to
implement something like SquidClamAV project where users are presented
with a page detailing that the site is blocked and why.

--
Cooper Nelson
Network Security Analyst
UCSD ACS/Network Operations
cn...@uc... x41042
From: Will M. <wil...@gm...> - 2007-03-02 13:53:41
can you send your full snort_inline.conf?

On 3/2/07, cross <cr...@sm...> wrote:
>
> Hi!
> I test snort_inline config with the snort_inline -QNTc snort_inline.conf
> command, but it stops for too long a time somewhere as follows, and CPU
> loading is too high.
> ++++++++++++++++++++++++++++++++++++++++++++++++++++
> DNS config:
>     DNS Client rdata txt Overflow Alert: ACTIVE
>     Obsolete DNS RR Types Alert: INACTIVE
>     Experimental DNS RR Types Alert: INACTIVE
>     Ports: 53
> Verifying Preprocessor Configurations!
> Warning: flowbits key 'ms_sql_seen_dns' is checked but not ever set.
> Warning: flowbits key 'realplayer.playlist' is checked but not ever set.
> Warning: flowbits key 'dce.isystemactivator.bind.call.attempt' is set
> but not ever checked.
> Warning: flowbits key 'dce.bind.veritas' is set but not ever checked.
> 43 out of 2048 flowbits in use.
> Setting the Packet Processor to decode packets from iptables
> ++++++++++++++++++++++++++++++++++++++++++++++++++++
>
> why?
>
> Regards,
>
> cross
>
From: cross <cr...@sm...> - 2007-03-02 09:48:49
Hi!
I test snort_inline config with the snort_inline -QNTc snort_inline.conf
command, but it stops for too long a time somewhere as follows, and CPU
loading is too high.
++++++++++++++++++++++++++++++++++++++++++++++++++++
DNS config:
    DNS Client rdata txt Overflow Alert: ACTIVE
    Obsolete DNS RR Types Alert: INACTIVE
    Experimental DNS RR Types Alert: INACTIVE
    Ports: 53
Verifying Preprocessor Configurations!
Warning: flowbits key 'ms_sql_seen_dns' is checked but not ever set.
Warning: flowbits key 'realplayer.playlist' is checked but not ever set.
Warning: flowbits key 'dce.isystemactivator.bind.call.attempt' is set
but not ever checked.
Warning: flowbits key 'dce.bind.veritas' is set but not ever checked.
43 out of 2048 flowbits in use.
Setting the Packet Processor to decode packets from iptables
++++++++++++++++++++++++++++++++++++++++++++++++++++

why?

Regards,

cross
From: Will M. <wil...@gm...> - 2007-02-22 00:35:01
Also if you are just looking for a webproxy that scans with clamav, let me
suggest HAVP.

http://havp.sourceforge.net/

Regards,

Will

On 2/21/07, Will Metcalf <wil...@gm...> wrote:
>
> change cl_scanbuff in the chunk of configure.in shown below to read
> cl_scandesc and then make distclean && autojunk.sh && ./configure
> --enable-clamav && make && make install. Otherwise you can check out the
> working version of snort_inline-2.6.1.3 from svn by
>
> svn co https://snort-inline.svn.sourceforge.net/svnroot/snort-inline/trunk/
>
> Regards,
>
> Will
>
>
> AC_CHECK_LIB(clamav,cl_scanbuff,, LCLAM="no")
> if test "$LCLAM" = "no"; then
>   echo
>   echo "   ERROR!  libclamav library not found, go get it from"
>   echo "   http://www.clamav.net/ or make sure that the place"
>   echo "   you installed it is in the library path."
>   exit
> fi
>
>
> On 2/21/07, Cooper F. Nelson <cn...@uc...> wrote:
> >
> > Hi,
> >
> > I tried building the clamav_preprocessor against the latest .90 clamav
> > release and was unsuccessful. Is this a known issue or am I doing
> > something wrong? I can dig up the error report if that helps.
> >
> > I'm interested in building a webproxy to filter phishing sites via the
> > signatures from http://www.sanesecurity.com/clamav/downloads.htm , which
> > seem to require the latest & greatest clamav.
> >
> > --
> > Cooper Nelson
> > Network Security Analyst
> > UCSD ACS/Network Operations
> > cn...@uc... x41042
> >
From: Will M. <wil...@gm...> - 2007-02-22 00:33:11
change cl_scanbuff in the chunk of configure.in shown below to read
cl_scandesc and then make distclean && autojunk.sh && ./configure
--enable-clamav && make && make install. Otherwise you can check out the
working version of snort_inline-2.6.1.3 from svn by

svn co https://snort-inline.svn.sourceforge.net/svnroot/snort-inline/trunk/

Regards,

Will


AC_CHECK_LIB(clamav,cl_scanbuff,, LCLAM="no")
if test "$LCLAM" = "no"; then
  echo
  echo "   ERROR!  libclamav library not found, go get it from"
  echo "   http://www.clamav.net/ or make sure that the place"
  echo "   you installed it is in the library path."
  exit
fi


On 2/21/07, Cooper F. Nelson <cn...@uc...> wrote:
>
> Hi,
>
> I tried building the clamav_preprocessor against the latest .90 clamav
> release and was unsuccessful. Is this a known issue or am I doing
> something wrong? I can dig up the error report if that helps.
>
> I'm interested in building a webproxy to filter phishing sites via the
> signatures from http://www.sanesecurity.com/clamav/downloads.htm , which
> seem to require the latest & greatest clamav.
>
> --
> Cooper Nelson
> Network Security Analyst
> UCSD ACS/Network Operations
> cn...@uc... x41042
>
From: Cooper F. N. <cn...@uc...> - 2007-02-21 22:51:23
Hi,

I tried building the clamav_preprocessor against the latest .90 clamav
release and was unsuccessful. Is this a known issue or am I doing
something wrong? I can dig up the error report if that helps.

I'm interested in building a webproxy to filter phishing sites via the
signatures from http://www.sanesecurity.com/clamav/downloads.htm , which
seem to require the latest & greatest clamav.

--
Cooper Nelson
Network Security Analyst
UCSD ACS/Network Operations
cn...@uc... x41042