From: Alfredo O. <ao...@tu...> - 2006-05-07 16:54:44

Have been trying to get the flexresp page to paint without success. From my tests it does not work on WinXP (IE6 or Firefox) but it does in Knoppix. Any ideas/thoughts?

Many thanks....Alfredo

----- Original Message -----
From: "Alfredo Osorio" <ao...@tu...>
To: "Will Metcalf" <wil...@gm...>
Cc: <sno...@li...>
Sent: Thursday, April 27, 2006 9:58 PM
Subject: Fw: [Snort-inline-users] React Keyword and Msg not displaying on IE6

> Hi Will.... I just loaded ethereal and repeated the test on a windows xp
> machine. Ethereal did capture several tcp packets with the flexresp block
> message. The IE6 client, however, did not display them. 5 packets are sent
> from snort_inline to the client with the flexresp message.
>
> packet (1) [tcp retransmission] Continuation or non-http traffic
> packets (2-4) [tcp acked lost segment] Continuation or non-http traffic
>
> Any thoughts?
>
> thanks....Alfredo
>
> ----- Original Message -----
> From: "Alfredo Osorio" <ao...@tu...>
> To: "Will Metcalf" <wil...@gm...>
> Cc: <sno...@li...>
> Sent: Wednesday, April 26, 2006 11:09 PM
> Subject: Re: [Snort-inline-users] React Keyword and Msg not displaying on IE6
>
> > Thanks Will....I'm pretty sure the page is being sent back but will double
> > check tomorrow. Here's a little more detail on what I did...
> >
> > (1) Set up two test clients - one with knoppix and one with Windows XP
> > (2) The Knoppix client running firefox works flawlessly - flexresp page is
> > displayed without problems.
> > (3) The Windows XP client running IE6, however, either hangs (i.e.
> > connecting...) when the rule uses DROP or repaints with "server not found"
> > when using REJECT.
> >
> > I will load ethereal on the Windows machine tomorrow and check for traffic
> > but my guess is that the page is being sent back but somehow IE6 is
> > deciding not to repaint.....Regards,...Alfredo
> >
> > ----- Original Message -----
> > From: "Will Metcalf" <wil...@gm...>
> > To: "Alfredo Osorio" <ao...@tu...>
> > Cc: <sno...@li...>
> > Sent: Wednesday, April 26, 2006 10:32 PM
> > Subject: Re: [Snort-inline-users] React Keyword and Msg not displaying on IE6
> >
> > > errrr what do you get? nothing at all? if watch the traffic via
> > > tcpdump is it sending the page back to the client?
> > >
> > > Regards,
> > >
> > > Will
> > >
> > > On 4/26/06, Alfredo Osorio <ao...@tu...> wrote:
> > > > Hello Everyone...(My apologies as I sent this note before from a non-member
> > > > email address - my work address)
> > > >
> > > > I'm currently running snort_inline.2.4.4-final with clamav and flexresp on
> > > > my home network. Everything works really well with one interesting exception
> > > > - when using "react:block,msg" to block access to inappropriate web sites
> > > > the warning message only appears if one is using mozilla or conqueror but
> > > > not on IE6. I have tried "drop", "rejectboth", "rejectsrc", "rejectdst" and
> > > > even "alert" with the same results. Has anyone encountered this problem? I'm
> > > > new to Linux and would welcome any
> > > > thoughts/ideas....Regards,....Alfredo
> > >
> > > -------------------------------------------------------
> > > Using Tomcat but need to do more? Need to support web services, security?
> > > Get stuff done quickly with pre-integrated technology to make your job easier
> > > Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
> > > http://sel.as-us.falkag.net/sel?cmd_______________________________________________
> > > Snort-inline-users mailing list
> > > Sno...@li...
> > > https://lists.sourceforge.net/lists/listinfo/snort-inline-users
From: Will M. <wil...@gm...> - 2006-05-07 16:05:34

you shouldn't have to patch anything, just look at the README.INLINE. This functionality is already built into the snort_inline source code. The patch you are talking about is for the bns project from the violating.us guys. You don't need to apply this patch, you only need to download snort-inline-2.4.4-final and see the README.INLINE and the snort_inline.conf to see how to use bait-and-switch.

download the source from http://snort-inline.sourceforge.net/download.html

Regards,

Will

On 5/7/06, ikami <ik...@ya...> wrote:
> One question: Bait and Switch HoneyPot only works with snort.1.9.1?
> When I tried to install it (on step 3) it asks for the archive bns.diff. I
> write the path of the bns.diff and an ERROR occurs
> Copy of the ERROR:
>
> 1) Set Up Routing Tables. (**RUN ONCE PER MACHINE**)
> 2) Configuration
> 3) Patch Snort (ONLY AFTER OPTION 2)
> 4) Exit
> Your Choice: 3
>
> Path to bns.diff (ie: /root/bns/snort/bns.diff)
> /usr/local/ids/bns/snort/bns.diff
> patching file src/Makefile.in
> Hunk #1 FAILED at 170.
> 1 out of 1 hunk FAILED -- saving rejects to file src/Makefile.in.rej
> patching file src/output-plugins/Makefile.am
> Hunk #1 FAILED at 9.
> 1 out of 1 hunk FAILED -- saving rejects to file src/output-plugins/Makefile.am.rej
> patching file src/output-plugins/Makefile.in
> Hunk #1 FAILED at 90.
> Hunk #2 FAILED at 106.
> 2 out of 2 hunks FAILED -- saving rejects to file src/output-plugins/Makefile.in.rej
> patching file src/output-plugins/spo_alert_bns.c
> patching file src/output-plugins/spo_alert_bns.h
> patching file src/plugbase.c
> Hunk #1 succeeded at 110 with fuzz 2 (offset 7 lines).
> Hunk #2 FAILED at 153.
> 1 out of 2 hunks FAILED -- saving rejects to file src/plugbase.c.rej
> done patching...
> exit or menu [e/m]:
>
> I am asking on version of snort because there is a directory called 'snort',
> where the bns.diff is located. In that directory, snort, there is another
> directory called 'non-production' and inside of it are the following
> archives:
> bns-snort-1.9.0.diff
> bns-snort.1.9.1.diff
> spo_alert_bns.c
> spo_alert_bns.h
>
> I have the snort-2.4.4.
>
> Again, sorry for the errors of English.
>
> Thanks
>
> Will Metcalf <wil...@gm...> wrote:
> > download the tarball, look at the doc/README.INLINE in the source
> > file. It discusses how to use bait-and-switch to accomplish this.
> >
> > Regards,
> >
> > Will
> >
> > On 5/6/06, ikami wrote:
> > > Hi guys,
> > > Sorry for my english but I'm good on it. I just know to read in english and
> > > thus very badly.
> > > I have 2 weeks to finish a project and I don't know how to do one thing. I
> > > have a network with 3 machines. 1) Router with snort and iptables, 2) Web
> > > server 3) honeypot.
> > > My problem is: I want to redirect all the malicious traffic to the honeypot
> > > instead of the web server. Searching for a solution on GOOGLE I found the
> > > snort_inline project. My doubt now is: Snort_inline can do this redirect? If
> > > yes any one can explain me how?
> > >
> > > Thanks
From: Will M. <wil...@gm...> - 2006-05-07 16:01:01

We are at snort_inline-2.4.4.... I have not looked at snort-2.6.0 to see if the freebsd fixes are in there but they were not as of snort-2.4.4.

Regards,

Will

On 5/7/06, Michael Scheidell <sch...@se...> wrote:
> My questions are FREEBSD/snort inline and ipfw specific.
>
> Is the freebsd snort_inline port for ipfw support not needed anymore?
>
> I noticed it still at 2.3RC1 as the base source being imported by port.
>
> Attempting to compare the 2.4.4 main code vs the 2.3RC1 snort_inline
> stretched what is left of my neurons to the breaking point.
>
> Changelogs both only seem to have mostly sourcefire.com changes
> documented, nothing inline specific.
>
> The README.INLINE could contain difference between snort with inline and
> snort_inline, or contain differences between snort 2.3 and snort 2.4.
>
> There is inline_state vs enable_state, and looks like there is a
> 'stickydrop' option to snort_inline that is not mentioned in snort with
> inline, but that is all I see mentioned in README.INLINE.
>
> This patch would allow user to enable the inline ipfw support
> (maybe add a sed or two in for snort.sh.in?
> sed "s/-Dq/-Dq -J 8000/" snort.sh.in
>
> --- Makefile.orig Fri May 5 20:08:00 2006
> +++ Makefile Sun May 7 08:09:22 2006
> @@ -7,7 +7,7 @@
>
>  PORTNAME=      snort
>  PORTVERSION=   2.4.4
> -PORTREVISION=  1
> +PORTREVISION=  2
>  CATEGORIES=    security
>  MASTER_SITES=  http://www.snort.org/dl/current/
>
> @@ -20,7 +20,8 @@
>      MYSQL "Enable MySQL support" off \
>      ODBC "Enable ODBC support" off \
>      POSTGRESQL "Enable PostgreSQL support" off \
> -    PRELUDE "Enable Prelude NIDS integration" off
> +    PRELUDE "Enable Prelude NIDS integration" off \
> +    INLINE "Enable inline with ipfw divert support" off \
>
>  USE_GPG=       yes
>  SIG_SUFFIX=    .sig
> @@ -80,6 +81,10 @@
>  .else
>  CONFIGURE_ARGS+=       --disable-prelude
>  PLIST_SUB+=    PRELUDE="@comment "
> +.endif
> +
> +.if defined(WITH_INLINE)
> +CONFIGURE_ARGS+=       --enable-ipfw --enable-inline
>  .endif
>
>  post-patch:
From: ikami <ik...@ya...> - 2006-05-07 15:40:18

One question: Bait and Switch HoneyPot only works with snort.1.9.1?
When I tried to install it (on step 3) it asks for the archive bns.diff. I write the path of the bns.diff and an ERROR occurs
Copy of the ERROR:

1) Set Up Routing Tables. (**RUN ONCE PER MACHINE**)
2) Configuration
3) Patch Snort (ONLY AFTER OPTION 2)
4) Exit
Your Choice: 3

Path to bns.diff (ie: /root/bns/snort/bns.diff)
/usr/local/ids/bns/snort/bns.diff
patching file src/Makefile.in
Hunk #1 FAILED at 170.
1 out of 1 hunk FAILED -- saving rejects to file src/Makefile.in.rej
patching file src/output-plugins/Makefile.am
Hunk #1 FAILED at 9.
1 out of 1 hunk FAILED -- saving rejects to file src/output-plugins/Makefile.am.rej
patching file src/output-plugins/Makefile.in
Hunk #1 FAILED at 90.
Hunk #2 FAILED at 106.
2 out of 2 hunks FAILED -- saving rejects to file src/output-plugins/Makefile.in.rej
patching file src/output-plugins/spo_alert_bns.c
patching file src/output-plugins/spo_alert_bns.h
patching file src/plugbase.c
Hunk #1 succeeded at 110 with fuzz 2 (offset 7 lines).
Hunk #2 FAILED at 153.
1 out of 2 hunks FAILED -- saving rejects to file src/plugbase.c.rej
done patching...
exit or menu [e/m]:

I am asking on version of snort because there is a directory called 'snort', where the bns.diff is located. In that directory, snort, there is another directory called 'non-production' and inside of it are the following archives:
bns-snort-1.9.0.diff
bns-snort.1.9.1.diff
spo_alert_bns.c
spo_alert_bns.h

I have the snort-2.4.4.

Again, sorry for the errors of English.

Thanks

Will Metcalf <wil...@gm...> wrote:
> download the tarball, look at the doc/README.INLINE in the source
> file. It discusses how to use bait-and-switch to accomplish this.
>
> Regards,
>
> Will
>
> On 5/6/06, ikami wrote:
> > Hi guys,
> > Sorry for my english but I'm good on it. I just know to read in english and
> > thus very badly.
> > I have 2 weeks to finish a project and I don't know how to do one thing. I
> > have a network with 3 machines. 1) Router with snort and iptables, 2) Web
> > server 3) honeypot.
> > My problem is: I want to redirect all the malicious traffic to the honeypot
> > instead of the web server. Searching for a solution on GOOGLE I found the
> > snort_inline project. My doubt now is: Snort_inline can do this redirect? If
> > yes any one can explain me how?
> >
> > Thanks
From: Michael S. <sch...@se...> - 2006-05-07 12:18:42

My questions are FREEBSD/snort inline and ipfw specific.

Is the freebsd snort_inline port for ipfw support not needed anymore?

I noticed it still at 2.3RC1 as the base source being imported by port.

Attempting to compare the 2.4.4 main code vs the 2.3RC1 snort_inline stretched what is left of my neurons to the breaking point.

Changelogs both only seem to have mostly sourcefire.com changes documented, nothing inline specific.

The README.INLINE could contain difference between snort with inline and snort_inline, or contain differences between snort 2.3 and snort 2.4.

There is inline_state vs enable_state, and looks like there is a 'stickydrop' option to snort_inline that is not mentioned in snort with inline, but that is all I see mentioned in README.INLINE.

This patch would allow user to enable the inline ipfw support (maybe add a sed or two in for snort.sh.in?
sed "s/-Dq/-Dq -J 8000/" snort.sh.in

--- Makefile.orig Fri May 5 20:08:00 2006
+++ Makefile Sun May 7 08:09:22 2006
@@ -7,7 +7,7 @@

 PORTNAME=      snort
 PORTVERSION=   2.4.4
-PORTREVISION=  1
+PORTREVISION=  2
 CATEGORIES=    security
 MASTER_SITES=  http://www.snort.org/dl/current/

@@ -20,7 +20,8 @@
     MYSQL "Enable MySQL support" off \
     ODBC "Enable ODBC support" off \
     POSTGRESQL "Enable PostgreSQL support" off \
-    PRELUDE "Enable Prelude NIDS integration" off
+    PRELUDE "Enable Prelude NIDS integration" off \
+    INLINE "Enable inline with ipfw divert support" off \

 USE_GPG=       yes
 SIG_SUFFIX=    .sig
@@ -80,6 +81,10 @@
 .else
 CONFIGURE_ARGS+=       --disable-prelude
 PLIST_SUB+=    PRELUDE="@comment "
+.endif
+
+.if defined(WITH_INLINE)
+CONFIGURE_ARGS+=       --enable-ipfw --enable-inline
 .endif

 post-patch:
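Review bot: in the OPTIONS hunk (@@ -20,7 +20,8 @@) the added line `+    INLINE "Enable inline with ipfw divert support" off \` is now the last entry of the list but still ends in a backslash, so the continuation runs into the blank line that follows; drop the trailing `\` from the INLINE line (the PRELUDE line correctly gains one because it is no longer last). In the configure hunk (@@ -80,6 +81,10 @@) the new `.if defined(WITH_INLINE)` block passes `--enable-ipfw --enable-inline` but, unlike the PRELUDE block directly above it, has no `.else` branch and no PLIST_SUB entry, and the reply in this thread notes that the FreeBSD ipfw fixes were not in the stock snort-2.4.4 source the port builds from, so a WITH_INLINE build should at least be gated on that being verified. The `-J 8000` divert-port change for snort.sh.in is left as a sed suggestion in the cover text rather than included as a patch, which means a WITH_INLINE install still needs a manual rc-script edit; either patch snort.sh.in under the same `.if defined(WITH_INLINE)` or document the required ipfw divert rule and `-J` flag in pkg-message.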
From: Will M. <wil...@gm...> - 2006-05-07 03:53:11

download the tarball, look at the doc/README.INLINE in the source file. It discusses how to use bait-and-switch to accomplish this.

Regards,

Will

On 5/6/06, ikami <ik...@ya...> wrote:
> Hi guys,
> Sorry for my english but I'm good on it. I just know to read in english and
> thus very badly.
> I have 2 weeks to finish a project and I don't know how to do one thing. I
> have a network with 3 machines. 1) Router with snort and iptables, 2) Web
> server 3) honeypot.
> My problem is: I want to redirect all the malicious traffic to the honeypot
> instead of the web server. Searching for a solution on GOOGLE I found the
> snort_inline project. My doubt now is: Snort_inline can do this redirect? If
> yes any one can explain me how?
>
> Thanks
From: ikami <ik...@ya...> - 2006-05-07 01:11:31

Hi guys,
Sorry for my english but I'm good on it. I just know to read in english and thus very badly.
I have 2 weeks to finish a project and I don't know how to do one thing. I have a network with 3 machines. 1) Router with snort and iptables, 2) Web server 3) honeypot.
My problem is: I want to redirect all the malicious traffic to the honeypot instead of the web server. Searching for a solution on GOOGLE I found the snort_inline project. My doubt now is: Snort_inline can do this redirect? If yes any one can explain me how?

Thanks
From: Alfredo O. <ao...@tu...> - 2006-04-28 01:55:12

Hi Will.... I just loaded ethereal and repeated the test on a windows xp machine. Ethereal did capture several tcp packets with the flexresp block message. The IE6 client, however, did not display them. 5 packets are sent from snort_inline to the client with the flexresp message.

packet (1) [tcp retransmission] Continuation or non-http traffic
packets (2-4) [tcp acked lost segment] Continuation or non-http traffic

Any thoughts?

thanks....Alfredo

----- Original Message -----
From: "Alfredo Osorio" <ao...@tu...>
To: "Will Metcalf" <wil...@gm...>
Cc: <sno...@li...>
Sent: Wednesday, April 26, 2006 11:09 PM
Subject: Re: [Snort-inline-users] React Keyword and Msg not displaying on IE6

> Thanks Will....I'm pretty sure the page is being sent back but will double
> check tomorrow. Here's a little more detail on what I did...
>
> (1) Set up two test clients - one with knoppix and one with Windows XP
> (2) The Knoppix client running firefox works flawlessly - flexresp page is
> displayed without problems.
> (3) The Windows XP client running IE6, however, either hangs (i.e.
> connecting...) when the rule uses DROP or repaints with "server not found"
> when using REJECT.
>
> I will load ethereal on the Windows machine tomorrow and check for traffic
> but my guess is that the page is being sent back but somehow IE6 is
> deciding not to repaint.....Regards,...Alfredo
>
> ----- Original Message -----
> From: "Will Metcalf" <wil...@gm...>
> To: "Alfredo Osorio" <ao...@tu...>
> Cc: <sno...@li...>
> Sent: Wednesday, April 26, 2006 10:32 PM
> Subject: Re: [Snort-inline-users] React Keyword and Msg not displaying on IE6
>
> > errrr what do you get? nothing at all? if watch the traffic via
> > tcpdump is it sending the page back to the client?
> >
> > Regards,
> >
> > Will
> >
> > On 4/26/06, Alfredo Osorio <ao...@tu...> wrote:
> > > Hello Everyone...(My apologies as I sent this note before from a non-member
> > > email address - my work address)
> > >
> > > I'm currently running snort_inline.2.4.4-final with clamav and flexresp on
> > > my home network. Everything works really well with one interesting exception
> > > - when using "react:block,msg" to block access to inappropriate web sites
> > > the warning message only appears if one is using mozilla or conqueror but
> > > not on IE6. I have tried "drop", "rejectboth", "rejectsrc", "rejectdst" and
> > > even "alert" with the same results. Has anyone encountered this problem? I'm
> > > new to Linux and would welcome any
> > > thoughts/ideas....Regards,....Alfredo
From: Alfredo O. <ao...@tu...> - 2006-04-27 03:06:13

Thanks Will....I'm pretty sure the page is being sent back but will double check tomorrow. Here's a little more detail on what I did...

(1) Set up two test clients - one with knoppix and one with Windows XP
(2) The Knoppix client running firefox works flawlessly - flexresp page is displayed without problems.
(3) The Windows XP client running IE6, however, either hangs (i.e. connecting...) when the rule uses DROP or repaints with "server not found" when using REJECT.

I will load ethereal on the Windows machine tomorrow and check for traffic but my guess is that the page is being sent back but somehow IE6 is deciding not to repaint.....Regards,...Alfredo

----- Original Message -----
From: "Will Metcalf" <wil...@gm...>
To: "Alfredo Osorio" <ao...@tu...>
Cc: <sno...@li...>
Sent: Wednesday, April 26, 2006 10:32 PM
Subject: Re: [Snort-inline-users] React Keyword and Msg not displaying on IE6

> errrr what do you get? nothing at all? if watch the traffic via
> tcpdump is it sending the page back to the client?
>
> Regards,
>
> Will
>
> On 4/26/06, Alfredo Osorio <ao...@tu...> wrote:
> > Hello Everyone...(My apologies as I sent this note before from a non-member
> > email address - my work address)
> >
> > I'm currently running snort_inline.2.4.4-final with clamav and flexresp on
> > my home network. Everything works really well with one interesting exception
> > - when using "react:block,msg" to block access to inappropriate web sites
> > the warning message only appears if one is using mozilla or conqueror but
> > not on IE6. I have tried "drop", "rejectboth", "rejectsrc", "rejectdst" and
> > even "alert" with the same results. Has anyone encountered this problem? I'm
> > new to Linux and would welcome any
> > thoughts/ideas....Regards,....Alfredo
From: Will M. <wil...@gm...> - 2006-04-27 02:32:17

errrr what do you get? nothing at all? if watch the traffic via tcpdump is it sending the page back to the client?

Regards,

Will

On 4/26/06, Alfredo Osorio <ao...@tu...> wrote:
> Hello Everyone...(My apologies as I sent this note before from a non-member
> email address - my work address)
>
> I'm currently running snort_inline.2.4.4-final with clamav and flexresp on
> my home network. Everything works really well with one interesting exception
> - when using "react:block,msg" to block access to inappropriate web sites
> the warning message only appears if one is using mozilla or conqueror but
> not on IE6. I have tried "drop", "rejectboth", "rejectsrc", "rejectdst" and
> even "alert" with the same results. Has anyone encountered this problem? I'm
> new to Linux and would welcome any
> thoughts/ideas....Regards,....Alfredo
From: Alfredo O. <ao...@tu...> - 2006-04-26 15:50:11

Hello Everyone...(My apologies as I sent this note before from a non-member email address - my work address)

I'm currently running snort_inline.2.4.4-final with clamav and flexresp on my home network. Everything works really well with one interesting exception - when using "react:block,msg" to block access to inappropriate web sites the warning message only appears if one is using mozilla or conqueror but not on IE6. I have tried "drop", "rejectboth", "rejectsrc", "rejectdst" and even "alert" with the same results. Has anyone encountered this problem? I'm new to Linux and would welcome any thoughts/ideas....Regards,....Alfredo
From: Will M. <wil...@gm...> - 2006-04-25 12:14:47

you're not taking a class with John Smith are you? You have to replace the content match with exactly the same amount of data. It would be rather trivial to write a preproc to do what you are trying to accomplish i.e. if string xyz not first three bytes of payload, create new buff of payload size, fill with crap, replace payload packet->p with newly generated one, calculate new checksum, call InlineReplace();

Regards,

Will

On 4/24/06, Amit Bagree <ab...@an...> wrote:
> Hi all,
> I am having a project deadline pretty soon and have stumbled into a fundamental issue here.
>
> Scenario: I am trying to rewrite/"replace" the entire data field of an icmp packet with 0's. There isn't a "any" wildcard for content keyword, so i thought that i will check for the data field filled by different OS's and i figured out they are always the same. So now my plan was to use something like:
>
> content: !"whatever garbage filled by different OS's"; replace "000..."
> But this doesn't seem to work.
>
> Now what i want to know is can i overwrite the data field of an ICMP packet when i get it anyhow?
>
> Responses highly appreciated!!
>
> Thanks a lot,
> Amit
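As an added illustration of the preprocessor approach Will sketches above (example code written for this page, not code from snort_inline or from anyone in the thread), the block below takes a raw IPv4/ICMP packet, overwrites the whole ICMP data field with zeros of exactly the same length, which is the constraint Will states, and recomputes the ICMP checksum. The sample packet is constructed here, and the final hand-off to snort_inline's `InlineReplace()` is left out because its signature is not shown on the page.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IPV4_MIN_HDR_LEN 20   /* the constructed sample carries no IP options */
#define ICMP_HDR_LEN      8   /* type, code, checksum, identifier, sequence */

/* RFC 1071 one's-complement checksum over len bytes (odd tail zero-padded). */
static uint16_t inet_checksum(const uint8_t *data, size_t len)
{
    uint32_t sum = 0;
    while (len > 1) {
        sum += (uint32_t)((data[0] << 8) | data[1]);
        data += 2;
        len -= 2;
    }
    if (len == 1)
        sum += (uint32_t)(data[0] << 8);
    while (sum >> 16)
        sum = (sum & 0xffffu) + (sum >> 16);
    return (uint16_t)(~sum & 0xffffu);
}

/* Locate the ICMP message inside a raw IPv4 packet: returns its length and
   stores its offset in *off, or returns 0 for anything that is not a
   well-formed IPv4 packet carrying ICMP (such packets must be left alone). */
static size_t icmp_locate(const uint8_t *pkt, size_t pkt_len, size_t *off)
{
    if (pkt_len < IPV4_MIN_HDR_LEN || (pkt[0] >> 4) != 4)
        return 0;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    size_t total_len = ((size_t)pkt[2] << 8) | pkt[3];
    if (ihl < IPV4_MIN_HDR_LEN || total_len > pkt_len ||
        total_len < ihl + ICMP_HDR_LEN || pkt[9] != 1 /* IPPROTO_ICMP */)
        return 0;
    *off = ihl;
    return total_len - ihl;
}

/* Overwrite the ICMP data field with zeros of exactly the same length and
   recompute the ICMP checksum (the "same amount of data" rule Will states).
   The IP header is untouched, so its checksum and total length stay valid.
   Returns the number of data bytes zeroed, or -1 for a non-IPv4/ICMP packet. */
int icmp_zero_payload(uint8_t *pkt, size_t pkt_len)
{
    size_t off, icmp_len = icmp_locate(pkt, pkt_len, &off);
    if (icmp_len == 0)
        return -1;
    uint8_t *icmp = pkt + off;
    size_t data_len = icmp_len - ICMP_HDR_LEN;
    memset(icmp + ICMP_HDR_LEN, 0, data_len);
    icmp[2] = icmp[3] = 0;              /* checksum field is zero while summing */
    uint16_t csum = inet_checksum(icmp, icmp_len);
    icmp[2] = (uint8_t)(csum >> 8);
    icmp[3] = (uint8_t)(csum & 0xff);
    return (int)data_len;
}

/* Constructed sample, not a capture: IPv4 header + ICMP echo request whose
   16-byte data field is the ASCII run a typical ping client sends. The IP
   header checksum is left at 0; nothing here validates or rewrites it. */
#define SAMPLE_DATA_LEN 16
#define SAMPLE_LEN (IPV4_MIN_HDR_LEN + ICMP_HDR_LEN + SAMPLE_DATA_LEN)
size_t build_sample_echo(uint8_t *buf, size_t buflen)
{
    static const uint8_t hdr[IPV4_MIN_HDR_LEN + ICMP_HDR_LEN] = {
        0x45, 0x00, 0x00, SAMPLE_LEN,  /* ver 4/IHL 5, TOS, total length 44 */
        0x12, 0x34, 0x00, 0x00,        /* identification, flags/fragment offset */
        0x40, 0x01, 0x00, 0x00,        /* TTL 64, protocol 1 = ICMP, hdr csum 0 */
        192, 0, 2, 10,                 /* src 192.0.2.10 (TEST-NET-1) */
        192, 0, 2, 20,                 /* dst 192.0.2.20 */
        0x08, 0x00, 0x00, 0x00,        /* echo request, code 0, checksum 0 */
        0x00, 0x01, 0x00, 0x07         /* identifier 1, sequence 7 */
    };
    if (buflen < SAMPLE_LEN)
        return 0;
    memcpy(buf, hdr, sizeof hdr);
    memcpy(buf + sizeof hdr, "abcdefghijklmnop", SAMPLE_DATA_LEN);
    return SAMPLE_LEN;
}

/* Normalise the sample, verify the result (a correct ICMP checksum makes the
   sum over the whole message fold to zero) and return the new checksum, or 0
   on failure. For this sample: ~(0x0800 + 0x0001 + 0x0007) = 0xf7f7. */
unsigned demo_zero_sample(void)
{
    uint8_t buf[64];
    size_t off, n = build_sample_echo(buf, sizeof buf);
    if (n == 0 || icmp_zero_payload(buf, n) != SAMPLE_DATA_LEN)
        return 0;
    size_t icmp_len = icmp_locate(buf, n, &off);
    if (icmp_len == 0 || inet_checksum(buf + off, icmp_len) != 0)
        return 0;
    return ((unsigned)buf[off + 2] << 8) | buf[off + 3];
}

int main(void)
{
    printf("ICMP data field zeroed, new checksum 0x%04x\n", demo_zero_sample());
    return 0;
}
```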
From: Amit B. <ab...@an...> - 2006-04-25 03:41:46

Hi all,
I am having a project deadline pretty soon and have stumbled into a fundamental issue here.

Scenario: I am trying to rewrite/"replace" the entire data field of an icmp packet with 0's. There isn't a "any" wildcard for content keyword, so i thought that i will check for the data field filled by different OS's and i figured out they are always the same. So now my plan was to use something like:

content: !"whatever garbage filled by different OS's"; replace "000..."
But this doesn't seem to work.

Now what i want to know is can i overwrite the data field of an ICMP packet when i get it anyhow?

Responses highly appreciated!!

Thanks a lot,
Amit
From: Marco F. <m.f...@gm...> - 2006-04-24 08:16:55

Hi,
I'm working with snort_inline version 2.3.0-RC1, and I would like to know how can I write a preprocessor to modify the packets. I have to modify a packet payload (SIP protocol) inside a snort_inline preprocessor written by myself. How can I replace a string (e.g. marco) with some other string (e.g. XXXX) inside a preprocessor? Is there a function call I can use? I guess I have to use the 'replace' keyword, but the example in the file README.INLINE is not explaining how to do what I need: it is explaining how to modify a packet using the rules while I need to modify the packet more dynamically in a preprocessor. (I am also dropping packets inside the preprocessor and I use the function InlineDrop(), is there something similar to replace strings?)

Thanks in advance,
Marco
From: James B. <jl...@bo...> - 2006-04-24 05:12:32

Thanks Will.

I allowed Nick to SSH into my machine to try and get it working under Mac OS X. Unfortunately the latency was too high for him to be very productive on it.

On 28/10/2005, at 2:54 PM, Nick Rogness wrote:
> On the status of running snort_inline on Mac OS X:
>
> There appears to be a problem with MacOS and mangling the packet in
> inline mode. Snort_inline is working and passing packets OK through the
> firewall...it just appears that there is something wrong with the
> packets after inline inspects them.
>
> Also, rejects cause bus errors (which is bad!). Yeh, it compiles, but it
> doesn't work.

This is what he said on 30 Jan 2006 on this list:

"I am working on Mac OS X and will likely be a patched version of 2.4.3. If anyone has SSH access to a Mac that I can build on, it would speed this process along. Email me privately at ni...@ro... if will let me use your machine to test on."

Unfortunately I have pretty meager programming skills, so I can't contribute to the code itself. If I can help in any other way I would.

If I use QoS on my switch would that help reduce the latency? Or is it just because we are on the wrong side of the world? I've doubled our upload speed since Nick had his last attempt. If we can get SSH working acceptably I'd be happy to grant access to my computer if that would help.

Regards,
James.

On 24/04/2006, at 2:51 PM, Will Metcalf wrote:
> Nick Rogness was working on it but unfortunately he won't be able to
> do any coding for a while. I don't have a MacOSX box, and neither do
> Dave or Victor. You want to build support for MacOS X be my guest,
> let me know when you get a patch together and we will be sure to
> include it.
>
> Regards,
>
> Will
From: Will M. <wil...@gm...> - 2006-04-24 05:01:42

Actually that brings up an interesting point. Anybody have access to a OSX box based on the intel chipset? If I remember correctly Nick thought a lot of the issues he was running into porting snort_inline to OSX had to do with the architecture differences between x86 and Power. Anybody want to give it a shot and get back to me?

Regards,

Will

On 4/23/06, Will Metcalf <wil...@gm...> wrote:
> Nick Rogness was working on it but unfortunately he won't be able to
> do any coding for a while. I don't have a MacOSX box, and neither do
> Dave or Victor. You want to build support for MacOS X be my guest,
> let me know when you get a patch together and we will be sure to
> include it.
>
> Regards,
>
> Will
>
> On 4/23/06, James Brown <jl...@bo...> wrote:
> > So still no MacOS X support?
> >
> > :-(
> >
> > James.
> >
> > On 24/04/2006, at 1:48 PM, snort-inline-users-re...@li... wrote:
> > > Send Snort-inline-users mailing list submissions to
> > > sno...@li...
> > >
> > > To subscribe or unsubscribe via the World Wide Web, visit
> > > https://lists.sourceforge.net/lists/listinfo/snort-inline-users
> > > or, via email, send a message with subject or body 'help' to
> > > sno...@li...
> > >
> > > You can reach the person managing the list at
> > > sno...@li...
> > >
> > > When replying, please edit your Subject line so it is more specific
> > > than "Re: Contents of Snort-inline-users digest..."
> > >
> > > Today's Topics:
> > >
> > > 1. Release: snort_inline-2.4.4-final (Will Metcalf)
> > >
> > > --__--__--
> > >
> > > Message: 1
> > > Date: Sun, 23 Apr 2006 10:43:11 -0500
> > > From: "Will Metcalf" <wil...@gm...>
> > > To: snort-inline-users <sno...@li...>
> > > Subject: [Snort-inline-users] Release: snort_inline-2.4.4-final
> > >
> > > List,
> > >
> > > You thought it would never happen......
> > > We had our doubts as well.......
> > > But we have finally released something that doesn't have the RC
> > > designation behind it....
> > > Now Victor can stop bugging me and we can start porting to 2.6.0 w00t!
> > >
> > > Below is that change log, as always take a look at the README.INLINE
> > > and snort_inline.conf in the source file for more info.
> > >
> > > Changes: And I thought we would always be a release behind SF ;-)
> > > Fixed stickydrop to work with tracking rules. Added insert_before
> > > option to bait-and-switch so that it would add the NAT rules via "-I"
> > > instead of "-A". Updated snort_inline.conf and README.INLINE
> > >
> > > Go get the latest release from
> > >
> > > http://snort-inline.sourceforge.net/download.html
> > >
> > > Regards,
> > >
> > > Will
> > >
> > > --__--__--
> > >
> > > _______________________________________________
> > > Snort-inline-users mailing list
> > > Sno...@li...
> > > https://lists.sourceforge.net/lists/listinfo/snort-inline-users
> > >
> > > End of Snort-inline-users Digest
From: Will M. <wil...@gm...> - 2006-04-24 04:51:15
Nick Rogness was working on it but unfortunately he won't be able to do any coding for a while. I don't have a MacOSX box, and neither do Dave or Victor. You want to build support for MacOS X be my guest, let me know when you get a patch together and we will be sure to include it.

Regards,

Will

On 4/23/06, James Brown <jl...@bo...> wrote:
> So still no MacOS X support?
>
> :-(
>
> James.
>
> On 24/04/2006, at 1:48 PM, snort-inline-users-re...@li... wrote:
>
> > Send Snort-inline-users mailing list submissions to
> > sno...@li...
> >
> > To subscribe or unsubscribe via the World Wide Web, visit
> > https://lists.sourceforge.net/lists/listinfo/snort-inline-users
> > or, via email, send a message with subject or body 'help' to
> > sno...@li...
> >
> > You can reach the person managing the list at
> > sno...@li...
> >
> > When replying, please edit your Subject line so it is more specific
> > than "Re: Contents of Snort-inline-users digest..."
> >
> > Today's Topics:
> >
> > 1. Release: snort_inline-2.4.4-final (Will Metcalf)
> >
> > --__--__--
> >
> > Message: 1
> > Date: Sun, 23 Apr 2006 10:43:11 -0500
> > From: "Will Metcalf" <wil...@gm...>
> > To: snort-inline-users <sno...@li...>
> > Subject: [Snort-inline-users] Release: snort_inline-2.4.4-final
> >
> > List,
> >
> > You thought it would never happen......
> > We had our doubts as well.......
> > But we have finally released something that doesn't have the RC
> > designation behind it....
> > Now Victor can stop bugging me and we can start porting to 2.6.0 w00t!
> >
> > Below is that change log, as always take a look at the README.INLINE
> > and snort_inline.conf in the source file for more info.
> >
> > Changes: And I thought we would always be a release behind SF ;-)
> > Fixed stickydrop to work with tracking rules. Added insert_before
> > option to bait-and-switch so that it would add the NAT rules via "-I"
> > instead of "-A". Updated snort_inline.conf and README.INLINE
> >
> > Go get the latest release from
> >
> > http://snort-inline.sourceforge.net/download.html
> >
> > Regards,
> >
> > Will
> >
> > --__--__--
> >
> > _______________________________________________
> > Snort-inline-users mailing list
> > Sno...@li...
> > https://lists.sourceforge.net/lists/listinfo/snort-inline-users
> >
> > End of Snort-inline-users Digest
From: James B. <jl...@bo...> - 2006-04-24 04:00:16
So still no MacOS X support?

:-(

James.

On 24/04/2006, at 1:48 PM, snort-inline-users-re...@li... wrote:
> Send Snort-inline-users mailing list submissions to
> sno...@li...
>
> To subscribe or unsubscribe via the World Wide Web, visit
> https://lists.sourceforge.net/lists/listinfo/snort-inline-users
> or, via email, send a message with subject or body 'help' to
> sno...@li...
>
> You can reach the person managing the list at
> sno...@li...
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Snort-inline-users digest..."
>
> Today's Topics:
>
> 1. Release: snort_inline-2.4.4-final (Will Metcalf)
>
> --__--__--
>
> Message: 1
> Date: Sun, 23 Apr 2006 10:43:11 -0500
> From: "Will Metcalf" <wil...@gm...>
> To: snort-inline-users <sno...@li...>
> Subject: [Snort-inline-users] Release: snort_inline-2.4.4-final
>
> List,
>
> You thought it would never happen......
> We had our doubts as well.......
> But we have finally released something that doesn't have the RC
> designation behind it....
> Now Victor can stop bugging me and we can start porting to 2.6.0 w00t!
>
> Below is that change log, as always take a look at the README.INLINE
> and snort_inline.conf in the source file for more info.
>
> Changes: And I thought we would always be a release behind SF ;-)
> Fixed stickydrop to work with tracking rules. Added insert_before
> option to bait-and-switch so that it would add the NAT rules via "-I"
> instead of "-A". Updated snort_inline.conf and README.INLINE
>
> Go get the latest release from
>
> http://snort-inline.sourceforge.net/download.html
>
> Regards,
>
> Will
>
> --__--__--
>
> _______________________________________________
> Snort-inline-users mailing list
> Sno...@li...
> https://lists.sourceforge.net/lists/listinfo/snort-inline-users
>
> End of Snort-inline-users Digest
From: Will M. <wil...@gm...> - 2006-04-23 15:43:12
List,

You thought it would never happen......
We had our doubts as well.......
But we have finally released something that doesn't have the RC designation behind it....
Now Victor can stop bugging me and we can start porting to 2.6.0 w00t!

Below is that change log, as always take a look at the README.INLINE and snort_inline.conf in the source file for more info.

Changes: And I thought we would always be a release behind SF ;-)
Fixed stickydrop to work with tracking rules. Added insert_before option to bait-and-switch so that it would add the NAT rules via "-I" instead of "-A". Updated snort_inline.conf and README.INLINE

Go get the latest release from

http://snort-inline.sourceforge.net/download.html

Regards,

Will
From: Will M. <wil...@gm...> - 2006-04-19 14:48:07
You can use the replace keyword to replace content matches. What exactly are you trying to accomplish?

Regards,

Will

On 4/19/06, Marco Falomi <m.f...@gm...> wrote:
> hi,
> I'm working with snort_inline version 2.3.0-RC1, and I would like to know
> how can I write a preprocessor to modify the packets. At least I would like
> to know if there is some tutorial or something similar to learn how to
> modify packets.
> Regards
> Marco
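As an added illustration (not code from this thread or from snort_inline itself), the following Python models the two things an in-place replace rule has to get right: the substituted bytes must be exactly as long as the matched content, and the TCP checksum must be recomputed afterwards. The packet contents are constructed here, and `build_packet`, `replace_payload` and the other helper names are my own.

```python
# Added example, not snort_inline code: models what an in-place "replace" rule
# has to do to a packet. Every packet below is constructed by hand.
import struct

def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def tcp_checksum(src: bytes, dst: bytes, tcp: bytes) -> int:
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(tcp))  # IPv4 pseudo-header
    return checksum(pseudo + tcp)

def build_packet(payload: bytes) -> bytes:
    """Constructed IPv4/TCP packet 10.0.0.1:1234 -> 10.0.0.2:80 with payload."""
    src, dst = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
    tcp = struct.pack("!HHIIBBHHH", 1234, 80, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + payload
    tcp = tcp[:16] + struct.pack("!H", tcp_checksum(src, dst, tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + tcp

def verify_tcp(pkt: bytes) -> bool:
    """A valid segment sums to zero when the checksum field is included."""
    ihl = (pkt[0] & 0x0F) * 4
    return tcp_checksum(pkt[12:16], pkt[16:20], pkt[ihl:]) == 0

def replace_payload(pkt: bytes, content: bytes, replacement: bytes, fix_checksum=True):
    """Overwrite the first `content` match in the TCP payload in place.
    Same length is mandatory: growing or shrinking the segment would desynchronise
    TCP sequence numbers on both ends. Returns None when content is absent."""
    if len(content) != len(replacement):
        raise ValueError("replace text must be the same length as the content match")
    ihl = (pkt[0] & 0x0F) * 4
    tcp = pkt[ihl:]
    doff = (tcp[12] >> 4) * 4
    payload = tcp[doff:]
    idx = payload.find(content)
    if idx < 0:
        return None
    tcp = tcp[:doff] + payload[:idx] + replacement + payload[idx + len(content):]
    if fix_checksum:  # skipping this leaves a segment the receiver will drop
        zeroed = tcp[:16] + b"\x00\x00" + tcp[18:]
        ck = tcp_checksum(pkt[12:16], pkt[16:20], zeroed)
        tcp = zeroed[:16] + struct.pack("!H", ck) + zeroed[18:]
    return pkt[:ihl] + tcp
```

Calling `replace_payload` with `fix_checksum=False` shows the failure mode: the bytes are swapped but `verify_tcp` no longer passes, which is what the receiving stack would see.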
From: Marco F. <m.f...@gm...> - 2006-04-19 14:37:17
hi,
I'm working with snort_inline version 2.3.0-RC1, and I would like to know how can I write a preprocessor to modify the packets. At least I would like to know if there is some tutorial or something similar to learn how to modify packets.
Regards
Marco
From: Will M. <wil...@gm...> - 2006-03-26 00:56:11
List,

I have released snort_inline-2.4.4-RC5 which can be downloaded from the following url:

http://snort-inline.sourceforge.net/download.html

We changed a lot of things between 2.4.3-RC4 and 2.4.4-RC5 so please play with and break it if you can ;-).

As a side note, I will be teaching a class on snort_inline for the local Kansas City snort users group. If anyone from the snort_inline-users list is interested let me know, it looks like it will end up being about two days' worth of material.

Regards,

Will

Here is a list o' things that have changed in this release...

Nick
Added Reinject rule action for IPFW (see snort_inline.conf)

Dave
Added a fix for stuck packets under high load for NFQUEUE
Added support for stripping http headers out of packet payloads for ClamAV, no, we do not yet support chunked or gzip encoding so don't ask ;-).
Removed support for buffer scanning using ClamAV, we now only support scanning via file-descriptor-mode. If you defined file-descriptor-mode for clamav in your snort_inline.conf before you must now remove it.
Added fix for condition when ClamAV alerted and was followed by an alert in snort, packet contents could not be logged.
Added new rule actions rejectsrc (same as reject), rejectdst, and rejectboth (README.INLINE). It should be noted that rejectdst will not work in combination with layer2resets as iptables only passes us the src mac; if this is the condition the packet will be dropped but no reset will be sent.

Victor
Added experimental support for saving the stream4 state table to disk at exit, this allows you to preserve already established sessions with stream4 and enforce_state enabled (see snort_inline.conf).
From: Tony C. <tc...@en...> - 2006-03-23 13:29:14
> > I checked out bypass switches from Netoptics but I would like
> > something that can be installed directly in the PC.
> > A PCI nic basically.
> >
> > Any ideas?
> >
> > Thanks,
> > Mike

I was looking for the same and found a combined TAP / Bypass card.

http://www.silicom-usa.com/ProductsAndEventsinside.asp?id=168

I'm not sure what the price is on the tap/bypass card but they do make a bypass only card for around $250 USD. Google for "ethernet bypass cards"

-Tony
From: aria a. <ari...@ya...> - 2006-03-14 09:16:51
Hello,

I saw a problem with my snort, when I use:

iptables -A FORWARD -p tcp -j QUEUE

to redirect Internet traffic (originated from my MS-ISA Proxy/NAT server) to snort daemon, users are able to login in their Yahoo Messengers and receive offline message but they can't send IM to outside or each other (all other traffic included ftp, https, ssh, telnet, http, .... are ok), in fact all traffic to Yahoo servers to --dport 5050 will have problem until I use:

iptables -A FORWARD -p tcp --sport 1024:65000 --dport 5050 -j ACCEPT

(and vice versa from --sport 5050 to --dport 1024:65000). Would you plz let me know what's the problem?
From: aria a. <ari...@ya...> - 2006-03-07 19:51:32
Hi and thank you Dear William,

so you mean if I use:

iptables -A FORWARD -p tcp -j QUEUE

and start snort with -Q and disable stream4 and stream4 reassembly, my snort should work in inline mode with no problem? I'm going to assure someone that snort_inline is able to work as IPS in these situation (asymmetric) but as you mentioned we must look carefully to traffic as well. am i right? also I'd like to know what do you recommend for these situation for an IPS to work with better functionality?

With Regards and Excuse me for my bombing questions.

Your functionality is greatly reduced as you are only seeing half of the conversation. Disable stream4 and stream4 reassembly and see if you start to get alerts.

Regards,

Will

On 3/7/06, aria asadi <ari...@ya...> wrote:
>
> Hi,
> Would you plz let me know if it's possible to use snort_inline as a IPS in a
> network that use Asymmetric routing (my outgoing traffic goes to internet
> from my router and comes back from my DVB system), I'd like to use
> snort_inline as bridging IPS between my DVB system and my local network to
> capture incoming traffic and check it against snort rules.
> With Regards