From: guest01 <gu...@gm...> - 2005-11-13 13:58:31

Hi! I have to integrate snort in a linux firewall (Debian) and therefore I have a few questions:

- I am planning to let the user decide whether to use snort as a NIDS or inline as an IPS. In my opinion all I need is a snort package compiled with the --enable-inline flag, and depending on the command line flag snort starts as a NIDS or IPS, am I right?
- Which other requirements do I have to fulfil for inline snort?
  : Do I have to use the interfaces in Bridging Mode? In my opinion I can command iptables to route the whole traffic WITHOUT Bridging Mode, am I right?
  : Changing the IDS rules (i.e. with the snortconfig tool)

Thanks for helping guys! :-)

regards
peda
From: chima s <ch...@gm...> - 2005-11-11 04:39:21

Hi,

Below is the list of preprocessors configured:

    preprocessor flow: stats_interval 0 hash 2
    preprocessor frag2: timeout 60, memcap 4194304
    preprocessor stream4: disable_evasion_alerts
    preprocessor stream4_reassemble
    preprocessor http_inspect: global \
    preprocessor http_inspect_server: server default \
    preprocessor rpc_decode: 111 32771
    preprocessor telnet_decode: 23 25 21 119
    preprocessor conversation: timeout 120, max_conversations 65335

Regards
Sathyan

On 11/11/05, chima s <ch...@gm...> wrote:
> HI,
>
> I do not have any idea on the preprocessor, and the same was not configured in
> the snort.conf.
>
> What is the stream_reassembly preprocessor and do I need to configure it?
>
> Regards
> Sathyan
>
> On 11/10/05, Adayadil Thomas <ada...@gm...> wrote:
> > What about the stream_reassembly preprocessor? Do you have that turned on?
> >
> > On 11/10/05, Dino Dragovic <dra...@gf...> wrote:
> > > Hello Sathyanss,
> > >
> > > what about your rules, did you disable rules you don't need?
> > >
> > > regards,
> > >
> > > Dino
> > >
> > > > Hi,
> > > >
> > > > I am using snort_inline-2.3.0-RC1 on linux kernel 2.4.25 (server is in
> > > > bridge mode) and working fine with 50 MB of traffic. Yesterday I have
> > > > upgraded my snort server to GIGE (fiber) module and diverted 30 MB more
> > > > traffic to snort, but after that all the users are experiencing slow
> > > > browsing and pages are opening very slow.
> > > >
> > > > Can any one suggest to fine tune the Snort (currently using standard
> > > > configuration) and OS to perform better with 150 to 200 MB traffic.
> > > >
> > > > Below is the hardware configuration
> > > >
> > > > P4 Intel(R) Xeon(TM) CPU 3.00GHz (Dual)
> > > > 2 GB RAM
> > > > Intel GIGE (fiber) NIC
> > > >
> > > > Iptables rule
> > > >
> > > > iptables -I FORWARD -s x.x.x.x/16 -j QUEUE
> > > >
> > > > Regards
> > > > Sathyan
> > >
> > > --
> > > This message was scanned for spam and viruses by Trinity & BitDefender.
> > >
> > > -------------------------------------------------------
> > > SF.Net email is sponsored by:
> > > Tame your development challenges with Apache's Geronimo App Server. Download
> > > it for free - and be entered to win a 42" plasma tv or your very own
> > > Sony(tm)PSP. Click here to play: http://sourceforge.net/geronimo.php
> > > _______________________________________________
> > > Snort-inline-users mailing list
> > > Sno...@li...
> > > https://lists.sourceforge.net/lists/listinfo/snort-inline-users
From: chima s <ch...@gm...> - 2005-11-11 04:35:20

HI,

I do not have any idea on the preprocessor, and the same was not configured in the snort.conf.

What is the stream_reassembly preprocessor and do I need to configure it?

Regards
Sathyan

On 11/10/05, Adayadil Thomas <ada...@gm...> wrote:
> What about the stream_reassembly preprocessor? Do you have that turned on?
>
> On 11/10/05, Dino Dragovic <dra...@gf...> wrote:
> > Hello Sathyanss,
> >
> > what about your rules, did you disable rules you don't need?
> >
> > regards,
> >
> > Dino
> >
> > > Hi,
> > >
> > > I am using snort_inline-2.3.0-RC1 on linux kernel 2.4.25 (server is in
> > > bridge mode) and working fine with 50 MB of traffic. Yesterday I have
> > > upgraded my snort server to GIGE (fiber) module and diverted 30 MB more
> > > traffic to snort, but after that all the users are experiencing slow
> > > browsing and pages are opening very slow.
> > >
> > > Can any one suggest to fine tune the Snort (currently using standard
> > > configuration) and OS to perform better with 150 to 200 MB traffic.
> > >
> > > Below is the hardware configuration
> > >
> > > P4 Intel(R) Xeon(TM) CPU 3.00GHz (Dual)
> > > 2 GB RAM
> > > Intel GIGE (fiber) NIC
> > >
> > > Iptables rule
> > >
> > > iptables -I FORWARD -s x.x.x.x/16 -j QUEUE
> > >
> > > Regards
> > > Sathyan
From: Adayadil T. <ada...@gm...> - 2005-11-10 15:04:15

What about the stream_reassembly preprocessor? Do you have that turned on?

On 11/10/05, Dino Dragovic <dra...@gf...> wrote:
> Hello Sathyanss,
>
> what about your rules, did you disable rules you don't need?
>
> regards,
>
> Dino
>
> > Hi,
> >
> > I am using snort_inline-2.3.0-RC1 on linux kernel 2.4.25 (server is in
> > bridge mode) and working fine with 50 MB of traffic. Yesterday I have
> > upgraded my snort server to GIGE (fiber) module and diverted 30 MB more
> > traffic to snort, but after that all the users are experiencing slow
> > browsing and pages are opening very slow.
> >
> > Can any one suggest to fine tune the Snort (currently using standard
> > configuration) and OS to perform better with 150 to 200 MB traffic.
> >
> > Below is the hardware configuration
> >
> > P4 Intel(R) Xeon(TM) CPU 3.00GHz (Dual)
> > 2 GB RAM
> > Intel GIGE (fiber) NIC
> >
> > Iptables rule
> >
> > iptables -I FORWARD -s x.x.x.x/16 -j QUEUE
> >
> > Regards
> > Sathyan
From: Dino D. <dra...@gf...> - 2005-11-10 11:46:20

Hello Sathyanss,

what about your rules, did you disable rules you don't need?

regards,

Dino

> Hi,
>
> I am using snort_inline-2.3.0-RC1 on linux kernel 2.4.25 (server is in
> bridge mode) and working fine with 50 MB of traffic. Yesterday I have
> upgraded my snort server to GIGE (fiber) module and diverted 30 MB more
> traffic to snort, but after that all the users are experiencing slow
> browsing and pages are opening very slow.
>
> Can any one suggest to fine tune the Snort (currently using standard
> configuration) and OS to perform better with 150 to 200 MB traffic.
>
> Below is the hardware configuration
>
> P4 Intel(R) Xeon(TM) CPU 3.00GHz (Dual)
> 2 GB RAM
> Intel GIGE (fiber) NIC
>
> Iptables rule
>
> iptables -I FORWARD -s x.x.x.x/16 -j QUEUE
>
> Regards
> Sathyan
From: ss b. <ch...@gm...> - 2005-11-10 11:36:53

Hi,

I am using snort_inline-2.3.0-RC1 on linux kernel 2.4.25 (server is in bridge mode) and working fine with 50 MB of traffic. Yesterday I have upgraded my snort server to a GIGE (fiber) module and diverted 30 MB more traffic to snort, but after that all the users are experiencing slow browsing and pages are opening very slowly.

Can any one suggest how to fine tune the Snort (currently using standard configuration) and OS to perform better with 150 to 200 MB traffic?

Below is the hardware configuration:

    P4 Intel(R) Xeon(TM) CPU 3.00GHz (Dual)
    2 GB RAM
    Intel GIGE (fiber) NIC

Iptables rule:

    iptables -I FORWARD -s x.x.x.x/16 -j QUEUE

Regards
Sathyan
From: Adrian S. <soo...@gm...> - 2005-11-10 00:21:55

I don't know whether Sourcefire uses snort-inline or not, but I do know that one limitation they have run into in the past with their IPSs and IDSs is the database. The database is a bottleneck that I think many people overlook. They may use snort-inline, but what gives them and a few other IPS vendors their "competitive edge", if you will, is the database that collects all their information.

I've never used an IPS from ISS, but I hear they don't bother logging alerts in as great detail as Sourcefire's and others' IPSs do because of the database problem. For example, when MySQL or Oracle get a million or so records, record insertion rates drop down to somewhere in the hundreds per second (or slower, depending on the database schema and how many indexes you have - the more indexes, the slower the insertion rates) -- not good if you're on a busy network or have one database collecting alerts for many sensors!

I think they use a proprietary high-speed database that they license from some other company. The database boasts they can do orders of magnitude more insertions per second, even with hundreds of millions of records (Oracle will fall on its face with that many records!). The database also has a crazy fast record retrieval rate, even when there are millions of records to search through.

For users that have a small internet pipe, perhaps this solution will work. But when getting into the 30, 100 mbit or gigabit space, the database is going to be the biggest bottleneck. You wouldn't be able to use one of these honeywall or live-cd IPSs to protect an internal network, if there are alerts being generated.

-Adrian

On 11/8/05, Richard Compton <ric...@gm...> wrote:
> Ok, so that's the answer? Sourcefire uses an older version of snort_inline
> which is developed by William Metcalf and others for their "SC best buy"
> IPS. I'm running a newer version of snort-inline and it was free. I'd say
> that's the real "best buy" :)
>
> It occurs to me that it would be very convenient for folks out there to
> have a live cd or an install cd that would have the OS, snort-inline,
> iptables, clamav, base, ntop, etc preconfigured so users could just download
> the cd, install it on a box w/ 3 ethernet interfaces and PRESTO! you have an
> IPS.
>
> Maybe the honeywall cd could be modified? It has pretty much everything
> listed.
>
> Any comments?
>
> On 11/7/05, Nick Rogness <ni...@ro...> wrote:
> > > I am not subscribed to the list from this address so please copy me on
> > > any replies.
> > >
> > > Nick Rogness wrote:
> > > > > Sourcefire maintains and uses the inline capabilities of snort proper
> > > > >
> > > > > EG:
> > > > >
> > > > > $ wget http://www.snort.org/dl/current/snort-2.4.3.tar.gz
> > > > > $ tar -xvzf snort-2.4.3.tar.gz
> > > > > $ cd snort-2.4.3
> > > > > $ ./configure --enable-inline && make && make install
> > > >
> > > > I would be very surprised if SourceFire is using snort_inline for
> > > > their production branch. More likely, it is a modified version of
> > > > snort+flexresponse. Is anyone at SourceFire on this list that could
> > > > comment?
> > >
> > > Sourcefire does not use snort-inline or a modified version of
> > > snort+flexresp, we maintain and use the inline capabilities of snort
> > > proper.
> > >
> > > The same capabilities are available in Snort from
> > > http://www.snort.org/dl and can be enabled by fetching the latest
> > > sources and enabling inline mode by doing ./configure --enable-inline
> > > during the build process.
> >
> > Ummm, that IS snort_inline then (an older version patch). I'll be
> > damned...
> >
> > Nick Rogness <ni...@ro...>
>
> --
> Thanks,
> Rich Compton
From: Richard C. <ric...@gm...> - 2005-11-09 04:22:19

Ok, so that's the answer? Sourcefire uses an older version of snort_inline which is developed by William Metcalf and others for their "SC best buy" IPS. I'm running a newer version of snort-inline and it was free. I'd say that's the real "best buy" :)

It occurs to me that it would be very convenient for folks out there to have a live cd or an install cd that would have the OS, snort-inline, iptables, clamav, base, ntop, etc preconfigured so users could just download the cd, install it on a box w/ 3 ethernet interfaces and PRESTO! you have an IPS.

Maybe the honeywall cd could be modified? It has pretty much everything listed.

Any comments?

On 11/7/05, Nick Rogness <ni...@ro...> wrote:
> > I am not subscribed to the list from this address so please copy me on
> > any replies.
> >
> > Nick Rogness wrote:
> > > > Sourcefire maintains and uses the inline capabilities of snort proper
> > > >
> > > > EG:
> > > >
> > > > $ wget http://www.snort.org/dl/current/snort-2.4.3.tar.gz
> > > > $ tar -xvzf snort-2.4.3.tar.gz
> > > > $ cd snort-2.4.3
> > > > $ ./configure --enable-inline && make && make install
> > >
> > > I would be very surprised if SourceFire is using snort_inline for
> > > their production branch. More likely, it is a modified version of
> > > snort+flexresponse. Is anyone at SourceFire on this list that could
> > > comment?
> >
> > Sourcefire does not use snort-inline or a modified version of
> > snort+flexresp, we maintain and use the inline capabilities of snort
> > proper.
> >
> > The same capabilities are available in Snort from
> > http://www.snort.org/dl and can be enabled by fetching the latest
> > sources and enabling inline mode by doing ./configure --enable-inline
> > during the build process.
>
> Ummm, that IS snort_inline then (an older version patch). I'll be
> damned...
>
> Nick Rogness <ni...@ro...>

--
Thanks,
Rich Compton
From: Nick R. <ni...@ro...> - 2005-11-08 02:35:55

> I am not subscribed to the list from this address so please copy me on
> any replies.
>
> Nick Rogness wrote:
> > > Sourcefire maintains and uses the inline capabilities of snort proper
> > >
> > > EG:
> > >
> > > $ wget http://www.snort.org/dl/current/snort-2.4.3.tar.gz
> > > $ tar -xvzf snort-2.4.3.tar.gz
> > > $ cd snort-2.4.3
> > > $ ./configure --enable-inline && make && make install
> >
> > I would be very surprised if SourceFire is using snort_inline for
> > their production branch. More likely, it is a modified version of
> > snort+flexresponse. Is anyone at SourceFire on this list that could
> > comment?
>
> Sourcefire does not use snort-inline or a modified version of
> snort+flexresp, we maintain and use the inline capabilities of snort
> proper.
>
> The same capabilities are available in Snort from
> http://www.snort.org/dl and can be enabled by fetching the latest
> sources and enabling inline mode by doing ./configure --enable-inline
> during the build process.

Ummm, that IS snort_inline then (an older version patch). I'll be damned...

Nick Rogness <ni...@ro...>
From: Victor J. <vi...@nk...> - 2005-11-07 20:20:05

Hi Adrian,

> You mentioned that in this release, stream4inline was re-written. Did
> it resolve this bug I found more than three months ago? I think it
> had to do with out-of-order packets? Could you explain to me what the
> old stream4inline did, and how the new stream4inline resolves a few
> issues?
>
> http://sourceforge.net/mailarchive/message.php?msg_id=12489363

I think we did, we have not been able to crash it in a long time. From the top of my head there were multiple issues:

1. we couldn't handle sequence number wraps
2. we no longer adjust base_seq on alerts because we don't flush the stream on an alert like plain stream4 does.
3. we are more intelligent on adjusting base_seq on truncating the stream

> I'm excited to give it a beating and see if it works. The multiple
> copies of Snort seem to be really cool! I could use a load-balancing
> iptables module and triple the throughput on my IPS on a 4-cpu box,
> that's cool.

Cool, please let us know how it works!

Regards,
Victor
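The two stream4inline points above (sequence number wraps, and moving base_seq only when the stream is truncated) come down to doing sequence arithmetic modulo 2^32. The block below is an added illustration, not snort_inline's code: a naive window check beside a wrap-aware one, and a minimal reassembly buffer whose base_seq survives the 0xFFFFFFFF to 0 wrap. The StreamBuffer class, its window default and the demo segments are all constructed for this example.

```python
"""Wrap-aware TCP sequence number handling for an inline stream reassembler.

Added illustration (not stream4inline code). Sequence numbers are 32-bit and
wrap from 0xFFFFFFFF to 0, so plain integer comparison misorders segments that
straddle the wrap; the fix is signed modular difference (RFC 793 style).
"""
from typing import Dict, Tuple

SEQ_MASK = 0xFFFFFFFF
SEQ_MOD = 1 << 32


def seq_diff(a: int, b: int) -> int:
    """Signed distance from b to a in 32-bit modular space.

    Positive: a is after b; negative: a is before b. Valid while the two are
    less than 2**31 apart, which always holds for a real TCP window.
    """
    d = (a - b) & SEQ_MASK
    return d - SEQ_MOD if d & 0x80000000 else d


def seq_after(a: int, b: int) -> bool:
    """True if a comes after b, correct across the wrap."""
    return seq_diff(a, b) > 0


def naive_in_window(base_seq: int, window: int, seq: int) -> bool:
    """The broken check: assumes base_seq + window never wraps."""
    return base_seq <= seq < base_seq + window


def in_window(base_seq: int, window: int, seq: int) -> bool:
    """Wrap-aware check: is seq inside [base_seq, base_seq + window)?"""
    return 0 <= seq_diff(seq, base_seq) < window


class StreamBuffer:
    """Minimal one-direction reassembly buffer keyed by absolute sequence number.

    base_seq is the sequence number of the first byte still held. It moves only
    when the buffer is explicitly truncated, never because an alert fired.
    """

    def __init__(self, isn: int, window: int = 65535):
        self.base_seq = isn & SEQ_MASK
        self.window = window
        self.segments: Dict[int, bytes] = {}

    def add_segment(self, seq: int, data: bytes) -> bool:
        """Keep the segment if it starts inside the window; report whether kept."""
        seq &= SEQ_MASK
        if not data or not in_window(self.base_seq, self.window, seq):
            return False
        self.segments[seq] = data
        return True

    def contiguous(self) -> bytes:
        """Bytes available from base_seq without gaps, ordered wrap-aware."""
        out = bytearray()
        expect = self.base_seq
        for seq in sorted(self.segments, key=lambda s: seq_diff(s, self.base_seq)):
            if seq != expect:
                break  # gap: stop at the first missing byte
            out += self.segments[seq]
            expect = (expect + len(self.segments[seq])) & SEQ_MASK
        return bytes(out)

    def truncate(self, nbytes: int) -> None:
        """Drop the first nbytes of the stream and advance base_seq across the wrap.

        Segments entirely below the new base are discarded; one that straddles
        it is trimmed and re-keyed at the new base.
        """
        self.base_seq = (self.base_seq + nbytes) & SEQ_MASK
        kept: Dict[int, bytes] = {}
        for seq, data in self.segments.items():
            d = seq_diff(seq, self.base_seq)
            if d >= 0:
                kept[seq] = data
            elif d + len(data) > 0:
                kept[self.base_seq] = data[-d:]  # -d bytes fall below the new base
        self.segments = kept


def wrap_demo() -> Tuple[bytes, int, bytes]:
    """Constructed scenario: two segments straddling the wrap, then a truncate."""
    buf = StreamBuffer(isn=0xFFFFFFFC)
    buf.add_segment(0xFFFFFFFC, b"abcd")  # last four bytes before the wrap
    buf.add_segment(0x00000000, b"efgh")  # first four bytes after it
    joined = buf.contiguous()
    buf.truncate(6)
    return joined, buf.base_seq, buf.contiguous()


if __name__ == "__main__":
    print("naive:", naive_in_window(0xFFFFFF00, 4096, 0x100),
          "wrap-aware:", in_window(0xFFFFFF00, 4096, 0x100))
    print(wrap_demo())
```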
From: Nick R. <ni...@ro...> - 2005-11-07 19:56:45

> Sourcefire maintains and uses the inline capabilities of snort proper
>
> EG:
>
> $ wget http://www.snort.org/dl/current/snort-2.4.3.tar.gz
> $ tar -xvzf snort-2.4.3.tar.gz
> $ cd snort-2.4.3
> $ ./configure --enable-inline && make && make install

I would be very surprised if SourceFire is using snort_inline for their production branch. More likely, it is a modified version of snort+flexresponse. Is anyone at SourceFire on this list that could comment?

> Richard Compton wrote:
> > Sourcefire has their own line of IPSs that sit inline and block
> > traffic. Do these devices just use snort-inline or do they have some
> > proprietary code that they use for their IPS? Anybody have any
> > experience w/ these IPSs?
> >
> > --
> > Thanks,
> > Rich Compton

Nick Rogness <ni...@ro...>
From: Adrian S. <soo...@gm...> - 2005-11-07 19:51:38

Victor,

You mentioned that in this release, stream4inline was re-written. Did it resolve this bug I found more than three months ago? I think it had to do with out-of-order packets? Could you explain to me what the old stream4inline did, and how the new stream4inline resolves a few issues?

http://sourceforge.net/mailarchive/message.php?msg_id=12489363

I'm excited to give it a beating and see if it works. The multiple copies of Snort seem to be really cool! I could use a load-balancing iptables module and triple the throughput on my IPS on a 4-cpu box, that's cool.

-Adrian

On 11/5/05, Victor Julien <vi...@nk...> wrote:
> Hi everyone!
>
> Today is the day Will is getting married with his bride Lindsay. That's
> why today's release is dubbed "The Wedding Release". Before I tell you
> guys about the release I want to wish William and Lindsay all the best
> together! Congratulations and have fun on your honeymoon!
>
> Ok, back to Snort_inline. The jump in version from 2.3.0RC1 to
> 2.4.3RC2 makes clear that the last couple of months both Will and I have
> been very busy with mostly real-life stuff like work, study, his
> marriage, etc. We hope to be able to update Snort_inline much more and
> faster in the future.
>
> Finally we are able to present you a new version, with the great help of
> Nick Rogness (FreeBSD support), Dave Remien (netfilter netlink queue
> support) and Ricardo Patino (debugging stream4inline).
>
> So what's new in this release:
> - rewritten stream4inline support.
> - netfilter netlink queue support, supporting multiple instances of
> snort_inline on Linux 2.6.14+. Written by Dave Remien.
> - bait and switch preprocessor allowing to redirect attackers to another
> ipaddress (currently Linux only).
> - updated clamav preprocessor.
> - snort_inline manual page. Written by Nick Rogness.
> - switch from libnet to libdnet: no more libnet 1.0.2a :-)
>
> Downloading, compiling and installing:
>
> NOTE: you need libdnet to compile Snort_inline now!
>
> - You first need to download Snort 2.4.3:
> http://www.snort.org/dl/current/snort-2.4.3.tar.gz
> - Then download the patch:
> http://sourceforge.net/tracker/download.php?group_id=78497&atid=553469&file_id=155116&aid=1349079
> - check its md5 checksum: 0215e3c71f6dd824db8b08fda6bf7b79
> - unzip the patchfile: gunzip snort_inline-2.4.3RC2.diff.gz
> - Extract the snort archive and apply the patch like this: patch -p0 <
> /path/to/snort_inline-2.4.3RC2.diff
> - Enter the directory snort-2.4.3 and execute the 'autojunk.sh' script.
> - run configure, make, make install
> - done!
>
> Please give this release some serious beating and report all problems to
> the list.
>
> Regards,
> Victor
From: Victor J. <vi...@nk...> - 2005-11-07 13:32:39

Kee Huat wrote:
> Hi, I followed your instructions however I am having problems when I do
> a straight forward configure
>
> checking for libipq.h... yes
> checking for ipq_set_mode in -lipq... yes
> checking dnet.h usability... yes
> checking dnet.h presence... yes
> checking for dnet.h... yes
> checking for eth_set in -ldnet... no
>
> ERROR! Libdnet header not found, go get it from
> http://libdnet.sourceforge.net or use the --with-dnet-*
> options, if you have it installed in an unusual place
>
> I have installed libdnet from source but I still get the problem

Which version of libdnet did you install? Where did you install the lib? If in /usr/local/lib you might need to add that path to /etc/ld.so.conf

Regards,
Victor
From: Kee H. <ke...@bi...> - 2005-11-07 09:51:43

Hi, I followed your instructions however I am having problems when I do a straight forward configure:

    checking for libipq.h... yes
    checking for ipq_set_mode in -lipq... yes
    checking dnet.h usability... yes
    checking dnet.h presence... yes
    checking for dnet.h... yes
    checking for eth_set in -ldnet... no

    ERROR! Libdnet header not found, go get it from
    http://libdnet.sourceforge.net or use the --with-dnet-*
    options, if you have it installed in an unusual place

I have installed libdnet from source but I still get the problem.

Please advise

Regards,
Kee Huat
From: Eric H. <eri...@ap...> - 2005-11-07 01:25:16

For a company whose founder created Snort, built appliances powered by Snort, and put the effort in to integrating Snort-Inline in to the Snort codebase, I would find it highly unlikely that they would use anything but.. Especially since their appliances use Snort signatures. Any Snort-based product company, such as Countersnipe, Sourcefire, Demarc, even Applied Watch, any IPS capabilities announced by these companies you can believe is most likely powered by Snort-Inline. Especially if the solutions use Snort signatures.

The only other snort-based IPS that I am aware of other than Snort-Inline is Hogwash, however, I'm not aware of any commercial company that uses it. It would be interesting to hear if anyone is actually using it. Side note, last I heard, the Hogwash project was dead but from what I can see on the project page, it may be picking back up.

Best Regards,

Eric Hines, GCIA, CISSP
CEO, President, Chairman
Applied Watch Technologies, LLC
---------------------------------------------------
Headquarters: 1095 Pingree Road Suite 213, Crystal Lake, IL 60014
Virginia Office: 4524 Waverly Crossing Lane (DoD/Intelligence), Chantilly, Va. 20151
TS/SCI Cleared Personnel
---------------------------------------------------
Web Site: http://www.appliedwatch.com
Tel: (877) 262-7593
Direct: (877) 262-7593 ext:327
Cell: (847) 456-6785
---------------------------------------------------

Victor Julien wrote:
> On Saturday 05 November 2005 18:53, Richard Compton wrote:
> > Sourcefire has their own line of IPSs that sit inline and block traffic. Do
> > these devices just use snort-inline or do they have some proprietary code
> > that they use for their IPS? Anybody have any experience w/ these IPSs?
>
> As far as I know they don't use Snort_inline...
>
> Regards,
> Victor
From: Jason <sec...@br...> - 2005-11-07 01:04:59

Sourcefire maintains and uses the inline capabilities of snort proper

EG:

    $ wget http://www.snort.org/dl/current/snort-2.4.3.tar.gz
    $ tar -xvzf snort-2.4.3.tar.gz
    $ cd snort-2.4.3
    $ ./configure --enable-inline && make && make install

Richard Compton wrote:
> Sourcefire has their own line of IPSs that sit inline and block
> traffic. Do these devices just use snort-inline or do they have some
> proprietary code that they use for their IPS? Anybody have any
> experience w/ these IPSs?
>
> --
> Thanks,
> Rich Compton
From: Victor J. <vi...@nk...> - 2005-11-05 19:19:34

On Saturday 05 November 2005 18:53, Richard Compton wrote:
> Sourcefire has their own line of IPSs that sit inline and block traffic. Do
> these devices just use snort-inline or do they have some proprietary code
> that they use for their IPS? Anybody have any experience w/ these IPSs?

As far as I know they don't use Snort_inline...

Regards,
Victor
From: Richard C. <ric...@gm...> - 2005-11-05 17:53:45

Sourcefire has their own line of IPSs that sit inline and block traffic. Do these devices just use snort-inline or do they have some proprietary code that they use for their IPS? Anybody have any experience w/ these IPSs?

--
Thanks,
Rich Compton
From: Victor J. <vi...@nk...> - 2005-11-05 16:01:44

Hi everyone!

Today is the day Will is getting married with his bride Lindsay. That's why today's release is dubbed "The Wedding Release". Before I tell you guys about the release I want to wish William and Lindsay all the best together! Congratulations and have fun on your honeymoon!

Ok, back to Snort_inline. The jump in version from 2.3.0RC1 to 2.4.3RC2 makes clear that the last couple of months both Will and I have been very busy with mostly real-life stuff like work, study, his marriage, etc. We hope to be able to update Snort_inline much more and faster in the future.

Finally we are able to present you a new version, with the great help of Nick Rogness (FreeBSD support), Dave Remien (netfilter netlink queue support) and Ricardo Patino (debugging stream4inline).

So what's new in this release:
- rewritten stream4inline support.
- netfilter netlink queue support, supporting multiple instances of snort_inline on Linux 2.6.14+. Written by Dave Remien.
- bait and switch preprocessor allowing to redirect attackers to another ipaddress (currently Linux only).
- updated clamav preprocessor.
- snort_inline manual page. Written by Nick Rogness.
- switch from libnet to libdnet: no more libnet 1.0.2a :-)

Downloading, compiling and installing:

NOTE: you need libdnet to compile Snort_inline now!

- You first need to download Snort 2.4.3: http://www.snort.org/dl/current/snort-2.4.3.tar.gz
- Then download the patch: http://sourceforge.net/tracker/download.php?group_id=78497&atid=553469&file_id=155116&aid=1349079
- check its md5 checksum: 0215e3c71f6dd824db8b08fda6bf7b79
- unzip the patchfile: gunzip snort_inline-2.4.3RC2.diff.gz
- Extract the snort archive and apply the patch like this: patch -p0 < /path/to/snort_inline-2.4.3RC2.diff
- Enter the directory snort-2.4.3 and execute the 'autojunk.sh' script.
- run configure, make, make install
- done!

Please give this release some serious beating and report all problems to the list.

Regards,
Victor
From: Javier R. P. <jr...@on...> - 2005-11-03 03:32:07

Hi, I've been playing with snort-inline, it works great, I just have a doubt. When snort_inline matches a rule, for example for msn login:

    CHAT MSN login attempt [Classification: Potential Corporate Privacy Violation] [Priority: 1]: {TCP} 192.168.1.198:1146 -> 65.54.239.20:1863

This rule was only alerting, so I put drop, and I get:

    CHAT MSN login attempt [Classification: Potential Corporate Privacy Violation] [Priority: 1]: {TCP} 192.168.1.214:2697 -> 65.54.239.20:1863

Now this rule was dropping, I know it is really dropping because I cannot connect to the msn server, but I cannot really prove that it is blocking for example spyware, just watching syslog. Is there a form to show in syslog if it is alert or dropping or rejecting?
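The syslog line format quoted above names the rule msg, classification, priority and endpoints but not the action, so the action has to be recovered by matching the logged hit back to the loaded rules. The block below is an added example, not code from this thread or from the Snort project: it parses rule headers and options, parses syslog alert bodies (optionally prefixed with the [gid:sid:rev] tag, assumed here as an optional form), and tags each hit with alert, drop, or unknown. The rule set and log lines are constructed; the eDonkey rule is the one quoted further down this thread (switched to drop), while the MSN rule and its sid 9000001 are placeholders.

```python
"""Correlate snort_inline syslog alerts with the action of the rule that fired.

Added example, not thread or Snort project code. The syslog body carries the
rule msg but not the action, so the action is looked up in the loaded rules:
by sid when the line has a [gid:sid:rev] prefix (assumed optional here),
otherwise by exact msg text. All sample data below is constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Rule header: action proto src sport dir dst dport (options)
RULE_RE = re.compile(
    r'^(?P<action>alert|drop|sdrop|reject|log|pass)\s+(?P<proto>\w+)\s+'
    r'(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+'
    r'(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$'
)
# One "key: value;" rule option; quoted values may contain ';'
OPT_RE = re.compile(r'(\w+)\s*:\s*("(?:[^"\\]|\\.)*"|[^;]*);')
# Syslog alert body: optional [gid:sid:rev] prefix, then the format from the thread
ALERT_RE = re.compile(
    r'^(?:\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+)?'
    r'(?P<msg>.+?)\s+\[Classification:\s*(?P<cls>[^\]]+)\]\s+'
    r'\[Priority:\s*(?P<prio>\d+)\]:\s+\{(?P<proto>\w+)\}\s+'
    r'(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s*$'
)


@dataclass(frozen=True)
class Rule:
    action: str
    proto: str
    msg: str
    sid: Optional[int]


def parse_rules(text: str) -> List[Rule]:
    """Parse single-line Snort rules, skipping comments, blanks and unparsable lines."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        opts = {k: v.strip().strip('"') for k, v in OPT_RE.findall(m['opts'])}
        sid = int(opts['sid']) if opts.get('sid', '').isdigit() else None
        rules.append(Rule(m['action'], m['proto'].lower(), opts.get('msg', ''), sid))
    return rules


def classify_alerts(rules: List[Rule], log_lines: List[str]) -> List[Dict[str, str]]:
    """Tag each parsable alert line with the action of the rule that produced it.

    A hit whose sid/msg matches no loaded rule is reported as 'unknown': that
    is the case to investigate, since it means a rule other than the one you
    edited is the one actually firing.
    """
    by_sid = {r.sid: r for r in rules if r.sid is not None}
    by_msg = {r.msg: r for r in rules}
    results = []
    for line in log_lines:
        m = ALERT_RE.match(line.strip())
        if not m:
            continue
        rule = by_sid.get(int(m['sid'])) if m['sid'] else None
        if rule is None:
            rule = by_msg.get(m['msg'])
        results.append({
            'msg': m['msg'],
            'proto': m['proto'],
            'src': f"{m['src']}:{m['sport']}",
            'dst': f"{m['dst']}:{m['dport']}",
            'action': rule.action if rule else 'unknown',
        })
    return results


# Constructed rule set: the eDonkey rule quoted in the thread (action changed to
# drop) plus a placeholder MSN rule; sid 9000001 is not a real Snort sid.
SAMPLE_RULES = '''
# eDonkey File Status rule from the thread, alert changed to drop
drop tcp $HOME_NET any -> $EXTERNAL_NET 4660:4799 (msg: "BLEEDING-EDGE P2P eDonkey File Status"; flow:to_server,established; content:"|e3 14|"; offset: 0; depth: 2; classtype: policy-violation; reference:url,www.edonkey.com; sid: 2001296; rev:4;)
# placeholder MSN rule (constructed for this example)
alert tcp $HOME_NET any -> $EXTERNAL_NET 1863 (msg:"CHAT MSN login attempt"; flow:to_server,established; classtype:policy-violation; sid:9000001; rev:1;)
'''

# Constructed syslog bodies: the first three are the lines quoted in the thread,
# the last is a constructed [gid:sid:rev]-prefixed hit on the drop rule.
SAMPLE_LOG = '''
CHAT MSN login attempt [Classification: Potential Corporate Privacy Violation] [Priority: 1]: {TCP} 192.168.1.198:1146 -> 65.54.239.20:1863
CHAT MSN login attempt [Classification: Potential Corporate Privacy Violation] [Priority: 1]: {TCP} 192.168.1.214:2697 -> 65.54.239.20:1863
BLEEDING-EDGE P2P ed2k connection to server [Classification: Potential Corporate Privacy Violation] [Priority: 1]: {TCP} 192.168.1.214:2891 -> 222.239.52.185:4662
[1:2001296:4] BLEEDING-EDGE P2P eDonkey File Status [Classification: Potential Corporate Privacy Violation] [Priority: 1]: {TCP} 192.168.1.214:2892 -> 222.239.52.185:4662
'''


def report(rules_text: str = SAMPLE_RULES, log_text: str = SAMPLE_LOG) -> List[Dict[str, str]]:
    """Run the correlation on the constructed samples and return one row per hit."""
    return classify_alerts(parse_rules(rules_text), log_text.splitlines())


if __name__ == '__main__':
    for row in report():
        print(f"{row['action']:8} {row['proto']} {row['src']} -> {row['dst']}  {row['msg']}")
```

The third sample line ("ed2k connection to server") comes out as unknown because its msg is not the "eDonkey File Status" rule that was switched to drop, which is the mismatch the eDonkey exchange later in this thread turns on.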
From: Javier R. P. <jr...@on...> - 2005-11-02 15:47:06

I was thinking something like that, like msn that goes from port 80 when its native ports are blocked. When I put drop in the rule I see all the matches in the syslog, maybe it is blocking but donkey is going for other ports, I will sniff a little. Thanks!

Jason wrote:
> When you connect do you get an alert for both the alert and drop rule?
>
> My guess is that the rule is not doing what you expect it to do. EG:
> edonkey just uses a different method to connect when one is blocked.
>
> This is generally a problem with BLEEDING- style rules in that they
> focus on specific cases and not the larger picture like modeling the
> protocol or all of the things a client can do. That being said, by the
> message of this rule it is only checking for File Status messages and
> not connects so it could well be the case that you can connect but not
> actually do anything.
>
> Javier Reyna Padilla wrote:
> > SO, finally I get snort-inline working. I am running iptables with the
> > next line
> >
> > iptables -A FORWARD -j QUEUE
> >
> > and snort-inline with:
> >
> > snort -QDd -c /etc/snort_inline/snort_inline.conf
> >
> > I am testing with p2p sigs from bleeding snort
> >
> > one of the rules is:
> >
> > drop tcp $HOME_NET any -> $EXTERNAL_NET 4660:4799 (msg: "BLEEDING-EDGE
> > P2P eDonkey File Status"; flow:to_server,established; content:"|e3 14|";
> > offset: 0; depth: 2; classtype: policy-violation;
> > reference:url,www.edonkey.com; sid: 2001296; rev:4;)
> >
> > and can detect it successfully:
> > BLEEDING-EDGE P2P ed2k connection to server [Classification: Potential
> > Corporate Privacy Violation] [Priority: 1]: {TCP} 192.168.1.214:2891 ->
> > 222.239.52.185:4662
> >
> > I change the alert to drop, restart snort and I still can connect to
> > mldonkey net.
> >
> > Any idea? Suggestions? RTFM answers? :-)
> >
> > Regards!!
> >
> > -------------------------------------------------------
> > This SF.Net email is sponsored by the JBoss Inc.
> > Get Certified Today * Register for a JBoss Training Course
> > Free Certification Exam for All Training Attendees Through End of 2005
> > Visit http://www.jboss.com/services/certification for more information
> > _______________________________________________
> > Snort-inline-users mailing list
> > Sno...@li...
> > https://lists.sourceforge.net/lists/listinfo/snort-inline-users
From: Jason <sec...@br...> - 2005-11-02 14:55:12
|
When you connect do you get an alert for both the alert and drop rule?

My guess is that the rule is not doing what you expect it to do. EG: edonkey just uses a different method to connect when one is blocked.

This is generally a problem with BLEEDING- style rules in that they focus on specific cases and not the larger picture like modeling the protocol or all of the things a client can do. That being said, by the message of this rule it is only checking for File Status messages and not connects so it could well be the case that you can connect but not actually do anything.

Javier Reyna Padilla wrote:
> SO, finally I get snort-inline working. I am running iptables with the
> next line
>
> iptables -A FORWARD -j QUEUE
>
> and snort-inline with:
>
> snort -QDd -c /etc/snort_inline/snort_inline.conf
>
> I am testing with p2p sigs from bleeding snort
>
> one of the rules is:
>
> drop tcp $HOME_NET any -> $EXTERNAL_NET 4660:4799 (msg: "BLEEDING-EDGE
> P2P eDonkey File Status"; flow:to_server,established; content:"|e3 14|";
> offset: 0; depth: 2; classtype: policy-violation;
> reference:url,www.edonkey.com; sid: 2001296; rev:4;)
>
> and can detect it successfully:
> BLEEDING-EDGE P2P ed2k connection to server [Classification: Potential
> Corporate Privacy Violation] [Priority: 1]: {TCP} 192.168.1.214:2891 ->
> 222.239.52.185:4662
>
> I change the alert to drop, restart snort and I still can connect to
> mldonkey net.
>
> Any idea? Suggestions? RTFM answers? :-)
>
> Regards!! |
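To see why a drop rule can fire on every File Status message and still leave the client able to connect, here is an added example (not snort code, not from anyone in the thread) that applies the quoted rule's port test and content/offset/depth test to constructed payloads. It ignores the flow option and the $HOME_NET/$EXTERNAL_NET variables; the opcode values in the sample payloads are constructed, only the |e3 14| pattern comes from the rule.

```python
# The eDonkey rule as quoted in the thread (sid 2001296, rev 4). Everything
# else here is an added illustration of offset/depth matching, not snort code.
RULE = ('drop tcp $HOME_NET any -> $EXTERNAL_NET 4660:4799 '
        '(msg:"BLEEDING-EDGE P2P eDonkey File Status"; flow:to_server,established; '
        'content:"|e3 14|"; offset:0; depth:2; classtype:policy-violation; '
        'reference:url,www.edonkey.com; sid:2001296; rev:4;)')

def parse_rule(rule):
    """Split a rule into header fields and an option dict (simplified: no flow, no variables)."""
    header, _, body = rule.partition("(")
    action, proto, src, sport, _arrow, dst, dport = header.split()
    opts = {}
    for opt in body.rstrip(")").split(";"):
        key, _, value = opt.strip().partition(":")
        if key:
            opts[key] = value.strip().strip('"')
    return {"action": action, "proto": proto, "dport": dport, **opts}

def content_bytes(spec):
    """Turn a snort content string into bytes: |hex| sections, literal text elsewhere."""
    out = bytearray()
    for i, part in enumerate(spec.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode()
    return bytes(out)

def port_matches(port, spec):
    """'any', a single port, or a lo:hi range as used in the rule header."""
    if spec == "any":
        return True
    lo, _, hi = spec.partition(":")
    return int(lo) <= port <= int(hi or lo)

def rule_fires(rule, dport, payload):
    """Port test plus content search limited to the offset/depth window."""
    r = parse_rule(rule)
    if not port_matches(dport, r["dport"]):
        return False
    pattern = content_bytes(r["content"])
    offset = int(r.get("offset", 0))
    depth = int(r.get("depth", len(payload)))   # no depth: search to end of payload
    return pattern in payload[offset:offset + depth]

# Constructed sample payloads (not captured traffic): byte 0 is the protocol
# marker from the rule, byte 1 an opcode; only 0x14 at byte 1 should match.
FILE_STATUS = b"\xe3\x14" + b"\x00" * 20
OTHER_OPCODE = b"\xe3\x01" + b"\x00" * 20   # a different message on the same port
SHIFTED = b"\x00\xe3\x14" + b"\x00" * 20    # pattern present but outside depth 2

if __name__ == "__main__":
    for name, p in [("file status", FILE_STATUS), ("other opcode", OTHER_OPCODE), ("shifted", SHIFTED)]:
        print(name, rule_fires(RULE, 4662, p))
```

Only the first payload fires; a different opcode on the same port, or the same bytes past the depth window, passes the rule untouched, which is the gap Jason describes.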
From: Will M. <wil...@gm...> - 2005-11-02 14:28:14
|
From the article http://linuxgazette.net/118/savage.html

"In contrast, snort_inline actually interferes with the conveyor belt process. snort_inline picks the items up and examines them itself. This is where snort_inline does its content matching. The original snort also has a mechanism called stream4_reassemble. This is analogous to having a second man watching over the parts as they are assembled, at the end of the conveyor belt. This second quality-control checker can then check the whole assembly, to see if there are any problems. The problem is that snort_inline functions with only one man in the middle of the conveyor belt. This has the effect that connections like telnet, where each character typed is sent as a separate packet, can bypass certain rules."

My response is wait a couple of days, and this may no longer be true ;-)

Regards,
Will

On 11/2/05, jdurick <jd...@mi...> wrote:
> Here are two good docs:
>
> http://linuxgazette.net/117/savage.html
> http://linuxgazette.net/118/savage.html
>
> enjoy, jd
>
> Dino Dragovic wrote:
> >
> > On Tue, 1 Nov 2005, Tymad95 wrote:
> >
> >> I am trying to find a good link or document on how to setup a snort
> >> inline machine running RedHat Fedora core 4. Can anyone point me in
> >> the right direction on where I can get such information ?
> >>
> >
> > Try this:
> >
> > http://www.snort.org/docs/
> > and the documentation in snort's tarball
> >
> > regards,
> >
> > Dino
>
> --
> ________________________________________________________________
> JD Durick Senior InfoSec Engineer jd...@MI...
> Work: 703-983-5543 http://www.mitre.org |
From: jdurick <jd...@mi...> - 2005-11-02 14:02:49
|
Here are two good docs:

http://linuxgazette.net/117/savage.html
http://linuxgazette.net/118/savage.html

enjoy, jd

Dino Dragovic wrote:
>
> On Tue, 1 Nov 2005, Tymad95 wrote:
>
>> I am trying to find a good link or document on how to setup a snort
>> inline machine running RedHat Fedora core 4. Can anyone point me in
>> the right direction on where I can get such information ?
>>
>
> Try this:
>
> http://www.snort.org/docs/
> and the documentation in snort's tarball
>
> regards,
>
> Dino

--
________________________________________________________________
JD Durick Senior InfoSec Engineer jd...@MI...
Work: 703-983-5543 http://www.mitre.org |
From: Kee H. <ke...@bi...> - 2005-11-02 06:06:21
|
Hi,

I am having problems building snort inline on 2.4.3. I suspect it has something to do with libnet.

I am using Debian 3.1 (sarge), with a recompiled kernel 2.6.14. By the way, the following is what I have done:

- installed libnet-1.0.2a from source
- apt-get install iptables-dev

I use the following command to configure snort-inline:

- ./configure --enable-inline --with-libipq-includes=/usr/include/libipq

snort configures without any problems or error. However, when I try to build (make) it I get the following errors:

inline.o(.text+0x183): In function `InitInlinePostConfig':
/root/temp/IPS/xxx/snort-2.4.3/src/inline.c:157: undefined reference to `libnet_build_ip'
inline.o(.text+0x22e):/root/temp/IPS/xxx/snort-2.4.3/src/inline.c:164: undefined reference to `libnet_build_ip'
inline.o(.text+0x28b):/root/temp/IPS/xxx/snort-2.4.3/src/inline.c:166: undefined reference to `libnet_build_icmp_unreach'
inline.o(.text+0x2fe):/root/temp/IPS/xxx/snort-2.4.3/src/inline.c:175: undefined reference to `libnet_build_ip'
inline.o(.text+0x3a6):/root/temp/IPS/xxx/snort-2.4.3/src/inline.c:182: undefined reference to `libnet_build_ip'
inline.o(.text+0x3e0):/root/temp/IPS/xxx/snort-2.4.3/src/inline.c:126: undefined reference to `libnet_open_raw_sock'
inline.o(.text+0x722): In function `RejectSocket':
/root/temp/IPS/xxx/snort-2.4.3/src/inline.c:468: undefined reference to `libnet_write_ip'
inline.o(.text+0x73f):/root/temp/IPS/xxx/snort-2.4.3/src/inline.c:470: undefined reference to `libnet_error'
inline.o(.text+0x7cd):/root/temp/IPS/xxx/snort-2.4.3/src/inline.c:427: undefined reference to `libnet_write_ip'
inline.o(.text+0x852): In function `RejectLayer2':
/root/temp/IPS/xxx/snort-2.4.3/src/inline.c:539: undefined reference to `libnet_open_link_interface'
inline.o(.text+0x8f4):/root/temp/IPS/xxx/snort-2.4.3/src/inline.c:684: undefined reference to `libnet_close_link_interface'
inline.o(.text+0x914):/root/temp/IPS/xxx/snort-2.4.3/src/inline.c:686: undefined reference to `libnet_error'
inline.o(.text+0xa80):/root/temp/IPS/xxx/snort-2.4.3/src/inline.c:673: undefined reference to `libnet_write_link_layer'
inline.o(.text+0xba5):/root/temp/IPS/xxx/snort-2.4.3/src/inline.c:615: undefined reference to `libnet_write_link_layer'
inline.o(.text+0xc20):/root/temp/IPS/xxx/snort-2.4.3/src/inline.c:549: undefined reference to `libnet_error'
inline.o(.text+0xc4a):/root/temp/IPS/xxx/snort-2.4.3/src/inline.c:541: undefined reference to `libnet_error'
collect2: ld returned 1 exit status
make[3]: *** [snort] Error 1
make[3]: Leaving directory `/root/temp/IPS/xxx/snort-2.4.3/src'
make[2]: *** [all-recursive] Error 1
make[2]: Leaving directory `/root/temp/IPS/xxx/snort-2.4.3/src'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/root/temp/IPS/xxx/snort-2.4.3'
make: *** [all] Error 2

I hope someone could help me with this.

Thanks in advance
Kee Huat |