From: Alfredo O. <ao...@tu...> - 2006-08-09 13:10:19
Tut: Thanks for the guidance. The changing IPs are indeed the problem. As you suggest, the DNS query that iptables uses gets a valid IP, but this IP changes quickly (likely because of load balancing), and thus the new packets with the new IP go to QUEUE directly. Any ideas on how to solve this? In other words, how to avoid a specific domain's traffic from going to QUEUE when all we know is the domain name? Is this even possible given DNS resolution limitations? Many thanks... Alfredo

PS: Here's the setting of why I'm trying to do this. We have snort_inline in our office protecting all incoming and outgoing connections (all ports). We also use a third-party offsite server on dynamic DNS. I would like the traffic to the offsite server to be bypassed from snort.

----- Original Message -----
From: "Tut" <tut...@pa...>
To: "Alfredo Osorio" <ao...@tu...>
Cc: <sno...@li...>
Sent: Tuesday, August 08, 2006 10:54 PM
Subject: Re: [Snort-inline-users] Bypassing a domain name using IPTABLES

> hmmm, That should work, my guess is that using a name in the rule is
> the problem. It's generally a bad idea to make iptables use DNS to
> resolve names in the rules. Only the IP address that is returned when
> you add the rule is included in the rule.
>
> If you use <iptables -L FORWARD -n -v> after adding the accept rule
> which specifies a name, you'll find that the rule iptables has added
> has resolved the name to an IP address, and saved that, not the
> name. This activity is hidden if you list the rules without the -n
> parameter, because the reverse lookup is resolving the IP back to
> the name. So the rule will only match when that particular IP is
> returned when you connect to it.
>
> tut.
>
> _______________________________________________
> Snort-inline-users mailing list
> Sno...@li...
> https://lists.sourceforge.net/lists/listinfo/snort-inline-users
From: Tut <tut...@pa...> - 2006-08-09 02:53:18
hmmm, That should work, my guess is that using a name in the rule is the problem. It's generally a bad idea to make iptables use DNS to resolve names in the rules. Only the IP address that is returned when you add the rule is included in the rule.

If you use <iptables -L FORWARD -n -v> after adding the accept rule which specifies a name, you'll find that the rule iptables has added has resolved the name to an IP address, and saved that, not the name. This activity is hidden if you list the rules without the -n parameter, because the reverse lookup is resolving the IP back to the name. So the rule will only match when that particular IP is returned when you connect to it.

tut.

On Tue, 08 Aug 2006 20:51:57 -0400
Alfredo Osorio <ao...@tu...> wrote:

> Thanks Tut....That was my first thought too but no go...I tried...
>
> iptables -F
> iptables -A FORWARD -d www.safedomain.com -j ACCEPT
> iptables -A FORWARD -s www.safedomain.com -j ACCEPT
> iptables -A FORWARD -j QUEUE
>
> However, everything is going to queue despite the two accept lines
> above it....Clearly there's something about the sequencing of
> iptables (or the FORWARD chain) that I don't understand.....Alfredo
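The point Tut makes above (iptables resolves the name once, at insertion time, and stores only that address) and Alfredo's follow-up question (what to do when the address keeps changing) are illustrated by the script below. It is an added example written for this page, not code from the thread or from the snort_inline project. It assumes, as in Alfredo's rules, that the FORWARD chain ends in `-j QUEUE`, so ACCEPT rules inserted at the head of the chain are matched first, and that iptables runs as root; the function names (`sync_bypass`, `bypass_commands`, `reconcile`) and the 198.51.100.0/24 addresses are this example's own. Instead of putting the name in the rule, it resolves the name itself, installs ACCEPT rules for the addresses it got, and on each later run adds rules for addresses that appeared and deletes rules for addresses that disappeared:

```python
"""Keep snort_inline bypass rules in step with a DNS name.

Added example for this thread (not from the thread or from snort_inline).
Assumptions: the FORWARD chain ends in `-j QUEUE`, so rules inserted with
`-I` sit ahead of it; iptables is run as root. All names here are hypothetical.
"""
import socket
import subprocess
from typing import Callable, List, Sequence, Set, Tuple

CHAIN = "FORWARD"  # the chain that hands packets to snort_inline via QUEUE


def resolve_v4(name: str) -> Set[str]:
    """One DNS round trip: the IPv4 addresses currently returned for name.

    This is what iptables does once when a rule with a hostname is added;
    the difference is that this script keeps doing it.
    """
    infos = socket.getaddrinfo(name, None, socket.AF_INET, socket.SOCK_STREAM)
    return {info[4][0] for info in infos}


def bypass_commands(ip: str, op: str = "-I", chain: str = CHAIN) -> List[List[str]]:
    """iptables argv lists that ACCEPT traffic to and from one address.

    op is "-I" (insert at the head of the chain, ahead of the QUEUE rule) or
    "-D" (delete the rule with the same match, wherever it sits in the chain).
    """
    if op not in ("-I", "-D"):
        raise ValueError("op must be -I or -D")
    return [
        ["iptables", op, chain, "-d", ip, "-j", "ACCEPT"],
        ["iptables", op, chain, "-s", ip, "-j", "ACCEPT"],
    ]


def reconcile(applied: Set[str], current: Set[str]) -> Tuple[List[str], List[str]]:
    """Return (to_add, to_remove) that turns the installed set into current."""
    return sorted(current - applied), sorted(applied - current)


def run_iptables(argv: Sequence[str]) -> None:
    """Default executor: run iptables for real (needs root)."""
    subprocess.run(list(argv), check=True)


def sync_bypass(
    name: str,
    applied: Set[str],
    resolver: Callable[[str], Set[str]] = resolve_v4,
    run: Callable[[Sequence[str]], None] = run_iptables,
) -> Set[str]:
    """Re-resolve name and make the bypass rules match; returns the new set.

    Rules for new addresses are inserted first, so their traffic stops being
    queued as soon as possible; rules for addresses the name no longer points
    to are then deleted, so that traffic goes back through snort_inline.
    """
    current = resolver(name)
    to_add, to_remove = reconcile(applied, current)
    for ip in to_add:
        for argv in bypass_commands(ip, "-I"):
            run(argv)
    for ip in to_remove:
        for argv in bypass_commands(ip, "-D"):
            run(argv)
    return current


def _constructed_resolver(_name: str) -> Set[str]:
    """Constructed DNS answer for the dry run below: the name moved from
    .9/.10 to .10/.11, as a load-balanced or dynamic-DNS host might."""
    return {"198.51.100.10", "198.51.100.11"}


if __name__ == "__main__":
    # Dry run: no DNS lookup, no iptables call; the commands are just printed.
    state = sync_bypass("www.safedomain.com", {"198.51.100.9", "198.51.100.10"},
                        resolver=_constructed_resolver,
                        run=lambda argv: print(" ".join(argv)))
    print("now bypassing:", sorted(state))
```

Run `sync_bypass` from cron or a loop at roughly the record's TTL, persisting the returned set between runs (a small state file, or rebuild it from `iptables -S FORWARD`), and check the result with `iptables -L FORWARD -n -v` as Tut suggests; with `-n` the rules show the literal addresses. Two caveats a practitioner should keep in mind: if the name resolves to a different address on every query (one member of a pool per answer), the installed set will always lag and some flows will still be queued, which is the behaviour Alfredo describes; and a bypass keyed on resolved addresses is only as trustworthy as the DNS answer, so whoever can influence resolution of that name can steer traffic around the IPS.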
From: Alfredo O. <ao...@tu...> - 2006-08-09 00:48:53
Thanks Tut....That was my first thought too but no go...I tried...

iptables -F
iptables -A FORWARD -d www.safedomain.com -j ACCEPT
iptables -A FORWARD -s www.safedomain.com -j ACCEPT
iptables -A FORWARD -j QUEUE

However, everything is going to queue despite the two accept lines above it....Clearly there's something about the sequencing of iptables (or the FORWARD chain) that I don't understand.....Alfredo

----- Original Message -----
From: "Tut" <tut...@pa...>
To: <sno...@li...>
Sent: Tuesday, August 08, 2006 8:25 PM
Subject: Re: [Snort-inline-users] Bypassing a domain name using IPTABLES

> Why would you use mangle and mark for this? Surely you could just
> insert a rule prior to your QUEUE target, for the traffic you want to
> bypass snort inline, and just ACCEPT it?
>
> tut.
From: Tut <tut...@pa...> - 2006-08-09 00:23:56
On Tue, 08 Aug 2006 20:11:16 -0400
Alfredo Osorio <ao...@tu...> wrote:

> Hello everyone...
>
> Does anyone have any experience using iptables to detect traffic from
> a specific domain and not send this traffic to QUEUE - so effectively
> bypassing snort-inline only for this type of traffic? I have tried
> multiple iptables commands (I'm new to iptables) without success.
> [...]
> I'm not using whitelists within snort-inline to do this as I want to
> avoid having to restart snort. Also the ip ranges for
> www.safedomain.com may change constantly because of dynamic dns.
>
> Any thoughts would be greatly appreciated.....Regards,....Alfredo

Why would you use mangle and mark for this? Surely you could just insert a rule prior to your QUEUE target, for the traffic you want to bypass snort inline, and just ACCEPT it?

tut.
From: Alfredo O. <ao...@tu...> - 2006-08-09 00:08:24
Hello everyone...

Does anyone have any experience using iptables to detect traffic from a specific domain and not send this traffic to QUEUE - so effectively bypassing snort-inline only for this type of traffic? I have tried multiple iptables commands (I'm new to iptables) without success. The commands below are patterned after info I found on previous postings.

# Mark all New incoming traffic as 1
iptables -t mangle -A FORWARD -m state --state NEW -j MARK --set-mark 1

# Mark New traffic from/to target domain as 2
iptables -t mangle -A FORWARD -m state --state NEW -d www.safedomain.com -j MARK --set-mark 2
iptables -t mangle -A FORWARD -m state --state NEW -s www.safedomain.com -j MARK --set-mark 2

# Mark all Established traffic as 1
iptables -t mangle -A FORWARD -m state --state ESTABLISHED -j MARK --set-mark 1

# Mark Established traffic from/to target domain as 2
iptables -t mangle -A FORWARD -d www.safedomain.com -m state --state ESTABLISHED -j MARK --set-mark 2
iptables -t mangle -A FORWARD -s www.safedomain.com -m state --state ESTABLISHED -j MARK --set-mark 2

# Accept or send to QUEUE depending on mark
iptables -I FORWARD -m mark --mark 2 -j ACCEPT
iptables -I FORWARD -m mark --mark 1 -j QUEUE

I'm not using whitelists within snort-inline to do this as I want to avoid having to restart snort. Also the IP ranges for www.safedomain.com may change constantly because of dynamic DNS.

Any thoughts would be greatly appreciated.....Regards,....Alfredo
From: Victor J. <vi...@nk...> - 2006-07-23 09:56:27
Did you do:

make distclean
sh autojunk.sh
./configure
make

? This has solved similar problems for me in the past.

Cheers!

Victor

Imane G wrote:
> Hello all,
>
> I am trying to code a preprocessor for snort_inline.
>
> I tried to integrate the source and the header file to snort_inline but it did not work :(
>
> I explain the steps I followed (from the "Snort Preprocessors Development Kickstart",
> http://afrodita.unicauca.edu.co/~cbedon/snort/spp_kickstart.html )
> and I hope someone could tell me what's wrong.
>
> Here is the source file of the preprocessor. I called it spp_poly.c and for the moment it does absolutely nothing:
>
> /* spp_poly
>  *
>  * Arguments: None
>  */
>
> #ifdef HAVE_CONFIG_H
> #include "config.h"
> #endif
>
> #ifdef HAVE_STRING_H
> #include <string.h>
> #endif
>
> #include <sys/types.h>
> #include <stdlib.h>
> #include <ctype.h>
> #include <rpc/types.h>
>
> #include "generators.h"
> #include "event_wrapper.h"
> #include "util.h"
> #include "plugbase.h"
> #include "parser.h"
> #include "debug.h"
> #include "log.h"
> #include "decode.h"
> #include "mstring.h"
> #include "snort.h"
> #include "event_queue.h"
> #include "inline.h"  /* For dropping packets */
>
> /*
>  * your preprocessor header file goes here if necessary, don't forget
>  * to include the header file in plugbase.h too! (I did nothing in the
>  * plugbase.h! I don't know if the problem is here! I found no place where
>  * to add the header file!)
>  */
> #include "spp_poly.h"
>
> /* define any needed data structs for things like configuration */
>
> typedef struct _PolyData
> {
> } PolyData;
>
> PolyData SomeData;
>
> /* function prototypes go here */
>
> static void PolyInit(u_char *);
> static void PolyFunction(Packet *);
> static void PolyCleanExitFunction(int, void *);
> static void PolyRestartFunction(int, void *);
>
> /*
>  * Function: SetupPoly()
>  *
>  * Purpose: Registers the preprocessor keyword and initialization
>  *          function into the preprocessor list. This is the function that
>  *          gets called from InitPreprocessors() in plugbase.c.
>  */
>
> void SetupPoly()
> {
>     /* link the preprocessor keyword to the init function in
>      * the preproc list
>      */
>     RegisterPreprocessor("Poly", PolyInit);
>
>     DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN, "Preprocessor: PolyShellcode Detection Engine is setup...\n"););
> }
>
> /*
>  * Function: PolyInit(u_char *)
>  *
>  * Purpose: Calls the argument parsing function, performs final setup on data
>  *          structs, links the preproc function into the function list.
>  */
>
> static void PolyInit(u_char *args)
> {
>     DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN, "Preprocessor: PolyShellcode detection engine Initialized\n"););
>
>     /* called for every packet, and on clean exit / restart */
>     AddFuncToPreprocList(PolyFunction);
>     AddFuncToCleanExitList(PolyCleanExitFunction, NULL);
>     AddFuncToRestartList(PolyRestartFunction, NULL);
> }
>
> /*
>  * Function: PolyFunction(Packet *)
>  *
>  * Purpose: Perform the preprocessor's intended function.
>  *
>  * Arguments: p => pointer to the current packet data struct
>  *
>  */
> static void PolyFunction(Packet *p)
> {
>     printf("PolyShellcode Detection Engine Has received its first packet...:)\n");
> }
>
> static void PolyCleanExitFunction(int signal, void *data)
> {
>     /* clean exit code goes here */
> }
>
> static void PolyRestartFunction(int signal, void *foo)
> {
>     /* restart code goes here */
> }
> ///////////////////////////////////////////////////////////////////////
>
> Now the header file spp_poly.h (both spp_poly.c and spp_poly.h are in the /src/preprocessors/ directory):
>
> #ifndef __SPP_POLY_H__
> #define __SPP_POLY_H__
>
> /* list of function prototypes to export for this preprocessor */
>
> void SetupPoly();
>
> #endif /* __SPP_POLY_H__ */
>
> /////////////////////////////////////////////////////////////////////////////
>
> I added the following lines to Makefile, Makefile.in and Makefile.am (to be sure I forgot nothin'!!)
>
> am_libspp_a_OBJECTS = spp_arpspoof.$(OBJEXT) spp_bo.$(OBJEXT)\
>     spp_poly.$(OBJEXT) spp_portscan.$(OBJEXT)\
>     ...
>     spp_bait_and_switch.$(OBJEXT)
>
> libspp_a_SOURCES = spp_arpspoof.c spp_arpspoof.h\
>     spp_bo.c spp_bo.h \
>     spp_poly.c spp_poly.h\
>     ...
>     spp_bait_and_switch.c spp_bait_and_switch.h
>
> In the /src/plugbase.c file I added the following:
>
> /* built-in preprocessors */
> #include "preprocessors/spp_portscan.h"
> #include "preprocessors/spp_rpc_decode.h"
> #include "preprocessors/spp_bo.h"
> #include "preprocessors/spp_poly.h"
> ...
> #ifdef GIDS
> #include "preprocessors/spp_stickydrop.h"
> #include "preprocessors/spp_bait_and_switch.h"
> #endif
>
> void InitPreprocessors()
> {
>     if(!pv.quiet_flag)
>     {
>         LogMessage("Initializing Preprocessors!\n");
>     }
>     SetupPortscan();
>     SetupPortscanIgnoreHosts();
>     SetupRpcDecode();
>     SetupBo();
>     SetupPoly();
>     ...
> #ifdef CLAMAV
>     SetupClamAV();
> #endif
> #ifdef GIDS
>     SetupStickyDrop();
> #ifndef IPFW
>     SetupBaitAndSwitch();
> #endif /* IPFW */
> #endif /* GIDS */
> }
>
> ///////////////////////////////
>
> I went back to my snort_inline directory /usr/local/snort_inline2.4.5/ and I compiled with the usual "make".
>
> I had no errors!!
>
> Then I added the preprocessor in the snort_inline.config file which is located in another directory "/etc/snort_inline/snort_inline.conf":
>
> Preprocessor Poly
>
> I run Snort_inline:
>
> snort_inline -c /etc/snort_inline/snort_inline.conf -Q -N -l /var/log/snort_inline/ -t /var/log/snort_inline/ -v
>
> It initialized some components then it left with this:
>
> ERROR: unknown preprocessor "Poly"
> Fatal Error, Quitting..
>
> :( Please help me!
>
> Regards,
From: Imane G <har...@ho...> - 2006-07-23 07:22:16
Hello all,

I am trying to code a preprocessor for snort_inline.
I tried to integrate the source and the header file to snort_inline but it did not work :(

I explain the steps I followed (from the "Snort Preprocessors Development Kickstart",
http://afrodita.unicauca.edu.co/~cbedon/snort/spp_kickstart.html )
and I hope someone could tell me what's wrong.

Here is the source file of the preprocessor. I called it spp_poly.c and for the moment it does absolutely nothing:

/* spp_poly
 *
 * Arguments: None
 */

#ifdef HAVE_CONFIG_H
#include "config.h"
#endif

#ifdef HAVE_STRING_H
#include <string.h>
#endif

#include <sys/types.h>
#include <stdlib.h>
#include <ctype.h>
#include <rpc/types.h>

#include "generators.h"
#include "event_wrapper.h"
#include "util.h"
#include "plugbase.h"
#include "parser.h"
#include "debug.h"
#include "log.h"
#include "decode.h"
#include "mstring.h"
#include "snort.h"
#include "event_queue.h"
#include "inline.h"  /* For dropping packets */

/*
 * your preprocessor header file goes here if necessary, don't forget
 * to include the header file in plugbase.h too! (I did nothing in the
 * plugbase.h! I don't know if the problem is here! I found no place where
 * to add the header file!)
 */
#include "spp_poly.h"

/* define any needed data structs for things like configuration */

typedef struct _PolyData
{
} PolyData;

PolyData SomeData;
New" size=2>/* function prototypes go here */</FONT></P> <P class=MsoPlainText style="MARGIN: 0cm 0cm 0pt"><o:p><FONT face="Courier New" size=2> </FONT></o:p></P> <P class=MsoPlainText style="MARGIN: 0cm 0cm 0pt"><FONT face="Courier New" size=2>static void PolyInit(u_char *);</FONT></P> <P class=MsoPlainText style="MARGIN: 0cm 0cm 0pt"><FONT face="Courier New" size=2>static void PolyFunction(Packet *);</FONT></P> <P class=MsoPlainText style="MARGIN: 0cm 0cm 0pt"><FONT face="Courier New" size=2>static void PolyCleanExitFunction(int, void *);</FONT></P> <P class=MsoPlainText style="MARGIN: 0cm 0cm 0pt"><FONT face="Courier New" size=2>static void PolyRestartFunction(int, void *);</FONT></P> <P class=MsoPlainText style="MARGIN: 0cm 0cm 0pt"><o:p><FONT face="Courier New" size=2> </FONT></o:p></P> <P class=MsoPlainText style="MARGIN: 0cm 0cm 0pt"><FONT face="Courier New" size=2>/*</FONT></P> <P class=MsoPlainText style="MARGIN: 0cm 0cm 0pt"><FONT size=2><FONT face="Courier New"><SPAN style="mso-spacerun: yes"> </SPAN>* Function: SetupPoly ()</FONT></FONT></P> <P class=MsoPlainText style="MARGIN: 0cm 0cm 0pt"><FONT size=2><FONT face="Courier New"><SPAN style="mso-spacerun: yes"> </SPAN>*</FONT></FONT></P> <P class=MsoPlainText style="MARGIN: 0cm 0cm 0pt"><FONT size=2><FONT face="Courier New"><SPAN style="mso-spacerun: yes"> </SPAN>* Purpose: Registers the preprocessor keyword and initialization </FONT></FONT></P> <P class=MsoPlainText style="MARGIN: 0cm 0cm 0pt"><FONT size=2><FONT face="Courier New"><SPAN style="mso-spacerun: yes"> </SPAN>*<SPAN style="mso-spacerun: yes"> </SPAN>function into the preprocessor list.<SPAN style="mso-spacerun: yes"> </SPAN>This is the function that</FONT></FONT></P> <P class=MsoPlainText style="MARGIN: 0cm 0cm 0pt"><FONT size=2><FONT face="Courier New"><SPAN style="mso-spacerun: yes"> </SPAN>*<SPAN style="mso-spacerun: yes"> </SPAN>gets called from InitPreprocessors() in plugbase.c.</FONT></FONT></P> <P class=MsoPlainText style="MARGIN: 0cm 
0cm 0pt"><FONT size=2><FONT face="Courier New"><SPAN style="mso-spacerun: yes"> </SPAN>*/</FONT></FONT></P> <P class=MsoPlainText style="MARGIN: 0cm 0cm 0pt"><o:p><FONT face="Courier New" size=2> </FONT></o:p></P> <P class=MsoPlainText style="MARGIN: 0cm 0cm 0pt"><FONT face="Courier New" size=2>void SetupPoly()</FONT></P> <P class=MsoPlainText style="MARGIN: 0cm 0cm 0pt"><FONT face="Courier New" size=2>{</FONT></P> <P class=MsoPlainText style="MARGIN: 0cm 0cm 0pt"><FONT size=2><FONT face="Courier New"><SPAN style="mso-spacerun: yes"> </SPAN>/* link the preprocessor keyword to the init function in </FONT></FONT></P> <P class=MsoPlainText style="MARGIN: 0cm 0cm 0pt"><FONT size=2><FONT face="Courier New"><SPAN style="mso-spacerun: yes"> </SPAN>* the preproc list </FONT></FONT></P> <P class=MsoPlainText style="MARGIN: 0cm 0cm 0pt"><FONT size=2><FONT face="Courier New"><SPAN style="mso-spacerun: yes"> </SPAN>*/</FONT></FONT></P> <P class=MsoPlainText style="MARGIN: 0cm 0cm 0pt"><FONT size=2><FONT face="Courier New"><SPAN style="mso-spacerun: yes"> </SPAN>RegisterPreprocessor("Poly", PolyInit);</FONT></FONT></P> <P class=MsoPlainText style="MARGIN: 0cm 0cm 0pt"><o:p><FONT face="Courier New" size=2> </FONT></o:p></P> <P class=MsoPlainText style="MARGIN: 0cm 0cm 0pt"><FONT size=2><FONT face="Courier New"><SPAN style="mso-spacerun: yes"> </SPAN>DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN, "Preprocessor: PolyShellcode Detection Engine is setup...\n"););</FONT></FONT></P> <P class=MsoPlainText style="MARGIN: 0cm 0cm 0pt"><FONT face="Courier New" size=2>}</FONT></P> <P class=MsoPlainText style="MARGIN: 0cm 0cm 0pt"><o:p><FONT face="Courier New" size=2> </FONT></o:p></P> <P class=MsoPlainText style="MARGIN: 0cm 0cm 0pt"><o:p><FONT face="Courier New" size=2> </FONT></o:p></P> <P class=MsoPlainText style="MARGIN: 0cm 0cm 0pt"><FONT face="Courier New" size=2>/*</FONT></P> <P class=MsoPlainText style="MARGIN: 0cm 0cm 0pt"><FONT size=2><FONT face="Courier New"><SPAN style="mso-spacerun: 
yes"> </SPAN>* Function: PolyInit(u_char *)</FONT></FONT></P> <P class=MsoPlainText style="MARGIN: 0cm 0cm 0pt"><FONT size=2><FONT face="Courier New"><SPAN style="mso-spacerun: yes"> </SPAN>*</FONT></FONT></P> <P class=MsoPlainText style="MARGIN: 0cm 0cm 0pt"><FONT size=2><FONT face="Courier New"><SPAN style="mso-spacerun: yes"> </SPAN>* Purpose: Calls the argument parsing function, performs final setup on data</FONT></FONT></P> <P class=MsoPlainText style="MARGIN: 0cm 0cm 0pt"><FONT size=2><FONT face="Courier New"><SPAN style="mso-spacerun: yes"> </SPAN>*<SPAN style="mso-spacerun: yes"> </SPAN>structs, links the preproc function into the function list.</FONT></FONT></P> <P class=MsoPlainText style="MARGIN: 0cm 0cm 0pt"><FONT size=2><FONT face="Courier New"><SPAN style="mso-spacerun: yes"> </SPAN>*/</FONT></FONT></P> <P class=MsoPlainText style="MARGIN: 0cm 0cm 0pt"><o:p><FONT face="Courier New" size=2> </FONT></o:p></P> <P class=MsoPlainText style="MARGIN: 0cm 0cm 0pt"><FONT face="Courier New" size=2>static void PolyInit(u_char *args)</FONT></P> <P class=MsoPlainText style="MARGIN: 0cm 0cm 0pt"><FONT face="Courier New" size=2>{</FONT></P> <P class=MsoPlainText style="MARGIN: 0cm 0cm 0pt"><o:p><FONT face="Courier New" size=2> </FONT></o:p></P> <P class=MsoPlainText style="MARGIN: 0cm 0cm 0pt"><FONT size=2><FONT face="Courier New"><SPAN style="mso-spacerun: yes"> </SPAN>DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN, "Preprocessor: PolyShellcode detection engine Initialized\n"););</FONT></FONT></P> <P class=MsoPlainText style="MARGIN: 0cm 0cm 0pt"><o:p><FONT face="Courier New" size=2> </FONT></o:p></P> <P class=MsoPlainText style="MARGIN: 0cm 0cm 0pt"><FONT size=2><FONT face="Courier New"><SPAN style="mso-spacerun: yes"> </SPAN>AddFuncToPreprocList(PolyFunction);</FONT></FONT></P> <P class=MsoPlainText style="MARGIN: 0cm 0cm 0pt"><FONT size=2><FONT face="Courier New"><SPAN style="mso-spacerun: yes"> </SPAN>AddFuncToCleanExitList(PolyCleanExitFunction, NULL);</FONT></FONT></P> 
<P class=MsoPlainText style="MARGIN: 0cm 0cm 0pt"><FONT size=2><FONT face="Courier New"><SPAN style="mso-spacerun: yes"> </SPAN>AddFuncToRestartList(PolyRestartFunction, NULL);</FONT></FONT></P> <P class=MsoPlainText style="MARGIN: 0cm 0cm 0pt"><FONT face="Courier New" size=2>}</FONT></P> <P class=MsoPlainText style="MARGIN: 0cm 0cm 0pt"><o:p><FONT face="Courier New" size=2> </FONT></o:p></P> <P class=MsoPlainText style="MARGIN: 0cm 0cm 0pt"><o:p><FONT face="Courier New" size=2> </FONT></o:p></P> <P class=MsoPlainText style="MARGIN: 0cm 0cm 0pt"><FONT face="Courier New" size=2>/*</FONT></P> <P class=MsoPlainText style="MARGIN: 0cm 0cm 0pt"><FONT size=2><FONT face="Courier New"><SPAN style="mso-spacerun: yes"> </SPAN>* Function: PreprocFunction(Packet *)</FONT></FONT></P> <P class=MsoPlainText style="MARGIN: 0cm 0cm 0pt"><FONT size=2><FONT face="Courier New"><SPAN style="mso-spacerun: yes"> </SPAN>*</FONT></FONT></P> <P class=MsoPlainText style="MARGIN: 0cm 0cm 0pt"><FONT size=2><FONT face="Courier New"><SPAN style="mso-spacerun: yes"> </SPAN>* Purpose: Perform the preprocessor's intended function.<SPAN style="mso-spacerun: yes"> </SPAN></FONT></FONT></P> <P class=MsoPlainText style="MARGIN: 0cm 0cm 0pt"><FONT size=2><FONT face="Courier New"><SPAN style="mso-spacerun: yes"> </SPAN>*</FONT></FONT></P> <P class=MsoPlainText style="MARGIN: 0cm 0cm 0pt"><FONT size=2><FONT face="Courier New"><SPAN style="mso-spacerun: yes"> </SPAN>* Arguments: p => pointer to the current packet data struct </FONT></FONT></P> <P class=MsoPlainText style="MARGIN: 0cm 0cm 0pt"><FONT size=2><FONT face="Courier New"><SPAN style="mso-spacerun: yes"> </SPAN>*</FONT></FONT></P> <P class=MsoPlainText style="MARGIN: 0cm 0cm 0pt"><FONT size=2><FONT face="Courier New"><SPAN style="mso-spacerun: yes"> </SPAN>*/</FONT></FONT></P> <P class=MsoPlainText style="MARGIN: 0cm 0cm 0pt"><FONT face="Courier New" size=2>static void PolyFunction(Packet *p)</FONT></P> <P class=MsoPlainText style="MARGIN: 0cm 0cm 
0pt"><FONT face="Courier New" size=2>{</FONT></P> <P class=MsoPlainText style="MARGIN: 0cm 0cm 0pt"><FONT size=2><FONT face="Courier New"><SPAN style="mso-spacerun: yes"> </SPAN>printf("PolyShellcode Detection Engine Has recieced its first packet...:)\n");</FONT></FONT></P> <P class=MsoPlainText style="MARGIN: 0cm 0cm 0pt"><SPAN style="mso-spacerun: yes"><FONT face="Courier New" size=2> </FONT></SPAN></P> <P class=MsoPlainText style="MARGIN: 0cm 0cm 0pt"><FONT face="Courier New" size=2>}</FONT></P> <P class=MsoPlainText style="MARGIN: 0cm 0cm 0pt"><o:p><FONT face="Courier New" size=2> </FONT></o:p></P> <P class=MsoPlainText style="MARGIN: 0cm 0cm 0pt"><FONT face="Courier New" size=2>static void PolyCleanExitFunction(int signal, void *data)</FONT></P> <P class=MsoPlainText style="MARGIN: 0cm 0cm 0pt"><FONT face="Courier New" size=2>{</FONT></P> <P class=MsoPlainText style="MARGIN: 0cm 0cm 0pt"><FONT size=2><FONT face="Courier New"><SPAN style="mso-spacerun: yes"> </SPAN>/* clean exit code goes here */</FONT></FONT></P> <P class=MsoPlainText style="MARGIN: 0cm 0cm 0pt"><FONT face="Courier New" size=2>}</FONT></P> <P class=MsoPlainText style="MARGIN: 0cm 0cm 0pt"><o:p><FONT face="Courier New" size=2> </FONT></o:p></P> <P class=MsoPlainText style="MARGIN: 0cm 0cm 0pt"><FONT face="Courier New" size=2>static void PolyRestartFunction(int signal, void *foo)</FONT></P> <P class=MsoPlainText style="MARGIN: 0cm 0cm 0pt"><FONT face="Courier New" size=2>{</FONT></P> <P class=MsoPlainText style="MARGIN: 0cm 0cm 0pt"><FONT size=2><FONT face="Courier New"><SPAN style="mso-spacerun: yes"> </SPAN>/* restart code goes here */</FONT></FONT></P> <P class=MsoPlainText style="MARGIN: 0cm 0cm 0pt"><FONT face="Courier New" size=2>}</FONT></P> <P class=MsoPlainText style="MARGIN: 0cm 0cm 0pt"><FONT face="Courier New" size=2>///////////////////////////////////////////////////////////////////////</FONT></P> <P class=MsoPlainText style="MARGIN: 0cm 0cm 0pt"><o:p><FONT face="Courier New" 
size=2> </FONT></o:p></P> <P class=MsoPlainText style="MARGIN: 0cm 0cm 0pt"><SPAN style="COLOR: #ff6600"><FONT size=2><FONT face="Courier New">Now the header file <B style="mso-bidi-font-weight: normal">spp_poly.h</B> (Both spp_poly.c and spp_poly.h are in the /src/preprocessors/ directory ):<o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoPlainText style="MARGIN: 0cm 0cm 0pt"><o:p><FONT face="Courier New" size=2> </FONT></o:p></P> <P class=MsoPlainText style="MARGIN: 0cm 0cm 0pt"><FONT face="Courier New" size=2>#ifndef __SPP_POLY_H__</FONT></P> <P class=MsoPlainText style="MARGIN: 0cm 0cm 0pt"><FONT face="Courier New" size=2>#define __SPP_POLY_H__</FONT></P> <P class=MsoPlainText style="MARGIN: 0cm 0cm 0pt"><o:p><FONT face="Courier New" size=2> </FONT></o:p></P> <P class=MsoPlainText style="MARGIN: 0cm 0cm 0pt"><FONT face="Courier New" size=2>/* list of function prototypes to export for this preprocessor */</FONT></P> <P class=MsoPlainText style="MARGIN: 0cm 0cm 0pt"><o:p><FONT face="Courier New" size=2> </FONT></o:p></P> <P class=MsoPlainText style="MARGIN: 0cm 0cm 0pt"><FONT face="Courier New" size=2>void SetupPoly();</FONT></P> <P class=MsoPlainText style="MARGIN: 0cm 0cm 0pt"><o:p><FONT face="Courier New" size=2> </FONT></o:p></P> <P class=MsoPlainText style="MARGIN: 0cm 0cm 0pt"><FONT face="Courier New" size=2>#endif<SPAN style="mso-spacerun: yes"> </SPAN>/* __SPP_POLY_H__ */</FONT></P> <P class=MsoPlainText style="MARGIN: 0cm 0cm 0pt"><o:p><FONT face="Courier New" size=2> </FONT></o:p></P> <P class=MsoPlainText style="MARGIN: 0cm 0cm 0pt"><FONT face="Courier New" size=2>/////////////////////////////////////////////////////////////////////////////</FONT></P> <P class=MsoPlainText style="MARGIN: 0cm 0cm 0pt"><o:p><FONT face="Courier New" size=2> </FONT></o:p></P> <P class=MsoPlainText style="MARGIN: 0cm 0cm 0pt"><SPAN style="COLOR: #ff6600"><FONT size=2><FONT face="Courier New">I added the following lines to Makefile, Makefile.in and Makefile.am (to be sure I 
forgot nothin !!)<o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoPlainText style="MARGIN: 0cm 0cm 0pt"><o:p><FONT face="Courier New" size=2> </FONT></o:p></P> <P class=MsoPlainText style="MARGIN: 0cm 0cm 0pt"><o:p><FONT face="Courier New" size=2> </FONT></o:p></P> <P class=MsoPlainText style="MARGIN: 0cm 0cm 0pt"><FONT face="Courier New" size=2>am_libspp_a_OBJECTS = spp_arpspoof.$(OBJEXT) spp_bo.$(OBJEXT)\</FONT></P> <P class=MsoPlainText style="MARGIN: 0cm 0cm 0pt"><FONT size=2><FONT face="Courier New"><SPAN style="mso-spacerun: yes"> </SPAN><SPAN style="mso-spacerun: yes"> </SPAN><SPAN style="mso-spacerun: yes"> </SPAN><SPAN style="mso-spacerun: yes"> </SPAN><B style="mso-bidi-font-weight: normal">spp_poly.$(OBJEXT) </B>spp_portscan.$(OBJEXT)\ <SPAN style="mso-spacerun: yes"> </SPAN></FONT></FONT></P> <P class=MsoPlainText style="MARGIN: 0cm 0cm 0pt"><FONT size=2><FONT face="Courier New"><SPAN style="mso-spacerun: yes"> </SPAN><SPAN style="mso-spacerun: yes"> </SPAN> </FONT></FONT></P> <P class=MsoPlainText style="MARGIN: 0cm 0cm 0pt"><FONT size=2><FONT face="Courier New"><SPAN style="mso-tab-count: 1"> </SPAN><SPAN style="mso-spacerun: yes"> </SPAN>spp_bait_and_switch.$(OBJEXT)</FONT></FONT></P> <P class=MsoPlainText style="MARGIN: 0cm 0cm 0pt"><o:p><FONT face="Courier New" size=2> </FONT></o:p></P> <P class=MsoPlainText style="MARGIN: 0cm 0cm 0pt"><FONT face="Courier New" size=2>libspp_a_SOURCES = spp_arpspoof.c spp_arpspoof.h\</FONT></P> <P class=MsoPlainText style="MARGIN: 0cm 0cm 0pt"><FONT size=2><FONT face="Courier New"><SPAN style="mso-spacerun: yes"> </SPAN>spp_bo.c spp_bo.h \</FONT></FONT></P> <P class=MsoPlainText style="MARGIN: 0cm 0cm 0pt"><FONT size=2><FONT face="Courier New"><SPAN style="mso-spacerun: yes"> </SPAN><B style="mso-bidi-font-weight: normal">spp_poly.c spp_poly.h\<o:p></o:p></B></FONT></FONT></P> <P class=MsoPlainText style="MARGIN: 0cm 0cm 0pt"><FONT size=2><FONT face="Courier New"><SPAN style="mso-spacerun: yes"> </SPAN> 
</FONT></FONT></P> <P class=MsoPlainText style="MARGIN: 0cm 0cm 0pt"><FONT size=2><FONT face="Courier New"><SPAN style="mso-spacerun: yes"> </SPAN>spp_bait_and_switch.c spp_bait_and_switch.h</FONT></FONT></P> <P class=MsoPlainText style="MARGIN: 0cm 0cm 0pt"><o:p><FONT face="Courier New" size=2> </FONT></o:p></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN style="COLOR: #ff6600"><FONT size=3><FONT face="Times New Roman">In the /src/ plubase.c<SPAN style="mso-spacerun: yes"> </SPAN>file I added the following :<o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><o:p><FONT face="Times New Roman" size=3> </FONT></o:p></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><o:p><FONT face="Times New Roman" size=3> </FONT></o:p></P> <P class=MsoPlainText style="MARGIN: 0cm 0cm 0pt"><FONT face="Courier New" size=2>/* built-in preprocessors */</FONT></P> <P class=MsoPlainText style="MARGIN: 0cm 0cm 0pt"><FONT face="Courier New" size=2>#include "preprocessors/spp_portscan.h"</FONT></P> <P class=MsoPlainText style="MARGIN: 0cm 0cm 0pt"><FONT face="Courier New" size=2>#include "preprocessors/spp_rpc_decode.h"</FONT></P> <P class=MsoPlainText style="MARGIN: 0cm 0cm 0pt"><FONT face="Courier New" size=2>#include "preprocessors/spp_bo.h"</FONT></P> <P class=MsoPlainText style="MARGIN: 0cm 0cm 0pt"><B style="mso-bidi-font-weight: normal"><FONT size=2><FONT face="Courier New">#include "preprocessors/spp_poly.h"<o:p></o:p></FONT></FONT></B></P> <P class=MsoPlainText style="MARGIN: 0cm 0cm 0pt"><B style="mso-bidi-font-weight: normal"><FONT face="Courier New" size=2> </FONT></B></P> <P class=MsoPlainText style="MARGIN: 0cm 0cm 0pt"><FONT face="Courier New" size=2>#ifdef GIDS</FONT></P> <P class=MsoPlainText style="MARGIN: 0cm 0cm 0pt"><FONT face="Courier New" size=2>#include "preprocessors/spp_stickydrop.h"</FONT></P> <P class=MsoPlainText style="MARGIN: 0cm 0cm 0pt"><FONT face="Courier New" size=2>#include 
"preprocessors/spp_bait_and_switch.h"</FONT></P> <P class=MsoPlainText style="MARGIN: 0cm 0cm 0pt"><FONT face="Courier New" size=2>#endif</FONT></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><o:p><FONT face="Times New Roman" size=3> </FONT></o:p></P> <P class=MsoPlainText style="MARGIN: 0cm 0cm 0pt"><FONT face="Courier New" size=2>void InitPreprocessors()</FONT></P> <P class=MsoPlainText style="MARGIN: 0cm 0cm 0pt"><FONT face="Courier New" size=2>{</FONT></P> <P class=MsoPlainText style="MARGIN: 0cm 0cm 0pt"><FONT size=2><FONT face="Courier New"><SPAN style="mso-spacerun: yes"> </SPAN>if(!pv.quiet_flag)</FONT></FONT></P> <P class=MsoPlainText style="MARGIN: 0cm 0cm 0pt"><FONT size=2><FONT face="Courier New"><SPAN style="mso-spacerun: yes"> </SPAN>{</FONT></FONT></P> <P class=MsoPlainText style="MARGIN: 0cm 0cm 0pt"><FONT size=2><FONT face="Courier New"><SPAN style="mso-spacerun: yes"> </SPAN>LogMessage("Initializing Preprocessors!\n");</FONT></FONT></P> <P class=MsoPlainText style="MARGIN: 0cm 0cm 0pt"><FONT size=2><FONT face="Courier New"><SPAN style="mso-spacerun: yes"> </SPAN>}</FONT></FONT></P> <P class=MsoPlainText style="MARGIN: 0cm 0cm 0pt"><FONT size=2><FONT face="Courier New"><SPAN style="mso-spacerun: yes"> </SPAN>SetupPortscan();</FONT></FONT></P> <P class=MsoPlainText style="MARGIN: 0cm 0cm 0pt"><FONT size=2><FONT face="Courier New"><SPAN style="mso-spacerun: yes"> </SPAN>SetupPortscanIgnoreHosts();</FONT></FONT></P> <P class=MsoPlainText style="MARGIN: 0cm 0cm 0pt"><FONT size=2><FONT face="Courier New"><SPAN style="mso-spacerun: yes"> </SPAN>SetupRpcDecode();</FONT></FONT></P> <P class=MsoPlainText style="MARGIN: 0cm 0cm 0pt"><FONT size=2><FONT face="Courier New"><SPAN style="mso-spacerun: yes"> </SPAN>SetupBo();</FONT></FONT></P> <P class=MsoPlainText style="MARGIN: 0cm 0cm 0pt"><FONT size=2><FONT face="Courier New"><SPAN style="mso-spacerun: yes"> </SPAN><B style="mso-bidi-font-weight: normal">SetupPoly();<o:p></o:p></B></FONT></FONT></P> <P 
class=MsoPlainText style="MARGIN: 0cm 0cm 0pt"><FONT size=2><FONT face="Courier New"><SPAN style="mso-spacerun: yes"> </SPAN> </FONT></FONT></P> <P class=MsoPlainText style="MARGIN: 0cm 0cm 0pt"><FONT face="Courier New" size=2>#ifdef CLAMAV</FONT></P> <P class=MsoPlainText style="MARGIN: 0cm 0cm 0pt"><FONT size=2><FONT face="Courier New"><SPAN style="mso-spacerun: yes"> </SPAN>SetupClamAV();</FONT></FONT></P> <P class=MsoPlainText style="MARGIN: 0cm 0cm 0pt"><FONT face="Courier New" size=2>#endif</FONT></P> <P class=MsoPlainText style="MARGIN: 0cm 0cm 0pt"><FONT face="Courier New" size=2>#ifdef GIDS</FONT></P> <P class=MsoPlainText style="MARGIN: 0cm 0cm 0pt"><FONT size=2><FONT face="Courier New"><SPAN style="mso-spacerun: yes"> </SPAN>SetupStickyDrop();</FONT></FONT></P> <P class=MsoPlainText style="MARGIN: 0cm 0cm 0pt"><FONT face="Courier New" size=2>#ifndef IPFW</FONT></P> <P class=MsoPlainText style="MARGIN: 0cm 0cm 0pt"><FONT size=2><FONT face="Courier New"><SPAN style="mso-spacerun: yes"> </SPAN>SetupBaitAndSwitch();</FONT></FONT></P> <P class=MsoPlainText style="MARGIN: 0cm 0cm 0pt"><FONT face="Courier New" size=2>#endif /* IPFW */</FONT></P> <P class=MsoPlainText style="MARGIN: 0cm 0cm 0pt"><FONT face="Courier New" size=2>#endif /* GIDS */</FONT></P> <P class=MsoPlainText style="MARGIN: 0cm 0cm 0pt"><SPAN style="mso-spacerun: yes"><FONT face="Courier New" size=2> </FONT></SPAN></P> <P class=MsoPlainText style="MARGIN: 0cm 0cm 0pt"><FONT face="Courier New" size=2>}</FONT></P> <P class=MsoPlainText style="MARGIN: 0cm 0cm 0pt"><o:p><FONT face="Courier New" size=2> </FONT></o:p></P> <P class=MsoPlainText style="MARGIN: 0cm 0cm 0pt"><FONT face="Courier New" size=2>///////////////////////////////</FONT></P> <P class=MsoPlainText style="MARGIN: 0cm 0cm 0pt"><o:p><FONT face="Courier New" size=2> </FONT></o:p></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><FONT size=3><FONT face="Times New Roman"><SPAN style="COLOR: #ff6600">I went back to my snort_inline 
directory /usr/local/snort_inline2.4.5/ and I compiled with the usual</SPAN> « <B style="mso-bidi-font-weight: normal">make</B> »</FONT></FONT></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><o:p><FONT face="Times New Roman" size=3> </FONT></o:p></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN style="COLOR: #ff6600"><FONT size=3><FONT face="Times New Roman">I had no errors !!<o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN style="COLOR: #ff6600"><o:p><FONT face="Times New Roman" size=3> </FONT></o:p></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN style="COLOR: #ff6600"><FONT size=3><FONT face="Times New Roman">Then I added the preprocessor in the snort_inline.config file wich is located in another directory « /etc/snort_inline/snort_inline.conf » :<o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><o:p><FONT face="Times New Roman" size=3> </FONT></o:p></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><FONT face="Times New Roman" size=3>Preprocessor Poly </FONT></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><o:p><FONT face="Times New Roman" size=3> </FONT></o:p></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN style="COLOR: #ff6600"><FONT size=3><FONT face="Times New Roman">I run Snort_inline :<o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN style="COLOR: #ff6600"><o:p><FONT face="Times New Roman" size=3> </FONT></o:p></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><FONT face="Times New Roman" size=3>snort_inline -c /etc/snort_inline/snort_inline.conf -Q -N -l /var/log/snort_inline/ \ -t /var/log/snort_inline/ -v</FONT></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><o:p><FONT face="Times New Roman" size=3> </FONT></o:p></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN style="COLOR: #ff6600"><FONT size=3><FONT face="Times New Roman">It initialized some components then it left with this 
:<o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><o:p><FONT face="Times New Roman" size=3> </FONT></o:p></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><FONT face="Times New Roman" size=3>ERROR:<SPAN style="mso-spacerun: yes"> </SPAN>unknown preprocessor "Poly"</FONT></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><FONT size=3><FONT face="Times New Roman">Fatal Error, Quitting..<SPAN style="mso-spacerun: yes"> </SPAN></FONT></FONT></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><o:p><FONT face="Times New Roman" size=3> </FONT></o:p></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><FONT size=3><SPAN style="FONT-FAMILY: Wingdings; mso-ascii-font-family: 'Times New Roman'; mso-hansi-font-family: 'Times New Roman'; mso-char-type: symbol; mso-symbol-font-family: Wingdings"><SPAN style="mso-char-type: symbol; mso-symbol-font-family: Wingdings">L</SPAN></SPAN><FONT face="Times New Roman"><SPAN style="mso-spacerun: yes"> </SPAN>Please help me !</FONT></FONT></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><o:p><FONT face="Times New Roman" size=3> </FONT></o:p></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><FONT face="Times New Roman" size=3>Regards,</FONT></P></div><br clear=all><hr>MSN Messenger <a href="http://g.msn.com/8HMAFR/2734??PS=47575" target="_top">: appels gratuits de PC à PC partout dans le monde !</a> </html> |
From: Will M. <wil...@gm...> - 2006-07-21 20:45:57
|
On 7/21/06, Imane G <har...@ho...> wrote:
>
> Hello, I am a noob at Snort. I also apologise for my bad English.
>
> I have to develop a preprocessor for Snort-inline to detect polymorphic
> shellcodes by scanning the payload for 'Nop sleds' and 'Fake nop sleds'
> (including those using multibyte instructions) and maybe also by looking for
> the jmp esp addresses in the packets' payload.
>
> I have some questions and I am praying that someone could answer me:
>
> 1- I heard about the Fnord preprocessor for Snort. Why isn't it integrated
> into snort inline?

I integrated this back into snort-inline once for testing. There proved to be
way too many false positives to use in any production environment.

> 2- I think about using a Neural Network and spectrum analysis (I am still
> far from it) to detect the sleds. Will my preprocessor significantly slow
> down the system?

Not if you code it correctly ;-).....

> 3- Does anybody have any suggestions or remarks about what I am about to do?
>

Get it working and we will include it in our code, or if you want somebody to
test it I will be more than happy to.

Regards,

Will

> Regards,
>
>
>
>
>
> ________________________________
> MSN Messenger: free PC-to-PC calls anywhere in the world!
> -------------------------------------------------------------------------
> Take Surveys. Earn Cash. Influence the Future of IT
> Join SourceForge.net's Techsay panel and you'll get the chance to share your
> opinions on IT & business topics through brief surveys -- and earn cash
> http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
>
> _______________________________________________
> Snort-inline-users mailing list
> Sno...@li...
> https://lists.sourceforge.net/lists/listinfo/snort-inline-users
>
>
> |
From: Imane G <har...@ho...> - 2006-07-21 16:21:29
|
Hello, I am a noob at Snort. I also apologise for my bad English.

I have to develop a preprocessor for Snort-inline to detect polymorphic shellcodes by scanning the payload for 'Nop sleds' and 'Fake nop sleds' (including those using multibyte instructions) and maybe also by looking for the jmp esp addresses in the packets' payload.

I have some questions and I am praying that someone could answer me:

1- I heard about the Fnord preprocessor for Snort. Why isn't it integrated into snort inline?

2- I think about using a Neural Network and spectrum analysis (I am still far from it) to detect the sleds. Will my preprocessor significantly slow down the system?

3- Does anybody have any suggestions or remarks about what I am about to do?

Regards,
|
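The question above asks about scanning payloads for NOP sleds, and Will's reply warns that a Fnord-style byte heuristic produced too many false positives. The following C block is an added illustration, not code from this thread, from Snort or from Fnord: it implements the core run-length check such a preprocessor would apply to a packet payload and runs it over constructed samples, one of which is an ordinary HTTP request line that the heuristic misclassifies. The opcode subset, the threshold of 32 and all sample payloads are assumptions chosen for the illustration.

```c
/*
 * Added illustration, not code from this thread, from Snort or from Fnord:
 * the core of a NOP-sled heuristic that a preprocessor like the planned
 * spp_poly would run over a packet payload, plus constructed samples
 * showing why Will's false-positive remark matters.
 *
 * Assumptions: the "sled byte" opcode subset below and the run-length
 * threshold are illustrative choices, not the tables any real IDS uses.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SLED_THRESHOLD 32   /* assumed: minimum run of sled bytes to alert on */

/* Single-byte x86 instructions that execute harmlessly wherever a jump
 * lands inside the run; any of them can pad a sled instead of 0x90. */
static int is_sled_byte(uint8_t b)
{
    return b == 0x90                      /* nop */
        || (b >= 0x40 && b <= 0x5f)       /* inc/dec r32, push/pop r32 */
        || b == 0xf8 || b == 0xf9         /* clc, stc */
        || b == 0xfc || b == 0xfd;        /* cld, std */
}

/* Longest run of consecutive sled bytes anywhere in the payload. */
size_t longest_sled_run(const uint8_t *payload, size_t len)
{
    size_t i, run = 0, best = 0;

    for (i = 0; i < len; i++) {
        if (is_sled_byte(payload[i])) {
            if (++run > best)
                best = run;
        } else {
            run = 0;
        }
    }
    return best;
}

/* 1 if the heuristic would alert on (or, inline, drop) this payload. */
int sled_detected(const uint8_t *payload, size_t len)
{
    return longest_sled_run(payload, len) >= SLED_THRESHOLD;
}

/* Constructed sample 1: 64 NOPs followed by 16 int3 bytes (0xcc is not
 * a sled byte, so the run stops there). Longest run: 64. */
size_t classic_sled_run(void)
{
    uint8_t buf[80];

    memset(buf, 0x90, 64);
    memset(buf + 64, 0xcc, 16);
    return longest_sled_run(buf, sizeof buf);
}

/* Constructed sample 2: a harmless HTTP request line. The capitals
 * 'A'..'Z' (0x41..0x5a) are all inc/dec/push/pop opcodes, so 52 of them
 * in a row look exactly like a sled to the byte heuristic. Longest run: 52. */
size_t ascii_false_positive_run(void)
{
    static const char req[] =
        "GET /ABCDEFGHIJKLMNOPQRSTUVWXYZABCDEFGHIJKLMNOPQRSTUVWXYZ HTTP/1.0\r\n";

    return longest_sled_run((const uint8_t *)req, strlen(req));
}

/* Constructed sample 3: zeros with one short burst of 8 NOPs, which stays
 * under the threshold. Longest run: 8. */
size_t short_run(void)
{
    uint8_t buf[64];

    memset(buf, 0x00, sizeof buf);
    memset(buf + 10, 0x90, 8);
    return longest_sled_run(buf, sizeof buf);
}

int main(void)
{
    printf("classic sled run  : %zu (detected=%d)\n",
           classic_sled_run(), classic_sled_run() >= SLED_THRESHOLD);
    printf("ASCII request run : %zu (detected=%d)  <- false positive\n",
           ascii_false_positive_run(),
           ascii_false_positive_run() >= SLED_THRESHOLD);
    printf("short burst run   : %zu (detected=%d)\n",
           short_run(), short_run() >= SLED_THRESHOLD);
    return 0;
}
```

The second sample is the practical point: a single-byte-opcode check fires on plain text, which is why a production preprocessor needs more than run length (port or protocol context, or decoding the candidate run as instructions) before it drops traffic inline.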
From: Brian A. <ba...@tl...> - 2006-07-21 15:43:30
|
When I had the rule:

iptables -A OUTPUT -p tcp -j QUEUE

I was mostly seeing broadcasts:

07/19-12:24:19.874475 10.10.57.233:137 -> 10.255.255.255:137
UDP TTL:128 TOS:0x0 ID:10155 IpLen:20 DgmLen:78
Len: 50
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

But when I moved it to the INPUT, nada:

Snort processed 0 packets.

,----[ FLOWCACHE STATS ]----------
Memcap: 10485760 Overhead Bytes 16400 used(%0.156403)/blocks (16400/1)
Overhead blocks: 1 Could Hold: (0)
IPV4 count: 0 frees: 0 low_time: 0, high_time: 0, diff: 0h:00:00s
    finds: 0 reversed: 0(%0.000000)
    find_sucess: 0 find_fail: 0 percent_success: (%0.000000) new_flows: 0

and FORWARD produced:

07/21-11:38:24.500790 10.10.57.166:2291 -> 10.10.56.8:110
TCP TTL:128 TOS:0x0 ID:5408 IpLen:20 DgmLen:48 DF
******S* Seq: 0xA549230C  Ack: 0x0  Win: 0xFFFF  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

So, FORWARD seems to be the right place to put it, but I must still be missing something.

Brian Atkins
IT Department
The Library Corporation
http://TLCdelivers.com
Ph: 800.624.0559
Fx: 304.229.0295

"An adventure is never an adventure when it's happening. Challenging experiences need time to ferment, and an adventure is simply physical and emotional discomfort recollected in tranquility." -- Tim Cahill

Will Metcalf wrote:
> if start snort up with -v instead of -D do you see packets make it to
> snort?
>
> Regards,
>
> Will
>
> On 7/21/06, Brian Atkins <ba...@tl...> wrote:
>> Good morning. I am getting ready to implement a VPN (OpenVPN) server in
>> bridge mode. Before I open it up for employees to use, I wanted to
>> enable something that would block malicious activity because, frankly, I
>> don't trust them to have up-to-date virus and malware protection. Some
>> of them I just don't trust, period.
>>
>> I am using Snort in other areas around the facility, but only as an IDS,
>> not IPS. I was reading up on snort-inline and decided that it might be
>> my best option. I started installing it based on the docs I found out in
>> Google-land, including the Gentoo specific parameters (e.g.,
>> `USE="inline" emerge -v snort`). To test, I modified the rules from
>> 'alert' to 'drop', modprobed ip_queue, added `iptables -A FORWARD -p tcp
>> -j QUEUE` to iptables, and kicked off snort `snort -QDc
>> /etc/snort/snort.conf -l /var/log/snort` to get the ball rolling.
>>
>> Apparently, the instructions I had were incomplete because it appears
>> that nothing is getting through the firewall. It seems that packets are
>> getting queued up, but nothing is being handed off to Snort.
>>
>> Other than the network settings, snort.conf is pretty much vanilla. I
>> know that I am missing something somewhere, I just am not sure where as
>> the documentation is pretty sparse.
>>
>> Thanks,
>>
>> --
>> Brian
>>
>> IFCONFIG
>> --------
>> br0   Link encap:Ethernet  HWaddr 00:02:B3:BB:42:AC
>>       inet addr:10.10.56.200  Bcast:10.255.255.255  Mask:255.0.0.0
>>       UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>>       RX packets:2068751 errors:0 dropped:0 overruns:0 frame:0
>>       TX packets:56704 errors:0 dropped:0 overruns:0 carrier:0
>>       collisions:0 txqueuelen:0
>>       RX bytes:204211373 (194.7 Mb)  TX bytes:7467377 (7.1 Mb)
>>
>> eth0  Link encap:Ethernet  HWaddr 00:02:B3:BB:42:AC
>>       UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
>>       RX packets:2117381 errors:0 dropped:0 overruns:0 frame:0
>>       TX packets:56716 errors:0 dropped:0 overruns:0 carrier:0
>>       collisions:0 txqueuelen:1000
>>       RX bytes:237952185 (226.9 Mb)  TX bytes:7468701 (7.1 Mb)
>>
>> tap0  Link encap:Ethernet  HWaddr B6:62:C8:12:0A:CD
>>       UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
>>       RX packets:358 errors:0 dropped:0 overruns:0 frame:0
>>       TX packets:1911505 errors:0 dropped:30 overruns:0 carrier:0
>>       collisions:0 txqueuelen:100
>>       RX bytes:36958 (36.0 Kb)  TX bytes:197571258 (188.4 Mb)
>>
>>
>> SNORT.CONF
>> ----------
>> var HOME_NET 10.0.0.0/8
>> var EXTERNAL_NET !$HOME_NET
>> var DNS_SERVERS $HOME_NET
>> var SMTP_SERVERS $HOME_NET
>> var HTTP_SERVERS $HOME_NET
>> var SQL_SERVERS $HOME_NET
>> var TELNET_SERVERS $HOME_NET
>> var SNMP_SERVERS $HOME_NET
>> var HTTP_PORTS 80
>> var SHELLCODE_PORTS !80
>> var ORACLE_PORTS 1521
>> var SSH_PORTS 22
>> var AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
>>
>> var RULE_PATH /etc/snort/rules
>> config disable_decode_alerts
>> preprocessor flow: stats_interval 0 hash 2
>> preprocessor frag3_global: max_frags 65536
>> preprocessor frag3_engine: policy first detect_anomalies
>> preprocessor stream4: disable_evasion_alerts
>> preprocessor stream4_reassemble
>> preprocessor http_inspect: global \
>>     iis_unicode_map unicode.map 1252
>> preprocessor http_inspect_server: server default \
>>     profile all ports { 80 8080 8180 } oversize_dir_length 500
>> preprocessor rpc_decode: 111 32771
>> preprocessor bo
>> preprocessor telnet_decode
>> preprocessor sfportscan: proto { all } \
>>     memcap { 10000000 } \
>>     sense_level { low }
>> preprocessor xlink2state: ports { 25 691 }
>> include classification.config
>> include reference.config
>> include $RULE_PATH/local.rules
>> include $RULE_PATH/bad-traffic.rules
>> include $RULE_PATH/exploit.rules
>> include $RULE_PATH/scan.rules
>> include $RULE_PATH/finger.rules
>> include $RULE_PATH/ftp.rules
>> include $RULE_PATH/telnet.rules
>> include $RULE_PATH/rpc.rules
>> include $RULE_PATH/rservices.rules
>> include $RULE_PATH/dos.rules
>> include $RULE_PATH/ddos.rules
>> include $RULE_PATH/dns.rules
>> include $RULE_PATH/tftp.rules
>> include $RULE_PATH/web-cgi.rules
>> include $RULE_PATH/web-coldfusion.rules
>> include $RULE_PATH/web-iis.rules
>> include $RULE_PATH/web-frontpage.rules
>> include $RULE_PATH/web-misc.rules
>> include $RULE_PATH/web-client.rules
>> include $RULE_PATH/web-php.rules
>> include $RULE_PATH/sql.rules
>> include $RULE_PATH/x11.rules
>> include $RULE_PATH/icmp.rules
>> include $RULE_PATH/netbios.rules
>> include $RULE_PATH/misc.rules
>> include $RULE_PATH/attack-responses.rules
>> include $RULE_PATH/oracle.rules
>> include $RULE_PATH/mysql.rules
>> include $RULE_PATH/snmp.rules
>> include $RULE_PATH/smtp.rules
>> include $RULE_PATH/imap.rules
>> include $RULE_PATH/pop2.rules
>> include $RULE_PATH/pop3.rules
>> include $RULE_PATH/nntp.rules
>> include $RULE_PATH/other-ids.rules
>> include $RULE_PATH/virus.rules
>> include $RULE_PATH/experimental.rules
>> include $RULE_PATH/bleeding-attack_response.rules
>> include $RULE_PATH/bleeding-dos.rules
>> include $RULE_PATH/bleeding-drop-BLOCK.rules
>> include $RULE_PATH/bleeding-drop.rules
>> include $RULE_PATH/bleeding-dshield-BLOCK.rules
>> include $RULE_PATH/bleeding-dshield.rules
>> include $RULE_PATH/bleeding-exploit.rules
>> include $RULE_PATH/bleeding-game.rules
>> include $RULE_PATH/bleeding-inappropriate.rules
>> include $RULE_PATH/bleeding-malware.rules
>> include $RULE_PATH/bleeding-p2p.rules
>> include $RULE_PATH/bleeding-policy.rules
>> include $RULE_PATH/bleeding-scan.rules
>> include $RULE_PATH/bleeding-virus.rules
>> include $RULE_PATH/bleeding-web.rules
>> include $RULE_PATH/bleeding.conf
>> include $RULE_PATH/bleeding.rules
>>
> |
From: Brian A. <ba...@tl...> - 2006-07-21 15:32:49
Yes, but most appear to be netbios traffic (broadcast). When I nmap, nessus, etc., against the server, those packets never seem to get logged, but it will give me successful returns.

Brian

Will Metcalf wrote:
> if you start snort up with -v instead of -D do you see packets make it to
> snort?
>
> Regards,
>
> Will
>
> On 7/21/06, Brian Atkins <ba...@tl...> wrote:
>> Good morning. I am getting ready to implement a VPN (OpenVPN) server in
>> bridge mode. Before I open it up for employees to use, I wanted to
>> enable something that would block malicious activity because, frankly, I
>> don't trust them to have up-to-date virus and malware protection. Some
>> of them I just don't trust, period.
>>
>> I am using Snort in other areas around the facility, but only as an IDS,
>> not IPS. I was reading up on snort-inline and decided that it might be
>> my best option. I started installing it based on the docs I found out in
>> Google-land, including the Gentoo specific parameters (e.g.,
>> `USE="inline" emerge -v snort`). To test, I modified the rules from
>> 'alert' to 'drop', modprobed ip_queue, added `iptables -A FORWARD -p tcp
>> -j QUEUE` to iptables, and kicked off snort `snort -QDc
>> /etc/snort/snort.conf -l /var/log/snort` to get the ball rolling.
>>
>> Apparently, the instructions I had were incomplete because it appears
>> that nothing is getting through the firewall. It seems that packets are
>> getting queued up, but nothing is being handed off to Snort.
>>
>> Other than the network settings, snort.conf is pretty much vanilla. I
>> know that I am missing something somewhere, I just am not sure where as
>> the documentation is pretty sparse.
>>
>> Thanks,
>>
>> --
>> Brian
>>
>> IFCONFIG
>> --------
>> br0       Link encap:Ethernet  HWaddr 00:02:B3:BB:42:AC
>>           inet addr:10.10.56.200  Bcast:10.255.255.255  Mask:255.0.0.0
>>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>>           RX packets:2068751 errors:0 dropped:0 overruns:0 frame:0
>>           TX packets:56704 errors:0 dropped:0 overruns:0 carrier:0
>>           collisions:0 txqueuelen:0
>>           RX bytes:204211373 (194.7 Mb)  TX bytes:7467377 (7.1 Mb)
>>
>> eth0      Link encap:Ethernet  HWaddr 00:02:B3:BB:42:AC
>>           UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
>>           RX packets:2117381 errors:0 dropped:0 overruns:0 frame:0
>>           TX packets:56716 errors:0 dropped:0 overruns:0 carrier:0
>>           collisions:0 txqueuelen:1000
>>           RX bytes:237952185 (226.9 Mb)  TX bytes:7468701 (7.1 Mb)
>>
>> tap0      Link encap:Ethernet  HWaddr B6:62:C8:12:0A:CD
>>           UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
>>           RX packets:358 errors:0 dropped:0 overruns:0 frame:0
>>           TX packets:1911505 errors:0 dropped:30 overruns:0 carrier:0
>>           collisions:0 txqueuelen:100
>>           RX bytes:36958 (36.0 Kb)  TX bytes:197571258 (188.4 Mb)
>>
>>
>> SNORT.CONF
>> ----------
>> var HOME_NET 10.0.0.0/8
>> var EXTERNAL_NET !$HOME_NET
>> var DNS_SERVERS $HOME_NET
>> var SMTP_SERVERS $HOME_NET
>> var HTTP_SERVERS $HOME_NET
>> var SQL_SERVERS $HOME_NET
>> var TELNET_SERVERS $HOME_NET
>> var SNMP_SERVERS $HOME_NET
>> var HTTP_PORTS 80
>> var SHELLCODE_PORTS !80
>> var ORACLE_PORTS 1521
>> var SSH_PORTS 22
>> var AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
>>
>> var RULE_PATH /etc/snort/rules
>> config disable_decode_alerts
>> preprocessor flow: stats_interval 0 hash 2
>> preprocessor frag3_global: max_frags 65536
>> preprocessor frag3_engine: policy first detect_anomalies
>> preprocessor stream4: disable_evasion_alerts
>> preprocessor stream4_reassemble
>> preprocessor http_inspect: global \
>>     iis_unicode_map unicode.map 1252
>> preprocessor http_inspect_server: server default \
>>     profile all ports { 80 8080 8180 } oversize_dir_length 500
>> preprocessor rpc_decode: 111 32771
>> preprocessor bo
>> preprocessor telnet_decode
>> preprocessor sfportscan: proto { all } \
>>     memcap { 10000000 } \
>>     sense_level { low }
>> preprocessor xlink2state: ports { 25 691 }
>> include classification.config
>> include reference.config
>> include $RULE_PATH/local.rules
>> include $RULE_PATH/bad-traffic.rules
>> include $RULE_PATH/exploit.rules
>> include $RULE_PATH/scan.rules
>> include $RULE_PATH/finger.rules
>> include $RULE_PATH/ftp.rules
>> include $RULE_PATH/telnet.rules
>> include $RULE_PATH/rpc.rules
>> include $RULE_PATH/rservices.rules
>> include $RULE_PATH/dos.rules
>> include $RULE_PATH/ddos.rules
>> include $RULE_PATH/dns.rules
>> include $RULE_PATH/tftp.rules
>> include $RULE_PATH/web-cgi.rules
>> include $RULE_PATH/web-coldfusion.rules
>> include $RULE_PATH/web-iis.rules
>> include $RULE_PATH/web-frontpage.rules
>> include $RULE_PATH/web-misc.rules
>> include $RULE_PATH/web-client.rules
>> include $RULE_PATH/web-php.rules
>> include $RULE_PATH/sql.rules
>> include $RULE_PATH/x11.rules
>> include $RULE_PATH/icmp.rules
>> include $RULE_PATH/netbios.rules
>> include $RULE_PATH/misc.rules
>> include $RULE_PATH/attack-responses.rules
>> include $RULE_PATH/oracle.rules
>> include $RULE_PATH/mysql.rules
>> include $RULE_PATH/snmp.rules
>> include $RULE_PATH/smtp.rules
>> include $RULE_PATH/imap.rules
>> include $RULE_PATH/pop2.rules
>> include $RULE_PATH/pop3.rules
>> include $RULE_PATH/nntp.rules
>> include $RULE_PATH/other-ids.rules
>> include $RULE_PATH/virus.rules
>> include $RULE_PATH/experimental.rules
>> include $RULE_PATH/bleeding-attack_response.rules
>> include $RULE_PATH/bleeding-dos.rules
>> include $RULE_PATH/bleeding-drop-BLOCK.rules
>> include $RULE_PATH/bleeding-drop.rules
>> include $RULE_PATH/bleeding-dshield-BLOCK.rules
>> include $RULE_PATH/bleeding-dshield.rules
>> include $RULE_PATH/bleeding-exploit.rules
>> include $RULE_PATH/bleeding-game.rules
>> include $RULE_PATH/bleeding-inappropriate.rules
>> include $RULE_PATH/bleeding-malware.rules
>> include $RULE_PATH/bleeding-p2p.rules
>> include $RULE_PATH/bleeding-policy.rules
>> include $RULE_PATH/bleeding-scan.rules
>> include $RULE_PATH/bleeding-virus.rules
>> include $RULE_PATH/bleeding-web.rules
>> include $RULE_PATH/bleeding.conf
>> include $RULE_PATH/bleeding.rules
>>
>
From: Will M. <wil...@gm...> - 2006-07-21 15:32:31
No, because you are redirecting traffic that is part of an already established tcp session.

On 7/21/06, Alfredo Osorio <ao...@tu...> wrote:
> Thanks!!!!...It's working well now. The pre and post entries are there and
> the client is redirected. One question, is there any way for the redirect to
> work on the first packet that triggered it? Many thanks....Alfredo
>
>
> ----- Original Message -----
> From: "Will Metcalf" <wil...@gm...>
> To: "Alfredo Osorio" <ao...@tu...>
> Cc: <sno...@li...>
> Sent: Thursday, July 20, 2006 8:43 PM
> Subject: Re: [Snort-inline-users] bait-and-switch when snort is in front of firewall
>
>
> > Are the iptables rules added after the alert is fired? You can check
> > by issuing the following command
> >
> > iptables -L -v -n -t nat
> >
> > You should have an entry in both prerouting and postrouting. Also get
> > rid of the following...
> >
> > ifconfig br0 0.0.0.0 up -arp
> >
> >
> >
> > On 7/20/06, Alfredo Osorio <ao...@tu...> wrote:
> > > Could not make it work. I guess my knowledge of iptables is just way too
> > > low. Here's what I did...Sorry to bother the group with this but it's
> > > driving me crazy...
> > >
> > > #Build Bridge
> > > brctl addbr br0
> > > ifconfig eth0 0.0.0.0 up -arp
> > > ifconfig eth1 0.0.0.0 up -arp
> > > brctl addif br0 eth0
> > > brctl addif br0 eth1
> > > brctl stp br0 off
> > > ifconfig br0 0.0.0.0 up -arp
> > >
> > > #Flush IpTables
> > > iptables -F
> > >
> > > #Forward Packets to QUEUE
> > > iptables -A FORWARD -j QUEUE
> > >
> > > #Start snort (send packets to queue)
> > > snort_inline -A console -c /snort_inline-2.4.4-final/etc/snort_inline.conf -Q
> > >
> > > #Will's command sequence
> > > ifconfig eth2 down
> > > iptables -A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
> > > iptables -A INPUT -p icmp --icmp-type 8 -j ACCEPT
> > > iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> > >
> > > ifconfig -a br0 192.168.1.2 netmask 255.255.255.0 broadcast 192.168.1.255
> > > route add default gw 192.168.1.1
> > >
> > > Results:
> > > snort runs well but when my bait-and-switch rule triggers I get the
> > > following:
> > >
> > > "adding packet to reroute tree because we have bands options"
> > >
> > > and the client is not redirected...
> > >
> > > Many thanks....Alfredo
> > >
> > > ----- Original Message -----
> > > From: "Will Metcalf" <wil...@gm...>
> > > To: "Alfredo Osorio" <ao...@tu...>
> > > Cc: <sno...@li...>
> > > Sent: Thursday, July 20, 2006 6:10 PM
> > > Subject: Re: [Snort-inline-users] bait-and-switch when snort is in front of firewall
> > >
> > >
> > > > ok so let's go the route of a management ip on the bridge interface
> > > > rather than eth2 because it will be a much shorter explanation ;-).
> > > >
> > > > pull your management ip off of eth2....
> > > > down the eth2 interface.....
> > > >
> > > > setup iptables to only permit your management traffic coming into the
> > > > br0 interface, all bridged traffic moves through the forward chain
> > > > that is not bound for the local ip stack.
> > > >
> > > > iptables -A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
> > > > iptables -A INPUT -p icmp --icmp-type 8 -j ACCEPT
> > > > iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> > > >
> > > > setup your management ip on the bridge interface
> > > >
> > > > ifconfig -a br0 192.168.0.1 netmask 255.255.255.0 broadcast 192.168.0.255
> > > > route add default gw 192.168.0.254
> > > >
> > > > and voila it should all work....
> > > >
> > > > Regards,
> > > >
> > > > Will
> > > > On 7/20/06, Alfredo Osorio <ao...@tu...> wrote:
> > > > > Thanks...I've been trying what you suggest without success. Can you give me
> > > > > a simple example?
> > > > >
> > > > > ----- Original Message -----
> > > > > From: "Will Metcalf" <wil...@gm...>
> > > > > To: "Alfredo Osorio" <ao...@tu...>
> > > > > Cc: <sno...@li...>
> > > > > Sent: Thursday, July 20, 2006 2:54 PM
> > > > > Subject: Re: [Snort-inline-users] bait-and-switch when snort is in front of firewall
> > > > >
> > > > >
> > > > > > You probably don't want to enable ip_forwarding, you can do one of two
> > > > > > things add a route for your internal networks to go out eth2 and add a
> > > > > > default route going to the bridge interface. You can also assign your
> > > > > > management ip address to the bridge and handle access to the
> > > > > > management ip through INPUT/OUTPUT rules.
> > > > > >
> > > > > > http://ebtables.sourceforge.net/ebtables-faq.html
> > > > > >
> > > > > > On 7/20/06, Alfredo Osorio <ao...@tu...> wrote:
> > > > > > >
> > > > > > >
> > > > > > > Hello...
> > > > > > >
> > > > > > > I'm having a hard time getting bait-and-switch working. Would appreciate any
> > > > > > > simple examples as my knowledge is very limited (former windows
> > > > > > > user)....Here's what I'm getting when bait-and-switch is enabled...
> > > > > > >
> > > > > > > "Performing cross-bridge DNAT requires IP forwarding to be enabled"
> > > > > > >
> > > > > > > I have checked that ip_forwarding is enabled with...
> > > > > > >
> > > > > > > cat /proc/sys/net/ipv4/ip_forward and it does return 1.
> > > > > > >
> > > > > > > My Bridge set up looks like this...
> > > > > > >
> > > > > > > #----------------------------------------
> > > > > > > #Build Bridge
> > > > > > > brctl addbr br0
> > > > > > > ifconfig eth0 0.0.0.0 up -arp
> > > > > > > ifconfig eth1 0.0.0.0 up -arp
> > > > > > > brctl addif br0 eth0
> > > > > > > brctl addif br0 eth1
> > > > > > > brctl stp br0 off
> > > > > > > ifconfig br0 0.0.0.0 up -arp
> > > > > > >
> > > > > > > #Flush IpTables
> > > > > > > iptables -F
> > > > > > >
> > > > > > > #Forward Packets to QUEUE
> > > > > > > iptables -A FORWARD -j QUEUE
> > > > > > >
> > > > > > >
> > > > > > > #start snort here...
> > > > > > > #-------------------------------------------------
> > > > > > >
> > > > > > >
> > > > > > > My eth2 is on 192.168.100.8
> > > > > > >
> > > > > > > My snort_inline.conf has this line....
> > > > > > >
> > > > > > > preprocessor bait-and-switch
> > > > > > >
> > > > > > > My test rule looks like this...(using pcre for content match)
> > > > > > >
> > > > > > > drop tcp any any -> any 80 (msg:"outbound traffic match"; flow: established;
> > > > > > > pcre:$pcrematch; bait-and-switch: 120,src,192.168.100.10;)
> > > > > > >
> > > > > > >
> > > > > > > I'm probably making a newbie mistake somewhere....snort_inline (2.4.4-final)
> > > > > > > runs great until I try to use bait-and-switch.
> > > > > > >
> > > > > > > Many thanks....Alfredo
> > > > > > >
> > > > > >
> > > >
> >
>
From: Alfredo O. <ao...@tu...> - 2006-07-21 15:25:44
Thanks!!!!...It's working well now. The pre and post entries are there and
the client is redirected. One question, is there any way for the redirect to
work on the first packet that triggered it? Many thanks....Alfredo

----- Original Message -----
From: "Will Metcalf" <wil...@gm...>
To: "Alfredo Osorio" <ao...@tu...>
Cc: <sno...@li...>
Sent: Thursday, July 20, 2006 8:43 PM
Subject: Re: [Snort-inline-users] bait-and-switch when snort is in front of firewall


> Are the iptables rules added after the alert is fired? You can check
> by issuing the following command
>
> iptables -L -v -n -t nat
>
> You should have an entry in both prerouting and postrouting. Also get
> rid of the following...
>
> ifconfig br0 0.0.0.0 up -arp
>
>
>
> On 7/20/06, Alfredo Osorio <ao...@tu...> wrote:
> > Could not make it work. I guess my knowledge of iptables is just way too
> > low. Here's what I did...Sorry to bother the group with this but it's
> > driving me crazy...
> >
> > #Build Bridge
> > brctl addbr br0
> > ifconfig eth0 0.0.0.0 up -arp
> > ifconfig eth1 0.0.0.0 up -arp
> > brctl addif br0 eth0
> > brctl addif br0 eth1
> > brctl stp br0 off
> > ifconfig br0 0.0.0.0 up -arp
> >
> > #Flush IpTables
> > iptables -F
> >
> > #Forward Packets to QUEUE
> > iptables -A FORWARD -j QUEUE
> >
> > #Start snort (send packets to queue)
> > snort_inline -A console -c /snort_inline-2.4.4-final/etc/snort_inline.conf -Q
> >
> > #Will's command sequence
> > ifconfig eth2 down
> > iptables -A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
> > iptables -A INPUT -p icmp --icmp-type 8 -j ACCEPT
> > iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> >
> > ifconfig -a br0 192.168.1.2 netmask 255.255.255.0 broadcast 192.168.1.255
> > route add default gw 192.168.1.1
> >
> > Results:
> > snort runs well but when my bait-and-switch rule triggers I get the
> > following:
> >
> > "adding packet to reroute tree because we have bands options"
> >
> > and the client is not redirected...
> >
> > Many thanks....Alfredo
> >
> > ----- Original Message -----
> > From: "Will Metcalf" <wil...@gm...>
> > To: "Alfredo Osorio" <ao...@tu...>
> > Cc: <sno...@li...>
> > Sent: Thursday, July 20, 2006 6:10 PM
> > Subject: Re: [Snort-inline-users] bait-and-switch when snort is in front of firewall
> >
> >
> > > ok so let's go the route of a management ip on the bridge interface
> > > rather than eth2 because it will be a much shorter explanation ;-).
> > >
> > > pull your management ip off of eth2....
> > > down the eth2 interface.....
> > >
> > > setup iptables to only permit your management traffic coming into the
> > > br0 interface, all bridged traffic moves through the forward chain
> > > that is not bound for the local ip stack.
> > >
> > > iptables -A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
> > > iptables -A INPUT -p icmp --icmp-type 8 -j ACCEPT
> > > iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> > >
> > > setup your management ip on the bridge interface
> > >
> > > ifconfig -a br0 192.168.0.1 netmask 255.255.255.0 broadcast 192.168.0.255
> > > route add default gw 192.168.0.254
> > >
> > > and voila it should all work....
> > >
> > > Regards,
> > >
> > > Will
> > > On 7/20/06, Alfredo Osorio <ao...@tu...> wrote:
> > > > Thanks...I've been trying what you suggest without success. Can you give me
> > > > a simple example?
> > > >
> > > > ----- Original Message -----
> > > > From: "Will Metcalf" <wil...@gm...>
> > > > To: "Alfredo Osorio" <ao...@tu...>
> > > > Cc: <sno...@li...>
> > > > Sent: Thursday, July 20, 2006 2:54 PM
> > > > Subject: Re: [Snort-inline-users] bait-and-switch when snort is in front of firewall
> > > >
> > > >
> > > > > You probably don't want to enable ip_forwarding, you can do one of two
> > > > > things add a route for your internal networks to go out eth2 and add a
> > > > > default route going to the bridge interface. You can also assign your
> > > > > management ip address to the bridge and handle access to the
> > > > > management ip through INPUT/OUTPUT rules.
> > > > >
> > > > > http://ebtables.sourceforge.net/ebtables-faq.html
> > > > >
> > > > > On 7/20/06, Alfredo Osorio <ao...@tu...> wrote:
> > > > > >
> > > > > >
> > > > > > Hello...
> > > > > >
> > > > > > I'm having a hard time getting bait-and-switch working. Would appreciate any
> > > > > > simple examples as my knowledge is very limited (former windows
> > > > > > user)....Here's what I'm getting when bait-and-switch is enabled...
> > > > > >
> > > > > > "Performing cross-bridge DNAT requires IP forwarding to be enabled"
> > > > > >
> > > > > > I have checked that ip_forwarding is enabled with...
> > > > > >
> > > > > > cat /proc/sys/net/ipv4/ip_forward and it does return 1.
> > > > > >
> > > > > > My Bridge set up looks like this...
> > > > > >
> > > > > > #----------------------------------------
> > > > > > #Build Bridge
> > > > > > brctl addbr br0
> > > > > > ifconfig eth0 0.0.0.0 up -arp
> > > > > > ifconfig eth1 0.0.0.0 up -arp
> > > > > > brctl addif br0 eth0
> > > > > > brctl addif br0 eth1
> > > > > > brctl stp br0 off
> > > > > > ifconfig br0 0.0.0.0 up -arp
> > > > > >
> > > > > > #Flush IpTables
> > > > > > iptables -F
> > > > > >
> > > > > > #Forward Packets to QUEUE
> > > > > > iptables -A FORWARD -j QUEUE
> > > > > >
> > > > > >
> > > > > > #start snort here...
> > > > > > #-------------------------------------------------
> > > > > >
> > > > > >
> > > > > > My eth2 is on 192.168.100.8
> > > > > >
> > > > > > My snort_inline.conf has this line....
> > > > > >
> > > > > > preprocessor bait-and-switch
> > > > > >
> > > > > > My test rule looks like this...(using pcre for content match)
> > > > > >
> > > > > > drop tcp any any -> any 80 (msg:"outbound traffic match"; flow: established;
> > > > > > pcre:$pcrematch; bait-and-switch: 120,src,192.168.100.10;)
> > > > > >
> > > > > >
> > > > > > I'm probably making a newbie mistake somewhere....snort_inline (2.4.4-final)
> > > > > > runs great until I try to use bait-and-switch.
> > > > > >
> > > > > > Many thanks....Alfredo
> > > > > >
> > > > >
> > >
>
From: Will M. <wil...@gm...> - 2006-07-21 14:06:30
If you start snort up with -v instead of -D, do you see packets make it to snort?

Regards,

Will

On 7/21/06, Brian Atkins <ba...@tl...> wrote:
> Good morning. I am getting ready to implement a VPN (OpenVPN) server in
> bridge mode. Before I open it up for employees to use, I wanted to
> enable something that would block malicious activity because, frankly, I
> don't trust them to have up-to-date virus and malware protection. Some
> of them I just don't trust, period.
>
> I am using Snort in other areas around the facility, but only as an IDS,
> not IPS. I was reading up on snort-inline and decided that it might be
> my best option. I started installing it based on the docs I found out in
> Google-land, including the Gentoo specific parameters (e.g.,
> `USE="inline" emerge -v snort`). To test, I modified the rules from
> 'alert' to 'drop', modprobed ip_queue, added `iptables -A FORWARD -p tcp
> -j QUEUE` to iptables, and kicked off snort `snort -QDc
> /etc/snort/snort.conf -l /var/log/snort` to get the ball rolling.
>
> Apparently, the instructions I had were incomplete because it appears
> that nothing is getting through the firewall. It seems that packets are
> getting queued up, but nothing is being handed off to Snort.
>
> Other than the network settings, snort.conf is pretty much vanilla. I
> know that I am missing something somewhere, I just am not sure where as
> the documentation is pretty sparse.
>
> Thanks,
>
> --
> Brian
>
> IFCONFIG
> --------
> br0       Link encap:Ethernet  HWaddr 00:02:B3:BB:42:AC
>           inet addr:10.10.56.200  Bcast:10.255.255.255  Mask:255.0.0.0
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>           RX packets:2068751 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:56704 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:0
>           RX bytes:204211373 (194.7 Mb)  TX bytes:7467377 (7.1 Mb)
>
> eth0      Link encap:Ethernet  HWaddr 00:02:B3:BB:42:AC
>           UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
>           RX packets:2117381 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:56716 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:1000
>           RX bytes:237952185 (226.9 Mb)  TX bytes:7468701 (7.1 Mb)
>
> tap0      Link encap:Ethernet  HWaddr B6:62:C8:12:0A:CD
>           UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
>           RX packets:358 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:1911505 errors:0 dropped:30 overruns:0 carrier:0
>           collisions:0 txqueuelen:100
>           RX bytes:36958 (36.0 Kb)  TX bytes:197571258 (188.4 Mb)
>
> SNORT.CONF
> ----------
> var HOME_NET 10.0.0.0/8
> var EXTERNAL_NET !$HOME_NET
> var DNS_SERVERS $HOME_NET
> var SMTP_SERVERS $HOME_NET
> var HTTP_SERVERS $HOME_NET
> var SQL_SERVERS $HOME_NET
> var TELNET_SERVERS $HOME_NET
> var SNMP_SERVERS $HOME_NET
> var HTTP_PORTS 80
> var SHELLCODE_PORTS !80
> var ORACLE_PORTS 1521
> var SSH_PORTS 22
> var AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
> var RULE_PATH /etc/snort/rules
> config disable_decode_alerts
> preprocessor flow: stats_interval 0 hash 2
> preprocessor frag3_global: max_frags 65536
> preprocessor frag3_engine: policy first detect_anomalies
> preprocessor stream4: disable_evasion_alerts
> preprocessor stream4_reassemble
> preprocessor http_inspect: global \
>     iis_unicode_map unicode.map 1252
> preprocessor http_inspect_server: server default \
>     profile all ports { 80 8080 8180 } oversize_dir_length 500
> preprocessor rpc_decode: 111 32771
> preprocessor bo
> preprocessor telnet_decode
> preprocessor sfportscan: proto { all } \
>     memcap { 10000000 } \
>     sense_level { low }
> preprocessor xlink2state: ports { 25 691 }
> include classification.config
> include reference.config
> include $RULE_PATH/local.rules
> include $RULE_PATH/bad-traffic.rules
> include $RULE_PATH/exploit.rules
> include $RULE_PATH/scan.rules
> include $RULE_PATH/finger.rules
> include $RULE_PATH/ftp.rules
> include $RULE_PATH/telnet.rules
> include $RULE_PATH/rpc.rules
> include $RULE_PATH/rservices.rules
> include $RULE_PATH/dos.rules
> include $RULE_PATH/ddos.rules
> include $RULE_PATH/dns.rules
> include $RULE_PATH/tftp.rules
> include $RULE_PATH/web-cgi.rules
> include $RULE_PATH/web-coldfusion.rules
> include $RULE_PATH/web-iis.rules
> include $RULE_PATH/web-frontpage.rules
> include $RULE_PATH/web-misc.rules
> include $RULE_PATH/web-client.rules
> include $RULE_PATH/web-php.rules
> include $RULE_PATH/sql.rules
> include $RULE_PATH/x11.rules
> include $RULE_PATH/icmp.rules
> include $RULE_PATH/netbios.rules
> include $RULE_PATH/misc.rules
> include $RULE_PATH/attack-responses.rules
> include $RULE_PATH/oracle.rules
> include $RULE_PATH/mysql.rules
> include $RULE_PATH/snmp.rules
> include $RULE_PATH/smtp.rules
> include $RULE_PATH/imap.rules
> include $RULE_PATH/pop2.rules
> include $RULE_PATH/pop3.rules
> include $RULE_PATH/nntp.rules
> include $RULE_PATH/other-ids.rules
> include $RULE_PATH/virus.rules
> include $RULE_PATH/experimental.rules
> include $RULE_PATH/bleeding-attack_response.rules
> include $RULE_PATH/bleeding-dos.rules
> include $RULE_PATH/bleeding-drop-BLOCK.rules
> include $RULE_PATH/bleeding-drop.rules
> include $RULE_PATH/bleeding-dshield-BLOCK.rules
> include $RULE_PATH/bleeding-dshield.rules
> include $RULE_PATH/bleeding-exploit.rules
> include $RULE_PATH/bleeding-game.rules
> include $RULE_PATH/bleeding-inappropriate.rules
> include $RULE_PATH/bleeding-malware.rules
> include $RULE_PATH/bleeding-p2p.rules
> include $RULE_PATH/bleeding-policy.rules
> include $RULE_PATH/bleeding-scan.rules
> include $RULE_PATH/bleeding-virus.rules
> include $RULE_PATH/bleeding-web.rules
> include $RULE_PATH/bleeding.conf
> include $RULE_PATH/bleeding.rules
>
> -------------------------------------------------------------------------
> Take Surveys. Earn Cash. Influence the Future of IT
> Join SourceForge.net's Techsay panel and you'll get the chance to share your
> opinions on IT & business topics through brief surveys -- and earn cash
> http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
> _______________________________________________
> Snort-inline-users mailing list
> Sno...@li...
> https://lists.sourceforge.net/lists/listinfo/snort-inline-users
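Will's question (does snort see packets once it runs in the foreground with -v) and Brian's symptom (packets queued, nothing handed to Snort) both come down to whether a userspace reader has attached to ip_queue. The script below is an added example, not code from snort-inline or from anyone in this thread. It parses the status file the ip_queue kernel module exposes at /proc/net/ip_queue (field names as that module prints them; the two sample texts are constructed) and states in plain words whether a peer is attached and whether the queue is dropping.

```python
"""Diagnose an ip_queue that is loaded but not feeding snort.

Added example for this thread, not code from snort-inline or from anyone
posting here. Reads the status file the ip_queue kernel module exposes
(/proc/net/ip_queue, field names as the module prints them) and turns the
counters into a plain-language verdict. Both sample texts are constructed.
"""
import re
from typing import Dict, List

IPQ_STATUS_PATH = "/proc/net/ip_queue"
IPQ_COPY_PACKET = 2  # copy mode that delivers the whole packet to userspace

# Constructed: ip_queue loaded and "iptables -A FORWARD -j QUEUE" in place, but
# no userspace program has attached, which is what Brian's symptom looks like.
SAMPLE_NO_PEER = """\
Peer PID          : 0
Copy mode         : 0
Copy range        : 0
Queue length      : 0
Queue max. length : 1024
Queue dropped     : 0
Netlink dropped   : 0
"""

# Constructed: snort -Q attached as PID 2140 and receiving full packets.
SAMPLE_ATTACHED = """\
Peer PID          : 2140
Copy mode         : 2
Copy range        : 1500
Queue length      : 3
Queue max. length : 1024
Queue dropped     : 0
Netlink dropped   : 0
"""

_FIELD = re.compile(r"^\s*(?P<key>[A-Za-z][A-Za-z. ]*?)\s*:\s*(?P<val>-?\d+)\s*$")


def parse_ip_queue(text: str) -> Dict[str, int]:
    """Map each 'Key : value' line of the status file to an int."""
    fields: Dict[str, int] = {}
    for line in text.splitlines():
        m = _FIELD.match(line)
        if m:
            fields[m.group("key")] = int(m.group("val"))
    return fields


def read_ip_queue(path: str = IPQ_STATUS_PATH) -> Dict[str, int]:
    """Read the live status file; an empty dict means the module is not loaded."""
    try:
        with open(path, encoding="ascii") as fh:
            return parse_ip_queue(fh.read())
    except FileNotFoundError:
        return {}


def diagnose(fields: Dict[str, int]) -> List[str]:
    """Return findings, most serious first."""
    findings: List[str] = []
    if not fields:
        return ["ip_queue module not loaded: -j QUEUE has nowhere to send packets"]
    peer = fields.get("Peer PID", 0)
    if peer == 0:
        findings.append("no userspace peer attached: packets sent to QUEUE are dropped "
                        "until a reader registers (is snort running with -Q?)")
    elif fields.get("Copy mode") != IPQ_COPY_PACKET:
        findings.append("peer attached but copy mode is not 'packet', so the reader "
                        "never sees payloads to inspect")
    if fields.get("Queue dropped", 0):
        findings.append(f"{fields['Queue dropped']} packets dropped because the queue was full")
    if fields.get("Netlink dropped", 0):
        findings.append(f"{fields['Netlink dropped']} packets the kernel could not deliver "
                        "to the peer over netlink")
    if fields.get("Queue length", 0) >= fields.get("Queue max. length", 1):
        findings.append("queue is full: the peer is not returning verdicts fast enough")
    return findings or ["ip_queue healthy: peer attached, no drops"]


if __name__ == "__main__":
    for finding in diagnose(read_ip_queue()):
        print(finding)
```

Run it as root on the bridge host while snort is started in the foreground; a "Peer PID" of 0 while the FORWARD rule is in place explains "queued but never handed off" without touching snort.conf at all.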
From: Brian A. <ba...@TL...> - 2006-07-21 14:02:43
Good morning. I am getting ready to implement a VPN (OpenVPN) server in
bridge mode. Before I open it up for employees to use, I wanted to enable
something that would block malicious activity because, frankly, I don't
trust them to have up-to-date virus and malware protection. Some of them I
just don't trust, period.

I am using Snort in other areas around the facility, but only as an IDS,
not IPS. I was reading up on snort-inline and decided that it might be my
best option. I started installing it based on the docs I found out in
Google-land, including the Gentoo specific parameters (e.g.,
`USE="inline" emerge -v snort`). To test, I modified the rules from 'alert'
to 'drop', modprobed ip_queue, added `iptables -A FORWARD -p tcp -j QUEUE`
to iptables, and kicked off snort `snort -QDc /etc/snort/snort.conf -l
/var/log/snort` to get the ball rolling.

Apparently, the instructions I had were incomplete because it appears that
nothing is getting through the firewall. It seems that packets are getting
queued up, but nothing is being handed off to Snort.

Other than the network settings, snort.conf is pretty much vanilla. I know
that I am missing something somewhere, I just am not sure where as the
documentation is pretty sparse.

Thanks,

--
Brian

IFCONFIG
--------
br0       Link encap:Ethernet  HWaddr 00:02:B3:BB:42:AC
          inet addr:10.10.56.200  Bcast:10.255.255.255  Mask:255.0.0.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2068751 errors:0 dropped:0 overruns:0 frame:0
          TX packets:56704 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:204211373 (194.7 Mb)  TX bytes:7467377 (7.1 Mb)

eth0      Link encap:Ethernet  HWaddr 00:02:B3:BB:42:AC
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:2117381 errors:0 dropped:0 overruns:0 frame:0
          TX packets:56716 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:237952185 (226.9 Mb)  TX bytes:7468701 (7.1 Mb)

tap0      Link encap:Ethernet  HWaddr B6:62:C8:12:0A:CD
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:358 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1911505 errors:0 dropped:30 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:36958 (36.0 Kb)  TX bytes:197571258 (188.4 Mb)

SNORT.CONF
----------
var HOME_NET 10.0.0.0/8
var EXTERNAL_NET !$HOME_NET
var DNS_SERVERS $HOME_NET
var SMTP_SERVERS $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var TELNET_SERVERS $HOME_NET
var SNMP_SERVERS $HOME_NET
var HTTP_PORTS 80
var SHELLCODE_PORTS !80
var ORACLE_PORTS 1521
var SSH_PORTS 22
var AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
var RULE_PATH /etc/snort/rules
config disable_decode_alerts
preprocessor flow: stats_interval 0 hash 2
preprocessor frag3_global: max_frags 65536
preprocessor frag3_engine: policy first detect_anomalies
preprocessor stream4: disable_evasion_alerts
preprocessor stream4_reassemble
preprocessor http_inspect: global \
    iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default \
    profile all ports { 80 8080 8180 } oversize_dir_length 500
preprocessor rpc_decode: 111 32771
preprocessor bo
preprocessor telnet_decode
preprocessor sfportscan: proto { all } \
    memcap { 10000000 } \
    sense_level { low }
preprocessor xlink2state: ports { 25 691 }
include classification.config
include reference.config
include $RULE_PATH/local.rules
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/rpc.rules
include $RULE_PATH/rservices.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
include $RULE_PATH/tftp.rules
include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-coldfusion.rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-client.rules
include $RULE_PATH/web-php.rules
include $RULE_PATH/sql.rules
include $RULE_PATH/x11.rules
include $RULE_PATH/icmp.rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/misc.rules
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/oracle.rules
include $RULE_PATH/mysql.rules
include $RULE_PATH/snmp.rules
include $RULE_PATH/smtp.rules
include $RULE_PATH/imap.rules
include $RULE_PATH/pop2.rules
include $RULE_PATH/pop3.rules
include $RULE_PATH/nntp.rules
include $RULE_PATH/other-ids.rules
include $RULE_PATH/virus.rules
include $RULE_PATH/experimental.rules
include $RULE_PATH/bleeding-attack_response.rules
include $RULE_PATH/bleeding-dos.rules
include $RULE_PATH/bleeding-drop-BLOCK.rules
include $RULE_PATH/bleeding-drop.rules
include $RULE_PATH/bleeding-dshield-BLOCK.rules
include $RULE_PATH/bleeding-dshield.rules
include $RULE_PATH/bleeding-exploit.rules
include $RULE_PATH/bleeding-game.rules
include $RULE_PATH/bleeding-inappropriate.rules
include $RULE_PATH/bleeding-malware.rules
include $RULE_PATH/bleeding-p2p.rules
include $RULE_PATH/bleeding-policy.rules
include $RULE_PATH/bleeding-scan.rules
include $RULE_PATH/bleeding-virus.rules
include $RULE_PATH/bleeding-web.rules
include $RULE_PATH/bleeding.conf
include $RULE_PATH/bleeding.rules
From: Will M. <wil...@gm...> - 2006-07-21 00:45:38
Are the iptables rules added after the alert is fired? You can check by
issuing the following command

iptables -L -v -n -t nat

You should have an entry in both prerouting and postrouting.

Also get rid of the following...

ifconfig br0 0.0.0.0 up -arp

On 7/20/06, Alfredo Osorio <ao...@tu...> wrote:
> Could not make it work. I guess my knowledge of iptables is just way too
> low. Here's what I did...Sorry to bother the group with this but it's
> driving me crazy...
>
> #Build Bridge
> brctl addbr br0
> ifconfig eth0 0.0.0.0 up -arp
> ifconfig eth1 0.0.0.0 up -arp
> brctl addif br0 eth0
> brctl addif br0 eth1
> brctl stp br0 off
> ifconfig br0 0.0.0.0 up -arp
>
> #Flush IpTables
> iptables -F
>
> #Forward Packets to QUEUE
> iptables -A FORWARD -j QUEUE
>
> #Start snort (send packets to queue)
> snort_inline -A console -c
> /snort_inline-2.4.4-final/etc/snort_inline.conf -Q
>
> #Will's command sequence
> ifconfig eth2 down
> iptables -A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
> iptables -A INPUT -p icmp --icmp-type 8 -j ACCEPT
> iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
>
> ifconfig -a br0 192.168.1.2 netmask 255.255.255.0 broadcast 192.168.1.255
> route add default gw 192.168.1.1
>
> Results:
> snort runs well but when my bait-and-switch rule triggers I get the
> following:
>
> "adding packet to reroute tree because we have bands options"
>
> and the client is not redirected...
>
> Many thanks....Alfredo
>
> ----- Original Message -----
> From: "Will Metcalf" <wil...@gm...>
> To: "Alfredo Osorio" <ao...@tu...>
> Cc: <sno...@li...>
> Sent: Thursday, July 20, 2006 6:10 PM
> Subject: Re: [Snort-inline-users] bait-and-switch when snort is in
> frontoffirewall
>
> > ok so let's go the route of a management ip on the bridge interface
> > rather than eth2 because it will be a much shorter explanation ;-).
> >
> > pull your management ip off of eth2....
> > down the eth2 interface.....
> >
> > setup iptables to only permit your management traffic coming into the
> > br0 interface, all bridged traffic moves through the forward chain
> > that is not bound for the local ip stack.
> >
> > iptables -A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
> > iptables -A INPUT -p icmp --icmp-type 8 -j ACCEPT
> > iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> >
> > setup your management ip on the bridge interface
> >
> > ifconfig -a br0 192.168.0.1 netmask 255.255.255.0 broadcast 192.168.0.255
> > route add default gw 192.168.0.254
> >
> > and voilà it should all work....
> >
> > Regards,
> >
> > Will
> >
> > On 7/20/06, Alfredo Osorio <ao...@tu...> wrote:
> > > Thanks...I've been trying what you suggest without success. Can you give
> > > me a simple example?
> > >
> > > ----- Original Message -----
> > > From: "Will Metcalf" <wil...@gm...>
> > > To: "Alfredo Osorio" <ao...@tu...>
> > > Cc: <sno...@li...>
> > > Sent: Thursday, July 20, 2006 2:54 PM
> > > Subject: Re: [Snort-inline-users] bait-and-switch when snort is in front
> > > offirewall
> > >
> > > > You probably don't want to enable ip_forwarding, you can do one of two
> > > > things add a route for your internal networks to go out eth2 and add a
> > > > default route going to the bridge interface. You can also assign your
> > > > management ip address to the bridge and handle access to the
> > > > management ip through INPUT/OUTPUT rules.
> > > >
> > > > http://ebtables.sourceforge.net/ebtables-faq.html
> > > >
> > > > On 7/20/06, Alfredo Osorio <ao...@tu...> wrote:
> > > > > Hello...
> > > > >
> > > > > I'm having a hard time getting bait-and-switch working. Would appreciate
> > > > > any simple examples as my knowledge is very limited (former windows
> > > > > user)....Here's what I'm getting when bait-and-switch is enabled...
> > > > >
> > > > > "Performing cross-bridge DNAT requires IP forwarding to be enabled"
> > > > >
> > > > > I have checked that ip_forwarding is enabled with...
> > > > >
> > > > > cat /proc/sys/net/ipv4/ip_forward and it does return 1.
> > > > >
> > > > > My Bridge set up looks like this...
> > > > >
> > > > > #----------------------------------------
> > > > > #Build Bridge
> > > > > brctl addbr br0
> > > > > ifconfig eth0 0.0.0.0 up -arp
> > > > > ifconfig eth1 0.0.0.0 up -arp
> > > > > brctl addif br0 eth0
> > > > > brctl addif br0 eth1
> > > > > brctl stp br0 off
> > > > > ifconfig br0 0.0.0.0 up -arp
> > > > >
> > > > > #Flush IpTables
> > > > > iptables -F
> > > > >
> > > > > #Forward Packets to QUEUE
> > > > > iptables -A FORWARD -j QUEUE
> > > > >
> > > > > #start snort here...
> > > > > #-------------------------------------------------
> > > > >
> > > > > My eth2 is on 192.168.100.8
> > > > >
> > > > > My snort_inline.conf has this line....
> > > > >
> > > > > preprocessor bait-and-switch
> > > > >
> > > > > My test rule looks like this...(using pcre for content match)
> > > > >
> > > > > drop tcp any any -> any 80 (msg:"outbound traffic match"; flow: established;
> > > > > pcre:$pcrematch; bait-and-switch: 120,src,192.168.100.10;)
> > > > >
> > > > > I'm probably making a newbie mistake somewhere....snort_inline (2.4.4-final)
> > > > > runs great until I try to use bait-and-switch.
> > > > >
> > > > > Many thanks....Alfredo
From: Alfredo O. <ao...@tu...> - 2006-07-21 00:19:18
Could not make it work. I guess my knowledge of iptables is just way too
low. Here's what I did...Sorry to bother the group with this but it's
driving me crazy...

#Build Bridge
brctl addbr br0
ifconfig eth0 0.0.0.0 up -arp
ifconfig eth1 0.0.0.0 up -arp
brctl addif br0 eth0
brctl addif br0 eth1
brctl stp br0 off
ifconfig br0 0.0.0.0 up -arp

#Flush IpTables
iptables -F

#Forward Packets to QUEUE
iptables -A FORWARD -j QUEUE

#Start snort (send packets to queue)
snort_inline -A console -c /snort_inline-2.4.4-final/etc/snort_inline.conf -Q

#Will's command sequence
ifconfig eth2 down
iptables -A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 8 -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

ifconfig -a br0 192.168.1.2 netmask 255.255.255.0 broadcast 192.168.1.255
route add default gw 192.168.1.1

Results:
snort runs well but when my bait-and-switch rule triggers I get the
following:

"adding packet to reroute tree because we have bands options"

and the client is not redirected...

Many thanks....Alfredo

----- Original Message -----
From: "Will Metcalf" <wil...@gm...>
To: "Alfredo Osorio" <ao...@tu...>
Cc: <sno...@li...>
Sent: Thursday, July 20, 2006 6:10 PM
Subject: Re: [Snort-inline-users] bait-and-switch when snort is in
frontoffirewall

> ok so let's go the route of a management ip on the bridge interface
> rather than eth2 because it will be a much shorter explanation ;-).
>
> pull your management ip off of eth2....
> down the eth2 interface.....
>
> setup iptables to only permit your management traffic coming into the
> br0 interface, all bridged traffic moves through the forward chain
> that is not bound for the local ip stack.
>
> iptables -A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
> iptables -A INPUT -p icmp --icmp-type 8 -j ACCEPT
> iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
>
> setup your management ip on the bridge interface
>
> ifconfig -a br0 192.168.0.1 netmask 255.255.255.0 broadcast 192.168.0.255
> route add default gw 192.168.0.254
>
> and voilà it should all work....
>
> Regards,
>
> Will
>
> On 7/20/06, Alfredo Osorio <ao...@tu...> wrote:
> > Thanks...I've been trying what you suggest without success. Can you give
> > me a simple example?
> >
> > ----- Original Message -----
> > From: "Will Metcalf" <wil...@gm...>
> > To: "Alfredo Osorio" <ao...@tu...>
> > Cc: <sno...@li...>
> > Sent: Thursday, July 20, 2006 2:54 PM
> > Subject: Re: [Snort-inline-users] bait-and-switch when snort is in front
> > offirewall
> >
> > > You probably don't want to enable ip_forwarding, you can do one of two
> > > things add a route for your internal networks to go out eth2 and add a
> > > default route going to the bridge interface. You can also assign your
> > > management ip address to the bridge and handle access to the
> > > management ip through INPUT/OUTPUT rules.
> > >
> > > http://ebtables.sourceforge.net/ebtables-faq.html
> > >
> > > On 7/20/06, Alfredo Osorio <ao...@tu...> wrote:
> > > > Hello...
> > > >
> > > > I'm having a hard time getting bait-and-switch working. Would appreciate
> > > > any simple examples as my knowledge is very limited (former windows
> > > > user)....Here's what I'm getting when bait-and-switch is enabled...
> > > >
> > > > "Performing cross-bridge DNAT requires IP forwarding to be enabled"
> > > >
> > > > I have checked that ip_forwarding is enabled with...
> > > >
> > > > cat /proc/sys/net/ipv4/ip_forward and it does return 1.
> > > >
> > > > My Bridge set up looks like this...
> > > >
> > > > #----------------------------------------
> > > > #Build Bridge
> > > > brctl addbr br0
> > > > ifconfig eth0 0.0.0.0 up -arp
> > > > ifconfig eth1 0.0.0.0 up -arp
> > > > brctl addif br0 eth0
> > > > brctl addif br0 eth1
> > > > brctl stp br0 off
> > > > ifconfig br0 0.0.0.0 up -arp
> > > >
> > > > #Flush IpTables
> > > > iptables -F
> > > >
> > > > #Forward Packets to QUEUE
> > > > iptables -A FORWARD -j QUEUE
> > > >
> > > > #start snort here...
> > > > #-------------------------------------------------
> > > >
> > > > My eth2 is on 192.168.100.8
> > > >
> > > > My snort_inline.conf has this line....
> > > >
> > > > preprocessor bait-and-switch
> > > >
> > > > My test rule looks like this...(using pcre for content match)
> > > >
> > > > drop tcp any any -> any 80 (msg:"outbound traffic match"; flow: established;
> > > > pcre:$pcrematch; bait-and-switch: 120,src,192.168.100.10;)
> > > >
> > > > I'm probably making a newbie mistake somewhere....snort_inline (2.4.4-final)
> > > > runs great until I try to use bait-and-switch.
> > > >
> > > > Many thanks....Alfredo
From: Alfredo O. <ao...@tu...> - 2006-07-20 22:57:03
Thanks Will.....I will go step by step as you have outlined...Many
thanks...Regards,...Alfredo

----- Original Message -----
From: "Will Metcalf" <wil...@gm...>
To: "Alfredo Osorio" <ao...@tu...>
Cc: <sno...@li...>
Sent: Thursday, July 20, 2006 6:10 PM
Subject: Re: [Snort-inline-users] bait-and-switch when snort is in
frontoffirewall

> ok so let's go the route of a management ip on the bridge interface
> rather than eth2 because it will be a much shorter explanation ;-).
>
> pull your management ip off of eth2....
> down the eth2 interface.....
>
> setup iptables to only permit your management traffic coming into the
> br0 interface, all bridged traffic moves through the forward chain
> that is not bound for the local ip stack.
>
> iptables -A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
> iptables -A INPUT -p icmp --icmp-type 8 -j ACCEPT
> iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
>
> setup your management ip on the bridge interface
>
> ifconfig -a br0 192.168.0.1 netmask 255.255.255.0 broadcast 192.168.0.255
> route add default gw 192.168.0.254
>
> and voilà it should all work....
>
> Regards,
>
> Will
>
> On 7/20/06, Alfredo Osorio <ao...@tu...> wrote:
> > Thanks...I've been trying what you suggest without success. Can you give
> > me a simple example?
> >
> > ----- Original Message -----
> > From: "Will Metcalf" <wil...@gm...>
> > To: "Alfredo Osorio" <ao...@tu...>
> > Cc: <sno...@li...>
> > Sent: Thursday, July 20, 2006 2:54 PM
> > Subject: Re: [Snort-inline-users] bait-and-switch when snort is in front
> > offirewall
> >
> > > You probably don't want to enable ip_forwarding, you can do one of two
> > > things add a route for your internal networks to go out eth2 and add a
> > > default route going to the bridge interface. You can also assign your
> > > management ip address to the bridge and handle access to the
> > > management ip through INPUT/OUTPUT rules.
> > >
> > > http://ebtables.sourceforge.net/ebtables-faq.html
> > >
> > > On 7/20/06, Alfredo Osorio <ao...@tu...> wrote:
> > > > Hello...
> > > >
> > > > I'm having a hard time getting bait-and-switch working. Would appreciate
> > > > any simple examples as my knowledge is very limited (former windows
> > > > user)....Here's what I'm getting when bait-and-switch is enabled...
> > > >
> > > > "Performing cross-bridge DNAT requires IP forwarding to be enabled"
> > > >
> > > > I have checked that ip_forwarding is enabled with...
> > > >
> > > > cat /proc/sys/net/ipv4/ip_forward and it does return 1.
> > > >
> > > > My Bridge set up looks like this...
> > > >
> > > > #----------------------------------------
> > > > #Build Bridge
> > > > brctl addbr br0
> > > > ifconfig eth0 0.0.0.0 up -arp
> > > > ifconfig eth1 0.0.0.0 up -arp
> > > > brctl addif br0 eth0
> > > > brctl addif br0 eth1
> > > > brctl stp br0 off
> > > > ifconfig br0 0.0.0.0 up -arp
> > > >
> > > > #Flush IpTables
> > > > iptables -F
> > > >
> > > > #Forward Packets to QUEUE
> > > > iptables -A FORWARD -j QUEUE
> > > >
> > > > #start snort here...
> > > > #-------------------------------------------------
> > > >
> > > > My eth2 is on 192.168.100.8
> > > >
> > > > My snort_inline.conf has this line....
> > > >
> > > > preprocessor bait-and-switch
> > > >
> > > > My test rule looks like this...(using pcre for content match)
> > > >
> > > > drop tcp any any -> any 80 (msg:"outbound traffic match"; flow: established;
> > > > pcre:$pcrematch; bait-and-switch: 120,src,192.168.100.10;)
> > > >
> > > > I'm probably making a newbie mistake somewhere....snort_inline (2.4.4-final)
> > > > runs great until I try to use bait-and-switch.
> > > >
> > > > Many thanks....Alfredo
From: Will M. <wil...@gm...> - 2006-07-20 22:10:38
ok so let's go the route of a management ip on the bridge interface rather
than eth2 because it will be a much shorter explanation ;-).

pull your management ip off of eth2....
down the eth2 interface.....

setup iptables to only permit your management traffic coming into the br0
interface, all bridged traffic moves through the forward chain that is not
bound for the local ip stack.

iptables -A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 8 -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

setup your management ip on the bridge interface

ifconfig -a br0 192.168.0.1 netmask 255.255.255.0 broadcast 192.168.0.255
route add default gw 192.168.0.254

and voilà it should all work....

Regards,

Will

On 7/20/06, Alfredo Osorio <ao...@tu...> wrote:
> Thanks...I've been trying what you suggest without success. Can you give
> me a simple example?
>
> ----- Original Message -----
> From: "Will Metcalf" <wil...@gm...>
> To: "Alfredo Osorio" <ao...@tu...>
> Cc: <sno...@li...>
> Sent: Thursday, July 20, 2006 2:54 PM
> Subject: Re: [Snort-inline-users] bait-and-switch when snort is in front
> offirewall
>
> > You probably don't want to enable ip_forwarding, you can do one of two
> > things add a route for your internal networks to go out eth2 and add a
> > default route going to the bridge interface. You can also assign your
> > management ip address to the bridge and handle access to the
> > management ip through INPUT/OUTPUT rules.
> >
> > http://ebtables.sourceforge.net/ebtables-faq.html
> >
> > On 7/20/06, Alfredo Osorio <ao...@tu...> wrote:
> > > Hello...
> > >
> > > I'm having a hard time getting bait-and-switch working. Would appreciate
> > > any simple examples as my knowledge is very limited (former windows
> > > user)....Here's what I'm getting when bait-and-switch is enabled...
> > >
> > > "Performing cross-bridge DNAT requires IP forwarding to be enabled"
> > >
> > > I have checked that ip_forwarding is enabled with...
> > >
> > > cat /proc/sys/net/ipv4/ip_forward and it does return 1.
> > >
> > > My Bridge set up looks like this...
> > >
> > > #----------------------------------------
> > > #Build Bridge
> > > brctl addbr br0
> > > ifconfig eth0 0.0.0.0 up -arp
> > > ifconfig eth1 0.0.0.0 up -arp
> > > brctl addif br0 eth0
> > > brctl addif br0 eth1
> > > brctl stp br0 off
> > > ifconfig br0 0.0.0.0 up -arp
> > >
> > > #Flush IpTables
> > > iptables -F
> > >
> > > #Forward Packets to QUEUE
> > > iptables -A FORWARD -j QUEUE
> > >
> > > #start snort here...
> > > #-------------------------------------------------
> > >
> > > My eth2 is on 192.168.100.8
> > >
> > > My snort_inline.conf has this line....
> > >
> > > preprocessor bait-and-switch
> > >
> > > My test rule looks like this...(using pcre for content match)
> > >
> > > drop tcp any any -> any 80 (msg:"outbound traffic match"; flow: established;
> > > pcre:$pcrematch; bait-and-switch: 120,src,192.168.100.10;)
> > >
> > > I'm probably making a newbie mistake somewhere....snort_inline (2.4.4-final)
> > > runs great until I try to use bait-and-switch.
> > >
> > > Many thanks....Alfredo
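Two checks Will gives in this thread can be run against `iptables -L -v -n` output instead of by eye: the filter-table layout above (management-only INPUT rules, all bridged traffic through FORWARD to QUEUE) and his earlier `iptables -L -v -n -t nat` check that a fired bait-and-switch rule left entries in both PREROUTING and POSTROUTING. The parser below is an added example, not code from snort-inline or from anyone in the thread; the listings it parses are constructed, and the DROP policy it expects on INPUT is my assumption, since Will lists only the ACCEPT rules.

```python
"""Verify an 'iptables -L -v -n' listing against what Will asks for: management-only
INPUT with bridged traffic sent to QUEUE in FORWARD, and, after a bait-and-switch
alert, entries in both nat PREROUTING and POSTROUTING. Added example, not code from
snort-inline or anyone in this thread; listings are constructed, and expecting a DROP
policy on INPUT is my assumption (Will lists only the ACCEPT rules)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, NamedTuple

_CHAIN = re.compile(r"^Chain (?P<name>\S+) \((?P<rest>.*)\)$")
_SUFFIX = {"K": 10**3, "M": 10**6, "G": 10**9}  # iptables -v abbreviates counters

# Constructed filter table: ssh, echo-request and replies into INPUT, the rest dropped
# by policy; FORWARD hands everything to QUEUE and its counter is moving.
FILTER_OK = """\
Chain INPUT (policy DROP 37 packets, 2220 bytes)
 pkts bytes target     prot opt in     out     source               destination
   12   720 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
    4   336 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmp type 8
  230 18400 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 8711 6203K QUEUE      all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""

# Constructed nat table after a redirect was installed and hit six times; the exact
# rules bait-and-switch writes are not shown anywhere in the thread.
NAT_AFTER_ALERT = """\
Chain PREROUTING (policy ACCEPT 51 packets, 3060 bytes)
 pkts bytes target     prot opt in     out     source               destination
    6   360 DNAT       tcp  --  *      *       192.168.1.50         0.0.0.0/0            tcp dpt:80 to:192.168.100.10

Chain POSTROUTING (policy ACCEPT 12 packets, 720 bytes)
 pkts bytes target     prot opt in     out     source               destination
    6   360 SNAT       tcp  --  *      *       192.168.1.50         192.168.100.10       to:192.168.1.2
"""


class Rule(NamedTuple):
    pkts: int
    nbytes: int
    target: str
    src: str
    dst: str
    extra: str  # match text such as "state NEW tcp dpt:22"


@dataclass
class Chain:
    name: str
    policy: str  # built-in chains carry one; user-defined chains get "-"
    rules: List[Rule] = field(default_factory=list)


def _count(tok: str) -> int:
    return int(tok[:-1]) * _SUFFIX[tok[-1]] if tok[-1] in _SUFFIX else int(tok)


def parse_listing(text: str) -> Dict[str, Chain]:
    """Columns with -v -n: pkts bytes target prot opt in out source destination [match]."""
    chains: Dict[str, Chain] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _CHAIN.match(line)
        if m:
            p = re.search(r"policy (\S+) ", m.group("rest"))
            current = Chain(m.group("name"), p.group(1) if p else "-")
            chains[current.name] = current
        elif line and current and not line.startswith("pkts bytes"):
            c = line.split(None, 9)
            if len(c) >= 9:
                current.rules.append(Rule(_count(c[0]), _count(c[1]), c[2],
                                          c[7], c[8], c[9] if len(c) > 9 else ""))
    return chains


def check_inline_filter(chains: Dict[str, Chain]) -> List[str]:
    """Problems with the filter table of a bridge whose management ip sits on br0."""
    problems: List[str] = []
    fwd = chains.get("FORWARD")
    queue = [r for r in fwd.rules if r.target == "QUEUE"] if fwd else []
    if not queue:
        problems.append("FORWARD has no QUEUE rule: bridged traffic bypasses snort_inline")
    elif all(r.pkts == 0 for r in queue):
        problems.append("QUEUE rule has never matched: traffic is not crossing the bridge")
    inp = chains.get("INPUT", Chain("INPUT", "ACCEPT"))
    if inp.policy != "DROP":
        problems.append(f"INPUT policy is {inp.policy}: more than management traffic gets in")
    for want in ("dpt:22", "icmp type 8", "RELATED,ESTABLISHED"):
        if not any(r.target == "ACCEPT" and want in r.extra for r in inp.rules):
            problems.append(f"INPUT lacks an ACCEPT rule for '{want}'")
    return problems


def check_nat_after_alert(chains: Dict[str, Chain]) -> List[str]:
    """Will's bait-and-switch check: rules in both nat chains, and hits on them."""
    problems: List[str] = []
    for name in ("PREROUTING", "POSTROUTING"):
        ch = chains.get(name)
        if ch is None or not ch.rules:
            problems.append(f"nat {name} is empty: the redirect was never added")
        elif all(r.pkts == 0 for r in ch.rules):
            problems.append(f"nat {name} has rules but zero hits: the client is not reaching them")
    return problems
```

Feed it the live output with something like `check_nat_after_alert(parse_listing(subprocess.check_output(["iptables", "-L", "-v", "-n", "-t", "nat"], text=True)))` right after the rule fires; the -v counters are what separate "rule was never added" from "rule is there but the client never hits it".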
From: Alfredo O. <ao...@tu...> - 2006-07-20 22:03:29
|
Thanks...I've been trying what you suggest without success. Can you give me a simple example?

----- Original Message -----
From: "Will Metcalf" <wil...@gm...>
To: "Alfredo Osorio" <ao...@tu...>
Cc: <sno...@li...>
Sent: Thursday, July 20, 2006 2:54 PM
Subject: Re: [Snort-inline-users] bait-and-switch when snort is in front of firewall

> You probably don't want to enable ip_forwarding, you can do one of two
> things: add a route for your internal networks to go out eth2 and add a
> default route going to the bridge interface. You can also assign your
> management ip address to the bridge and handle access to the
> management ip through INPUT/OUTPUT rules.
>
> http://ebtables.sourceforge.net/ebtables-faq.html
>
> On 7/20/06, Alfredo Osorio <ao...@tu...> wrote:
> >
> >
> > Hello...
> >
> > I'm having a hard time getting bait-and-switch working. Would appreciate any
> > simple examples as my knowledge is very limited (former windows
> > user)....Here's what I'm getting when bait-and-switch is enabled...
> >
> > "Performing cross-bridge DNAT requires IP forwarding to be enabled"
> >
> > I have checked that ip_forwarding is enabled with...
> >
> > cat /proc/sys/net/ipv4/ip_forward and it does return 1.
> >
> > My Bridge set up looks like this...
> >
> > #----------------------------------------
> > #Build Bridge
> > brctl addbr br0
> > ifconfig eth0 0.0.0.0 up -arp
> > ifconfig eth1 0.0.0.0 up -arp
> > brctl addif br0 eth0
> > brctl addif br0 eth1
> > brctl stp br0 off
> > ifconfig br0 0.0.0.0 up -arp
> >
> > #Flush IpTables
> > iptables -F
> >
> > #Forward Packets to QUEUE
> > iptables -A FORWARD -j QUEUE
> >
> >
> > #start snort here...
> > #-------------------------------------------------
> >
> >
> > My eth2 is on 192.168.100.8
> >
> > My snort_inline.conf has this line....
> >
> > preprocessor bait-and-switch
> >
> > My test rule looks like this...(using pcre for content match)
> >
> > drop tcp any any -> any 80 (msg:"outbound traffic match"; flow: established;
> > pcre:$pcrematch; bait-and-switch: 120,src,192.168.100.10;)
> >
> >
> > I'm probably making a newbie mistake somewhere....snort_inline (2.4.4-final)
> > runs great until I try to use bait-and-switch.
> >
> > Many thanks....Alfredo
> > |
From: Will M. <wil...@gm...> - 2006-07-20 18:56:08
|
You probably don't want to enable ip_forwarding, you can do one of two
things: add a route for your internal networks to go out eth2 and add a
default route going to the bridge interface. You can also assign your
management ip address to the bridge and handle access to the
management ip through INPUT/OUTPUT rules.

http://ebtables.sourceforge.net/ebtables-faq.html

On 7/20/06, Alfredo Osorio <ao...@tu...> wrote:
>
>
> Hello...
>
> I'm having a hard time getting bait-and-switch working. Would appreciate any
> simple examples as my knowledge is very limited (former windows
> user)....Here's what I'm getting when bait-and-switch is enabled...
>
> "Performing cross-bridge DNAT requires IP forwarding to be enabled"
>
> I have checked that ip_forwarding is enabled with...
>
> cat /proc/sys/net/ipv4/ip_forward and it does return 1.
>
> My Bridge set up looks like this...
>
> #----------------------------------------
> #Build Bridge
> brctl addbr br0
> ifconfig eth0 0.0.0.0 up -arp
> ifconfig eth1 0.0.0.0 up -arp
> brctl addif br0 eth0
> brctl addif br0 eth1
> brctl stp br0 off
> ifconfig br0 0.0.0.0 up -arp
>
> #Flush IpTables
> iptables -F
>
> #Forward Packets to QUEUE
> iptables -A FORWARD -j QUEUE
>
>
> #start snort here...
> #-------------------------------------------------
>
>
> My eth2 is on 192.168.100.8
>
> My snort_inline.conf has this line....
>
> preprocessor bait-and-switch
>
> My test rule looks like this...(using pcre for content match)
>
> drop tcp any any -> any 80 (msg:"outbound traffic match"; flow: established;
> pcre:$pcrematch; bait-and-switch: 120,src,192.168.100.10;)
>
>
> I'm probably making a newbie mistake somewhere....snort_inline (2.4.4-final)
> runs great until I try to use bait-and-switch.
>
> Many thanks....Alfredo
> |
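The second of the two options Will describes (management address on the bridge itself, access to it policed by INPUT/OUTPUT rules, forwarded traffic still queued to snort_inline) written out as a script. This is an added example for this archive page, not Will's script and not part of snort_inline. The interface names eth0, eth1 and br0 and the QUEUE target come from Alfredo's post; the management address 192.168.100.8/255.255.255.0 (reusing the address he had on eth2), the single admin host 192.168.100.20, the SSH-only access rule and the DRY_RUN switch are assumptions made for the example.

```shell
#!/bin/sh
# Added example for this thread; not Will Metcalf's script and not part of
# snort_inline. Keeps eth0/eth1 as bridge ports (as in Alfredo's post), puts
# the management address on br0 instead of a separate eth2, restricts access
# to that address with INPUT/OUTPUT rules, and leaves FORWARD handing every
# bridged packet to snort_inline through the QUEUE target. ip_forward is not
# touched.
#
# Assumptions not taken from the thread: management address
# 192.168.100.8/255.255.255.0, admin host 192.168.100.20 allowed in over SSH,
# and a DRY_RUN variable that prints each command instead of running it.

BRIDGE=${BRIDGE:-br0}
PORTS=${PORTS:-"eth0 eth1"}
MGMT_IP=${MGMT_IP:-192.168.100.8}
MGMT_MASK=${MGMT_MASK:-255.255.255.0}
ADMIN_HOST=${ADMIN_HOST:-192.168.100.20}

# run: execute the command, or print it when DRY_RUN is set so the generated
# rule set can be reviewed before it is applied to a live sensor.
run() {
    if [ -n "$DRY_RUN" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# build_bridge: the same bridge as in the original post, except that br0 now
# carries an address and therefore must keep ARP enabled.
build_bridge() {
    run brctl addbr "$BRIDGE"
    for p in $PORTS; do
        run ifconfig "$p" 0.0.0.0 up -arp      # bridge ports: no IP, no ARP
        run brctl addif "$BRIDGE" "$p"
    done
    run brctl stp "$BRIDGE" off
    run ifconfig "$BRIDGE" "$MGMT_IP" netmask "$MGMT_MASK" up
}

# install_rules: default-deny for the sensor's own traffic, SSH from the admin
# host only, and every forwarded (bridged) packet queued to userspace.
install_rules() {
    run iptables -F
    run iptables -P INPUT DROP
    run iptables -P OUTPUT DROP
    run iptables -P FORWARD DROP     # nothing is forwarded unless a rule says so
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A OUTPUT -o lo -j ACCEPT
    run iptables -A INPUT -i "$BRIDGE" -s "$ADMIN_HOST" -p tcp --dport 22 \
        -m state --state NEW,ESTABLISHED -j ACCEPT
    run iptables -A OUTPUT -o "$BRIDGE" -d "$ADMIN_HOST" -p tcp --sport 22 \
        -m state --state ESTABLISHED -j ACCEPT
    run iptables -A FORWARD -j QUEUE # snort_inline reads this queue
}

# Apply for real only when invoked as:  sh inline-bridge.sh apply
if [ "${1:-}" = "apply" ]; then
    build_bridge
    install_rules
fi
```

With DRY_RUN=1 in the environment the two functions only print the commands, which is the convenient way to check the rule set before it goes on a box that is in the forwarding path; passing `apply` as the first argument runs them. The ports keep `-arp` and no address, while br0 gets the address and keeps ARP on, and the DROP policies on INPUT and OUTPUT mean the sensor's own address is reachable only from the listed admin host.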
From: Alfredo O. <ao...@tu...> - 2006-07-20 18:06:05
|
Hello...

I'm having a hard time getting bait-and-switch working. Would appreciate any simple examples as my knowledge is very limited (former windows user)....Here's what I'm getting when bait-and-switch is enabled...

"Performing cross-bridge DNAT requires IP forwarding to be enabled"

I have checked that ip_forwarding is enabled with...

cat /proc/sys/net/ipv4/ip_forward and it does return 1.

My Bridge set up looks like this...

#----------------------------------------
#Build Bridge
brctl addbr br0
# bridge ports carry no IP address and do not answer ARP
ifconfig eth0 0.0.0.0 up -arp
ifconfig eth1 0.0.0.0 up -arp
brctl addif br0 eth0
brctl addif br0 eth1
brctl stp br0 off
ifconfig br0 0.0.0.0 up -arp

#Flush IpTables
iptables -F

#Forward Packets to QUEUE (every bridged packet goes to userspace for snort_inline)
iptables -A FORWARD -j QUEUE


#start snort here...
#-------------------------------------------------


My eth2 is on 192.168.100.8

My snort_inline.conf has this line....

preprocessor bait-and-switch

My test rule looks like this...(using pcre for content match)

drop tcp any any -> any 80 (msg:"outbound traffic match"; flow: established; pcre:$pcrematch; bait-and-switch: 120,src,192.168.100.10;)

I'm probably making a newbie mistake somewhere....snort_inline (2.4.4-final) runs great until I try to use bait-and-switch.

Many thanks....Alfredo |
From: Richard C. <ric...@gm...> - 2006-07-18 19:19:03
|
Looks like it's an ISO/VMware image of Linux with snort-inline and a web
front-end.

http://www.stillsecure.org/

From the site:

Strata Guard Free is a feature-rich intrusion detection/prevention system
(IDS/IPS) that leverages the SNORT™ IDS engine. Beyond SNORT functionality,
Strata Guard Free offers:

- An award winning easy-to-use interface
- A GUI-driven installation and configuration process
- Attack rule updates (immediately available as rules are released)
- Configurable per-attack response based on business logic
- Ability to prioritize and view attacks based on severity
- Multiple intrusion prevention methods, including the ability to drop
individual attack packets

--
Thanks,
Rich Compton |
From: Michael S. <sch...@se...> - 2006-07-18 11:46:31
|
> -----Original Message-----
> From: sno...@li...
> [mailto:sno...@li...] On
> Behalf Of Nick Rogness
> Sent: Monday, July 17, 2006 11:26 PM
> To: sno...@li...
> Subject: [Snort-inline-users] FreeBSD with snort_inline and Bridging
>
>
>
> For those of you that have emailed me off list about bridging
> with FreeBSD and snort_inline, the answer is that FreeBSD can
> not be bridging and running the current version of
> snort_inline. Therefore, you can not have your kernel
> configured with 'options BRIDGE' and still work. snort_inline
> will not see the traffic.

Do you know if anyone has tried the 5.5 and 6.0 if_bridge? I think it is
supposed to be replacing bridge anyway. |
From: Nick R. <ni...@ro...> - 2006-07-18 03:26:00
|
For those of you that have emailed me off list about bridging with FreeBSD
and snort_inline, the answer is that FreeBSD can not be bridging and running
the current version of snort_inline. Therefore, you can not have your kernel
configured with 'options BRIDGE' and still work. snort_inline will not see
the traffic.

I am working on a different way to make this work using netgraph, but for
now, consider yourselves informed.

I really wish the PF guys would make something that would work with
snort_inline that actually sits inline and not an after-the-fact logging
interface...

Nick Rogness <ni...@ro...> |