From: JT <oi...@si...> - 2005-12-08 19:50:53

Are there any howtos for writing/adjusting signatures for snort_inline? I can find plenty of documentation for writing rules for the stock snort, just didn't know what changes have to be made to the sigs for the inline version - if any. I've only found a few references to it in README.INLINE.
From: Will M. <wil...@gm...> - 2005-11-30 19:58:16

I didn't get any attachments after you set the --sport 80 rule. can you please send a debug and of stream4 and tcpdump logs....

Regards,

Will

On 11/30/05, Rob Campbell <rca...@pc...> wrote:
> Ok, I added that rule and regenerated the files. Here they are again
> after running with both iptables rules. It didn't make any difference
> in the outcome, I am still not able to establish any TCP connections.
> That makes sense though, since it also didn't work when all packets were
> going to the queue.
>
> Rob Campbell
> Pacific Coast Wireless Internet
>
> Victor Julien wrote:
> > Rob Campbell wrote:
> >> I have tcpdumps from both interfaces on the bridge. I also was able
> >> to turn on debugging and I am seeing "Lets drop this its not a synner".
> >>
> >> I am attaching that output and the 2 tcpdump files. eth2 is the
> >> external interface and eth3 is the internal interface. To keep the
> >> logs and packet dumps clean, I used a different iptables rule for only
> >> port 80 traffic. I get the same results with "iptables -A FORWARD -j
> >> QUEUE", it's just a lot more noisy. The rule I was using this time
> >> was "iptables -A FORWARD -p tcp --dport 80 -j QUEUE". The output from
> >> iptables -vnL is also attached.
> >
> > This iptables rule is not sufficient. You now only send packets with
> > destination port 80 to the QUEUE, but the return packets, which have
> > source port 80 are accepted by iptables using ACCEPT and thus not send
> > to snort_inline. Please add the following rule in addition to the one
> > you already have:
> > iptables -A FORWARD -p tcp --sport 80 -j QUEUE
> >
> > This will make sure the return traffic is also send to the QUEUE.
> >
> > Regards,
> > Victor
> >
> >> Rob Campbell
> >> Pacific Coast Wireless Internet
> >>
> >> Will Metcalf wrote:
> >>> hmmmm can you send my packet dumps and possibly ./configure with
> >>> --enable-debug. Then export SNORT_DEBUG=8192 if enforce_state is
> >>> dropping your packets you should see something in the debug to the
> >>> effect of "dropping packet not a synner". Let me know what you find,
> >>> as long as stream4 can see the TWH enforce_state shouldn't be causing
> >>> you any problems.
> >>>
> >>> Regards,
> >>>
> >>> Will
> >>>
> >>> On 11/29/05, Rob Campbell <rca...@pc...> wrote:
> >>>> Will,
> >>>>
> >>>> I'm just checking back to see if you have found anything. I have
> >>>> done a little more testing, but haven't found a way to fix it yet. It is
> >>>> definitely related to enforce_state. If I use enforce_state, even
> >>>> without stream4inline, it will not pass any TCP traffic. From what I
> >>>> understand, without enforce_state I cannot drop TCP packets in
> >>>> real-time, is that correct? I would really like to use Snort for an
> >>>> IPS, but without TCP it wouldn't be very useful. Let me know if you
> >>>> have any other ideas, or want me to give something a try. Thank you.
> >>>>
> >>>> Rob Campbell
> >>>> Pacific Coast Wireless Internet
> >>>>
> >>>> Will Metcalf wrote:
> >>>>> I'll see if I can reproduce it this weekend
> >>>>>
> >>>>> On 11/18/05, Rob Campbell <rca...@pc...> wrote:
> >>>>>> I have also tried it with just "iptables -A FORWARD -j QUEUE" to make
> >>>>>> sure that the specified interfaces wasn't causing a problem. Any ideas
> >>>>>> why it's not working with stream4inline and enforce_state?
> >>>>>>
> >>>>>> Rob Campbell
> >>>>>> Pacific Coast Wireless Internet
> >>>>>>
> >>>>>> Rob Campbell wrote:
> >>>>>>> No. That is the only iptables rule I have. The full rule was "iptables
> >>>>>>> -A FORWARD -i br0 -o br0 -j QUEUE", could that cause any problems?
> >>>>>>>
> >>>>>>> Rob Campbell
> >>>>>>> Pacific Coast Wireless Internet
> >>>>>>>
> >>>>>>> Will Metcalf wrote:
> >>>>>>>> hmmm how odd, you don't have any other entries in your FORWARD chain
> >>>>>>>> before you -A FORWARD -j QUEUE entry do you?
> >>>>>>>>
> >>>>>>>> Regards,
> >>>>>>>>
> >>>>>>>> Will
> >>>>>>>>
> >>>>>>>> On 11/17/05, Rob Campbell <rca...@pc...> wrote:
> >>>>>>>>> It is happening on web traffic, IMAP traffic, and telnet to various
> >>>>>>>>> ports.
> >>>>>>>>>
> >>>>>>>>> Rob Campbell
> >>>>>>>>> Pacific Coast Wireless Internet
> >>>>>>>>>
> >>>>>>>>> Will Metcalf wrote:
> >>>>>>>>>> sorry it's late missed the "iptables -A FORWARD -j QUEUE" part. Just
> >>>>>>>>>> out of curiosity is it a particular protocol, or does all tcp traffic
> >>>>>>>>>> get dropped?
> >>>>>>>>>>
> >>>>>>>>>> Regards,
> >>>>>>>>>>
> >>>>>>>>>> Will
> >>>>>>>>>>
> >>>>>>>>>> On 11/16/05, Will Metcalf <wil...@gm...> wrote:
> >>>>>>>>>>> Hmmm Are you sure that snort-inline can see the full twh? i.e. are
> >>>>>>>>>>> you queueing both client and server traffic?
> >>>>>>>>>>>
> >>>>>>>>>>> Regards,
> >>>>>>>>>>>
> >>>>>>>>>>> Will
> >>>>>>>>>>>
> >>>>>>>>>>> On 11/16/05, Rob Campbell <rca...@pc...> wrote:
> >>>>>>>>>>>> Hello,
> >>>>>>>>>>>>
> >>>>>>>>>>>> I have been configuring an IPS using snort inline. I am running the
> >>>>>>>>>>>> latest version, 2.4.3RC2. It is running in bridge mode with "iptables
> >>>>>>>>>>>> -A FORWARD -j QUEUE" on the bridge interface. When I have enforce_state
> >>>>>>>>>>>> on, it seems to block all TCP traffic. With a packet capture I do see
> >>>>>>>>>>>> the SYN being sent to the remote host, but I never get any replies. If
> >>>>>>>>>>>> I turn off enforce_state it starts working again.
> >>>>>>>>>>>>
> >>>>>>>>>>>> What are the downsides to turning off enforce_state or stream4inline?
> >>>>>>>>>>>> Thank you.
> >>>>>>>>>>>>
> >>>>>>>>>>>> Rob Campbell
> >>>>>>>>>>>> Pacific Coast Wireless Internet
From: Rob C. <rca...@pc...> - 2005-11-30 19:21:37

Of course I wasn't paying attention and forgot to attach the new files. Here they are.

Rob Campbell
Pacific Coast Wireless Internet

Rob Campbell wrote:
> Ok, I added that rule and regenerated the files. Here they are again
> after running with both iptables rules. It didn't make any difference
> in the outcome, I am still not able to establish any TCP connections.
> That makes sense though, since it also didn't work when all packets were
> going to the queue.
>
> Rob Campbell
> Pacific Coast Wireless Internet
From: Rob C. <rca...@pc...> - 2005-11-30 19:03:57

Ok, I added that rule and regenerated the files. Here they are again after running with both iptables rules. It didn't make any difference in the outcome, I am still not able to establish any TCP connections. That makes sense though, since it also didn't work when all packets were going to the queue.

Rob Campbell
Pacific Coast Wireless Internet

Victor Julien wrote:
> Rob Campbell wrote:
>> I have tcpdumps from both interfaces on the bridge. I also was able
>> to turn on debugging and I am seeing "Lets drop this its not a synner".
>>
>> I am attaching that output and the 2 tcpdump files. eth2 is the
>> external interface and eth3 is the internal interface. To keep the
>> logs and packet dumps clean, I used a different iptables rule for only
>> port 80 traffic. I get the same results with "iptables -A FORWARD -j
>> QUEUE", it's just a lot more noisy. The rule I was using this time
>> was "iptables -A FORWARD -p tcp --dport 80 -j QUEUE". The output from
>> iptables -vnL is also attached.
>
> This iptables rule is not sufficient. You now only send packets with
> destination port 80 to the QUEUE, but the return packets, which have
> source port 80 are accepted by iptables using ACCEPT and thus not send
> to snort_inline. Please add the following rule in addition to the one
> you already have:
> iptables -A FORWARD -p tcp --sport 80 -j QUEUE
>
> This will make sure the return traffic is also send to the QUEUE.
>
> Regards,
> Victor
From: Victor J. <vi...@nk...> - 2005-11-30 18:27:43

Rob Campbell wrote:
> I have tcpdumps from both interfaces on the bridge. I also was able to
> turn on debugging and I am seeing "Lets drop this its not a synner".
>
> I am attaching that output and the 2 tcpdump files. eth2 is the
> external interface and eth3 is the internal interface. To keep the logs
> and packet dumps clean, I used a different iptables rule for only port
> 80 traffic. I get the same results with "iptables -A FORWARD -j QUEUE",
> it's just a lot more noisy. The rule I was using this time was
> "iptables -A FORWARD -p tcp --dport 80 -j QUEUE". The output from
> iptables -vnL is also attached.

This iptables rule is not sufficient. You now only send packets with destination port 80 to the QUEUE, but the return packets, which have source port 80, are accepted by iptables using ACCEPT and thus not sent to snort_inline. Please add the following rule in addition to the one you already have:

iptables -A FORWARD -p tcp --sport 80 -j QUEUE

This will make sure the return traffic is also sent to the QUEUE.

Regards,
Victor

> Rob Campbell
> Pacific Coast Wireless Internet
From: Victor J. <vi...@nk...> - 2005-11-30 07:43:15

Rob Campbell wrote:
> Will,
>
> I'm just checking back to see if you have found anything. I have done a
> little more testing, but haven't found a way to fix it yet. It is
> definitely related to enforce_state. If I use enforce_state, even
> without stream4inline, it will not pass any TCP traffic. From what I
> understand, without enforce_state I cannot drop TCP packets in
> real-time, is that correct?

No, that is not correct. If enforce_state is enabled stream4 will drop packets that do not belong to an existing connection and are not valid tcp-connection initializers. If enforce_state is disabled, you can still drop tcp packets.

I cannot reproduce this problem, but i don't use a bridge. Other than the debug info Will asked for, i would be interested in a tcpdump file and the output of iptables -vnL ...

Regards,
Victor

> I would really like to use Snort for an
> IPS, but without TCP it wouldn't be very useful. Let me know if you
> have any other ideas, or want me to give something a try. Thank you.
>
> Rob Campbell
> Pacific Coast Wireless Internet
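The behaviour Victor describes here and in his 18:27 reply (with enforce_state on, stream4 passes a TCP packet only if it is a valid connection initiator or belongs to a session whose three-way handshake the sensor has seen; a --dport-only QUEUE rule lets the return half of the handshake bypass snort_inline, so the client's ACK and data then look like "not a synner" packets) modelled as an added example. This is not snort_inline's code and not something anyone in the thread posted; the toy state machine, the hosts, ports and packets, and the two "which packets reach the sensor" filters are all constructed here to illustrate the point. It only models Victor's observation about the dport-only rule; it does not claim to explain why Rob's setup still failed after adding the --sport rule.

```python
"""Toy model of stream4 'enforce_state' behind an iptables QUEUE rule.

Constructed example, not snort_inline source. The two filters below stand
in for these (assumed) rules on a bridging sensor:

    # insufficient: only client->server packets are queued to snort_inline
    iptables -A FORWARD -p tcp --dport 80 -j QUEUE
    # add this so SYN/ACK and server data are queued as well
    iptables -A FORWARD -p tcp --sport 80 -j QUEUE
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

SYN, ACK, PSH = 0x02, 0x10, 0x08


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int
    note: str  # human-readable label for the constructed packet


def flow_key(p: Pkt) -> tuple:
    """Direction-independent 4-tuple so both halves of a flow share one session."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (a, b) if a <= b else (b, a)


class ToyStream4:
    """Minimal stand-in for stream4's session tracking with enforce_state."""

    def __init__(self, enforce_state: bool) -> None:
        self.enforce_state = enforce_state
        self.state: Dict[tuple, str] = {}

    def inspect(self, p: Pkt) -> str:
        key = flow_key(p)
        st = self.state.get(key)
        syn, ack = bool(p.flags & SYN), bool(p.flags & ACK)
        if syn and not ack:                         # bare SYN: valid initiator
            self.state[key] = "SYN_SEEN"
            return "ACCEPT"
        if syn and ack and st == "SYN_SEEN":        # SYN/ACK answering that SYN
            self.state[key] = "SYNACK_SEEN"
            return "ACCEPT"
        if ack and not syn and st == "SYNACK_SEEN":  # final ACK: TWH complete
            self.state[key] = "ESTABLISHED"
            return "ACCEPT"
        if st == "ESTABLISHED":
            return "ACCEPT"
        # Neither an initiator nor part of a session whose handshake we saw.
        if self.enforce_state:
            return "DROP"                           # the "not a synner" case
        return "ACCEPT"                             # no state enforcement


CLIENT, SERVER = "10.0.0.5", "203.0.113.10"  # constructed addresses

# Constructed packet sequence: one HTTP connection, both directions.
HANDSHAKE_AND_DATA: List[Pkt] = [
    Pkt(CLIENT, 40000, SERVER, 80, SYN,       "client SYN"),
    Pkt(SERVER, 80, CLIENT, 40000, SYN | ACK, "server SYN/ACK"),
    Pkt(CLIENT, 40000, SERVER, 80, ACK,       "client ACK (TWH complete)"),
    Pkt(CLIENT, 40000, SERVER, 80, ACK | PSH, "client GET /"),
    Pkt(SERVER, 80, CLIENT, 40000, ACK | PSH, "server 200 OK"),
]


def queue_dport_80(p: Pkt) -> bool:
    """Models only: iptables -A FORWARD -p tcp --dport 80 -j QUEUE."""
    return p.dport == 80


def queue_both_ways(p: Pkt) -> bool:
    """Models the --dport 80 rule plus the --sport 80 rule."""
    return p.dport == 80 or p.sport == 80


def run(queued: Callable[[Pkt], bool], enforce_state: bool) -> List[Tuple[str, str]]:
    """Feed the packets through iptables (filter) and the sensor; return verdicts."""
    sensor = ToyStream4(enforce_state)
    out: List[Tuple[str, str]] = []
    for p in HANDSHAKE_AND_DATA:
        if queued(p):
            out.append((p.note, sensor.inspect(p)))
        else:  # not matched by a QUEUE rule: iptables ACCEPTs it unseen
            out.append((p.note, "ACCEPT (bypassed sensor)"))
    return out


def connection_works(results: List[Tuple[str, str]]) -> bool:
    return all(v.startswith("ACCEPT") for _, v in results)


if __name__ == "__main__":
    for name, q in (("dport-only", queue_dport_80), ("both directions", queue_both_ways)):
        print(f"== {name}, enforce_state on ==")
        for note, v in run(q, True):
            print(f"  {note:28s} -> {v}")
```

With the dport-only filter the sensor sees the client's SYN but never the SYN/ACK, so the client's ACK and its first data segment are dropped as "not a synner"; queueing both directions lets the session reach ESTABLISHED. Turning enforce_state off makes the one-sided rule "work" only because the sensor stops enforcing state at all, which is the trade-off Rob asked about.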
From: Will M. <wil...@gm...> - 2005-11-30 04:45:16

hmmmm can you send my packet dumps and possibly ./configure with --enable-debug. Then export SNORT_DEBUG=8192 if enforce_state is dropping your packets you should see something in the debug to the effect of "dropping packet not a synner". Let me know what you find, as long as stream4 can see the TWH enforce_state shouldn't be causing you any problems.

Regards,

Will

On 11/29/05, Rob Campbell <rca...@pc...> wrote:
> Will,
>
> I'm just checking back to see if you have found anything. I have done a
> little more testing, but haven't found a way to fix it yet. It is
> definitely related to enforce_state. If I use enforce_state, even
> without stream4inline, it will not pass any TCP traffic. From what I
> understand, without enforce_state I cannot drop TCP packets in
> real-time, is that correct? I would really like to use Snort for an
> IPS, but without TCP it wouldn't be very useful. Let me know if you
> have any other ideas, or want me to give something a try. Thank you.
>
> Rob Campbell
> Pacific Coast Wireless Internet
From: Rob C. <rca...@pc...> - 2005-11-30 00:53:25
|
Will, I'm just checking back to see if you have found anything. I have done a little more testing, but haven't found a way to fix it yet. It is definitely related to enforce_state. If I use enforce_state, even without stream4inline, it will not pass any TCP traffic. From what I understand, without enforce_state I cannot drop TCP packets in real-time, is that correct? I would really like to use Snort for an IPS, but without TCP it wouldn't be very useful. Let me know if you have any other ideas, or want me to give something a try. Thank you.

Rob Campbell
Pacific Coast Wireless Internet

Will Metcalf wrote:
> I'll see if I can reproduce it this weekend
>
> On 11/18/05, Rob Campbell <rca...@pc...> wrote:
>> I have also tried it with just "iptables -A FORWARD -j QUEUE" to make
>> sure that the specified interfaces weren't causing a problem. Any ideas
>> why it's not working with stream4inline and enforce_state?
>>
>> Rob Campbell
>> Pacific Coast Wireless Internet
>>
>> Rob Campbell wrote:
>>> No. That is the only iptables rule I have. The full rule was "iptables
>>> -A FORWARD -i br0 -o br0 -j QUEUE", could that cause any problems?
>>>
>>> Rob Campbell
>>> Pacific Coast Wireless Internet
>>>
>>> Will Metcalf wrote:
>>>> hmmm how odd, you don't have any other entries in your FORWARD chain
>>>> before your -A FORWARD -j QUEUE entry do you?
>>>>
>>>> Regards,
>>>>
>>>> Will
>>>>
>>>> On 11/17/05, Rob Campbell <rca...@pc...> wrote:
>>>>> It is happening on web traffic, IMAP traffic, and telnet to various
>>>>> ports.
>>>>>
>>>>> Rob Campbell
>>>>> Pacific Coast Wireless Internet
>>>>>
>>>>> Will Metcalf wrote:
>>>>>> sorry it's late missed the "iptables -A FORWARD -j QUEUE" part. Just
>>>>>> out of curiosity is it a particular protocol, or does all tcp traffic
>>>>>> get dropped?
>>>>>>
>>>>>> Regards,
>>>>>>
>>>>>> Will
>>>>>>
>>>>>> On 11/16/05, Will Metcalf <wil...@gm...> wrote:
>>>>>>> Hmmm Are you sure that snort-inline can see the full twh? i.e. are
>>>>>>> you queueing both client and server traffic?
>>>>>>>
>>>>>>> Regards,
>>>>>>>
>>>>>>> Will
>>>>>>>
>>>>>>> On 11/16/05, Rob Campbell <rca...@pc...> wrote:
>>>>>>>> Hello,
>>>>>>>>
>>>>>>>> I have been configuring an IPS using snort inline. I am running the
>>>>>>>> latest version, 2.4.3RC2. It is running in bridge mode with "iptables
>>>>>>>> -A FORWARD -j QUEUE" on the bridge interface. When I have enforce_state
>>>>>>>> on, it seems to block all TCP traffic. With a packet capture I do see
>>>>>>>> the SYN being sent to the remote host, but I never get any replies. If
>>>>>>>> I turn off enforce_state it starts working again.
>>>>>>>>
>>>>>>>> What are the downsides to turning off enforce_state or stream4inline?
>>>>>>>> Thank you.
>>>>>>>>
>>>>>>>> Rob Campbell
>>>>>>>> Pacific Coast Wireless Internet |
From: Alexandre D. <ale...@fr...> - 2005-11-28 17:14:12
|
WhoW! What reactivity!

-----Original Message-----
From: Nick Rogness [mailto:ni...@ro...]
Sent: Monday, 28 November 2005 18:01
To: Alexandre DELAY
Cc: sno...@li...
Subject: Re: [Snort-inline-users] Under FreeBSD: working with dummynet

> Hi guys
>
> Is there a way to use snort_inline with dummynet.
> I would like, for example, to redirect p2p traffic to a pipe or a queue in
> order to limit the bandwidth.
>

Not yet, but it should be easy to add something to send matched packets to a specific rule number which can then be used with dummynet. Let me look at it this week and get a patch out.

Nick Rogness <ni...@ro...> |
From: Nick R. <ni...@ro...> - 2005-11-28 17:01:35
|
> Hi guys
>
> Is there a way to use snort_inline with dummynet.
> I would like, for example, to redirect p2p traffic to a pipe or a queue in
> order to limit the bandwidth.
>

Not yet, but it should be easy to add something to send matched packets to a specific rule number which can then be used with dummynet. Let me look at it this week and get a patch out.

Nick Rogness <ni...@ro...> |
From: Alexandre D. <ale...@fr...> - 2005-11-28 09:12:33
|
Hi guys

Is there a way to use snort_inline with dummynet.
I would like, for example, to redirect p2p traffic to a pipe or a queue in order to limit the bandwidth.

cheers
Alex |
From: Will M. <wil...@gm...> - 2005-11-18 21:03:14
|
I'll see if I can reproduce it this weekend

On 11/18/05, Rob Campbell <rca...@pc...> wrote:
> I have also tried it with just "iptables -A FORWARD -j QUEUE" to make
> sure that the specified interfaces weren't causing a problem. Any ideas
> why it's not working with stream4inline and enforce_state?
>
> Rob Campbell
> Pacific Coast Wireless Internet
>
> Rob Campbell wrote:
> > No. That is the only iptables rule I have. The full rule was "iptables
> > -A FORWARD -i br0 -o br0 -j QUEUE", could that cause any problems?
> >
> > Rob Campbell
> > Pacific Coast Wireless Internet
> >
> > Will Metcalf wrote:
> >> hmmm how odd, you don't have any other entries in your FORWARD chain
> >> before your -A FORWARD -j QUEUE entry do you?
> >>
> >> Regards,
> >>
> >> Will
> >>
> >> On 11/17/05, Rob Campbell <rca...@pc...> wrote:
> >>> It is happening on web traffic, IMAP traffic, and telnet to various
> >>> ports.
> >>>
> >>> Rob Campbell
> >>> Pacific Coast Wireless Internet
> >>>
> >>> Will Metcalf wrote:
> >>>> sorry it's late missed the "iptables -A FORWARD -j QUEUE" part. Just
> >>>> out of curiosity is it a particular protocol, or does all tcp traffic
> >>>> get dropped?
> >>>>
> >>>> Regards,
> >>>>
> >>>> Will
> >>>>
> >>>> On 11/16/05, Will Metcalf <wil...@gm...> wrote:
> >>>>> Hmmm Are you sure that snort-inline can see the full twh? i.e. are
> >>>>> you queueing both client and server traffic?
> >>>>>
> >>>>> Regards,
> >>>>>
> >>>>> Will
> >>>>>
> >>>>> On 11/16/05, Rob Campbell <rca...@pc...> wrote:
> >>>>>> Hello,
> >>>>>>
> >>>>>> I have been configuring an IPS using snort inline. I am running the
> >>>>>> latest version, 2.4.3RC2. It is running in bridge mode with "iptables
> >>>>>> -A FORWARD -j QUEUE" on the bridge interface. When I have enforce_state
> >>>>>> on, it seems to block all TCP traffic. With a packet capture I do see
> >>>>>> the SYN being sent to the remote host, but I never get any replies. If
> >>>>>> I turn off enforce_state it starts working again.
> >>>>>>
> >>>>>> What are the downsides to turning off enforce_state or stream4inline?
> >>>>>> Thank you.
> >>>>>>
> >>>>>> Rob Campbell
> >>>>>> Pacific Coast Wireless Internet |
From: Rob C. <rca...@pc...> - 2005-11-18 20:11:10
|
I have also tried it with just "iptables -A FORWARD -j QUEUE" to make sure that the specified interfaces weren't causing a problem. Any ideas why it's not working with stream4inline and enforce_state?

Rob Campbell
Pacific Coast Wireless Internet

Rob Campbell wrote:
> No. That is the only iptables rule I have. The full rule was "iptables
> -A FORWARD -i br0 -o br0 -j QUEUE", could that cause any problems?
>
> Rob Campbell
> Pacific Coast Wireless Internet
>
> Will Metcalf wrote:
>> hmmm how odd, you don't have any other entries in your FORWARD chain
>> before your -A FORWARD -j QUEUE entry do you?
>>
>> Regards,
>>
>> Will
>>
>> On 11/17/05, Rob Campbell <rca...@pc...> wrote:
>>> It is happening on web traffic, IMAP traffic, and telnet to various
>>> ports.
>>>
>>> Rob Campbell
>>> Pacific Coast Wireless Internet
>>>
>>> Will Metcalf wrote:
>>>> sorry it's late missed the "iptables -A FORWARD -j QUEUE" part. Just
>>>> out of curiosity is it a particular protocol, or does all tcp traffic
>>>> get dropped?
>>>>
>>>> Regards,
>>>>
>>>> Will
>>>>
>>>> On 11/16/05, Will Metcalf <wil...@gm...> wrote:
>>>>> Hmmm Are you sure that snort-inline can see the full twh? i.e. are
>>>>> you queueing both client and server traffic?
>>>>>
>>>>> Regards,
>>>>>
>>>>> Will
>>>>>
>>>>> On 11/16/05, Rob Campbell <rca...@pc...> wrote:
>>>>>> Hello,
>>>>>>
>>>>>> I have been configuring an IPS using snort inline. I am running the
>>>>>> latest version, 2.4.3RC2. It is running in bridge mode with "iptables
>>>>>> -A FORWARD -j QUEUE" on the bridge interface. When I have enforce_state
>>>>>> on, it seems to block all TCP traffic. With a packet capture I do see
>>>>>> the SYN being sent to the remote host, but I never get any replies. If
>>>>>> I turn off enforce_state it starts working again.
>>>>>>
>>>>>> What are the downsides to turning off enforce_state or stream4inline?
>>>>>> Thank you.
>>>>>>
>>>>>> Rob Campbell
>>>>>> Pacific Coast Wireless Internet |
From: Will M. <wil...@gm...> - 2005-11-18 18:41:03
|
crappy browser code ;-)

Regards,

Will

On 11/18/05, davide belloni <dav...@gm...> wrote:
> I've a new problem with snort inline + clamav...now when it catches a virus the
> file isn't downloaded, but the browser crashes...does someone know why? Tnx
> --
>
> China |
From: davide b. <dav...@gm...> - 2005-11-18 18:13:42
|
I've a new problem with snort inline + clamav...now when it catches a virus the file isn't downloaded, but the browser crashes...does someone know why? Tnx

--
China |
From: Rob C. <rca...@pc...> - 2005-11-18 00:40:21
|
No. That is the only iptables rule I have. The full rule was "iptables -A FORWARD -i br0 -o br0 -j QUEUE", could that cause any problems?

Rob Campbell
Pacific Coast Wireless Internet

Will Metcalf wrote:
> hmmm how odd, you don't have any other entries in your FORWARD chain
> before your -A FORWARD -j QUEUE entry do you?
>
> Regards,
>
> Will
>
> On 11/17/05, Rob Campbell <rca...@pc...> wrote:
>> It is happening on web traffic, IMAP traffic, and telnet to various ports.
>>
>> Rob Campbell
>> Pacific Coast Wireless Internet
>>
>> Will Metcalf wrote:
>>> sorry it's late missed the "iptables -A FORWARD -j QUEUE" part. Just
>>> out of curiosity is it a particular protocol, or does all tcp traffic
>>> get dropped?
>>>
>>> Regards,
>>>
>>> Will
>>>
>>> On 11/16/05, Will Metcalf <wil...@gm...> wrote:
>>>> Hmmm Are you sure that snort-inline can see the full twh? i.e. are
>>>> you queueing both client and server traffic?
>>>>
>>>> Regards,
>>>>
>>>> Will
>>>>
>>>> On 11/16/05, Rob Campbell <rca...@pc...> wrote:
>>>>> Hello,
>>>>>
>>>>> I have been configuring an IPS using snort inline. I am running the
>>>>> latest version, 2.4.3RC2. It is running in bridge mode with "iptables
>>>>> -A FORWARD -j QUEUE" on the bridge interface. When I have enforce_state
>>>>> on, it seems to block all TCP traffic. With a packet capture I do see
>>>>> the SYN being sent to the remote host, but I never get any replies. If
>>>>> I turn off enforce_state it starts working again.
>>>>>
>>>>> What are the downsides to turning off enforce_state or stream4inline?
>>>>> Thank you.
>>>>>
>>>>> Rob Campbell
>>>>> Pacific Coast Wireless Internet |
From: Will M. <wil...@gm...> - 2005-11-18 00:11:14
|
hmmm how odd, you don't have any other entries in your FORWARD chain before your -A FORWARD -j QUEUE entry do you?

Regards,

Will

On 11/17/05, Rob Campbell <rca...@pc...> wrote:
> It is happening on web traffic, IMAP traffic, and telnet to various ports.
>
> Rob Campbell
> Pacific Coast Wireless Internet
>
> Will Metcalf wrote:
> > sorry it's late missed the "iptables -A FORWARD -j QUEUE" part. Just
> > out of curiosity is it a particular protocol, or does all tcp traffic
> > get dropped?
> >
> > Regards,
> >
> > Will
> >
> > On 11/16/05, Will Metcalf <wil...@gm...> wrote:
> >> Hmmm Are you sure that snort-inline can see the full twh? i.e. are
> >> you queueing both client and server traffic?
> >>
> >> Regards,
> >>
> >> Will
> >>
> >> On 11/16/05, Rob Campbell <rca...@pc...> wrote:
> >>> Hello,
> >>>
> >>> I have been configuring an IPS using snort inline. I am running the
> >>> latest version, 2.4.3RC2. It is running in bridge mode with "iptables
> >>> -A FORWARD -j QUEUE" on the bridge interface. When I have enforce_state
> >>> on, it seems to block all TCP traffic. With a packet capture I do see
> >>> the SYN being sent to the remote host, but I never get any replies. If
> >>> I turn off enforce_state it starts working again.
> >>>
> >>> What are the downsides to turning off enforce_state or stream4inline?
> >>> Thank you.
> >>>
> >>> Rob Campbell
> >>> Pacific Coast Wireless Internet |
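Will's two questions above (does snort_inline see both the client and the server side of the handshake, and is there an entry ahead of the QUEUE rule in the FORWARD chain) can be checked against `iptables -S FORWARD` output. The script below is an added example, not code from this thread or from snort_inline; its rule sets are constructed to mirror the cases discussed, namely a --dport-only rule, the --dport/--sport pair, the catch-all `-A FORWARD -j QUEUE`, and an ACCEPT placed ahead of it.

```shell
#!/bin/sh
# Added example, not code from the thread or from snort_inline.
# Checks whether a FORWARD chain hands BOTH directions of a TCP service to
# the QUEUE target. snort_inline's enforce_state needs to see the whole
# three-way handshake; a chain that queues only the client->server side
# (or ACCEPTs packets before the QUEUE rule) leaves it with half a session,
# and enforce_state drops the connection. Input is `iptables -S FORWARD` text.

# Constructed rule sets (not captured from the reporter's firewall).
ONE_WAY_RULES='-P FORWARD ACCEPT
-A FORWARD -p tcp -m tcp --dport 80 -j QUEUE'

BOTH_WAY_RULES='-P FORWARD ACCEPT
-A FORWARD -p tcp -m tcp --dport 80 -j QUEUE
-A FORWARD -p tcp -m tcp --sport 80 -j QUEUE'

CATCH_ALL_RULES='-P FORWARD ACCEPT
-A FORWARD -i br0 -o br0 -j QUEUE'

EARLY_ACCEPT_RULES='-P FORWARD ACCEPT
-A FORWARD -i br0 -o br0 -j ACCEPT
-A FORWARD -j QUEUE'

# queue_verdict RULES PORT
# Walks the chain top to bottom and prints the first terminating target each
# direction of TCP port PORT reaches, e.g.
#   client->server=QUEUE server->client=ACCEPT
# Interface matches (-i/-o) are ignored; a direction that matches no rule
# falls through to the chain policy.
queue_verdict() {
    printf '%s\n' "$1" | awk -v port="$2" '
        BEGIN { c2s = ""; s2c = ""; policy = "ACCEPT" }
        /^-P FORWARD / { policy = $3; next }
        !/^-A FORWARD / { next }
        {
            target = ""
            if ($0 ~ / -j QUEUE( |$)/)  target = "QUEUE"
            if ($0 ~ / -j ACCEPT( |$)/) target = "ACCEPT"
            if ($0 ~ / -j DROP( |$)/)   target = "DROP"
            if (target == "") next        # LOG etc.: non-terminating, keep walking

            to_srv   = ($0 ~ (" --dport " port " "))   # client -> server packets
            from_srv = ($0 ~ (" --sport " port " "))   # server -> client packets
            catchall = ($0 !~ / --dport /) && ($0 !~ / --sport /)

            # The first terminating rule that matches a direction decides it.
            if (c2s == "" && (catchall || to_srv))   c2s = target
            if (s2c == "" && (catchall || from_srv)) s2c = target
        }
        END {
            if (c2s == "") c2s = policy
            if (s2c == "") s2c = policy
            printf "client->server=%s server->client=%s\n", c2s, s2c
        }'
}

# queue_check RULES PORT: prints the verdict, returns 0 only if both sides are queued.
queue_check() {
    verdict=$(queue_verdict "$1" "$2")
    echo "$verdict"
    [ "$verdict" = "client->server=QUEUE server->client=QUEUE" ]
}

for name in ONE_WAY_RULES BOTH_WAY_RULES CATCH_ALL_RULES EARLY_ACCEPT_RULES; do
    eval "rules=\$$name"
    printf '%-20s ' "$name"
    if queue_check "$rules" 80; then
        :
    else
        echo "  -> snort_inline will not see the full handshake on port 80"
    fi
done
```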
From: Rob C. <rca...@pc...> - 2005-11-17 16:16:53
|
It is happening on web traffic, IMAP traffic, and telnet to various ports.

Rob Campbell
Pacific Coast Wireless Internet

Will Metcalf wrote:
> sorry it's late missed the "iptables -A FORWARD -j QUEUE" part. Just
> out of curiosity is it a particular protocol, or does all tcp traffic
> get dropped?
>
> Regards,
>
> Will
>
> On 11/16/05, Will Metcalf <wil...@gm...> wrote:
>> Hmmm Are you sure that snort-inline can see the full twh? i.e. are
>> you queueing both client and server traffic?
>>
>> Regards,
>>
>> Will
>>
>> On 11/16/05, Rob Campbell <rca...@pc...> wrote:
>>> Hello,
>>>
>>> I have been configuring an IPS using snort inline. I am running the
>>> latest version, 2.4.3RC2. It is running in bridge mode with "iptables
>>> -A FORWARD -j QUEUE" on the bridge interface. When I have enforce_state
>>> on, it seems to block all TCP traffic. With a packet capture I do see
>>> the SYN being sent to the remote host, but I never get any replies. If
>>> I turn off enforce_state it starts working again.
>>>
>>> What are the downsides to turning off enforce_state or stream4inline?
>>> Thank you.
>>>
>>> Rob Campbell
>>> Pacific Coast Wireless Internet |
From: Will M. <wil...@gm...> - 2005-11-17 05:31:26
|
sorry it's late missed the "iptables -A FORWARD -j QUEUE" part. Just out of curiosity is it a particular protocol, or does all tcp traffic get dropped?

Regards,

Will

On 11/16/05, Will Metcalf <wil...@gm...> wrote:
> Hmmm Are you sure that snort-inline can see the full twh? i.e. are
> you queueing both client and server traffic?
>
> Regards,
>
> Will
>
> On 11/16/05, Rob Campbell <rca...@pc...> wrote:
> > Hello,
> >
> > I have been configuring an IPS using snort inline. I am running the
> > latest version, 2.4.3RC2. It is running in bridge mode with "iptables
> > -A FORWARD -j QUEUE" on the bridge interface. When I have enforce_state
> > on, it seems to block all TCP traffic. With a packet capture I do see
> > the SYN being sent to the remote host, but I never get any replies. If
> > I turn off enforce_state it starts working again.
> >
> > What are the downsides to turning off enforce_state or stream4inline?
> > Thank you.
> >
> > Rob Campbell
> > Pacific Coast Wireless Internet |
From: Will M. <wil...@gm...> - 2005-11-17 05:29:46
|
Hmmm Are you sure that snort-inline can see the full twh? i.e. are you queueing both client and server traffic?

Regards,

Will

On 11/16/05, Rob Campbell <rca...@pc...> wrote:
> Hello,
>
> I have been configuring an IPS using snort inline. I am running the
> latest version, 2.4.3RC2. It is running in bridge mode with "iptables
> -A FORWARD -j QUEUE" on the bridge interface. When I have enforce_state
> on, it seems to block all TCP traffic. With a packet capture I do see
> the SYN being sent to the remote host, but I never get any replies. If
> I turn off enforce_state it starts working again.
>
> What are the downsides to turning off enforce_state or stream4inline?
> Thank you.
>
> Rob Campbell
> Pacific Coast Wireless Internet |
From: Rob C. <rca...@pc...> - 2005-11-17 01:03:43
|
Hello,

I have been configuring an IPS using snort inline. I am running the latest version, 2.4.3RC2. It is running in bridge mode with "iptables -A FORWARD -j QUEUE" on the bridge interface. When I have enforce_state on, it seems to block all TCP traffic. With a packet capture I do see the SYN being sent to the remote host, but I never get any replies. If I turn off enforce_state it starts working again.

What are the downsides to turning off enforce_state or stream4inline? Thank you.

Rob Campbell
Pacific Coast Wireless Internet |
From: Victor J. <vi...@nk...> - 2005-11-15 12:53:05
|
masaleh wrote:
> Hi,
>
>
> If I want to run inline mode, can snort_inline 2.3.0-RC1 be compiled on
> XP? (I have successfully installed it on Linux.)

Snort_inline currently only works on Linux and FreeBSD. AFAIK there are no plans for Windows support.

Regards,
Victor |
From: masaleh <ma...@tm...> - 2005-11-14 10:16:19
|
Hi,

If I want to run inline mode, can snort_inline 2.3.0-RC1 be compiled on XP? (I have successfully installed it on Linux.)

Regds,
masaleh |
From: chima s <ch...@gm...> - 2005-11-14 04:12:23
|
Hi, is it "preprocessor stream4_reassemble"? Is this to be turned on or turned off, and in case it has to be turned off, how do I do that?

Regards
Sathyan

On 11/10/05, Adayadil Thomas <ada...@gm...> wrote:
>
> what about stream_reassembly preprocessor. Do you have that turned on ?
>
>
>
> On 11/10/05, Dino Dragovic <dra...@gf...> wrote:
> > Hello Sathyanss,
> >
> > what about your rules, did you disable rules you don't need ?
> >
> > regards,
> >
> > Dino
> >
> > >Hi,
> > >
> > >I am using snort_inline-2.3.0-RC1 on linux kernel 2.4.25 (server is in
> > >bridge mode) and working fine with 50 MB of traffic. Yesterday i have
> > >upgraded my snort server to GIGE(fiber) module and diverted 30 MB more
> > >traffic to snort , but after that all the users are experiencing slow
> > >browsing and pages are opening very slow.
> > >
> > >
> > >Can any one suggest to fine tune the Snort (currently using standard
> > >configuration) and OS to perform better with 150 to 200 MB traffic.
> > >
> > >Below is the hardware configuration
> > >
> > >P4 Intel(R) Xeon(TM) CPU 3.00GHz (Dual)
> > >2 GB RAM
> > >Intel GIGE (fiber) NIC
> > >
> > >
> > >Iptables rule
> > >
> > >iptables -I FORWARD -s x.x.x.x/16 -j QUEUE
> > >
> > >
> > >Regards
> > >Sathyan
> >
> > --
> > This message was scanned for spam and viruses by Trinity & BitDefender.
> >
> > -------------------------------------------------------
> > SF.Net email is sponsored by:
> > Tame your development challenges with Apache's Geronimo App Server. Download
> > it for free - -and be entered to win a 42" plasma tv or your very own
> > Sony(tm)PSP. Click here to play: http://sourceforge.net/geronimo.php
> > _______________________________________________
> > Snort-inline-users mailing list
> > Sno...@li...
> > https://lists.sourceforge.net/lists/listinfo/snort-inline-users |
From: Victor J. <vi...@nk...> - 2005-11-13 14:48:35
|
guest01 wrote:
> Hi!
>
> I have to integrate snort in a linux firewall (Debian) and therefore I
> have a few questions:
>
> - I am planning to let the user decide whether to use snort as a NIDS or
> inline as an IPS. In my opinion all I need is a snort package compiled
> with the --enable-inline flag and depending on the command line flag,
> snort starts as a NIDS or IPS, am I right?

Yes.

> - Which other requirements do I have to fulfil for inlinesnort?
> : Do I have to use the interfaces in the Bridging Mode? In my opinion I
> can command iptables to route the whole traffic WITHOUT Bridging Mode,
> am I right?

Yes, it runs fine without a bridge setup.

> : Changing the IDS rules (i.e. with the snortconfig tool)

Yes.

Regards,
Victor |