From: Nick R. <ni...@ro...> - 2007-01-31 01:21:53
> Which I suppose messes up the snort-inline port also, paul? You ever use
> it?

Yes, this would mess up the snort-inline port as well...since the logging
part is the same for inline and vanilla.

> -----Original Message-----
> From: sno...@li... [mailto:sno...@li...] On Behalf Of Paul Schmehl
> Sent: Tuesday, January 23, 2007 4:25 PM
> To: sno...@li...
> Subject: Re: [Snort-users] Just upgraded snort - now barnyard won't run
>
> I just downgraded snort to 2.6.1.1, and this problem went away. It appears
> there is something wrong with 2.6.1.2 that causes writes to the logs that
> barnyard doesn't like.
>
> --On Tuesday, January 23, 2007 10:45:08 -0600 Paul Schmehl
> <pa...@ut...> wrote:
>
>> I just upgraded snort to version 2.6.1.2 (FreeBSD 6.1):
>> snort -V
>>
>>    ,,_     -*> Snort! <*-
>>   o"  )~   Version 2.6.1.2 (Build 34) FreeBSD
>>    ''''    By Martin Roesch & The Snort Team: http://www.snort.org/team.html
>>            (C) Copyright 1998-2006 Sourcefire Inc., et al.
>>
>> Now barnyard won't start:
>> tail /var/log/messages
>> Jan 22 22:30:01 buttercup3 snort[56469]: Writing PID "56469" to file "/var/run//snort_bge0E.pid"
>> Jan 22 22:30:01 buttercup3 snort[56469]: Daemon initialized, signaled parent pid: 56468
>> Jan 22 22:30:01 buttercup3 snort[56468]: Daemon parent exiting
>> Jan 22 22:31:06 buttercup3 snort[56469]: Snort initialization completed successfully (pid=56469)
>> Jan 22 22:31:06 buttercup3 snort[56469]: Not Using PCAP_FRAMES
>> Jan 23 16:08:43 buttercup3 barnyard[68251]: Initializing daemon mode
>> Jan 23 16:08:43 buttercup3 barnyard[68252]: Opened spool file '/var/log/snort//snort.log.1169504455'
>> Jan 23 16:08:43 buttercup3 barnyard[68252]: ERROR: Invalid packet length: 3810967040
>> Jan 23 16:08:43 buttercup3 barnyard[68252]: FATAL ERROR: Read error
>> Jan 23 16:08:43 buttercup3 barnyard[68252]: Exiting
>>
>> Snort.conf has:
>> grep output /usr/local/etc/snort/snort.conf
>> # Step #4: Configure output plugins
>> # output alert_unified: filename snort.alert, limit 128
>> output log_unified: filename snort.log, limit 128
>>
>> Was the spo_unified log format changed in some way?
>>
>> I've deleted a bunch of log files to get barnyard to start and stay
>> running, but as soon as snort creates a new logfile, barnyard exits
>> with a FATAL ERROR.
>>
>> Paul Schmehl (pa...@ut...)
>> Senior Information Security Analyst
>> The University of Texas at Dallas http://www.utdallas.edu/ir/security/

Nick Rogness <ni...@ro...>
From: Will M. <wil...@gm...> - 2007-01-26 13:46:24
(from the 2.6.1.2 source directory)

make distclean && ./autojunk.sh && ./configure && make && make install

On 1/26/07, Cyril CLOCHARD <cyr...@gm...> wrote:
> > > Maybe you can try to see if the new 2.6.1.2-BETA1 version works better:
> > > http://sourceforge.net/project/showfiles.php?group_id=78497&package_id=219144&release_id=480637
>
> I have already tested with the latest Beta version but I've the same
> problem.
>
> > > I 've started ip_queue
> > > I've add those rules in iptables:
> > >
> > > iptables -A INPUT -p tcp --dport 80 -j QUEUE
> > > iptables -A OUTPUT -p tcp --sport 80 -j QUEUE
> >
> > These rules apply to incoming http connections, not outgoing. Is that what
> > you want?
> >
> > Please test if icmp and udp do work. If so, your problem might be this:
> > http://sourceforge.net/mailarchive/forum.php?thread_id=31006775&forum_id=32933
> >
> > Cheers,
> > Victor
>
> Hi Victor
>
> i have tested with the new BETA version of snort_inline but I've the same
> problem.
> When I add those lines, there is just TCP protocol blocked.
>
> iptables -I INPUT -p tcp --dport 80 -j QUEUE
> iptables -I INPUT -p udp --dport 20000 -j QUEUE
> iptables -I INPUT -p icmp -j QUEUE
>
> So I tried to recompile snort_inline with '-fno-strict-aliasing' set at the
> variable CFLAGS.
> I did this:
>
> ./configure --with-mysql --enable-dynamicplugin
> make "CFLAGS=-g -O2 -Wall -DDYNAMIC_PLUGIN -fno-strict-aliasing"
> make install
>
> but I have errors:
>
> sf_dynamic_plugins.c: In function 'InitDynamicEngines':
> sf_dynamic_plugins.c:843: attention : pointer targets in assignment differ in signedness
> sf_dynamic_plugins.c: In function 'DynamicDropInline':
> sf_dynamic_plugins.c:922: attention : implicit declaration of function 'InlineDrop'
> sf_dynamic_plugins.c: In function 'InitDynamicPreprocessors':
> sf_dynamic_plugins.c:957: attention : pointer targets in assignment differ in signedness
> sf_dynamic_plugins.c:985: erreur: 'InlineMode' undeclared (first use in this function)
> sf_dynamic_plugins.c:985: erreur: (Each undeclared identifier is reported only once
> sf_dynamic_plugins.c:985: erreur: for each function it appears in.)
> make[4]: *** [sf_dynamic_plugins.o] Erreur 1
> make[4]: quittant le répertoire « /usr/local/src/snort_inline-2.6.1.2-BETA1/src/dynamic-plugins »
> make[3]: *** [all-recursive] Erreur 1
> make[3]: quittant le répertoire « /usr/local/src/snort_inline-2.6.1.2-BETA1/src/dynamic-plugins »
> make[2]: *** [all-recursive] Erreur 1
> make[2]: quittant le répertoire « /usr/local/src/snort_inline-2.6.1.2-BETA1/src »
> make[1]: *** [all-recursive] Erreur 1
> make[1]: quittant le répertoire « /usr/local/src/snort_inline-2.6.1.2-BETA1 »
> make: *** [all] Erreur 2
>
> So I tried without the --enable-dynamicplugin option:
> I did this:
>
> ./configure --with-mysql
> make "CFLAGS=-g -O2 -Wall -fno-strict-aliasing"
> make install
>
> and I have those errors:
>
> spp_stream4.c:3902: erreur: 'Stream4Data' has no member named 'drop_bad_rst'
> spp_stream4.c:3907: attention : implicit declaration of function 'InlineDropPacketOnly'
> spp_stream4.c: In function 'CreateNewSession':
> spp_stream4.c:4433: erreur: 'Stream' has no member named 'rc'
> spp_stream4.c:4433: erreur: 'Stream' has no member named 'rc'
> spp_stream4.c:4434: erreur: 'Stream' has no member named 'rc'
> spp_stream4.c:4434: erreur: 'Stream' has no member named 'rc'
> spp_stream4.c: In function 'Stream4ShutdownFunction':
> spp_stream4.c:5196: erreur: 'Stream4Data' has no member named 'store_state_to_disk'
> spp_stream4.c:5198: erreur: 'Stream4Data' has no member named 'state_file'
> spp_stream4.c: In function 'Stream4RestartFunction':
> spp_stream4.c:5231: erreur: 'Stream4Data' has no member named 'store_state_to_disk'
> spp_stream4.c:5233: erreur: 'Stream4Data' has no member named 'state_file'
> spp_stream4.c: In function 'FlushStream':
> spp_stream4.c:7433: erreur: 'Stream4Data' has no member named 'stream4inline_mode'
> spp_stream4.c: In function 'AlertFlushStream':
> spp_stream4.c:7797: erreur: 'Stream4Data' has no member named 'stream4inline_mode'
> spp_stream4.c: In function 'ForceFlushStream':
> spp_stream4.c:7909: erreur: 'Stream4Data' has no member named 'stream4inline_mode'
> make[4]: *** [spp_stream4.o] Erreur 1
>
> I'm sorry to disturb you like that, I'm a novice in Linux.
> If you have any suggestions about this problem....
> Thanks a lot again for all you're doing.
>
> Cheers,
> Cyril
>
> --
> CLOCHARD Cyril
> 12, rue du château
> 79300 Bressuire
> Tél: 06 73 86 43 33
From: Cyril C. <cyr...@gm...> - 2007-01-26 13:33:51
> > Maybe you can try to see if the new 2.6.1.2-BETA1 version works better:
> > http://sourceforge.net/project/showfiles.php?group_id=78497&package_id=219144&release_id=480637

I have already tested with the latest Beta version but I've the same
problem.

> > I 've started ip_queue
> > I've add those rules in iptables:
> >
> > iptables -A INPUT -p tcp --dport 80 -j QUEUE
> > iptables -A OUTPUT -p tcp --sport 80 -j QUEUE
>
> These rules apply to incoming http connections, not outgoing. Is that what
> you want?
>
> Please test if icmp and udp do work. If so, your problem might be this:
> http://sourceforge.net/mailarchive/forum.php?thread_id=31006775&forum_id=32933
>
> Cheers,
> Victor

Hi Victor

i have tested with the new BETA version of snort_inline but I've the same
problem.
When I add those lines, there is just TCP protocol blocked.

iptables -I INPUT -p tcp --dport 80 -j QUEUE
iptables -I INPUT -p udp --dport 20000 -j QUEUE
iptables -I INPUT -p icmp -j QUEUE

So I tried to recompile snort_inline with '-fno-strict-aliasing' set at the
variable CFLAGS.
I did this:

./configure --with-mysql --enable-dynamicplugin
make "CFLAGS=-g -O2 -Wall -DDYNAMIC_PLUGIN -fno-strict-aliasing"
make install

but I have errors:

sf_dynamic_plugins.c: In function 'InitDynamicEngines':
sf_dynamic_plugins.c:843: attention : pointer targets in assignment differ in signedness
sf_dynamic_plugins.c: In function 'DynamicDropInline':
sf_dynamic_plugins.c:922: attention : implicit declaration of function 'InlineDrop'
sf_dynamic_plugins.c: In function 'InitDynamicPreprocessors':
sf_dynamic_plugins.c:957: attention : pointer targets in assignment differ in signedness
sf_dynamic_plugins.c:985: erreur: 'InlineMode' undeclared (first use in this function)
sf_dynamic_plugins.c:985: erreur: (Each undeclared identifier is reported only once
sf_dynamic_plugins.c:985: erreur: for each function it appears in.)
make[4]: *** [sf_dynamic_plugins.o] Erreur 1
make[4]: quittant le répertoire « /usr/local/src/snort_inline-2.6.1.2-BETA1/src/dynamic-plugins »
make[3]: *** [all-recursive] Erreur 1
make[3]: quittant le répertoire « /usr/local/src/snort_inline-2.6.1.2-BETA1/src/dynamic-plugins »
make[2]: *** [all-recursive] Erreur 1
make[2]: quittant le répertoire « /usr/local/src/snort_inline-2.6.1.2-BETA1/src »
make[1]: *** [all-recursive] Erreur 1
make[1]: quittant le répertoire « /usr/local/src/snort_inline-2.6.1.2-BETA1 »
make: *** [all] Erreur 2

So I tried without the --enable-dynamicplugin option:
I did this:

./configure --with-mysql
make "CFLAGS=-g -O2 -Wall -fno-strict-aliasing"
make install

and I have those errors:

spp_stream4.c:3902: erreur: 'Stream4Data' has no member named 'drop_bad_rst'
spp_stream4.c:3907: attention : implicit declaration of function 'InlineDropPacketOnly'
spp_stream4.c: In function 'CreateNewSession':
spp_stream4.c:4433: erreur: 'Stream' has no member named 'rc'
spp_stream4.c:4433: erreur: 'Stream' has no member named 'rc'
spp_stream4.c:4434: erreur: 'Stream' has no member named 'rc'
spp_stream4.c:4434: erreur: 'Stream' has no member named 'rc'
spp_stream4.c: In function 'Stream4ShutdownFunction':
spp_stream4.c:5196: erreur: 'Stream4Data' has no member named 'store_state_to_disk'
spp_stream4.c:5198: erreur: 'Stream4Data' has no member named 'state_file'
spp_stream4.c: In function 'Stream4RestartFunction':
spp_stream4.c:5231: erreur: 'Stream4Data' has no member named 'store_state_to_disk'
spp_stream4.c:5233: erreur: 'Stream4Data' has no member named 'state_file'
spp_stream4.c: In function 'FlushStream':
spp_stream4.c:7433: erreur: 'Stream4Data' has no member named 'stream4inline_mode'
spp_stream4.c: In function 'AlertFlushStream':
spp_stream4.c:7797: erreur: 'Stream4Data' has no member named 'stream4inline_mode'
spp_stream4.c: In function 'ForceFlushStream':
spp_stream4.c:7909: erreur: 'Stream4Data' has no member named 'stream4inline_mode'
make[4]: *** [spp_stream4.o] Erreur 1

I'm sorry to disturb you like that, I'm a novice in Linux.
If you have any suggestions about this problem....
Thanks a lot again for all you're doing.

Cheers,
Cyril

--
CLOCHARD Cyril
12, rue du château
79300 Bressuire
Tél: 06 73 86 43 33
From: Michael S. <sch...@se...> - 2007-01-25 11:44:44
Which I suppose messes up the snort-inline port also, paul? You ever use it?

-----Original Message-----
From: sno...@li... [mailto:sno...@li...] On Behalf Of Paul Schmehl
Sent: Tuesday, January 23, 2007 4:25 PM
To: sno...@li...
Subject: Re: [Snort-users] Just upgraded snort - now barnyard won't run

I just downgraded snort to 2.6.1.1, and this problem went away. It appears
there is something wrong with 2.6.1.2 that causes writes to the logs that
barnyard doesn't like.

--On Tuesday, January 23, 2007 10:45:08 -0600 Paul Schmehl
<pa...@ut...> wrote:

> I just upgraded snort to version 2.6.1.2 (FreeBSD 6.1):
> snort -V
>
>    ,,_     -*> Snort! <*-
>   o"  )~   Version 2.6.1.2 (Build 34) FreeBSD
>    ''''    By Martin Roesch & The Snort Team: http://www.snort.org/team.html
>            (C) Copyright 1998-2006 Sourcefire Inc., et al.
>
> Now barnyard won't start:
> tail /var/log/messages
> Jan 22 22:30:01 buttercup3 snort[56469]: Writing PID "56469" to file "/var/run//snort_bge0E.pid"
> Jan 22 22:30:01 buttercup3 snort[56469]: Daemon initialized, signaled parent pid: 56468
> Jan 22 22:30:01 buttercup3 snort[56468]: Daemon parent exiting
> Jan 22 22:31:06 buttercup3 snort[56469]: Snort initialization completed successfully (pid=56469)
> Jan 22 22:31:06 buttercup3 snort[56469]: Not Using PCAP_FRAMES
> Jan 23 16:08:43 buttercup3 barnyard[68251]: Initializing daemon mode
> Jan 23 16:08:43 buttercup3 barnyard[68252]: Opened spool file '/var/log/snort//snort.log.1169504455'
> Jan 23 16:08:43 buttercup3 barnyard[68252]: ERROR: Invalid packet length: 3810967040
> Jan 23 16:08:43 buttercup3 barnyard[68252]: FATAL ERROR: Read error
> Jan 23 16:08:43 buttercup3 barnyard[68252]: Exiting
>
> Snort.conf has:
> grep output /usr/local/etc/snort/snort.conf
> # Step #4: Configure output plugins
> # output alert_unified: filename snort.alert, limit 128
> output log_unified: filename snort.log, limit 128
>
> Was the spo_unified log format changed in some way?
>
> I've deleted a bunch of log files to get barnyard to start and stay
> running, but as soon as snort creates a new logfile, barnyard exits
> with a FATAL ERROR.
>
> Paul Schmehl (pa...@ut...)
> Senior Information Security Analyst
> The University of Texas at Dallas http://www.utdallas.edu/ir/security/

Paul Schmehl (pa...@ut...)
Senior Information Security Analyst
The University of Texas at Dallas http://www.utdallas.edu/ir/security/
From: Victor J. <vi...@nk...> - 2007-01-25 10:04:17
> Hi,
>
> I'm sorry to contact you again but need some help on snort inline.
> I will explain the problem...
>
> I 've installed snort inline v.2.4.4.final on a Ubuntu 6.10 with mysql
> option and I've the same problem with others versions.

Maybe you can try to see if the new 2.6.1.2-BETA1 version works better:
http://sourceforge.net/project/showfiles.php?group_id=78497&package_id=219144&release_id=480637

> I 've started ip_queue
> I've add those rules in iptables:
>
> iptables -A INPUT -p tcp --dport 80 -j QUEUE
> iptables -A OUTPUT -p tcp --sport 80 -j QUEUE

These rules apply to incoming http connections, not outgoing. Is that what
you want?

Please test if icmp and udp do work. If so, your problem might be this:
http://sourceforge.net/mailarchive/forum.php?thread_id=31006775&forum_id=32933

Cheers,
Victor
From: Cyril C. <cyr...@gm...> - 2007-01-25 09:09:55
Hi,

I'm sorry to contact you again but need some help on snort inline.
I will explain the problem...

I 've installed snort inline v.2.4.4.final on a Ubuntu 6.10 with mysql
option and I've the same problem with others versions.

I 've started ip_queue
I've add those rules in iptables:

iptables -A INPUT -p tcp --dport 80 -j QUEUE
iptables -A OUTPUT -p tcp --sport 80 -j QUEUE

The problem is when I load snort_inline the traffic on port 80 continue to
be blocked. I haven't specified any drop rules in snort_inline.
I have only one network interface eth0.
I suppose there are problems in my config file but I don't know how to
resolve this.

I paste the message when I load snort_inline:
-----------
sudo snort_inline -Qvc /etc/snort_inline/snort_inline.conf
Password:
Reading from iptables
Running in IDS mode
Initializing Inline mode

        --== Initializing Snort ==--
Initializing Output Plugins!
Setting the Packet Processor to decode packets from iptables
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file /etc/snort_inline/snort_inline.conf

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
,-----------[Flow Config]----------------------
| Stats Interval:  0
| Hash Method:     2
| Memcap:          10485760
| Rows  :          4099
| Overhead Bytes:  16400(%0.16)
`----------------------------------------------
stream4inline mode enabled
Stream4 config:
    Stateful inspection: ACTIVE
    Session statistics: INACTIVE
    Session timeout: 30 seconds
    Session memory cap: 8388608 bytes
    Session count max: 8192 sessions
    Session cleanup count: 5
    State alerts: INACTIVE
    Evasion alerts: INACTIVE
    Scan alerts: INACTIVE
    Log Flushed Streams: INACTIVE
    MinTTL: 1
    TTL Limit: 5
    Async Link: 0
    State Protection: 0
    Self preservation threshold: 50
    Self preservation period: 90
    Suspend threshold: 200
    Suspend period: 30
    Enforce TCP State: ACTIVE
    Midstream Drop Alerts: INACTIVE
    Server Data Inspection Limit: -1
    Inline-mode options:
        Inline-mode enabled? (stream4inline): Yes
        Sliding Windowsize (window_size): 7000 (max full conn: 1198)
        Memcap reached method (truncate): Prune
        Truncate percentage (truncate_percentage): 33
        DROP out-of-window packets (drop_out_of_window): No
        DROP data on unestablised session state (drop_data_on_unest): No
        DROP no tcp-flags on establised packets (drop_no_tcp_on_est): No
        DROP packet not within session limits (drop_not_in_limits): No
        DROP ttl evasion (drop_ttl_evasion): No
        Store/Load state from/to disk: No
WARNING /etc/snort_inline/snort_inline.conf(298) => flush_behavior set in config file, using old static flushpoints (0)
Stream4_reassemble config:
    Server reassembly: ACTIVE
    Client reassembly: ACTIVE
    Reassembler alerts: ACTIVE
    Zero out flushed packets: INACTIVE
    Flush stream on alert: INACTIVE
    flush_data_diff_size: 500
    Reassembler Packet Preferance : Favor Old
    Packet Sequence Overlap Limit: -1
    Flush behavior: Small (<255 bytes)
    Ports: 21 23 25 42 53 80 110 111 135 136 137 139 143 445 513 1433 1521 3306
    Emergency Ports: 21 23 25 42 53 80 110 111 135 136 137 139 143 445 513 1433 1521 3306
HttpInspect Config:
    GLOBAL CONFIG
      Max Pipeline Requests:    0
      Inspection Type:          STATELESS
      Detect Proxy Usage:       NO
      IIS Unicode Map Filename: /etc/snort_inline/unicode.map
      IIS Unicode Map Codepage: 1252
    DEFAULT SERVER CONFIG:
      Ports: 80 8080 8180
      Flow Depth: 300
      Max Chunk Length: 500000
      Inspect Pipeline Requests: YES
      URI Discovery Strict Mode: NO
      Allow Proxy Usage: NO
      Disable Alerting: NO
      Oversize Dir Length: 500
      Only inspect URI: NO
      Ascii: YES alert: NO
      Double Decoding: YES alert: YES
      %U Encoding: YES alert: YES
      Bare Byte: YES alert: YES
      Base36: OFF
      UTF 8: OFF
      IIS Unicode: YES alert: YES
      Multiple Slash: YES alert: NO
      IIS Backslash: YES alert: NO
      Directory Traversal: YES alert: NO
      Web Root Traversal: YES alert: YES
      Apache WhiteSpace: YES alert: NO
      IIS Delimiter: YES alert: NO
      IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
      Non-RFC Compliant Characters: NONE
rpc_decode arguments:
    Ports to decode RPC on: 111 32771
    alert_fragments: INACTIVE
    alert_large_fragments: ACTIVE
    alert_incomplete: ACTIVE
    alert_multiple_requests: ACTIVE
telnet_decode arguments:
    Ports to decode telnet on: 21 23 25 119
Portscan Detection Config:
    Detect Protocols:  TCP UDP ICMP IP
    Detect Scan Type:  portscan portsweep decoy_portscan distributed_portscan
    Sensitivity Level: Low
    Memcap (in bytes): 10000000
    Number of Nodes:   36900

2762 Snort rules read...
2762 Option Chains linked into 154 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++

Warning: flowbits key 'dce.bind.veritas' is set but not ever checked.
Warning: flowbits key 'smb.tree.create.llsrpc' is set but not ever checked.
Warning: flowbits key 'realplayer.playlist ' is checked but not ever set.
Warning: flowbits key 'ms_sql_seen_dns' is checked but not ever set.
InitInline stage 2: InitInlinePostConfig starting...
+-----------------------[thresholding-config]----------------------------------
| memory-cap : 1048576 bytes
+-----------------------[thresholding-global]----------------------------------
| none
+-----------------------[thresholding-local]-----------------------------------
| gen-id=1 sig-id=2924 type=Threshold tracking=dst count=10 seconds=60
| gen-id=1 sig-id=2496 type=Both tracking=dst count=20 seconds=60
| gen-id=1 sig-id=2495 type=Both tracking=dst count=20 seconds=60
| gen-id=1 sig-id=3527 type=Limit tracking=dst count=5 seconds=60
| gen-id=1 sig-id=2923 type=Threshold tracking=dst count=10 seconds=60
| gen-id=1 sig-id=3542 type=Threshold tracking=src count=5 seconds=2
| gen-id=1 sig-id=2275 type=Threshold tracking=dst count=5 seconds=60
| gen-id=1 sig-id=2523 type=Both tracking=dst count=10 seconds=10
| gen-id=1 sig-id=2494 type=Both tracking=dst count=20 seconds=60
| gen-id=1 sig-id=3273 type=Threshold tracking=src count=5 seconds=2
| gen-id=1 sig-id=3543 type=Threshold tracking=src count=5 seconds=2
| gen-id=1 sig-id=3152 type=Threshold tracking=src count=5 seconds=2
+-----------------------[suppression]------------------------------------------
| none
-------------------------------------------------------------------------------
Rule application order: ->activation->dynamic->drop->sdrop->reject->rejectboth->rejectsrc->rejectdst->alert->pass->log
Log directory = /var/log/snort
--------------------

So if you have any suggestion about this problem I'm interested because I'm
on this during a long time and I'm a little in despair.

Thanks a lot for all you are doing.

Cheers,
Cyril

--
CLOCHARD Cyril
12, rue du château
79300 Bressuire
Tél: 06 73 86 43 33
From: Victor J. <vi...@nk...> - 2007-01-24 10:13:31
> Hello,
>
> First I'm sorry for my bad English but I need any help on snort inline.
> I will explain the problem...
>
> I 've installed snort inline v.2.4.4.final on a Ubuntu 6.10 with mysql
> option.
>
> I 've started ip_queue
> I've add those rules in iptables:
>
> iptables -I INPUT -p tcp --dport 80 -j QUEUE
> iptables -I INPUT -p tcp --sport 80 -j QUEUE

You need rules in the output chain as well. Try:

iptables -I OUTPUT -p tcp --dport 80 -j QUEUE
iptables -I INPUT -p tcp --sport 80 -j QUEUE

This assumes you are running Snort_inline on the same host as you run the
web browser on.

Cheers,
Victor
From: Cyril C. <cyr...@gm...> - 2007-01-24 10:08:53
Hello,

First I'm sorry for my bad English but I need any help on snort inline.
I will explain the problem...

I 've installed snort inline v.2.4.4.final on a Ubuntu 6.10 with mysql option.

I 've started ip_queue
I've add those rules in iptables:

iptables -I INPUT -p tcp --dport 80 -j QUEUE
iptables -I INPUT -p tcp --sport 80 -j QUEUE

The problem is when I load snort_inline the traffic on port 80 continue to
be blocked. I haven't specified any drop rules in snort_inline.

I paste the message when I load snort_inline

sudo snort_inline -Qvc /etc/snort_inline/snort_inline.conf
Password:
Reading from iptables
Running in IDS mode
Initializing Inline mode

        --== Initializing Snort ==--
Initializing Output Plugins!
Setting the Packet Processor to decode packets from iptables
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file /etc/snort_inline/snort_inline.conf

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
,-----------[Flow Config]----------------------
| Stats Interval:  0
| Hash Method:     2
| Memcap:          10485760
| Rows  :          4099
| Overhead Bytes:  16400(%0.16)
`----------------------------------------------
stream4inline mode enabled
Stream4 config:
    Stateful inspection: ACTIVE
    Session statistics: INACTIVE
    Session timeout: 30 seconds
    Session memory cap: 8388608 bytes
    Session count max: 8192 sessions
    Session cleanup count: 5
    State alerts: INACTIVE
    Evasion alerts: INACTIVE
    Scan alerts: INACTIVE
    Log Flushed Streams: INACTIVE
    MinTTL: 1
    TTL Limit: 5
    Async Link: 0
    State Protection: 0
    Self preservation threshold: 50
    Self preservation period: 90
    Suspend threshold: 200
    Suspend period: 30
    Enforce TCP State: ACTIVE
    Midstream Drop Alerts: INACTIVE
    Server Data Inspection Limit: -1
    Inline-mode options:
        Inline-mode enabled? (stream4inline): Yes
        Sliding Windowsize (window_size): 7000 (max full conn: 1198)
        Memcap reached method (truncate): Prune
        Truncate percentage (truncate_percentage): 33
        DROP out-of-window packets (drop_out_of_window): No
        DROP data on unestablised session state (drop_data_on_unest): No
        DROP no tcp-flags on establised packets (drop_no_tcp_on_est): No
        DROP packet not within session limits (drop_not_in_limits): No
        DROP ttl evasion (drop_ttl_evasion): No
        Store/Load state from/to disk: No
WARNING /etc/snort_inline/snort_inline.conf(298) => flush_behavior set in config file, using old static flushpoints (0)
Stream4_reassemble config:
    Server reassembly: ACTIVE
    Client reassembly: ACTIVE
    Reassembler alerts: ACTIVE
    Zero out flushed packets: INACTIVE
    Flush stream on alert: INACTIVE
    flush_data_diff_size: 500
    Reassembler Packet Preferance : Favor Old
    Packet Sequence Overlap Limit: -1
    Flush behavior: Small (<255 bytes)
    Ports: 21 23 25 42 53 80 110 111 135 136 137 139 143 445 513 1433 1521 3306
    Emergency Ports: 21 23 25 42 53 80 110 111 135 136 137 139 143 445 513 1433 1521 3306
HttpInspect Config:
    GLOBAL CONFIG
      Max Pipeline Requests:    0
      Inspection Type:          STATELESS
      Detect Proxy Usage:       NO
      IIS Unicode Map Filename: /etc/snort_inline/unicode.map
      IIS Unicode Map Codepage: 1252
    DEFAULT SERVER CONFIG:
      Ports: 80 8080 8180
      Flow Depth: 300
      Max Chunk Length: 500000
      Inspect Pipeline Requests: YES
      URI Discovery Strict Mode: NO
      Allow Proxy Usage: NO
      Disable Alerting: NO
      Oversize Dir Length: 500
      Only inspect URI: NO
      Ascii: YES alert: NO
      Double Decoding: YES alert: YES
      %U Encoding: YES alert: YES
      Bare Byte: YES alert: YES
      Base36: OFF
      UTF 8: OFF
      IIS Unicode: YES alert: YES
      Multiple Slash: YES alert: NO
      IIS Backslash: YES alert: NO
      Directory Traversal: YES alert: NO
      Web Root Traversal: YES alert: YES
      Apache WhiteSpace: YES alert: NO
      IIS Delimiter: YES alert: NO
      IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
      Non-RFC Compliant Characters: NONE
rpc_decode arguments:
    Ports to decode RPC on: 111 32771
    alert_fragments: INACTIVE
    alert_large_fragments: ACTIVE
    alert_incomplete: ACTIVE
    alert_multiple_requests: ACTIVE
telnet_decode arguments:
    Ports to decode telnet on: 21 23 25 119
Portscan Detection Config:
    Detect Protocols:  TCP UDP ICMP IP
    Detect Scan Type:  portscan portsweep decoy_portscan distributed_portscan
    Sensitivity Level: Low
    Memcap (in bytes): 10000000
    Number of Nodes:   36900

2762 Snort rules read...
2762 Option Chains linked into 154 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++

Warning: flowbits key 'dce.bind.veritas' is set but not ever checked.
Warning: flowbits key 'smb.tree.create.llsrpc' is set but not ever checked.
Warning: flowbits key 'realplayer.playlist ' is checked but not ever set.
Warning: flowbits key 'ms_sql_seen_dns' is checked but not ever set.
InitInline stage 2: InitInlinePostConfig starting...
+-----------------------[thresholding-config]----------------------------------
| memory-cap : 1048576 bytes
+-----------------------[thresholding-global]----------------------------------
| none
+-----------------------[thresholding-local]-----------------------------------
| gen-id=1 sig-id=2924 type=Threshold tracking=dst count=10 seconds=60
| gen-id=1 sig-id=2496 type=Both tracking=dst count=20 seconds=60
| gen-id=1 sig-id=2495 type=Both tracking=dst count=20 seconds=60
| gen-id=1 sig-id=3527 type=Limit tracking=dst count=5 seconds=60
| gen-id=1 sig-id=2923 type=Threshold tracking=dst count=10 seconds=60
| gen-id=1 sig-id=3542 type=Threshold tracking=src count=5 seconds=2
| gen-id=1 sig-id=2275 type=Threshold tracking=dst count=5 seconds=60
| gen-id=1 sig-id=2523 type=Both tracking=dst count=10 seconds=10
| gen-id=1 sig-id=2494 type=Both tracking=dst count=20 seconds=60
| gen-id=1 sig-id=3273 type=Threshold tracking=src count=5 seconds=2
| gen-id=1 sig-id=3543 type=Threshold tracking=src count=5 seconds=2
| gen-id=1 sig-id=3152 type=Threshold tracking=src count=5 seconds=2
+-----------------------[suppression]------------------------------------------
| none
-------------------------------------------------------------------------------
Rule application order: ->activation->dynamic->drop->sdrop->reject->rejectboth->rejectsrc->rejectdst->alert->pass->log
Log directory = /var/log/snort

        --== Initialization Complete ==--

   ,,_     -*> Snort_Inline! <*-
  o"  )~   Version 2.4.4-final (Build 28)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/team.html
           (C) Copyright 1998-2005 Sourcefire Inc., et al.
           Snort_Inline Mod by William Metcalf, Victor Julien, Nick Rogness,
           Dave Remien, Rob McMillen and Jed Haile
NOTE: Snort's default output has changed in version 2.4.1!
      The default logging mode is now PCAP, use "-K ascii" to activate
      the old default logging mode.

So if you have an idea about what is wrong i'm interested.
Thanks a lot.
Bye.

--
CLOCHARD Cyril
12, rue du château
79300 Bressuire
Tél: 06 73 86 43 33
From: David G. <gu...@in...> - 2006-12-21 15:59:46
Hello again,

i have tested your little patch and it comes close to solving the problem.
It sure seems like something with the timestamp is wrong. After applying
your patch it works with thresholds and sticky-drop except that all rules
seem to trigger twice for some reason!

I have dug some further into the code of snort_inline in inline.c and some
code in the cb-function seems weird. A nfqnl_msg_packet_timestamp is sent
to nfq_get_timestamp even though it should receive a timeval according to
specs. ...So i tried to use a timeval instead and it makes a difference
even though still not fully correct.

Another thing is

    iret = nfq_get_timestamp(nfa, &ts);
    if(iret){

where iret according to specs is 0 on success and non-zero on failure; this
means that it only reaches inside the if on failure (and it seems to always
reach). The specs I used are those from
http://archives.free.net.ph/message/20060208.171235.186dce08.en.html.

This is not really a solution i'm giving you here as you see but maybe a
little bit more pinpointing to where the error occurs. I hope this mail
could be helpful for finding a solution to the problem and not just spam! :)

Thanks for all the help so far!

regards and happy holidays
David Gunnarsson

Will Metcalf wrote:
> Unless nf_queue is passing us bogus values for packet time this should
> work. Try applying the following diff which sets packet time to time
> since the unix epoch, no matter what nf_queue tells us packet time is.
>
> Regards,
>
> Will
> ------------------------------------------------------------------------
>
> --- snort_inline-2.4.5a/src/inline.c 2006-06-17 21:20:39.000000000 -0500
> +++ snort_inline-2.4.5agettime/src/inline.c 2006-12-19 08:36:04.000000000 -0600
> @@ -113,18 +113,10 @@ > void TranslateToPcap(ipq_packet_msg_t *m, struct pcap_pkthdr *phdr) > { > static struct timeval t; > - if (!m->timestamp_sec) > - { > - memset (&t, 0, sizeof(struct timeval)); > - gettimeofday(&t, NULL); > - phdr->ts.tv_sec = t.tv_sec; > - phdr->ts.tv_usec = t.tv_usec; > - } > - else > - { > - phdr->ts.tv_sec = m->timestamp_sec; > - phdr->ts.tv_usec = m->timestamp_usec; > - } > + memset (&t, 0, sizeof(struct timeval)); > + gettimeofday(&t, NULL); > + phdr->ts.tv_sec = t.tv_sec; > + phdr->ts.tv_usec = t.tv_usec; > phdr->caplen = m->data_len; > phdr->len = m->data_len; > } > |
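Review bot: the hunk discards m->timestamp_sec and m->timestamp_usec unconditionally, so every packet is stamped with the time it reached TranslateToPcap in userspace rather than the kernel capture time; that is fine as a diagnostic to confirm nf_queue is handing over bogus values, but the removed lines show the existing fallback only covered timestamp_sec == 0, so the lasting fix is to validate the kernel value (or correct where it is populated) and fall back only when it is unusable. The `static struct timeval t` and the `memset (&t, 0, sizeof(struct timeval))` before `gettimeofday(&t, NULL)` are unnecessary in either version, since gettimeofday fills both fields; a plain local `struct timeval t;` suffices, and its return value is worth checking.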
From: Will M. <wil...@gm...> - 2006-12-19 14:41:30
|
Unless nf_queue is passing us bogus values for packet time this should work. Try applying the following
diff which sets packet time to time since the Unix epoch, no matter what nf_queue tells us packet time is.

Regards,

Will
|
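The two messages above disagree about where the packet time should come from: Will's diff stamps every packet with gettimeofday() regardless of what nf_queue reported, while David's reply (further up the page) notes that nfq_get_timestamp() expects a struct timeval and returns 0 on success, so a check written as `if(iret)` takes the wrong branch. The C below is an added example, not snort_inline's code: it keeps the queue timestamp only when the call succeeded and the value is plausible, and falls back to the current time otherwise. The struct pkthdr_ts stand-in and the plausibility rule are assumptions of the example; it does not call libnetfilter_queue.

```c
#include <stdio.h>
#include <sys/time.h>

/* Stand-in for the timestamp half of struct pcap_pkthdr so the example
 * builds without libpcap (hypothetical type, not snort_inline's). */
struct pkthdr_ts {
    struct timeval ts;
};

/* Return 1 when a queue-supplied timestamp looks usable: non-zero, usec in
 * range, and not more than `slack` seconds ahead of the current time.
 * The plausibility rule is an assumption of this example, not something
 * the thread specifies. */
int timestamp_plausible(const struct timeval *ts, const struct timeval *now, long slack)
{
    if (ts->tv_sec == 0 && ts->tv_usec == 0)
        return 0;                              /* the old "no timestamp" case */
    if (ts->tv_usec < 0 || ts->tv_usec >= 1000000)
        return 0;                              /* garbage, e.g. wrong struct read */
    if (ts->tv_sec > now->tv_sec + slack)
        return 0;                              /* in the future: clock mismatch */
    return 1;
}

/* Fill the pcap-style header timestamp from the queue's timestamp when it
 * is usable, otherwise from `now`. `queue_rc` follows the convention the
 * thread quotes for nfq_get_timestamp(): 0 on success, non-zero on
 * failure. Returns 1 if the queue timestamp was used, 0 on fallback. */
int translate_timestamp(int queue_rc, const struct timeval *queue_ts,
                        const struct timeval *now, struct pkthdr_ts *hdr)
{
    if (queue_rc == 0 && timestamp_plausible(queue_ts, now, 1)) {
        hdr->ts = *queue_ts;
        return 1;
    }
    /* Fallback: the packet is stamped with the time it was dequeued in
     * userspace, which is what the diff in this thread does unconditionally. */
    hdr->ts = *now;
    return 0;
}

int main(void)
{
    struct timeval now;
    gettimeofday(&now, NULL);

    /* Constructed inputs: a good timestamp, the inverted-return-code case
     * the thread describes, and a bogus usec value. */
    struct timeval good = { .tv_sec = now.tv_sec - 1, .tv_usec = 250000 };
    struct timeval bogus = { .tv_sec = now.tv_sec, .tv_usec = 2000000 };
    struct pkthdr_ts hdr;

    printf("good ts, rc=0  -> used queue ts: %d\n", translate_timestamp(0, &good, &now, &hdr));
    printf("good ts, rc=-1 -> used queue ts: %d\n", translate_timestamp(-1, &good, &now, &hdr));
    printf("bogus ts, rc=0 -> used queue ts: %d\n", translate_timestamp(0, &bogus, &now, &hdr));
    return 0;
}
```

Because thresholds and sticky-drop windows are computed from the packet timestamp, a silently wrong value shows up exactly as the symptoms in this thread (rules firing at the wrong times or for the wrong duration); checking the return code and the value before trusting it keeps that failure visible.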
From: David G. <gu...@in...> - 2006-12-19 12:34:05
|
I have kept on testing and fiddling and I think I have narrowed down the bug. sticky-drop only appears
buggy with netfilter_queue, not with ip_queue. Even sticky-drop with thresholding, as I planned to use it,
works fine with ip_queue! This does not help me as I need several queues and thus netfilter_queue, although
it seemed like a good idea to report it; maybe it could save you guys some time of error searching.

/David Gunnarsson

Will Metcalf wrote:
> yeah maybe the best way to handle this is to create a new rule type or
> thresholding option as the idea behind thresholding is really to limit
> the amount of alerts generated. Maybe I'll create it before the
> 2.6.0.2 release, I promise nothing as I'm digging
> into the mechanics of ssl/tls at the moment ;-).
>
> Regards,
>
> Will
>
> On 12/14/06, David Gunnarsson <gu...@in...> wrote:
> > The problem still exists but I have kind of solved the problem at least a
> > bit for my own sake I think. That is with a little workaround.
> > By using a combination of alert and sticky-drop I almost achieve what I
> > want.
> > The almost part of it is that sticky-drop seems to drop forever and not
> > any 30 seconds as it should, but at least now I can drop packets with
> > thresholding rules.
> > The example rule I got to work:
> > alert udp any any -> any any \
> > (msg:"sticky drop p\uffff alla invite minsann"; content:"INVITE";
> > depth:10; sticky-drop: 30,src; \
> > threshold: type both , track by_src, count 5, seconds 30; \
> > classtype:misc-attack; sid:5000101; rev:1;)
> >
> > Will Metcalf wrote:
> > > I will look into it when I get home tonight. btw we are looking for
> > > 2.6.0.2 beta testers if anyone is interested. Victor
> > > did a lot of work revamping the stream reassembler stream4inline in
> > > this release.
> > >
> > > Regards,
> > >
> > > Will
> > >
> > > On 12/13/06, David Gunnarsson <gu...@in...> wrote:
> > > > I am using snort/snort_inline 2.4.5 from
> > > > http://snort-inline.sourceforge.net/.
> > > > b.t.w. if it matters, I use netfilter_queue and not ip_queue.
> > > >
> > > > regards David Gunnarsson
> > > >
> > > > Will Metcalf wrote:
> > > > > what version of the snort/snort_inline are you using?
> > > > >
> > > > > On 12/13/06, David Gunnarsson <gu...@in...> wrote:
> > > > > > I'm having a problem with DROP-rules containing thresholds. It seems
> > > > > > as if the threshold is ignored when dropping.
> > > > > >
> > > > > > example problem rule:
> > > > > > drop udp any any -> $SIP_PROXY_IP $SIP_PROXY_PORTS \
> > > > > > (msg:"a-INVITE message flooding"; content:"INVITE"; depth:6; \
> > > > > > threshold: type both , track by_src, count 5, seconds 60; \
> > > > > > sid:5000004; rev:1;)
> > > > > >
> > > > > > This rule just drops all packets that content-matches regardless of how
> > > > > > many packets and in what time interval they come.
> > > > > > It is however logged as usual after 5 invites within a minute, just as
> > > > > > with alert instead of drop.
> > > > > > Is it not possible to do inline protection/mitigation from flooding
> > > > > > attacks but just pure content matching?
> > > > > > regard David G
> > > > > >
> > > > > > -------------------------------------------------------------------------
> > > > > > Take Surveys. Earn Cash. Influence the Future of IT
> > > > > > Join SourceForge.net's Techsay panel and you'll get the chance to share your
> > > > > > opinions on IT & business topics through brief surveys - and earn cash
> > > > > > http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
> > > > > > _______________________________________________
> > > > > > Snort-inline-users mailing list
> > > > > > Sno...@li...
> > > > > > https://lists.sourceforge.net/lists/listinfo/snort-inline-users
|
From: Will M. <wil...@gm...> - 2006-12-14 19:00:51
|
yeah maybe the best way to handle this is to create a new rule type or thresholding option as the idea
behind thresholding is really to limit the amount of alerts generated. Maybe I'll create it before the
2.6.0.2 release, I promise nothing as I'm digging into the mechanics of ssl/tls at the moment ;-).

Regards,

Will

On 12/14/06, David Gunnarsson <gu...@in...> wrote:
> The problem still exists but I have kind of solved the problem at least a
> bit for my own sake I think. That is with a little workaround.
> By using a combination of alert and sticky-drop I almost achieve what I
> want.
> The almost part of it is that sticky-drop seems to drop forever and not
> any 30 seconds as it should, but at least now I can drop packets with
> thresholding rules.
> The example rule I got to work:
> alert udp any any -> any any \
> (msg:"sticky drop p\uffff alla invite minsann"; content:"INVITE";
> depth:10; sticky-drop: 30,src; \
> threshold: type both , track by_src, count 5, seconds 30; \
> classtype:misc-attack; sid:5000101; rev:1;)
>
> Will Metcalf wrote:
> > I will look into it when I get home tonight. btw we are looking for
> > 2.6.0.2 beta testers if anyone is interested. Victor
> > did a lot of work revamping the stream reassembler stream4inline in
> > this release.
> >
> > Regards,
> >
> > Will
> >
> > On 12/13/06, David Gunnarsson <gu...@in...> wrote:
> > > I am using snort/snort_inline 2.4.5 from
> > > http://snort-inline.sourceforge.net/.
> > > b.t.w. if it matters, I use netfilter_queue and not ip_queue.
> > >
> > > regards David Gunnarsson
> > >
> > > Will Metcalf wrote:
> > > > what version of the snort/snort_inline are you using?
> > > >
> > > > On 12/13/06, David Gunnarsson <gu...@in...> wrote:
> > > > > I'm having a problem with DROP-rules containing thresholds. It seems
> > > > > as if the threshold is ignored when dropping.
> > > > >
> > > > > example problem rule:
> > > > > drop udp any any -> $SIP_PROXY_IP $SIP_PROXY_PORTS \
> > > > > (msg:"a-INVITE message flooding"; content:"INVITE"; depth:6; \
> > > > > threshold: type both , track by_src, count 5, seconds 60; \
> > > > > sid:5000004; rev:1;)
> > > > >
> > > > > This rule just drops all packets that content-matches regardless of how
> > > > > many packets and in what time interval they come.
> > > > > It is however logged as usual after 5 invites within a minute, just as
> > > > > with alert instead of drop.
> > > > > Is it not possible to do inline protection/mitigation from flooding
> > > > > attacks but just pure content matching?
> > > > > regard David G
|
From: David G. <gu...@in...> - 2006-12-14 11:39:30
|
The problem still exists but I have kind of solved the problem at least a bit for my own sake I think.
That is with a little workaround.
By using a combination of alert and sticky-drop I almost achieve what I want.
The almost part of it is that sticky-drop seems to drop forever and not any 30 seconds as it should, but
at least now I can drop packets with thresholding rules.
The example rule I got to work:

alert udp any any -> any any \
(msg:"sticky drop p\uffff alla invite minsann"; content:"INVITE";
depth:10; sticky-drop: 30,src; \
threshold: type both , track by_src, count 5, seconds 30; \
classtype:misc-attack; sid:5000101; rev:1;)

Will Metcalf wrote:
> I will look into it when I get home tonight. btw we are looking for
> 2.6.0.2 beta testers if anyone is interested. Victor
> did a lot of work revamping the stream reassembler stream4inline in
> this release.
>
> Regards,
>
> Will
>
> On 12/13/06, David Gunnarsson <gu...@in...> wrote:
> > I am using snort/snort_inline 2.4.5 from
> > http://snort-inline.sourceforge.net/.
> > b.t.w. if it matters, I use netfilter_queue and not ip_queue.
> >
> > regards David Gunnarsson
> >
> > Will Metcalf wrote:
> > > what version of the snort/snort_inline are you using?
> > >
> > > On 12/13/06, David Gunnarsson <gu...@in...> wrote:
> > > > I'm having a problem with DROP-rules containing thresholds. It seems
> > > > as if the threshold is ignored when dropping.
> > > >
> > > > example problem rule:
> > > > drop udp any any -> $SIP_PROXY_IP $SIP_PROXY_PORTS \
> > > > (msg:"a-INVITE message flooding"; content:"INVITE"; depth:6; \
> > > > threshold: type both , track by_src, count 5, seconds 60; \
> > > > sid:5000004; rev:1;)
> > > >
> > > > This rule just drops all packets that content-matches regardless of how
> > > > many packets and in what time interval they come.
> > > > It is however logged as usual after 5 invites within a minute, just as
> > > > with alert instead of drop.
> > > > Is it not possible to do inline protection/mitigation from flooding
> > > > attacks but just pure content matching?
> > > > regard David G
|
From: Will M. <wil...@gm...> - 2006-12-13 19:59:03
|
I will look into it when I get home tonight. btw we are looking for 2.6.0.2 beta testers if anyone is
interested. Victor did a lot of work revamping the stream reassembler stream4inline in this release.

Regards,

Will

On 12/13/06, David Gunnarsson <gu...@in...> wrote:
> I am using snort/snort_inline 2.4.5 from
> http://snort-inline.sourceforge.net/.
> b.t.w. if it matters, I use netfilter_queue and not ip_queue.
>
> regards David Gunnarsson
>
> Will Metcalf wrote:
> > what version of the snort/snort_inline are you using?
> >
> > On 12/13/06, David Gunnarsson <gu...@in...> wrote:
> > > I'm having a problem with DROP-rules containing thresholds. It seems
> > > as if the threshold is ignored when dropping.
> > >
> > > example problem rule:
> > > drop udp any any -> $SIP_PROXY_IP $SIP_PROXY_PORTS \
> > > (msg:"a-INVITE message flooding"; content:"INVITE"; depth:6; \
> > > threshold: type both , track by_src, count 5, seconds 60; \
> > > sid:5000004; rev:1;)
> > >
> > > This rule just drops all packets that content-matches regardless of how
> > > many packets and in what time interval they come.
> > > It is however logged as usual after 5 invites within a minute, just as
> > > with alert instead of drop.
> > > Is it not possible to do inline protection/mitigation from flooding
> > > attacks but just pure content matching?
> > > regard David G
|
From: David G. <gu...@in...> - 2006-12-13 14:51:26
|
I am using snort/snort_inline 2.4.5 from http://snort-inline.sourceforge.net/.
b.t.w. if it matters, I use netfilter_queue and not ip_queue.

regards David Gunnarsson

Will Metcalf wrote:
> what version of the snort/snort_inline are you using?
>
> On 12/13/06, David Gunnarsson <gu...@in...> wrote:
> > I'm having a problem with DROP-rules containing thresholds. It seems
> > as if the threshold is ignored when dropping.
> >
> > example problem rule:
> > drop udp any any -> $SIP_PROXY_IP $SIP_PROXY_PORTS \
> > (msg:"a-INVITE message flooding"; content:"INVITE"; depth:6; \
> > threshold: type both , track by_src, count 5, seconds 60; \
> > sid:5000004; rev:1;)
> >
> > This rule just drops all packets that content-matches regardless of how
> > many packets and in what time interval they come.
> > It is however logged as usual after 5 invites within a minute, just as
> > with alert instead of drop.
> > Is it not possible to do inline protection/mitigation from flooding
> > attacks but just pure content matching?
> > regard David G
|
From: Will M. <wil...@gm...> - 2006-12-13 14:13:08
|
what version of the snort/snort_inline are you using?

On 12/13/06, David Gunnarsson <gu...@in...> wrote:
> I'm having a problem with DROP-rules containing thresholds. It seems
> as if the threshold is ignored when dropping.
>
> example problem rule:
> drop udp any any -> $SIP_PROXY_IP $SIP_PROXY_PORTS \
> (msg:"a-INVITE message flooding"; content:"INVITE"; depth:6; \
> threshold: type both , track by_src, count 5, seconds 60; \
> sid:5000004; rev:1;)
>
> This rule just drops all packets that content-matches regardless of how
> many packets and in what time interval they come.
> It is however logged as usual after 5 invites within a minute, just as
> with alert instead of drop.
> Is it not possible to do inline protection/mitigation from flooding
> attacks but just pure content matching?
> regard David G
|
From: David G. <gu...@in...> - 2006-12-13 08:18:08
|
I'm having a problem with DROP-rules containing thresholds. It seems as if the threshold is ignored when
dropping.

example problem rule:

drop udp any any -> $SIP_PROXY_IP $SIP_PROXY_PORTS \
(msg:"a-INVITE message flooding"; content:"INVITE"; depth:6; \
threshold: type both , track by_src, count 5, seconds 60; \
sid:5000004; rev:1;)

This rule just drops all packets that content-matches regardless of how many packets and in what time
interval they come.
It is however logged as usual after 5 invites within a minute, just as with alert instead of drop.
Is it not possible to do inline protection/mitigation from flooding attacks but just pure content matching?

regard David G
|
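What the rule above asks for, and what the sticky-drop workaround earlier on this page approximates, is a rate decision rather than a content decision: drop only once a source has produced `count` matches within `seconds`, and then (with sticky-drop) keep dropping that source for the sticky period, instead of dropping every packet that merely matches the content. The C below is an added example, not snort_inline's thresholding code: it tracks matches per source, fires once per window as Snort's `type both` does, applies the sticky window, and runs over constructed packet times. The table size, the struct names and the fail-open choice when the table is full are assumptions of the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_SOURCES 64   /* assumption: small fixed table for the example */

enum verdict { VERDICT_PASS = 0, VERDICT_DROP = 1 };

/* Per-source state for one rule: the current threshold window and,
 * when sticky-drop is configured, until when the source stays blocked. */
struct source_state {
    uint32_t src;           /* source address (host order); 0 marks a free slot */
    long     window_start;  /* packet time at which the current window opened */
    int      hits;          /* matches seen from this source in the window */
    int      fired;         /* rule already fired in this window ("type both") */
    long     blocked_until; /* sticky-drop expiry time; 0 when not blocked */
};

struct tracker {
    int  count;    /* threshold: count */
    long seconds;  /* threshold: seconds */
    long sticky;   /* sticky-drop duration in seconds; 0 disables it */
    struct source_state slots[MAX_SOURCES];
};

void tracker_init(struct tracker *t, int count, long seconds, long sticky)
{
    memset(t, 0, sizeof *t);
    t->count = count;
    t->seconds = seconds;
    t->sticky = sticky;
}

static struct source_state *find_or_add(struct tracker *t, uint32_t src)
{
    struct source_state *free_slot = NULL;
    for (int i = 0; i < MAX_SOURCES; i++) {
        if (t->slots[i].src == src)
            return &t->slots[i];
        if (free_slot == NULL && t->slots[i].src == 0)
            free_slot = &t->slots[i];
    }
    if (free_slot != NULL) {
        memset(free_slot, 0, sizeof *free_slot);
        free_slot->src = src;
    }
    return free_slot; /* NULL when the table is full */
}

/* Decide the verdict for one packet from `src` that already matched the
 * rule's content options. `now` is the packet timestamp in seconds; the
 * window arithmetic depends on it, which is why a wrong packet timestamp
 * (the netfilter_queue problem discussed on this page) breaks thresholds. */
enum verdict track_match(struct tracker *t, uint32_t src, long now)
{
    struct source_state *s = find_or_add(t, src);
    if (s == NULL)
        return VERDICT_PASS; /* table full: fail open; real code should log this */

    if (s->blocked_until != 0) {
        if (now < s->blocked_until)
            return VERDICT_DROP; /* inside the sticky-drop window: drop everything */
        s->blocked_until = 0;    /* sticky period over; start counting afresh */
        s->hits = 0;
        s->fired = 0;
    }

    if (s->hits == 0 || now - s->window_start >= t->seconds) {
        s->window_start = now;   /* open a new threshold window */
        s->hits = 0;
        s->fired = 0;
    }
    s->hits++;

    if (s->fired || s->hits < t->count)
        return VERDICT_PASS;     /* below the threshold, or already fired this window */

    s->fired = 1;                /* count matches within seconds: fire once */
    if (t->sticky > 0)
        s->blocked_until = now + t->sticky;
    return VERDICT_DROP;
}

/* Feed a sequence of packet times from one source and return how many of
 * them were dropped; convenient for checking the behaviour. */
int drops_for_sequence(struct tracker *t, uint32_t src, const long *times, int n)
{
    int dropped = 0;
    for (int i = 0; i < n; i++)
        if (track_match(t, src, times[i]) == VERDICT_DROP)
            dropped++;
    return dropped;
}

int main(void)
{
    /* The rule from this thread: threshold type both, track by_src, count 5,
     * seconds 60, combined with sticky-drop 30,src. Packet times are constructed. */
    struct tracker t;
    tracker_init(&t, 5, 60, 30);
    const long times[] = { 0, 1, 2, 3, 4, 5, 20, 33, 34, 35 };
    int n = (int)(sizeof times / sizeof times[0]);
    for (int i = 0; i < n; i++)
        printf("t=%2ld src=10.0.0.1 -> %s\n", times[i],
               track_match(&t, 0x0A000001u, times[i]) == VERDICT_DROP ? "DROP" : "pass");
    return 0;
}
```

With these numbers the fifth INVITE (t=4) is the first one dropped, everything from that source is dropped until t=34, and at t=34 counting starts over; a second source is tracked independently. Without sticky-drop the same tracker fires once per 60-second window and passes the rest, which is the alert-limiting behaviour Will describes thresholding as being designed for.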
From: Will M. <wil...@gm...> - 2006-11-09 22:21:48
|
tmpfs works as well

On 11/9/06, Will Metcalf <wil...@gm...> wrote:
> try writing to ramdisk and see if you still get the same error. Ram
> disk doesn't have to be that big.
>
> On 11/9/06, Bill Warren <bw...@op...> wrote:
> > I am just running off the hard drive. This is the only problem that I
> > know of with the machine.
> >
> > Thanks,
> > Bill
> >
> > Will Metcalf wrote:
> > > Are you writing file descriptors to ramdisk or to the hard drive?
> > > Having any other disk I/O problems?
> > >
> > > Regards,
> > >
> > > Will
> > >
> > > On 11/8/06, Bill Warren <bw...@op...> wrote:
> > >> Hello,
> > >> I am running Snort 2.4.5a on a Debian sarge box. It ran great for about
> > >> 3 months and now ClamAV keeps stopping. This is my error
> > >>
> > >> "Nov 8 14:22:11 snortserver snort[8586]: FATAL ERROR: ClamAV scan error:
> > >> Input/Output error."
> > >>
> > >> All the programs were pulled down from Debian packages. Anybody else
> > >> have this problem?
> > >>
> > >> Thanks,
> > >> Bill
> > >>
> > >> --
> > >>
> > >> Bill Warren
> > >>
> > >> Network Systems Administrator
> > >> Optivel, Inc.
> > >> 317.275.2305 office
> > >> 317.523.8468 cell
> > >> www.optivel.com
> > >>
> > >> -------------------------------------------------------------------------
> > >> Using Tomcat but need to do more? Need to support web services, security?
> > >> Get stuff done quickly with pre-integrated technology to make your job easier
> > >> Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
> > >> http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
> > >> _______________________________________________
> > >> Snort-inline-users mailing list
> > >> Sno...@li...
> > >> https://lists.sourceforge.net/lists/listinfo/snort-inline-users
> >
> > --
> >
> > Bill Warren
> >
> > Network Systems Administrator
> > Optivel, Inc.
> > 317.275.2305 office
> > 317.523.8468 cell
> > www.optivel.com
|
From: Mike P. <mg...@us...> - 2006-11-09 21:03:27
|
I will be out of the office starting 11/09/2006 and will not return until 11/14/2006. I will respond to your message when I return. |
From: Will M. <wil...@gm...> - 2006-11-09 15:03:45
|
try writing to ramdisk and see if you still get the same error. Ram disk doesn't have to be that big.

On 11/9/06, Bill Warren <bw...@op...> wrote:
> I am just running off the hard drive. This is the only problem that I
> know of with the machine.
>
> Thanks,
> Bill
>
> Will Metcalf wrote:
> > Are you writing file descriptors to ramdisk or to the hard drive?
> > Having any other disk I/O problems?
> >
> > Regards,
> >
> > Will
> >
> > On 11/8/06, Bill Warren <bw...@op...> wrote:
> >> Hello,
> >> I am running Snort 2.4.5a on a Debian sarge box. It ran great for about
> >> 3 months and now ClamAV keeps stopping. This is my error
> >>
> >> "Nov 8 14:22:11 snortserver snort[8586]: FATAL ERROR: ClamAV scan error:
> >> Input/Output error."
> >>
> >> All the programs were pulled down from Debian packages. Anybody else
> >> have this problem?
> >>
> >> Thanks,
> >> Bill
> >>
> >> --
> >>
> >> Bill Warren
> >>
> >> Network Systems Administrator
> >> Optivel, Inc.
> >> 317.275.2305 office
> >> 317.523.8468 cell
> >> www.optivel.com
>
> --
>
> Bill Warren
>
> Network Systems Administrator
> Optivel, Inc.
> 317.275.2305 office
> 317.523.8468 cell
> www.optivel.com
|
From: Bill W. <bw...@op...> - 2006-11-09 14:28:14
|
I am just running off the hard drive. This is the only problem that I know of with the machine.

Thanks,
Bill

Will Metcalf wrote:
> Are you writing file descriptors to ramdisk or to the hard drive?
> Having any other disk I/O problems?
>
> Regards,
>
> Will
>
> On 11/8/06, Bill Warren <bw...@op...> wrote:
>> Hello,
>> I am running Snort 2.4.5a on a Debian sarge box. It ran great for about
>> 3 months and now ClamAV keeps stopping. This is my error
>>
>> "Nov 8 14:22:11 snortserver snort[8586]: FATAL ERROR: ClamAV scan error:
>> Input/Output error."
>>
>> All the programs were pulled down from Debian packages. Anybody else
>> have this problem?
>>
>> Thanks,
>> Bill
>>
>> --
>>
>> Bill Warren
>>
>> Network Systems Administrator
>> Optivel, Inc.
>> 317.275.2305 office
>> 317.523.8468 cell
>> www.optivel.com

--

Bill Warren

Network Systems Administrator
Optivel, Inc.
317.275.2305 office
317.523.8468 cell
www.optivel.com
|
From: Will M. <wil...@gm...> - 2006-11-08 20:47:09
|
Are you writing file descriptors to ramdisk or to the hard drive? Having any other disk I/O problems?

Regards,

Will

On 11/8/06, Bill Warren <bw...@op...> wrote:
> Hello,
> I am running Snort 2.4.5a on a Debian sarge box. It ran great for about
> 3 months and now ClamAV keeps stopping. This is my error
>
> "Nov 8 14:22:11 snortserver snort[8586]: FATAL ERROR: ClamAV scan error:
> Input/Output error."
>
> All the programs were pulled down from Debian packages. Anybody else
> have this problem?
>
> Thanks,
> Bill
>
> --
>
> Bill Warren
>
> Network Systems Administrator
> Optivel, Inc.
> 317.275.2305 office
> 317.523.8468 cell
> www.optivel.com
|
From: Bill W. <bw...@op...> - 2006-11-08 20:31:30
|
Hello,
I am running Snort 2.4.5a on a Debian sarge box. It ran great for about 3 months and now ClamAV keeps
stopping. This is my error

"Nov 8 14:22:11 snortserver snort[8586]: FATAL ERROR: ClamAV scan error: Input/Output error."

All the programs were pulled down from Debian packages. Anybody else have this problem?

Thanks,
Bill

--

Bill Warren

Network Systems Administrator
Optivel, Inc.
317.275.2305 office
317.523.8468 cell
www.optivel.com
|
From: Nick R. <ni...@ro...> - 2006-11-06 21:51:01
|
FYI, snort_inline has been updated to 2.4.3 in the FreeBSD ports tree.

Nick Rogness <ni...@ro...>

---------------------------- Original Message ----------------------------
Subject: Re: ports/104730: Port update to security/snort_inline
From: "Alejandro Pulver" <ale...@Fr...>
Date: Sun, November 5, 2006 11:14 am
To: ni...@ro... ale...@Fr... ale...@Fr...
--------------------------------------------------------------------------

Synopsis: Port update to security/snort_inline

State-Changed-From-To: open->closed
State-Changed-By: alepulver
State-Changed-When: Sun Nov 5 18:14:17 UTC 2006
State-Changed-Why:
Committed. Thanks!

http://www.freebsd.org/cgi/query-pr.cgi?pr=104730
|
From: <per...@gm...> - 2006-11-05 18:02:09
|
Now it is fully working. I think "sh autojunk.sh" was the step I needed. Certainly I wasn't doing
everything right.

snort_inline --enable-debug was using 80%~97% CPU (single p4-2.4 w/1 GB RAM); now it is using 4%~8% CPU
most of the time.

A BIG THANK YOU!

On 11/5/06, Victor Julien <vi...@nk...> wrote:
>
> Francisco Muñoz wrote:
> > When I sent you the debug info, it was working. It was the very first
> > time I got it to work. Ever.
> > I saw snort_inline using clamav to scan packets.
> >
> > Now the funny part: I recompiled it without debugging information and
> > it doesn't work.
> > Can I use the snort_inline compiled with --enable-debug in production?
>
> I wouldn't do that. It is slower, but more importantly it has a lot of
> situations where it quits the program where non-debug wouldn't. Normally
> these are situations that should not happen very often, but still.
>
> > The worst part is that I don't know what I'm doing wrong.
> > I did step by step what you told me.
>
> It all makes no sense to me. I looked at the code and see no reason it
> would work in debug mode and not in normal mode. Are you willing to try
> again from the start? If so, try the following:
>
> lets try with a fresh source
> unpack the source
> enter the source directory
> run: 'sh autojunk.sh' this sets up the buildscripts for your system.
> Most of the time it is not needed, but lets play safe.
> run: './configure' does it work without the options --with-clamav-defdir
> and --with-clamav-includes? If yes, don't use them.
> run: 'make'
> run: 'make install'
>
> Then try running snort_inline again to see if it makes a difference.
>
> Regards,
> Victor
>
> > --
> > Francisco
>

--
Cheers, Francisco
|