From: Nick R. <ni...@ro...> - 2006-07-18 03:19:25

> Hi all,
>
> I recently compiled freebsd 6.1 with IPFW with snort inline. Is there
> any way to have a snmp rule that says any packet with a string matching
> "arcsight" redirect it to another server.
>
> Compiled my freebsd kernel with the following options:
>
> options IPFIREWALL
> options IPFIREWALL_FORWARD
> options IPFIREWALL_FORWARD_EXTENDED
> options IPFIREWALL_VERBOSE
> options IPFIREWALL_VERBOSE_LIMIT=5
> options IPFIREWALL_DEFAULT_TO_ACCEPT
> options IPDIVERT
> options IPFILTER
> options IPFILTER_LOG
>
> How do you tell IPFW or snort_inline to redirect based on that rule.

[Below is the conversation I sent off list to you. Including in mailing list so everyone who is interested can see the solution]

> Hi Nick,
>
> I removed the options BRIDGE and seems to be working. Thanks a million.
> Now I'm not sure if this can be accomplished as to why I started this
> test in the beginning. With snort_inline/snort rules and IPFW "talking"
> to one another, is it possible to have a rule saying any snmp packet
> with a message of "foo" redirect all these packets to some other server?

Yes! You can do such a thing with a redirect statement and a little bit of black magic firewalling. Here's how:

First, make sure you are running the snort_inline-2.4.5 code. Older code will not work.

Next, add 'options IPFIREWALL_FORWARD' to your kernel and reboot.

Next, add the following snort rule to your snort rules:

reinject udp any any -> any 161 (msg: "SNMP hit"; content:"foo")

You also need to have the following option turned on in the snort_inline.conf file:

config ipfw_reinject_rule: 65005

Then, in your IPFW firewall add the following rules:

ipfw add 65001 skipto 65535 ip from any to any
ipfw add 65005 fwd X.X.X.X ip from any to any

Where X.X.X.X is the machine you want to forward the requests to.

> Thanks.
> Monah
>
> -----Original Message-----
> From: Nick Rogness [mailto:ni...@ro...]
> Sent: Saturday, July 15, 2006 2:32 PM
> To: Baki, Monah non Unisys
> Subject: Re: Question about snort inline
>
>> Hello Nick,
>>
>> First I'll like to say thank you for posting the snort_inline doc. I'm
>> trying to implement it using FreeBSD 6.1.
>>
>> I compiled the kernel using the following options:
>>
>> options IPFIREWALL
>> options IPFIREWALL_VERBOSE
>> options IPFIREWALL_VERBOSE_LIMIT=5
>> options IPFIREWALL_DEFAULT_TO_ACCEPT
>> options IPDIVERT
>> options BRIDGE
>
> You do not want to have BRIDGE turned on, that may cause problems.
>
>> and per your example I installed snort inline:
>>
>> ./configure --enable-inline --enable-ipfw
>> make && make install
>>
>> my ipfw list shows the following:
>>
>> 00100 check-state
>> 00200 allow tcp from any to me dst-port 22 in via em0 keep-state
>> 00201 allow tcp from any to any out via em0 keep-state
>> 00202 allow tcp from any to me dst-port 80 in via em0
>> 65000 divert 8100 ip from any to any
>> 65535 allow ip from any to any
>>
>> I ran snort inline with:
>>
>> /usr/local/bin/snort_inline -J 8100 -c /etc/snort_inline/snort_inline.conf -l /var/log/snort
>>
>> However I do not see any traffic. Am I missing anything?
>
> Are counters increasing on the 65000 ipfw rule (ipfw -a l)? What do
> your snort rules look like?
>
> Try adding an 'alert' rule in snort for all traffic and see if you see
> anything.
>
> Nick Rogness <ni...@ro...>

Nick Rogness <ni...@ro...>

From: Will M. <wil...@gm...> - 2006-07-17 22:25:05

You could use bait-and-switch for this if you were running linux but even then it would probably not have the desired effect, as it would reroute all traffic from the host that triggered the alert bound for the original source for a user specified amount of time.

Regards,

Will

On 7/17/06, Baki, Monah non Unisys <Mon...@un...> wrote:
>
> Hi all,
>
> I recently compiled freebsd 6.1 with IPFW with snort inline. Is there any
> way to have a snmp rule that says any packet with a string matching
> "arcsight" redirect it to another server.
>
> Compiled my freebsd kernel with the following options:
>
> options IPFIREWALL
> options IPFIREWALL_FORWARD
> options IPFIREWALL_FORWARD_EXTENDED
> options IPFIREWALL_VERBOSE
> options IPFIREWALL_VERBOSE_LIMIT=5
> options IPFIREWALL_DEFAULT_TO_ACCEPT
> options IPDIVERT
> options IPFILTER
> options IPFILTER_LOG
>
> How do you tell IPFW or snort_inline to redirect based on that rule.
>
> Thanks
> -------------------------------------------------------------------------
> Take Surveys. Earn Cash. Influence the Future of IT
> Join SourceForge.net's Techsay panel and you'll get the chance to share your
> opinions on IT & business topics through brief surveys -- and earn cash
> http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
>
> _______________________________________________
> Snort-inline-users mailing list
> Sno...@li...
> https://lists.sourceforge.net/lists/listinfo/snort-inline-users

From: Baki, M. n. U. <Mon...@un...> - 2006-07-17 20:10:50

Hi all,

I recently compiled freebsd 6.1 with IPFW with snort inline. Is there any way to have a snmp rule that says any packet with a string matching "arcsight" redirect it to another server.

Compiled my freebsd kernel with the following options:

options IPFIREWALL
options IPFIREWALL_FORWARD
options IPFIREWALL_FORWARD_EXTENDED
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=5
options IPFIREWALL_DEFAULT_TO_ACCEPT
options IPDIVERT
options IPFILTER
options IPFILTER_LOG

How do you tell IPFW or snort_inline to redirect based on that rule.

Thanks

From: biotechisgodzilla.wifebeater <bio...@gm...> - 2006-07-16 10:34:43

hi Ozgur!

uninstall libdnet* (with apt-get) and reinstall libdnet from sources

On Sun, 2006-07-16 at 05:32 +0300, ozgur uncuoglu wrote:
> Hi,
>
> I'm getting this following error,
>
> checking dnet.h usability... yes
> checking dnet.h presence... yes
> checking for dnet.h... yes
> checking for eth_set in -ldnet... no
>
> ERROR! Libdnet header not found, go get it from
> http://libdnet.sourceforge.net or use the --with-dnet-*
> options, if you have it installed in an unusual place
>
> libdnet-1.11 is installed from source and the following packets also
> installed (debian sarge)
>
> ii libnet1 1.1.2.1-2 library for the construction and handling of
> ii libnet1-dev 1.1.2.1-2 development files for libnet
> ii libdnet 2.29 DECnet Libraries
> ii libdnet-dev 2.29 DECnet development libraries & Headers
>
> thanks

From: ozgur u. <oun...@is...> - 2006-07-16 02:33:24

Hi,

I'm getting this following error,

checking dnet.h usability... yes
checking dnet.h presence... yes
checking for dnet.h... yes
checking for eth_set in -ldnet... no

ERROR! Libdnet header not found, go get it from
http://libdnet.sourceforge.net or use the --with-dnet-*
options, if you have it installed in an unusual place

libdnet-1.11 is installed from source and the following packets also installed (debian sarge)

ii libnet1 1.1.2.1-2 library for the construction and handling of
ii libnet1-dev 1.1.2.1-2 development files for libnet
ii libdnet 2.29 DECnet Libraries
ii libdnet-dev 2.29 DECnet development libraries & Headers

thanks

From: Will M. <wil...@gm...> - 2006-07-15 12:40:08

No formal documentation ;-) Just look at the .h file it is pretty straight forward adding something to the BlockTree ;-). Also take a look at the doc/README.INLINE in the source.

Regards,

Will

On 7/13/06, Sylvain Bonfardin <bon...@ro...> wrote:
> Hi Guys,
> I'd like to you if you got any docs related to:
> - stickydrop design and mode of actions
> - inter preprocessor workflow (aka how sfportscan pass the data to stickydrop)
> Well...i can read the source, just wondering if there is any design/diagram
> stuff around :)
>
> My main goal is to integrate a DoS detection plugin and make it work with
> stickydrop. I hope to drop dos packet and allow legitimate traffic...
>
> cheers,
> Sly-

From: Mike P. <mg...@us...> - 2006-07-14 20:07:23

I will be out of the office starting 07/14/2006 and will not return until 07/24/2006.

I will respond to your message when I return.

From: biotechisgodzilla.wifebeater <bio...@gm...> - 2006-07-14 09:48:24

aha ok this explains it all ! thank you Victor ! have a nice day

.mike

On Fri, 2006-07-14 at 08:24 +0200, Victor Julien wrote:
> biotechisgodzilla.wifebeater wrote:
> > Hi all !
> > ok that's a stupid question:
> > it is possible to compile snort-inline without having dnet ?
> > in my understanding dnet is required to make snort-inline act as a
> > bridge,
> > thus being transparent,
> > am i wrong ?
>
> Yes, wrong ;-)
>
> Libdnet is used for sending the rst packets for the reject action. We
> did this to get rid of the dependency to libnet 1.02a. Snort is also
> (slowly) moving to libdnet and away from libnet.
>
> Cheers!
> Victor

From: Victor J. <vi...@nk...> - 2006-07-14 06:23:13

biotechisgodzilla.wifebeater wrote:
> Hi all !
> ok that's a stupid question:
> it is possible to compile snort-inline without having dnet ?
> in my understanding dnet is required to make snort-inline act as a
> bridge,
> thus being transparent,
> am i wrong ?

Yes, wrong ;-)

Libdnet is used for sending the rst packets for the reject action. We did this to get rid of the dependency to libnet 1.02a. Snort is also (slowly) moving to libdnet and away from libnet.

Cheers!
Victor

From: Sylvain B. <bon...@ro...> - 2006-07-14 03:28:00

Hi Guys,

I'd like to you if you got any docs related to:
- stickydrop design and mode of actions
- inter preprocessor workflow (aka how sfportscan pass the data to stickydrop)

Well...i can read the source, just wondering if there is any design/diagram stuff around :)

My main goal is to integrate a DoS detection plugin and make it work with stickydrop. I hope to drop dos packet and allow legitimate traffic...

cheers,
Sly-

__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com

From: biotechisgodzilla.wifebeater <bio...@gm...> - 2006-07-13 23:22:03

Hi all !

ok that's a stupid question:
it is possible to compile snort-inline without having dnet ?
in my understanding dnet is required to make snort-inline act as a bridge, thus being transparent,
am i wrong ?

thank you very much for your time !

.mike

From: biotechisgodzilla.wifebeater <bio...@gm...> - 2006-07-13 20:29:55

understood ! thank you very much for your support !

regards
.mike

On Thu, 2006-07-13 at 14:02 -0600, Nick Rogness wrote:
> > Hi all, hi Will !
> > the latest stable version of snort_inline is snort_inline-2.4.5a or
> > snort_inline-2.4.5 ?
> > thank you very much !
>
> 2.4.5a just has a compiler fix in it so it will compile with older
> versions of gcc. Other than that, I think the code is the same, IIRC.
>
> Nick Rogness <ni...@ro...>

From: Nick R. <ni...@ro...> - 2006-07-13 20:03:06

> Hi all, hi Will !
> the latest stable version of snort_inline is snort_inline-2.4.5a or
> snort_inline-2.4.5 ?
> thank you very much !

2.4.5a just has a compiler fix in it so it will compile with older versions of gcc. Other than that, I think the code is the same, IIRC.

Nick Rogness <ni...@ro...>

From: biotechisgodzilla.wifebeater <bio...@gm...> - 2006-07-13 17:36:32

Hi all, hi Will !

the latest stable version of snort_inline is snort_inline-2.4.5a or snort_inline-2.4.5 ?

thank you very much !

.mike

From: Nick R. <ni...@ro...> - 2006-07-07 23:13:27

> Hi Nick.
> According to README.INLINE, the indev interface must have an IP assigned
> to it in order for snort_inline to work properly.
> With iptables, there is the layer2_resets options. I think that there is
> no equivalent option on FreeBSD.
> Do you have any suggestions?
> My bad. I have not read README.INLINE before.
> Thanks.

FreeBSD snort_inline doesn't support layer2_resets because it can never operate in a bridging configuration.

Nick Rogness <ni...@ro...>

From: biotechisgodzilla.wifebeater <bio...@gm...> - 2006-06-30 15:06:37

good holidays to you !

On Fri, 2006-06-30 at 10:00 -0500, bfi...@kc... wrote:
> I will be out of the office starting 06/28/2006 and will not return until
> 07/05/2006.
>
> I will respond to your message when I return. If you need immediate
> assistance, please contact Patt Sweet at 816-997-3062

From: <bfi...@kc...> - 2006-06-30 15:00:32

I will be out of the office starting 06/28/2006 and will not return until 07/05/2006.

I will respond to your message when I return. If you need immediate assistance, please contact Patt Sweet at 816-997-3062

From: Carlos E G. <ceg...@if...> - 2006-06-30 13:34:01

Hi Nick.

According to README.INLINE, the indev interface must have an IP assigned to it in order for snort_inline to work properly.
With iptables, there is the layer2_resets options. I think that there is no equivalent option on FreeBSD.
Do you have any suggestions?

My bad. I have not read README.INLINE before.

Thanks.

Nick Rogness wrote:
>> Hi.
>>
>> Does anyone else have already setup snort_inline with ipfw on a FreeBSD
>> box? I'm getting the following error:
>>
>> IpfwLoop: write to divert socket failed
>
> What do your IPFW rules look like (ipfw -a l)? This error indicates
> that snort_inline is trying to write the packet back to kernel (via a
> divert socket). snort_inline hasn't been tested on 6.X yet. I will
> look into it to see if something has changed in 6.X.
>
>> I have no idea of what's happening. My box is as following:
>>
>> FreeBSD 6.1-STABLE FreeBSD 6.1-STABLE #0
>>
>> Kernel build options:
>>
>> device if_bridge
>> options IPFIREWALL
>> options IPFIREWALL_VERBOSE
>> options IPDIVERT
>>
>> IPFW divert rule:
>>
>> divert 8000 all from machine1 to machine2 via if1
>>
>> where if1 is one of the members interfaces of bridge, machine1 is on the
>> bridge and machine2 is an external machine. Observe that I am not
>> filtering on layer2, because ipfw does not divert bridged packets.
>>
>> net.link.bridge.pfil_onlyip: 0
>> net.link.bridge.pfil_member: 1
>> net.link.bridge.pfil_bridge: 0
>> net.link.bridge.ipfw: 0
>> net.link.ether.ipfw: 0
>>
>> Config file is default snort_inline.conf. I've also tried layer2resets
>> with no success (using bridge interface mac).
>>
>> command line options:
>> snort_inline -v -J 8000 -d -s -h xxx.xxx.xxx.xxx/xx -l
>> /var/log/snort_inline -c /usr/local/etc/snort_inline.conf
>>
>> snort_inline versions 2.4.4-final and 2.3.0 from FreeBSD ports.
>
> Nick Rogness <ni...@ro...>

From: Nick R. <ni...@ro...> - 2006-06-24 22:03:43

> Hi.
>
> Does anyone else have already setup snort_inline with ipfw on a FreeBSD
> box? I'm getting the following error:
>
> IpfwLoop: write to divert socket failed

What do your IPFW rules look like (ipfw -a l)? This error indicates that snort_inline is trying to write the packet back to kernel (via a divert socket). snort_inline hasn't been tested on 6.X yet. I will look into it to see if something has changed in 6.X.

> I have no idea of what's happening. My box is as following:
>
> FreeBSD 6.1-STABLE FreeBSD 6.1-STABLE #0
>
> Kernel build options:
>
> device if_bridge
> options IPFIREWALL
> options IPFIREWALL_VERBOSE
> options IPDIVERT
>
> IPFW divert rule:
>
> divert 8000 all from machine1 to machine2 via if1
>
> where if1 is one of the members interfaces of bridge, machine1 is on the
> bridge and machine2 is an external machine. Observe that I am not
> filtering on layer2, because ipfw does not divert bridged packets.
>
> net.link.bridge.pfil_onlyip: 0
> net.link.bridge.pfil_member: 1
> net.link.bridge.pfil_bridge: 0
> net.link.bridge.ipfw: 0
> net.link.ether.ipfw: 0
>
> Config file is default snort_inline.conf. I've also tried layer2resets
> with no success (using bridge interface mac).
>
> command line options:
> snort_inline -v -J 8000 -d -s -h xxx.xxx.xxx.xxx/xx -l
> /var/log/snort_inline -c /usr/local/etc/snort_inline.conf
>
> snort_inline versions 2.4.4-final and 2.3.0 from FreeBSD ports.

Nick Rogness <ni...@ro...>

From: Jun I. <jh...@os...> - 2006-06-23 13:06:03

Hello Victor,

> Combining iptables and snort_inline is exactly what i do as well. It
> makes great sense because there is no need to bother snort_inline with
> packets to/from ports or hosts you want to drop anyway.
>
> You have to be careful about one thing though: make sure that
> snort_inline sees all packets from a connection. In the rules you show
> above only the initial SYN packet is sent to snort_inline. Make sure
> that the relevant NEW and ESTABLISHED traffic from both directions go
> through snort_inline.

Thank you for the reply. I'll follow your advice.

Have a nice weekend.

Jun

From: Victor J. <vi...@nk...> - 2006-06-23 10:55:02

Jun Inamori wrote:
> Hello,
>
> I've been using Arno's IPTABLES firewall script on single-homed machines:
> http://rocky.eld.leidenuniv.nl/
> And I also have interest in snort_inline, because it seems to have
> additional rules.
> The documentation of snort_inline includes the iptables rule that
> forwards all the packets to snort_inline.
> In this strategy, iptables is nothing more than the pass-through
> interface between the kernel and snort_inline.
> But, I'd like to use both of Arno's IPTABLES firewall script and
> snort_inline.
> My arno-iptables-firewall.conf (1.8.6c) defines OPEN_TCP with 25 80 443.
> The packets to these ports are subjects of:
> $IPTABLES -A EXT_INPUT_CHAIN -p tcp --syn --dport $port -j ACCEPT
> in Arno's IPTABLES firewall script.
> Before those packets are accepted, I'd like to check them by snort_inline.
> To make it possible, I placed:
> $IPTABLES -A EXT_INPUT_CHAIN -p tcp --syn --dport $port -j QUEUE
> before:
> $IPTABLES -A EXT_INPUT_CHAIN -p tcp --syn --dport $port -j ACCEPT
> I confirmed snort_inline works well.
>
> Do you think it is good idea to use both of them?
> Or, do you find the substantial problems in my strategy?

Combining iptables and snort_inline is exactly what i do as well. It makes great sense because there is no need to bother snort_inline with packets to/from ports or hosts you want to drop anyway.

You have to be careful about one thing though: make sure that snort_inline sees all packets from a connection. In the rules you show above only the initial SYN packet is sent to snort_inline. Make sure that the relevant NEW and ESTABLISHED traffic from both directions go through snort_inline.

Cheers!
Victor

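Added example, not taken from this thread or from Arno's firewall script: the SYN-only QUEUE rule Jun posted beside a version that hands every packet of the connection, in both directions, to snort_inline, plus a check that a rendered rule set actually covers both directions for every open port. The chain name EXT_OUTPUT_CHAIN, the default port list and the dry-run convention (IPTABLES set to "echo iptables") are assumptions.

```shell
#!/bin/sh
# Added example (not from the list thread or from Arno's firewall script).
# Set IPTABLES to "echo iptables" to render the rules instead of loading them.
# EXT_INPUT_CHAIN appears in Jun's post; EXT_OUTPUT_CHAIN is an assumed name
# for the matching outbound chain, and the port list mirrors his OPEN_TCP.

IPTABLES="${IPTABLES:-iptables}"
OPEN_TCP="${OPEN_TCP:-25 80 443}"

# The rule from the original post: only the SYN reaches snort_inline. Every
# later segment, i.e. everything that carries payload, bypasses inspection.
syn_only_rules() {
    for port in $OPEN_TCP; do
        $IPTABLES -A EXT_INPUT_CHAIN -p tcp --syn --dport "$port" -j QUEUE
    done
}

# Corrected: the SYN (NEW) and every later inbound segment (ESTABLISHED) are
# queued, and the server's replies are queued too, so snort_inline sees the
# whole stream. These rules must sit before any blanket ESTABLISHED accept,
# because iptables stops at the first matching rule.
full_stream_rules() {
    for port in $OPEN_TCP; do
        $IPTABLES -A EXT_INPUT_CHAIN -p tcp --dport "$port" \
            -m state --state NEW,ESTABLISHED -j QUEUE
        $IPTABLES -A EXT_OUTPUT_CHAIN -p tcp --sport "$port" \
            -m state --state ESTABLISHED -j QUEUE
    done
}

# Sanity check over rendered rules (one "iptables ..." command per line):
# every open port needs an inbound QUEUE rule matching NEW,ESTABLISHED and an
# outbound QUEUE rule matching ESTABLISHED. Returns 0 when both are present
# for all ports, 1 otherwise (so the SYN-only set fails this check).
check_rules() {
    rules="$1"
    for port in $OPEN_TCP; do
        echo "$rules" | grep -q -- \
            "-A EXT_INPUT_CHAIN .*--dport $port .*--state NEW,ESTABLISHED -j QUEUE" \
            || return 1
        echo "$rules" | grep -q -- \
            "-A EXT_OUTPUT_CHAIN .*--sport $port .*--state ESTABLISHED -j QUEUE" \
            || return 1
    done
    return 0
}

# Stand-alone use: "sh thisfile.sh dry-run" prints the corrected rule set.
case "${1:-}" in
    dry-run)
        IPTABLES="echo iptables"
        full_stream_rules
        ;;
esac
```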
From: Jun I. <jh...@os...> - 2006-06-23 10:36:04

Hello,

I've been using Arno's IPTABLES firewall script on single-homed machines:
http://rocky.eld.leidenuniv.nl/
And I also have interest in snort_inline, because it seems to have additional rules.

The documentation of snort_inline includes the iptables rule that forwards all the packets to snort_inline. In this strategy, iptables is nothing more than the pass-through interface between the kernel and snort_inline.

But, I'd like to use both of Arno's IPTABLES firewall script and snort_inline.

My arno-iptables-firewall.conf (1.8.6c) defines OPEN_TCP with 25 80 443. The packets to these ports are subjects of:

$IPTABLES -A EXT_INPUT_CHAIN -p tcp --syn --dport $port -j ACCEPT

in Arno's IPTABLES firewall script.

Before those packets are accepted, I'd like to check them by snort_inline. To make it possible, I placed:

$IPTABLES -A EXT_INPUT_CHAIN -p tcp --syn --dport $port -j QUEUE

before:

$IPTABLES -A EXT_INPUT_CHAIN -p tcp --syn --dport $port -j ACCEPT

I confirmed snort_inline works well.

Do you think it is good idea to use both of them?
Or, do you find the substantial problems in my strategy?

Jun

From: Bill W. <bw...@op...> - 2006-06-21 14:26:42

Using dselect I removed

dnet-common
dnet-progs
libdnet
libdnet-dev

Then reinstalled from http://libdnet.sourceforge.net then Snort installed.

Thanks for the help.

Bill

Will Metcalf wrote:
> That's so weird, it builds fine on Sarge for me with the latest
> libdnet. You didn't happen to install the libdnet-dev package in
> Sarge did you? Note to all the libdnet in debian is libDECNet and
> they share the same .so names......
>
> Regards,
>
> Will
>
> On 6/20/06, Bill Warren <bw...@op...> wrote:
>
>> I am running Debian Sarge and this is what I get with the download of
>> the latest ver
>>
>> Run: dnet-config --libs
>>
>> Gives me: -L/usr/local/lib -ldnet
>>
>> Run:
>> ./configure --with-dnet-includes=/usr/local/lib
>> ./configure --with-dnet-libraries=/usr/local/lib
>>
>> Both give me:
>> checking for dnet.h... yes
>> checking for eth_set in -ldnet... no
>>
>> ERROR! Libdnet header not found, go get it from
>> http://libdnet.sourceforge.net or use the --with-dnet-*
>> options, if you have it installed in an unusual place
>>
>> Any ideas?
>>
>> Will Metcalf wrote:
>>
>>> run dnet-config --libs. Is it blank? find the dnet-config file and
>>> see if the line that resembles what is below edit if necessary. I
>>> think we will have another 2.4.5 release this weekend that actually
>>> contains the --with-dnet stuff in the configure ;-). I have a couple
>>> of other bug fixes as well.
>>>
>>> prefix=/usr/local
>>> exec_prefix=/usr/local
>>>
>>> Regards,
>>>
>>> Will
>>> On 6/17/06, int eighty <xc...@gm...> wrote:
>>>
>>>> The ./configure for snort_inline is consistently failing with the
>>>> following message:
>>>>
>>>> checking dnet.h usability... yes
>>>> checking dnet.h presence... yes
>>>> checking for dnet.h... yes
>>>> checking for eth_set in -ldnet... no
>>>>
>>>> ERROR! Libdnet header not found, go get it from
>>>> http://libdnet.sourceforge.net or use the --with-dnet-*
>>>> options, if you have it installed in an unusual place
>>>>
>>>> The system is running Debian (unstable) and has the libdnet and
>>>> libdnet-dev packages installed through apt-get. This error still
>>>> occurred after using apt-get so libdnet was downloaded from
>>>> sourceforge, compiled, and installed.
>>>>
>>>> The /etc/ld.so.conf was also updated to include the paths of dnet.h
>>>> and dnet.so/dnet.a (these are symbolic links from libdnet.so and
>>>> libdnet.a, respectively). Configure was also run with the following
>>>> options:
>>>>
>>>> ./configure --with-dnet-includes=/usr/local/include
>>>> --with-dnet-libraries=/usr/lib
>>>>
>>>> Still the error persists, and there are not many solutions provided
>>>> through Google (I've tried everything in the search results).

--
Bill Warren

Network Systems Administrator
Optivel, Inc.
317.275.2305 office
317.523.8468 cell
www.optivel.com

From: Will M. <wil...@gm...> - 2006-06-21 00:17:12

yeah get rid of them you don't need them and this is probably what is messing you guys up. Well that is of course you guys are working with DECnet ;-).

Regards,

Will

On 6/21/06, biotechisgodzilla.wifebeater <bio...@gm...> wrote:
> yep, on debian sarge i have the following packages installed
>
> dnet-common
> dnet-progs
> libdnet
> libdnet-dev
>
> note that probably not all of them are necessary
>
> seeya
> .mike
>
> On Tue, 2006-06-20 at 18:57 -0500, Will Metcalf wrote:
> > That's so weird, it builds fine on Sarge for me with the latest
> > libdnet. You didn't happen to install the libdnet-dev package in
> > Sarge did you? Note to all the libdnet in debian is libDECNet and
> > they share the same .so names......
> >
> > Regards,
> >
> > Will
> >
> > On 6/20/06, Bill Warren <bw...@op...> wrote:
> > > I am running Debian Sarge and this is what I get with the download of
> > > the latest ver
> > >
> > > Run: dnet-config --libs
> > >
> > > Gives me: -L/usr/local/lib -ldnet
> > >
> > > Run:
> > > ./configure --with-dnet-includes=/usr/local/lib
> > > ./configure --with-dnet-libraries=/usr/local/lib
> > >
> > > Both give me:
> > > checking for dnet.h... yes
> > > checking for eth_set in -ldnet... no
> > >
> > > ERROR! Libdnet header not found, go get it from
> > > http://libdnet.sourceforge.net or use the --with-dnet-*
> > > options, if you have it installed in an unusual place
> > >
> > > Any ideas?
> > >
> > > Will Metcalf wrote:
> > >
> > > > run dnet-config --libs. Is it blank? find the dnet-config file and
> > > > see if the line that resembles what is below edit if necessary. I
> > > > think we will have another 2.4.5 release this weekend that actually
> > > > contains the --with-dnet stuff in the configure ;-). I have a couple
> > > > of other bug fixes as well.
> > > >
> > > > prefix=/usr/local
> > > > exec_prefix=/usr/local
> > > >
> > > > Regards,
> > > >
> > > > Will
> > > > On 6/17/06, int eighty <xc...@gm...> wrote:
> > > >
> > > > > The ./configure for snort_inline is consistently failing with the
> > > > > following message:
> > > > >
> > > > > checking dnet.h usability... yes
> > > > > checking dnet.h presence... yes
> > > > > checking for dnet.h... yes
> > > > > checking for eth_set in -ldnet... no
> > > > >
> > > > > ERROR! Libdnet header not found, go get it from
> > > > > http://libdnet.sourceforge.net or use the --with-dnet-*
> > > > > options, if you have it installed in an unusual place
> > > > >
> > > > > The system is running Debian (unstable) and has the libdnet and
> > > > > libdnet-dev packages installed through apt-get. This error still
> > > > > occurred after using apt-get so libdnet was downloaded from
> > > > > sourceforge, compiled, and installed.
> > > > >
> > > > > The /etc/ld.so.conf was also updated to include the paths of dnet.h
> > > > > and dnet.so/dnet.a (these are symbolic links from libdnet.so and
> > > > > libdnet.a, respectively). Configure was also run with the following
> > > > > options:
> > > > >
> > > > > ./configure --with-dnet-includes=/usr/local/include
> > > > > --with-dnet-libraries=/usr/lib
> > > > >
> > > > > Still the error persists, and there are not many solutions provided
> > > > > through Google (I've tried everything in the search results).

From: biotechisgodzilla.wifebeater <bio...@gm...> - 2006-06-21 00:08:43

yep, on debian sarge i have the following packages installed

dnet-common
dnet-progs
libdnet
libdnet-dev

note that probably not all of them are necessary

seeya
.mike

On Tue, 2006-06-20 at 18:57 -0500, Will Metcalf wrote:
> That's so weird, it builds fine on Sarge for me with the latest
> libdnet. You didn't happen to install the libdnet-dev package in
> Sarge did you? Note to all the libdnet in debian is libDECNet and
> they share the same .so names......
>
> Regards,
>
> Will
>
> On 6/20/06, Bill Warren <bw...@op...> wrote:
> > I am running Debian Sarge and this is what I get with the download of
> > the latest ver
> >
> > Run: dnet-config --libs
> >
> > Gives me: -L/usr/local/lib -ldnet
> >
> > Run:
> > ./configure --with-dnet-includes=/usr/local/lib
> > ./configure --with-dnet-libraries=/usr/local/lib
> >
> > Both give me:
> > checking for dnet.h... yes
> > checking for eth_set in -ldnet... no
> >
> > ERROR! Libdnet header not found, go get it from
> > http://libdnet.sourceforge.net or use the --with-dnet-*
> > options, if you have it installed in an unusual place
> >
> > Any ideas?
> >
> > Will Metcalf wrote:
> >
> > > run dnet-config --libs. Is it blank? find the dnet-config file and
> > > see if the line that resembles what is below edit if necessary. I
> > > think we will have another 2.4.5 release this weekend that actually
> > > contains the --with-dnet stuff in the configure ;-). I have a couple
> > > of other bug fixes as well.
> > >
> > > prefix=/usr/local
> > > exec_prefix=/usr/local
> > >
> > > Regards,
> > >
> > > Will
> > > On 6/17/06, int eighty <xc...@gm...> wrote:
> > >
> > > > The ./configure for snort_inline is consistently failing with the
> > > > following message:
> > > >
> > > > checking dnet.h usability... yes
> > > > checking dnet.h presence... yes
> > > > checking for dnet.h... yes
> > > > checking for eth_set in -ldnet... no
> > > >
> > > > ERROR! Libdnet header not found, go get it from
> > > > http://libdnet.sourceforge.net or use the --with-dnet-*
> > > > options, if you have it installed in an unusual place
> > > >
> > > > The system is running Debian (unstable) and has the libdnet and
> > > > libdnet-dev packages installed through apt-get. This error still
> > > > occurred after using apt-get so libdnet was downloaded from
> > > > sourceforge, compiled, and installed.
> > > >
> > > > The /etc/ld.so.conf was also updated to include the paths of dnet.h
> > > > and dnet.so/dnet.a (these are symbolic links from libdnet.so and
> > > > libdnet.a, respectively). Configure was also run with the following
> > > > options:
> > > >
> > > > ./configure --with-dnet-includes=/usr/local/include
> > > > --with-dnet-libraries=/usr/lib
> > > >
> > > > Still the error persists, and there are not many solutions provided
> > > > through Google (I've tried everything in the search results).
