From: Jack D. <ml...@gm...> - 2009-07-02 13:20:32

Hi, today I tried to install snort-inline on my Debian (Lenny) but I found some errors while compiling spp_clamav.c:

gcc -DHAVE_CONFIG_H -I. -I../.. -I../.. -I../../src -I../../src/sfutil -I/usr/include/pcap -I../../src/output-plugins -I../../src/detection-plugins -I../../src/dynamic-plugins -I../../src/preprocessors -I../../src/preprocessors/flow -I../../src/preprocessors/portscan -I../../src/preprocessors/flow/int-snort -I../../src/preprocessors/HttpInspect/include -I../../src/preprocessors/Stream5 -I../../src/target-based -I/usr/include/mysql -DENABLE_MYSQL -I/usr/include -fno-strict-aliasing -g -O2 -Wall -DSTREAM4_UDP -DSHUTDOWN_MEMORY_CLEANUP -DDYNAMIC_PLUGIN -DDETECTION_OPTION_TREE -DLINUX_SMP -DNFNETLINKQ -DGIDS -DHAVE_NFQ_MAXLEN -D_BSD_SOURCE -D__BSD_SOURCE -D__FAVOR_BSD -DHAVE_NET_ETHERNET_H -DINLINE_FAILOPEN -DCLAMAV -fno-strict-aliasing -c spp_clamav.c
spp_clamav.c: In function ‘ProcessPorts’:
spp_clamav.c:191: warning: pointer targets in passing argument 1 of ‘mSplit’ differ in signedness
spp_clamav.c: In function ‘ParseClamAVArgs’:
spp_clamav.c:306: warning: pointer targets in initialization differ in signedness
spp_clamav.c:318: warning: implicit declaration of function ‘strlcpy’
spp_clamav.c:356: warning: pointer targets in passing argument 1 of ‘mSplit’ differ in signedness
spp_clamav.c:365: warning: pointer targets in passing argument 1 of ‘ProcessPorts’ differ in signedness
spp_clamav.c: In function ‘ClamAVInit’:
spp_clamav.c:507: warning: pointer targets in passing argument 1 of ‘ParseClamAVArgs’ differ in signedness
spp_clamav.c:520: warning: implicit declaration of function ‘cl_loaddbdir’
spp_clamav.c:530: warning: implicit declaration of function ‘cl_buildtrie’
spp_clamav.c:537: error: invalid application of ‘sizeof’ to incomplete type ‘struct cl_limits’
spp_clamav.c:539: error: invalid use of undefined type ‘struct cl_limits’
spp_clamav.c:541: error: invalid use of undefined type ‘struct cl_limits’
spp_clamav.c:543: error: invalid use of undefined type ‘struct cl_limits’
spp_clamav.c:547: error: invalid use of undefined type ‘struct cl_limits’
spp_clamav.c: In function ‘ClamAVReloadDB’:
spp_clamav.c:580: warning: implicit declaration of function ‘cl_freetrie’
spp_clamav.c: In function ‘strip_http_headers_p’:
spp_clamav.c:650: warning: pointer targets in passing argument 1 of ‘strstr’ differ in signedness
spp_clamav.c:660: warning: assignment discards qualifiers from pointer target type
spp_clamav.c:663: warning: pointer targets in passing argument 1 of ‘strstr’ differ in signedness
spp_clamav.c:663: warning: pointer targets in assignment differ in signedness
spp_clamav.c:678: warning: pointer targets in passing argument 1 of ‘strstr’ differ in signedness
spp_clamav.c:678: warning: pointer targets in assignment differ in signedness
spp_clamav.c:706: warning: pointer targets in passing argument 1 of ‘strstr’ differ in signedness
spp_clamav.c:706: warning: pointer targets in assignment differ in signedness
spp_clamav.c: In function ‘StoreAndScan’:
spp_clamav.c:877: warning: passing argument 4 of ‘cl_scandesc’ from incompatible pointer type
spp_clamav.c:877: warning: passing argument 5 of ‘cl_scandesc’ makes integer from pointer without a cast
spp_clamav.c:877: error: too many arguments to function ‘cl_scandesc’
make[4]: *** [spp_clamav.o] Error 1
make[4]: Leaving directory `/usr/src/snort-inline/src/preprocessors'
make[3]: *** [all-recursive] Error 1
make[3]: Leaving directory `/usr/src/snort-inline/src/preprocessors'
make[2]: *** [all-recursive] Error 1
make[2]: Leaving directory `/usr/src/snort-inline/src'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/usr/src/snort-inline'
make: *** [all] Error 2

These are the steps:

# head -1 RELEASE.NOTES
2008-08-12 - Snort 2.8.3
# uname -a
Linux ips 2.6.26-2-686 #1 SMP Sun Jun 21 04:57:38 UTC 2009 i686 GNU/Linux
# svn co https://snort-inline.svn.sourceforge.net/svnroot/snort-inline/trunk
# cd trunk/
# sh autojunk.sh
# ./configure --enable-pthread --enable-memory-cleanup --enable-stream4udp --enable-inline-init-failopen --enable-nfnetlink --enable-clamav --enable-linux-smp-stats --with-mysql
(configure ends successfully)
# make

Thanks.
From: Dave R. <dav...@gm...> - 2009-07-02 03:37:31

Available for *testing*. See the SVN testing directory: http://snort-inline.svn.sourceforge.net/viewvc/snort-inline/testing/

I've spent a lot of time testing snort_inline 2.8.3.2, but very little on this update. Let me know of any problems.

Cheers,
Dave
From: <DO...@co...> - 2009-06-12 21:12:21

I will be out of the office starting 06/08/2009 and will not return until 06/15/2009. I will respond to your message when I return.
From: Adriel T. D. <ad_...@ne...> - 2009-06-12 19:56:02

Indeed that might help... thanks much.

On Jun 12, 2009, at 3:52 PM, Will Metcalf wrote:
> That version is really old. Try compiling a newer version from source...
> [...]

Adriel T. Desautels
ad_...@ne...
--------------------------------------
Subscribe to our blog
http://snosoft.blogspot.com
From: Will M. <wil...@gm...> - 2009-06-12 19:53:54

That version is really old. Try compiling a newer version from source...

http://sourceforge.net/project/platformdownload.php?group_id=78497

Regards,
Will

On Fri, Jun 12, 2009 at 2:47 PM, Adriel T. Desautels <ad_...@ne...> wrote:
> From the FreeBSD ports...
> [...]
From: Adriel T. D. <ad_...@ne...> - 2009-06-12 19:48:34

   ,,_     -*> Snort_Inline! <*-
  o"  )~   Version 2.4.5 (Build 29) FreeBSD
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/team.html
           (C) Copyright 1998-2005 Sourcefire Inc., et al.
           Snort_Inline Mod by William Metcalf, Victor Julien, Nick Rogness, Dave Remien, Rob McMillen and Jed Haile

NOTE: Snort's default output has changed in version 2.4.1!
The default logging mode is now PCAP, use "-K ascii" to activate the old default logging mode.

On Jun 12, 2009, at 3:24 PM, Will Metcalf wrote:
> What version of snort_inline are you using?
> [...]

Adriel T. Desautels
ad_...@ne...
--------------------------------------
Subscribe to our blog
http://snosoft.blogspot.com
From: Adriel T. D. <ad_...@ne...> - 2009-06-12 19:48:23

From the FreeBSD ports...

On Jun 12, 2009, at 3:24 PM, Will Metcalf wrote:
> What version of snort_inline are you using?
> [...]

Adriel T. Desautels
ad_...@ne...
--------------------------------------
Subscribe to our blog
http://snosoft.blogspot.com
From: Will M. <wil...@gm...> - 2009-06-12 19:27:38

What version of snort_inline are you using?

Regards,
Will

On Fri, Jun 12, 2009 at 1:37 PM, Adriel T. Desautels <ad_...@ne...> wrote:
> And this error?
>
> ERROR: Warning: /usr/local/etc/snort_inline/rules/web-cgi.rules(24) => Unknown keyword ' metadata' in rule!
> Fatal Error, Quitting..
> [...]
From: Adriel T. D. <ad_...@ne...> - 2009-06-12 18:39:31

And this error?

ERROR: Warning: /usr/local/etc/snort_inline/rules/web-cgi.rules(24) => Unknown keyword ' metadata' in rule!
Fatal Error, Quitting..

On Jun 8, 2009, at 9:29 PM, Will Metcalf wrote:
> We may update snort_inline to the latest 2.8 version but we have no plans on porting the stream4inline functionality to stream5.
> [...]

Adriel T. Desautels
ad_...@ne...
--------------------------------------
Subscribe to our blog
http://snosoft.blogspot.com
From: Adriel T. D. <ad_...@ne...> - 2009-06-09 17:09:47

Certainly haven't tried that yet, I'll give it a shot. By the way, do you remember me from Open Market?

On Jun 8, 2009, at 9:29 PM, Will Metcalf wrote:
> We may update snort_inline to the latest 2.8 version but we have no plans on porting the stream4inline functionality to stream5.
> [...]

Adriel T. Desautels
ad_...@ne...
--------------------------------------
Subscribe to our blog
http://snosoft.blogspot.com
From: Will M. <wil...@gm...> - 2009-06-09 01:29:19

We may update snort_inline to the latest 2.8 version but we have no plans on porting the stream4inline functionality to stream5. The reason for this is that both Victor and I are busy working on a new IDP engine which you can read about at the link below. With all of that said, have you tried to compile with --enable-stream4udp? I believe this will make your error go away...

http://www.openinfosecfoundation.org/index.php/component/content/article/1-latest-news/43-founded

Regards,
Will

On Tue, Jun 2, 2009 at 1:20 PM, Adriel T. Desautels <ad_...@ne...> wrote:
> Guys,
> When will snort_inline be up to date with respect to snort's latest version?
> [...]
From: Adriel T. D. <ad_...@ne...> - 2009-06-02 18:40:02

Guys,
When will snort_inline be up to date with respect to snort's latest version? Its inability to work with flow control and the most recent rule-sets is a real pain in the ass. Anyone?

Adriel T. Desautels
ad_...@ne...
--------------------------------------
Subscribe to our blog
http://snosoft.blogspot.com
From: carlopmart <car...@gm...> - 2009-03-05 22:42:15

Hi all,

Some news about the next release? I have checked the subversion repository and the last snort-based release used is 2.8.3...

Thanks.
--
CL Martinez
carlopmart {at} gmail {d0t} com
From: carlopmart <car...@gm...> - 2009-01-16 17:15:14

Hi all,

Does somebody know when the next snort inline will be released?

Thanks.
--
CL Martinez
carlopmart {at} gmail {d0t} com
From: Will M. <wil...@gm...> - 2008-12-02 13:23:56

Thanks for the patches. We will have a look at them.

Regards,
Will

On Tue, Dec 2, 2008 at 3:16 AM, Eric Leblond <er...@in...> wrote:
> This patch adds a netfilter_reinject_mask option which can be used to only modify the packet mark with respect to the selected mask.
> [...]
From: Eric L. <er...@in...> - 2008-12-02 09:55:10
This patch adds a netfilter_reinject_mask option which can be used to only modify the packet mark with respect to the selected mask. Let's say you can use mark 1 and mask 1 (thus reserve one bit to the reinjection process). To send all traffic to snort-inline, you can just add at the top of your ruleset: iptables -I FORWARD -m mark ! --mark 1/1 -j NFQUEUE Signed-off-by: Eric Leblond <er...@in...> --- src/inline.c | 10 +++++++--- src/parser.c | 20 ++++++++++++++++++++ src/snort.h | 1 + 3 files changed, 28 insertions(+), 3 deletions(-) diff --git a/src/inline.c b/src/inline.c index 2f3b6f0..a5f8766 100644 --- a/src/inline.c +++ b/src/inline.c @@ -242,7 +242,7 @@ static int cb(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg, //ipq_pkt.packet_id = glid; //ipq_pkt.hw_protocol = ntohs(ph->hw_protocol); //ipq_pkt.hook = ph->hook; - //ipq_pkt.mark = nfq_get_nfmark(nfa); + ipq_pkt.mark = nfq_get_nfmark(nfa); /* TODO: we only use this for rejects, so we might move * this to the reject code */ @@ -998,7 +998,9 @@ void HandlePacket() #ifdef NFNETLINKQ if (pv.netfilter_reinject_mark) { - status = nfq_set_verdict_mark(qhndl, glid, NF_REPEAT, htonl(pv.netfilter_reinject_mark), 0, NULL); + status = nfq_set_verdict_mark(qhndl, glid, NF_REPEAT, + htonl((pv.netfilter_reinject_mark & pv.netfilter_reinject_mask) | m->mark), + 0, NULL); } else { status = nfq_set_verdict(qhndl, glid, NF_ACCEPT, 0, NULL); } @@ -1018,7 +1020,9 @@ void HandlePacket() { #ifdef NFNETLINKQ if (pv.netfilter_reinject_mark) { - status = nfq_set_verdict_mark(qhndl, glid, NF_REPEAT, htonl(pv.netfilter_reinject_mark), m->data_len, m->payload); + status = nfq_set_verdict_mark(qhndl, glid, NF_REPEAT, + htonl((pv.netfilter_reinject_mark & pv.netfilter_reinject_mask) | m->mark), + m->data_len, m->payload); } else { status = nfq_set_verdict(qhndl, glid, NF_ACCEPT, m->data_len, m->payload); } diff --git a/src/parser.c b/src/parser.c index 991a8f7..b0ac525 100644 --- a/src/parser.c +++ b/src/parser.c 
@@ -6861,6 +6861,26 @@ void ParseConfig(char *rule) return; } + else if(!strcasecmp(config, "netfilter_reinject_mask")) + { + if(args) + { + toks = mSplit(args, " ", 1, &num_toks, 0); +#ifdef GIDS +#ifdef NFNETLINKQ + pv.netfilter_reinject_mask = atoi(toks[0]); +#endif +#endif + + mSplitFree( &toks, num_toks ); + } + + mSplitFree(&rule_toks,num_rule_toks); + mSplitFree(&config_decl,num_config_decl_toks); + + return; + + } else if(!strcasecmp(config, "asn1")) { toks = mSplit(args, ", ", 20, &num_toks, 0); diff --git a/src/snort.h b/src/snort.h index a9ea3a4..d0f1542 100644 --- a/src/snort.h +++ b/src/snort.h @@ -300,6 +300,7 @@ typedef struct _progvars #endif /* USE IPFW DIVERT socket instead of IPtables */ #ifdef NFNETLINKQ int netfilter_reinject_mark; + int netfilter_reinject_mask; #endif #endif /* GIDS */ #ifdef WIN32 -- 1.5.6.5 |
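Review bot: In the `cb()` hunk of src/inline.c (@@ -242,7), the verdict code added further down reads `m->mark`, but the only line this hunk enables is `ipq_pkt.mark = nfq_get_nfmark(nfa);`; nothing in the diff copies `ipq_pkt.mark` into the packet structure the verdict path sees, so either that copy already exists outside the diff or `m->mark` is stale when it is ORed into the verdict mark. Please point at where `m->mark` is filled. Note that `nfq_get_nfmark()` already returns the mark in host order, so the single `htonl()` around the combined value in the later hunks is the right and only byte swap.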
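Review bot: Logic problem in the first `HandlePacket()` hunk of src/inline.c (@@ -998,7): `(pv.netfilter_reinject_mark & pv.netfilter_reinject_mask) | m->mark` only ever sets bits, so bits inside the mask that are already set on the incoming packet survive, which is not what "only modify the packet mark with respect to the selected mask" promises (current mark 1, reinject mark 2, mask 3 yields 3 instead of 2). The `MARK --set-xmark value/mask` semantics are to clear the masked bits first: `(m->mark & ~pv.netfilter_reinject_mask) | (pv.netfilter_reinject_mark & pv.netfilter_reinject_mask)`. Related: a config that sets only `netfilter_reinject_mark`, as the previous patch allows, now leaves the mask at 0 (assuming `pv` starts zeroed), which reduces the expression to `m->mark`; the packet is then reinjected with its mark unchanged and the `-m mark ! --mark N -j NFQUEUE` rule re-queues it on every NF_REPEAT. Default the mask to all ones, or treat 0 as "no mask".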
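Review bot: The second `HandlePacket()` hunk of src/inline.c (@@ -1018,7) duplicates the same mark expression for the replace path, so any fix to the merge has to be made twice; move it into one small static helper (a `reinject_nfmark(m)` or similar, name up to you) and call it from both `nfq_set_verdict_mark()` sites.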
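Review bot: In the src/parser.c hunk, `pv.netfilter_reinject_mask = atoi(toks[0]);` accepts no hexadecimal (masks are normally written like `0xff`), silently turns garbage into 0, and `if(args)` lets a bare `config netfilter_reinject_mask` with no value pass without complaint. Parse with `strtoul(toks[0], &end, 0)`, fail the config load when `*end != '\0'` or the value is 0, and add the keyword to the snort_inline config documentation, which this patch does not touch.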
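Review bot: In the src/snort.h hunk, `int netfilter_reinject_mask;` holds a 32-bit nfmark; as a signed `int` a full mask of `0xffffffff` is -1 and cannot even be produced by the `atoi()` in parser.c. Declare both `netfilter_reinject_mark` and `netfilter_reinject_mask` as `u_int32_t`, which is the type `nfq_set_verdict_mark()` takes for the mark.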
From: Eric L. <er...@in...> - 2008-12-02 09:54:57
If set to non null, snort_inline will mark the packet with the given value and reinject it in the hook by issuing a NF_REPEAT verdict. This functionnality can be used to simplify the iptables ruleset. Let's say you want to use the mark 1, then to send all traffic to snort-inline, you can just add at the top of your ruleset: iptables -I FORWARD -m mark ! --mark 1 -j NFQUEUE The cost of the modification is light as it just add a single rule check when the packet is reinjected. Signed-off-by: Eric Leblond <er...@in...> --- src/inline.c | 13 +++++++++++-- src/parser.c | 20 ++++++++++++++++++++ src/snort.h | 3 +++ 3 files changed, 34 insertions(+), 2 deletions(-) diff --git a/src/inline.c b/src/inline.c index e938541..2f3b6f0 100644 --- a/src/inline.c +++ b/src/inline.c @@ -996,7 +996,12 @@ void HandlePacket() else if (iv.replace == 0) { #ifdef NFNETLINKQ - status = nfq_set_verdict(qhndl, glid, NF_ACCEPT, 0, NULL); + if (pv.netfilter_reinject_mark) + { + status = nfq_set_verdict_mark(qhndl, glid, NF_REPEAT, htonl(pv.netfilter_reinject_mark), 0, NULL); + } else { + status = nfq_set_verdict(qhndl, glid, NF_ACCEPT, 0, NULL); + } if (status < 0) { fprintf(stderr, "NF_ACCEPT: "); @@ -1012,7 +1017,11 @@ void HandlePacket() else /* implied replace */ { #ifdef NFNETLINKQ - status = nfq_set_verdict(qhndl, glid, NF_ACCEPT, m->data_len, m->payload); + if (pv.netfilter_reinject_mark) { + status = nfq_set_verdict_mark(qhndl, glid, NF_REPEAT, htonl(pv.netfilter_reinject_mark), m->data_len, m->payload); + } else { + status = nfq_set_verdict(qhndl, glid, NF_ACCEPT, m->data_len, m->payload); + } if (status < 0) { fprintf(stderr,"NF_ACCEPT: "); diff --git a/src/parser.c b/src/parser.c index 5a53f68..991a8f7 100644 --- a/src/parser.c +++ b/src/parser.c 
@@ -6841,6 +6841,26 @@ void ParseConfig(char *rule) return; } + else if(!strcasecmp(config, "netfilter_reinject_mark")) + { + if(args) + { + toks = mSplit(args, " ", 1, &num_toks, 0); +#ifdef GIDS +#ifdef NFNETLINKQ + pv.netfilter_reinject_mark = atoi(toks[0]); +#endif +#endif + + mSplitFree( &toks, num_toks ); + } + + mSplitFree(&rule_toks,num_rule_toks); + mSplitFree(&config_decl,num_config_decl_toks); + + return; + + } else if(!strcasecmp(config, "asn1")) { toks = mSplit(args, ", ", 20, &num_toks, 0); diff --git a/src/snort.h b/src/snort.h index 86b3d05..a9ea3a4 100644 --- a/src/snort.h +++ b/src/snort.h @@ -298,6 +298,9 @@ typedef struct _progvars int divert_port; int ipfw_reinject_rule; #endif /* USE IPFW DIVERT socket instead of IPtables */ +#ifdef NFNETLINKQ + int netfilter_reinject_mark; +#endif #endif /* GIDS */ #ifdef WIN32 int syslog_remote_flag; -- 1.5.6.5 |
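Review bot: in the src/inline.c hunk at @@ -996,7 the error path kept as context after the new branch still prints `fprintf(stderr, "NF_ACCEPT: ");` although the verdict issued may now be NF_REPEAT via nfq_set_verdict_mark, so a failed reinjection is logged as a failed accept; print the verdict actually issued so the message matches what the code did.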
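Review bot: the src/inline.c hunk at @@ -1012,7 duplicates the mark/no-mark branch of the @@ -996,7 hunk with only the payload arguments differing, and uses a different brace style (`if (pv.netfilter_reinject_mark) {` on one line versus the brace on its own line above); a helper taking (data_len, payload) would avoid the two copies and the same "NF_ACCEPT: " mislabel on this path's error message.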
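Review bot: in the src/parser.c hunk at @@ -6841,6 `pv.netfilter_reinject_mark = atoi(toks[0]);` turns a hex mark such as 0x1 and any non-numeric value into 0, which is exactly the disabled value tested by `if (pv.netfilter_reinject_mark)` in inline.c, so a mistyped option is silently ignored; parse with `strtoul(toks[0], &end, 0)`, fail on trailing characters, and check `num_toks > 0` before indexing `toks[0]`.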
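Review bot: the src/snort.h hunk at @@ -298,6 adds `int netfilter_reinject_mark;` without a comment and the series adds no documentation for the new config option; since inline.c treats 0 as disabled (`if (pv.netfilter_reinject_mark)`) and writes the value as the packet's complete nfmark on reinjection, state both next to the field and in the configuration documentation, and consider u_int32_t for an nfmark.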
From: Eric L. <er...@in...> - 2008-12-02 09:54:52
Hi,

snort-inline can be difficult to use because it is necessary to put the NFQUEUE rule in PREROUTING to get all the packets. In the case where we only want to analyse what is on FORWARD, there is no easy way to do this.

The following patchset fixes this. By issuing a NF_REPEAT verdict and a little trick on the mark, we can use a simple ruleset. Let's say we can reserve a bit in the mark for the reinjection process (we take value 1 for convenience). Then to send all traffic to snort-inline, we can just add at the top of the ruleset:

iptables -I FORWARD -m mark ! --mark 1/1 -j NFQUEUE

When a packet reaches the FORWARD chain, it matches the first rule and is sent to snort-inline. Instead of accepting the packet, snort-inline reinjects it in the FORWARD chain but changes the mark before. Thus, the packet does not match this rule and lives its life in the standard Netfilter ruleset.

The cost of the modification is light as it just adds a single rule check when the packet is reinjected.

BR,
--
Eric Leblond <er...@in...>
INL: http://www.inl.fr/
NuFW: http://www.nufw.org/
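The mark trick described above, as an added example that is not code from the patchset: it models the iptables `-m mark ! --mark value/mask` test and the mark rewrite the second patch applies before the NF_REPEAT verdict, `(reinject_mark & reinject_mask) | old_mark`, and counts how many times one packet would be queued; the loop cap and the mask-of-zero case are assumptions added here to show what happens when the reserved bit never gets set.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* iptables "-m mark [!] --mark value/mask": matches when (mark & mask) == value. */
static bool mark_match(uint32_t mark, uint32_t value, uint32_t mask, bool negate)
{
    bool hit = (mark & mask) == (value & mask);
    return negate ? !hit : hit;
}

/* Mark written by the patch's NF_REPEAT verdict: masked bits are ORed in,
 * existing bits are kept, bits inside the mask are never cleared. */
static uint32_t patch_reinject_mark(uint32_t old_mark, uint32_t reinject_mark, uint32_t reinject_mask)
{
    return (reinject_mark & reinject_mask) | old_mark;
}

/* Hypothetical alternative (not in the patch): set the masked bits to the
 * given value, so a 0 bit inside the mask clears the bit as well. */
static uint32_t masked_set_mark(uint32_t old_mark, uint32_t value, uint32_t mask)
{
    return (old_mark & ~mask) | (value & mask);
}

/* Simulate one packet against "iptables -I FORWARD -m mark ! --mark 1/1 -j NFQUEUE":
 * returns how many times it is queued to snort-inline before it passes the rule.
 * cap bounds the loop so a reinjection that never changes the mark is visible. */
static int queue_count(uint32_t initial_mark, uint32_t reinject_mark, uint32_t reinject_mask, int cap)
{
    uint32_t mark = initial_mark;
    int queued = 0;
    while (mark_match(mark, 1, 1, true) && queued < cap) {
        queued++;                                               /* sent to NFQUEUE */
        mark = patch_reinject_mark(mark, reinject_mark, reinject_mask); /* NF_REPEAT */
    }
    return queued;
}

int main(void)
{
    printf("mark 1, mask 1: queued %d time(s)\n", queue_count(0, 1, 1, 10));   /* 1 */
    printf("mark 1, mask 0: queued %d time(s)\n", queue_count(0, 1, 0, 10));   /* 10: loops */
    printf("bits outside the mask kept: 0x%x\n", patch_reinject_mark(0x100, 1, 1)); /* 0x101 */
    printf("patch cannot clear bit 0: 0x%x vs 0x%x\n",
           patch_reinject_mark(0x101, 0, 1), masked_set_mark(0x101, 0, 1));   /* 0x101 vs 0x100 */
    return 0;
}
```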
From: chatsiri <cha...@ch...> - 2008-10-27 03:18:17
Hello All,

I have a question about snort-inline. I understand that snort programs have a web interface. But snort-inline has no web interface for selecting rules and for management. Would it be good if we implemented a web interface for use with snort-inline? I want suggestions for implementing a web interface for snort-inline.

Best Regards,
Chatsiri Ratana
From: Kasun <thu...@ya...> - 2008-10-17 06:59:40
Hi,

Thank you very much for your reply. I found the line and am currently trying to find the error. There is a project called Brcontrol which builds a new action rule in snort inline to forward traffic. This error came when I was testing it in my project. For that, we have to recompile the kernel, edit some iptables and snort too. I'm using snort_inline 2.1.0 and iptables 1.2.9 for it (sorry if not told earlier) and I wrote a rule to capture ICMP packets (in local.rules), but an alert is coming to BASE. I enable the ip_queue module before starting snort also.

error:-
Received error message 22 trying to set marksetting mark09/27-11:11:33.146601 192.x.x.16 -> 192.x.x.18 ICMP TTL:128 TOS:0x0 ID:24102 IpLen:20 DgmLen:60 Type:8 Code:0 ID:1 Seq:2 ECHO
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
Received error message 22 trying to set marksetting mark09/27-11:11:42.815522 192.x.x.16 -> 192.x.x.18 ICMP TTL:128 TOS:0x0 ID:24103 IpLen:20 DgmLen:60 Type:8 Code:0 ID:1 Seq:3 ECHO
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=

Thank you,
Kasun Abeykoon

--- On Thu, 10/16/08, John Default <joh...@gm...> wrote:

From: John Default <joh...@gm...>
Subject: Re: [Snort-inline-users] Received error message when packet capturing
To: sno...@li...
Cc: thu...@ya...
Date: Thursday, October 16, 2008, 11:48 PM

Kasun wrote:

Hi All,

This is my first mail to the snort-inline users list. I'm an undergraduate and I use snort inline for my project. I use Debian as my OS and the problem is I got an error message while snort captures packets. It says "Received error message 22". Does anyone know what this particular error message means?

Hi Kasun

"Received error message" is in inline.c line 454, where it receives a message from libipq and tries to read it. The error is therefore sent by libipq, but I could not quickly find what exact error it is. Libipq uses some sort of recvfrom to get messages, calling select and then recv. But if I understood correctly, it should return an error from recv or -1, not 22. Maybe I am completely wrong.

I think the source is small and clear enough that you should be able to find it there yourself in a relatively short time and can then include it in the documentation : )

I am sorry, I just can't give it more now.

Wish you good luck

Best regards
John Default
From: John D. <joh...@gm...> - 2008-10-16 17:49:02
Kasun wrote:
>
> Hi All,
>
> This is my first mail to the snort-inline users list. I'm an undergraduate and I use snort inline for my project. I use Debian as my OS and the problem is I got an error message while snort captures packets. It says "Received error message 22". Does anyone know what this particular error message means?
>

Hi Kasun

"Received error message" is in inline.c line 454, where it receives a message from libipq and tries to read it. The error is therefore sent by libipq, but I could not quickly find what exact error it is. Libipq uses some sort of recvfrom to get messages, calling select and then recv. But if I understood correctly, it should return an error from recv or -1, not 22. Maybe I am completely wrong.

I think the source is small and clear enough that you should be able to find it there yourself in a relatively short time and can then include it in the documentation : )

I am sorry, I just can't give it more now.

Wish you good luck

Best regards
John Default
From: Kasun <thu...@ya...> - 2008-10-16 14:27:19
Hi All,

This is my first mail to the snort-inline users list. I'm an undergraduate and I use snort inline for my project. I use Debian as my OS and the problem is I got an error message while snort captures packets. It says "Received error message 22". Does anyone know what this particular error message means?
From: Joel E. <es...@gm...> - 2008-09-23 16:54:38
You say that you are putting in your own drop rules? Or am I totally missing your question. Would you be willing to post the drop rules that you are putting in? Are you able to drop ANY traffic? Can you post your Snort command line? How about your snort.conf file?

Joel

On Tue, Sep 23, 2008 at 2:38 AM, Snort User <pea...@ya...> wrote:
> To Any Snort_Inline Guru:
>
> I am an EXTREMELY FRUSTRATED snort_inline user. I am using snort 2.8 in inline mode and updating with oinkmaster 2.0. If I update via oinkmaster WITHOUT specifying {modifysid * "^alert" | "drop"} within the oinkmaster.conf file, the rules get updated and everything works. If I insert some simple drop rules for testing after the oinkmaster update, my "test" drop rules correctly drop and log dropped packets. If I test the updated alerts by restarting in non-inline mode, they work as well.
>
> STRANGELY, if I update via oinkmaster and DO specify {modifysid * "^alert" | "drop"} within the .conf file, oinkmaster "seems" to work (i.e., updates appear to have been made correctly, "alert" rules are all converted to "drop" rules, snort inline starts without errors, snort output lists rules as being correctly read, etc.), however, when I insert some simple drop rules for testing, my "test" drop rules do not work, nor do any of the converted drop rules that had worked prior as alerts. At least the "test" drop rules SHOULD work (but do not), since they work when I update without converting alerts to drops. This would seem impossible, but it IS occurring. I always restart snort after rules modifications to flush rules from memory and am only using downloaded snort rules (i.e. other than some extremely simple "test" drop rules that DO work when I haven't converted "alert" rules to "drop").
>
> I understand that if I had "alert" rules similar to my test "drop" rules, then my test "drop" rules might not get triggered and logged (i.e., as a consequence of already being dropped by other rules that were prior only "alerts"). However, in that scenario, even though the test "drops" wouldn't show as triggered in the logs, the packets would still get dropped, due to other "drop" rules. This isn't what is happening, since none of my packets are getting dropped once I convert "alerts" to "drops". Again, extremely baffling!
>
> There must be a way to run snort-inline with automatic alert/drop conversions on updates, but I have not been able to do it.
>
> Any feedback would be GREATLY APPRECIATED!
>
> Peabody
From: Snort U. <pea...@ya...> - 2008-09-23 06:38:12
To Any Snort_Inline Guru:

I am an EXTREMELY FRUSTRATED snort_inline user. I am using snort 2.8 in inline mode and updating with oinkmaster 2.0. If I update via oinkmaster WITHOUT specifying {modifysid * "^alert" | "drop"} within the oinkmaster.conf file, the rules get updated and everything works. If I insert some simple drop rules for testing after the oinkmaster update, my "test" drop rules correctly drop and log dropped packets. If I test the updated alerts by restarting in non-inline mode, they work as well.

STRANGELY, if I update via oinkmaster and DO specify {modifysid * "^alert" | "drop"} within the .conf file, oinkmaster "seems" to work (i.e., updates appear to have been made correctly, "alert" rules are all converted to "drop" rules, snort inline starts without errors, snort output lists rules as being correctly read, etc.), however, when I insert some simple drop rules for testing, my "test" drop rules do not work, nor do any of the converted drop rules that had worked prior as alerts. At least the "test" drop rules SHOULD work (but do not), since they work when I update without converting alerts to drops. This would seem impossible, but it IS occurring. I always restart snort after rules modifications to flush rules from memory and am only using downloaded snort rules (i.e. other than some extremely simple "test" drop rules that DO work when I haven't converted "alert" rules to "drop").

I understand that if I had "alert" rules similar to my test "drop" rules, then my test "drop" rules might not get triggered and logged (i.e., as a consequence of already being dropped by other rules that were prior only "alerts"). However, in that scenario, even though the test "drops" wouldn't show as triggered in the logs, the packets would still get dropped, due to other "drop" rules. This isn't what is happening, since none of my packets are getting dropped once I convert "alerts" to "drops". Again, extremely baffling!

There must be a way to run snort-inline with automatic alert/drop conversions on updates, but I have not been able to do it.

Any feedback would be GREATLY APPRECIATED!

Peabody