From: Dino D. <dra...@gf...> - 2005-11-01 16:16:31

On Tue, 1 Nov 2005, Tymad95 wrote:
> I am trying to find a good link or document on how to set up a snort inline machine running RedHat Fedora Core 4. Can anyone point me in the right direction on where I can get such information?

Try this: http://www.snort.org/docs/ and the documentation in snort's tarball

regards,
Dino
From: Tymad95 <ty...@ya...> - 2005-11-01 14:35:26

I am trying to find a good link or document on how to set up a snort inline machine running RedHat Fedora Core 4. Can anyone point me in the right direction on where I can get such information?
From: Javier R. P. <jr...@on...> - 2005-11-01 05:55:54

So, finally I got snort-inline working. I am running iptables with the next line:

    iptables -A FORWARD -j QUEUE

and snort-inline with:

    snort -QDd -c /etc/snort_inline/snort_inline.conf

I am testing with P2P sigs from Bleeding Snort. One of the rules is:

    drop tcp $HOME_NET any -> $EXTERNAL_NET 4660:4799 (msg: "BLEEDING-EDGE P2P eDonkey File Status"; flow:to_server,established; content:"|e3 14|"; offset: 0; depth: 2; classtype: policy-violation; reference:url,www.edonkey.com; sid: 2001296; rev:4;)

and I can detect it successfully:

    BLEEDING-EDGE P2P ed2k connection to server [Classification: Potential Corporate Privacy Violation] [Priority: 1]: {TCP} 192.168.1.214:2891 -> 222.239.52.185:4662

I change the alert to drop, restart snort and I still can connect to the mldonkey net. Any idea? Suggestions? RTFM answers? :-)

Regards!!
From: Javier R. P. <jr...@on...> - 2005-11-01 03:02:12

my kernel is 2.6

Will Metcalf wrote:
> what kernel version are you running? 2.6.x or 2.4.x?
>
> Regards,
>
> Will
>
> On 10/31/05, Javier Reyna Padilla <jr...@on...> wrote:
>
>> Hi, some doubts, searching the web and reading some manuals, talk about
>> setting ebtables, CONFIG_IP_NF_MATCH_PHYSDEV as modules in the kernel, I
>> have ip_queue and bridge modules installed in the kernel, but my bridge
>> stops passing traffic when I set iptables.. do I need these modules for
>> the bridge?
>>
>> -------------------------------------------------------
>> This SF.Net email is sponsored by the JBoss Inc.
>> Get Certified Today * Register for a JBoss Training Course
>> Free Certification Exam for All Training Attendees Through End of 2005
>> Visit http://www.jboss.com/services/certification for more information
>> _______________________________________________
>> Snort-inline-users mailing list
>> Sno...@li...
>> https://lists.sourceforge.net/lists/listinfo/snort-inline-users
From: Will M. <wil...@gm...> - 2005-10-31 21:39:40

what kernel version are you running? 2.6.x or 2.4.x?

Regards,

Will

On 10/31/05, Javier Reyna Padilla <jr...@on...> wrote:
> Hi, some doubts, searching the web and reading some manuals, talk about
> setting ebtables, CONFIG_IP_NF_MATCH_PHYSDEV as modules in the kernel, I
> have ip_queue and bridge modules installed in the kernel, but my bridge
> stops passing traffic when I set iptables.. do I need these modules for
> the bridge?
From: Javier R. P. <jr...@on...> - 2005-10-31 21:09:56

Hi, some doubts: searching the web and reading some manuals, they talk about setting ebtables and CONFIG_IP_NF_MATCH_PHYSDEV as modules in the kernel. I have the ip_queue and bridge modules installed in the kernel, but my bridge stops passing traffic when I set iptables.. do I need these modules for the bridge?
From: Bobby <bma...@pb...> - 2005-10-31 16:02:48

I believe the interface to listen on should be -i br0 not -i eth1.

BMatz

> -----Original Message-----
> From: sno...@li...
> [mailto:sno...@li...]On Behalf Of
> Javier Reyna Padilla
> Sent: Sunday, October 30, 2005 5:46 PM
> To: sno...@li...
> Subject: [Snort-inline-users] some doubts about snort-inline
>
> So.. I am working with a soekris box,, really nice .. and want
> snort-inline working in that soekris box... I have 3 interfaces, I am
> using gentoo linux..
> I have set up the bridge and pass traffic through it. If I set
>
> iptables -A FORWARD -j QUEUE
>
> and then:
> snort -Qdv -c /etc/snort_inline/snort_inline.conf -i eth1
>
> I can see the traffic from my laptop, but after I set the iptables
> rule all the traffic does not pass through the interfaces. I am using
> eth0 for management, eth1 and eth2 for the bridge.
>
> I got the rc.firewall script, erased some vars that I don't use, and started it in
> the box, but if I use rc.firewall, snort_inline can not see traffic from
> iptables. It has the bridge option and queue set but there is no traffic in
> snort_inline.
>
> My questions are:
> 1. What do I need to forward traffic from eth1 to eth2 and vice versa
> with iptables and send the traffic to snort using queue? Can you help me
> with some simple rules?
>
> 2. In the gentoo conf.d/snort file it says the -i option should be set
> when using -Q: snort -Qdv -c /etc/snort_inline/snort_inline.conf -i
> eth1 , so what is the -i interface for? Must I select one interface from
> the bridge, the internal, external? the bridge or the management? I
> supposed it is for setting the promiscuous interface, but if snort -Q is
> getting everything from iptables, what is this interface for?
>
> Thanks in advance!
>
> Regards!
From: Javier R. P. <jr...@on...> - 2005-10-31 05:01:12

So.. I am working with a soekris box,, really nice .. and want snort-inline working in that soekris box... I have 3 interfaces, I am using gentoo linux..

I have set up the bridge and pass traffic through it. If I set

    iptables -A FORWARD -j QUEUE

and then:

    snort -Qdv -c /etc/snort_inline/snort_inline.conf -i eth1

I can see the traffic from my laptop, but after I set the iptables rule all the traffic does not pass through the interfaces. I am using eth0 for management, eth1 and eth2 for the bridge.

I got the rc.firewall script, erased some vars that I don't use, and started it in the box, but if I use rc.firewall, snort_inline can not see traffic from iptables. It has the bridge option and queue set but there is no traffic in snort_inline.

My questions are:

1. What do I need to forward traffic from eth1 to eth2 and vice versa with iptables and send the traffic to snort using queue? Can you help me with some simple rules?

2. In the gentoo conf.d/snort file it says the -i option should be set when using -Q: snort -Qdv -c /etc/snort_inline/snort_inline.conf -i eth1 , so what is the -i interface for? Must I select one interface from the bridge, the internal, external? the bridge or the management? I supposed it is for setting the promiscuous interface, but if snort -Q is getting everything from iptables, what is this interface for?

Thanks in advance!

Regards!
From: <tut...@pa...> - 2005-10-31 01:06:20

On Sat, Oct 29, 2005 at 03:33:37PM -0500, Javier Reyna Padilla wrote:
> I want to set up snort-inline in gentoo but I do not see an ebuild for
> snort-inline, the snort ebuild sets a USE flag for inline, so I think it
> compiles the snort-inline binary, but after the compilation there is no
> snort-inline binary nor snort-inline.conf.... so how do I install
> snort-inline in gentoo. ?? I hope somebody helps me!

The inline binaries have the same name as the std binaries. It runs in inline mode by virtue of the -Q option. (IIRC the snort ebuild sets that option in /etc/conf.d/snort when you use the inline USE flag.)

tut.
From: Javier R. P. <jr...@on...> - 2005-10-30 01:48:36

I want to set up snort-inline in gentoo but I do not see an ebuild for snort-inline, the snort ebuild sets a USE flag for inline, so I think it compiles the snort-inline binary, but after the compilation there is no snort-inline binary nor snort-inline.conf.... so how do I install snort-inline in gentoo. ?? I hope somebody helps me!
From: Nick R. <ni...@ro...> - 2005-10-28 04:55:03

On the status of running snort_inline on Mac OS X:

There appears to be a problem with MacOS and mangling the packet in inline mode. Snort_inline is working and passing packets OK through the firewall... it just appears that there is something wrong with the packets after inline inspects them. Also, rejects cause bus errors (which is bad!).

I think we'd have to do some work on the code to make this work. Yeh, it compiles, but it doesn't work. I would guess that it would take some time to get this working. I'll put it on my things to do list. Until then, you're probably not able to use inline mode on Mac OSX :-( Sorry.

I'm CC'ing the list to let everyone know.

Nick Rogness <ni...@ro...>
From: Will M. <wil...@gm...> - 2005-10-26 12:48:19

The stream4 reassembler basically builds what pcap thinks is a valid IPV4 packet. The maximum amount of data allowed in a valid IPV4 packet is 65535 bytes. Actually it is 65515 for the payload and 20 for the header.

Regards,

Will

On 10/26/05, davide belloni <dav...@gm...> wrote:
> ok, tnx Victor & Will!
> The virus isn't seen by clamav because I'm doing the module that detects this
> virus.
> So, if I work with snort inline the reassembler doesn't work for the problems
> written here:
> http://sourceforge.net/mailarchive/forum.php?thread_id=7914106&forum_id=32933
> also, if I work with simple snort, stream4 reassembles only max 65 KB for
> the reason that you have given me. right?
> Can I change the constant MAX_STREAM_SIZE? or is it a limit and PCAP fails?
>
> 2005/10/25, Victor Julien <vi...@nk...>:
> > > Ok, I've found the problem, the maximum packet that arrives is 65 KB
> > > over
> > > 220 KB; can someone tell me if it is normal that stream4 doesn't reassemble
> > > the
> > > whole stream? I'm doing a university thesis. Tnx
> > >
> > Yes it is limited by MAX_STREAM_SIZE and that is defined as 65535 IIRC.
> >
> > Regards,
> > Victor
>
> --
> China
From: Will M. <wil...@gm...> - 2005-10-26 12:01:56

No, you need to edit your var RULE_PATH in the snort.conf file and tell it where your rules are.

Regards,

Will

On 10/26/05, James Brown <jl...@bo...> wrote:
> I downloaded the Current one for registered users.
>
> Decompressed the file, then put the 'rules' folder in ~/snort-2.4.3/etc/
>
> Typing "sudo snort -J 500 -c ./etc/snort.conf" still gives me:
>
> ERROR: Unable to open rules file: ../rules/local.rules or ./etc/../rules/local.rules
> Fatal Error, Quitting..
>
> Do I need to run ./configure again? I take it that the rules folder
> can be several layers deep in the etc folder? Ie I can have one for
> Current rules, one for Community rules, etc?
>
> Thanks,
>
> James.
>
> On 26/10/2005, at 12:48 AM, Jason Brvenik wrote:
>> James Brown wrote:
>>> OK. I'll try to remove the extra libnet.
>>>
>>> But I have almost got it to work on my machine at work (logging in
>>> remotely). This machine did not have as many mistakes made on it - I
>>> did them on my home machine (ie extra libnet installs, etc).
>>>
>>> On the one at work I tried to start snort by typing:
>>>
>>> sudo snort -J 500 -c snort.conf
>>>
>>> It goes for a while, then stops because it could not find the
>>> local.rules file.
>>
>> You need to register and download a rules pack from snort.org
>>
>> http://www.snort.org/pub-bin/downloads.cgi
>>
>>> There is such a file in my snort_inline 2.3.0-RC1 folder. Should I use
>>> this? I presume that I move it into the snort directory (snort/etc/ ?)
>>> and somehow let it know that that is where it is?
>>>
>>> Anyway, it is almost 1am here, up in just over 5 hours for work, so I
>>> better leave you alone and go to bed!
>>>
>>> Thanks again for your help.
>>
>> Happily.
From: James B. <jl...@bo...> - 2005-10-26 08:06:56

I downloaded the Current one for registered users.

Decompressed the file, then put the 'rules' folder in ~/snort-2.4.3/etc/

Typing "sudo snort -J 500 -c ./etc/snort.conf" still gives me:

    ERROR: Unable to open rules file: ../rules/local.rules or ./etc/../rules/local.rules
    Fatal Error, Quitting..

Do I need to run ./configure again? I take it that the rules folder can be several layers deep in the etc folder? Ie I can have one for Current rules, one for Community rules, etc?

Thanks,

James.

On 26/10/2005, at 12:48 AM, Jason Brvenik wrote:
> James Brown wrote:
>> OK. I'll try to remove the extra libnet.
>>
>> But I have almost got it to work on my machine at work (logging in
>> remotely). This machine did not have as many mistakes made on it - I
>> did them on my home machine (ie extra libnet installs, etc).
>>
>> On the one at work I tried to start snort by typing:
>>
>> sudo snort -J 500 -c snort.conf
>>
>> It goes for a while, then stops because it could not find the
>> local.rules file.
>
> You need to register and download a rules pack from snort.org
>
> http://www.snort.org/pub-bin/downloads.cgi
>
>> There is such a file in my snort_inline 2.3.0-RC1 folder. Should I use
>> this? I presume that I move it into the snort directory (snort/etc/ ?)
>> and somehow let it know that that is where it is?
>>
>> Anyway, it is almost 1am here, up in just over 5 hours for work, so I
>> better leave you alone and go to bed!
>>
>> Thanks again for your help.
>
> Happily.
From: davide b. <dav...@gm...> - 2005-10-26 08:04:23

ok, tnx Victor & Will!

The virus isn't seen by clamav because I'm doing the module that detects this virus.

So, if I work with snort inline the reassembler doesn't work for the problems written here:
http://sourceforge.net/mailarchive/forum.php?thread_id=7914106&forum_id=32933

also, if I work with simple snort, stream4 reassembles only max 65 KB for the reason that you have given me. right?

Can I change the constant MAX_STREAM_SIZE? or is it a limit and PCAP fails?

2005/10/25, Victor Julien <vi...@nk...>:
>
> > Ok, I've found the problem, the maximum packet that arrives is 65 KB
> > over
> > 220 KB; can someone tell me if it is normal that stream4 doesn't reassemble
> > the
> > whole stream? I'm doing a university thesis. Tnx
> >
> Yes it is limited by MAX_STREAM_SIZE and that is defined as 65535 IIRC.
>
> Regards,
> Victor

--
China
From: Victor J. <vi...@nk...> - 2005-10-25 17:12:13

> Ok, I've found the problem, the maximum packet that arrives is 65 KB
> over
> 220 KB; can someone tell me if it is normal that stream4 doesn't reassemble
> the
> whole stream? I'm doing a university thesis. Tnx

Yes it is limited by MAX_STREAM_SIZE and that is defined as 65535 IIRC.

Regards,
Victor
From: Adrian S. <soo...@gm...> - 2005-10-25 16:14:56

Is it possible to put semaphores around or disable interrupts while processing the interrupt handler? I don't know how that is done in C.

-Adrian

On 10/25/05, Victor Julien <vi...@nk...> wrote:
>
> Adrian Soogemackelyk wrote:
> > I recently patched my snort_inline 2.3.0 with the patch regarding a
> > SIGHUP-able snort_inline supplied in this mailing list from a few months
> > back. The patch applied cleanly. I can sighup snort_inline, and it
> > reloads a new ruleset. I wanted to make sure that the functionality was
> > reliable before I put my snort_inline box inline, seeing that I want to
> > write a utility that will update the snort rules regularly and sighup
> > snort_inline to reread the rulesets (keeping the same pid around is
> > helpful in this case).
> >
> > I put my Celeron 2.4 Ghz Snort IPS box with snort_inline under heavy
> > load (blasted it with iperf and ping floods), and ran a bash script that
> > would send a SIGHUP to snort_inline once every five seconds. The script
> > would also check to see if the pid changed or disappeared. Within ten
> > minutes every time, snort_inline dies miserably or is in memory (state
> > 'S'), but does not pass traffic. I don't know why the sighup isn't
> > always reliable. Any ideas why?
>
> It looks like when a SIGHUP is received, the function SigHupHandler() is
> called. That function in turn calls Restart(). From what I can see
> nothing will prevent the system from running Restart() again before the
> previous run is done. This means we can have multiple Restarts running
> at the same time which will not work...
>
> I'll look into this...
>
> Regards,
> Victor
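Victor's diagnosis (SigHupHandler() calls Restart() directly, so a second SIGHUP can start another Restart() before the first finishes) and Adrian's question about guarding the handler point at the usual fix in C: the handler only records a flag, the packet loop performs the reload with SIGHUP blocked via sigprocmask(), and a busy guard refuses re-entry. This is an added example, not snort_inline's own code; reload_rules(), process_pending_reload() and install_sighup_handler() are illustrative names and the reload body is a stand-in.

```c
/* Added example: re-entrancy-safe SIGHUP reload, not snort_inline's code. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <signal.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* The handler touches only this flag: writing a sig_atomic_t is
 * async-signal-safe, whereas parsing rules and allocating memory are not. */
static volatile sig_atomic_t reload_requested = 0;

/* Set while a reload runs so a second request cannot start another one
 * before the first completes (the overlap that crashed snort_inline). */
static int reload_in_progress = 0;
static int reloads_completed = 0;

static void sighup_handler(int signo)
{
    (void)signo;
    reload_requested = 1;   /* N signals in a burst coalesce into one reload */
}

/* sa_mask blocks SIGHUP while the handler runs; SA_RESTART lets blocking
 * syscalls in the packet loop resume instead of failing with EINTR. */
int install_sighup_handler(void)
{
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = sighup_handler;
    sigemptyset(&sa.sa_mask);
    sigaddset(&sa.sa_mask, SIGHUP);
    sa.sa_flags = SA_RESTART;
    return sigaction(SIGHUP, &sa, NULL);
}

/* Stand-in for Restart(): returns 0 when the reload ran, -1 if one was
 * already in progress (the guard Victor's analysis says is missing). */
int reload_rules(void)
{
    if (reload_in_progress)
        return -1;
    reload_in_progress = 1;
    /* ... re-read rule files and rebuild the detection engine (elided) ... */
    reloads_completed++;
    reload_in_progress = 0;
    return 0;
}

/* Called from the packet loop between packets, never from the handler.
 * SIGHUP is blocked for the duration so a new signal cannot land while the
 * engine is half-built. Returns 1 if a reload ran, 0 if none was pending. */
int process_pending_reload(void)
{
    sigset_t block, old;
    int ran = 0;

    if (!reload_requested)
        return 0;

    sigemptyset(&block);
    sigaddset(&block, SIGHUP);
    sigprocmask(SIG_BLOCK, &block, &old);

    reload_requested = 0;            /* clear before reloading, not after */
    if (reload_rules() == 0)
        ran = 1;

    sigprocmask(SIG_SETMASK, &old, NULL);
    return ran;
}

int reloads_done(void)
{
    return reloads_completed;
}

int main(void)
{
    install_sighup_handler();
    /* Three rapid SIGHUPs, as Adrian's script would send under load. */
    raise(SIGHUP);
    raise(SIGHUP);
    raise(SIGHUP);
    process_pending_reload();
    printf("reloads completed: %d\n", reloads_done());
    return 0;
}
```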
From: Victor J. <vi...@nk...> - 2005-10-25 14:56:18

Adrian Soogemackelyk wrote:
> I recently patched my snort_inline 2.3.0 with the patch regarding a
> SIGHUP-able snort_inline supplied in this mailing list from a few months
> back. The patch applied cleanly. I can sighup snort_inline, and it
> reloads a new ruleset. I wanted to make sure that the functionality was
> reliable before I put my snort_inline box inline, seeing that I want to
> write a utility that will update the snort rules regularly and sighup
> snort_inline to reread the rulesets (keeping the same pid around is
> helpful in this case).
>
> I put my Celeron 2.4 Ghz Snort IPS box with snort_inline under heavy
> load (blasted it with iperf and ping floods), and ran a bash script that
> would send a SIGHUP to snort_inline once every five seconds. The script
> would also check to see if the pid changed or disappeared. Within ten
> minutes every time, snort_inline dies miserably or is in memory (state
> 'S'), but does not pass traffic. I don't know why the sighup isn't
> always reliable. Any ideas why?

It looks like when a SIGHUP is received, the function SigHupHandler() is called. That function in turn calls Restart(). From what I can see nothing will prevent the system from running Restart() again before the previous run is done. This means we can have multiple Restarts running at the same time which will not work...

I'll look into this...

Regards,
Victor
From: davide b. <dav...@gm...> - 2005-10-25 14:36:41

Ok, I've found the problem, the maximum packet that arrives is 65 KB over 220 KB; can someone tell me if it is normal that stream4 doesn't reassemble the whole stream? I'm doing a university thesis. Tnx

2005/10/24, davide belloni <dav...@gm...>:
>
> Hi, I've tried another virus of 200 KB and it isn't detected by
> snort-clamav.... instead with only clamav yes..... why? I use clamav after
> stream4.
>
> 2005/10/23, davide belloni <dav...@gm...>:
>>
>> Hi, now my snort-inline + clamav catches the virus.... but the virus
>> present in ftp://ftp.digitalfuture.it ,06.exe, isn't caught.... would it
>> be because it's 224 KB and stream4 doesn't reassemble all? who works on stream4?
>> Moreover, to catch this virus my clamav needs the whole file, because it
>> isn't caught by signature, but with the algorithmic engine, and clamav must have
>> the file as if it were on the filesystem.
>> Can someone help me??
>>
>> --
>> China
>
> --
> China

--
China
From: Jason <sec...@br...> - 2005-10-25 13:52:33

if you are using 2.4.3 the binary will be snort not snort_inline

James Brown wrote:
> Finally got ./configure --enable-inline --enable-ipfw to work.
> Then make and make install (for Snort 2.4.3).
> I then type:
> sudo snort_inline -J 500 -c snort_inline.conf
>
> But it says:
> sudo: snort_inline: command not found
>
> Does this mean that the configure/make/make install did not actually
> work? Or do I have to cd to somewhere to run it?
>
> BTW, when I try to ./configure snort_inline-2.3.0-RC1 it still gives me
> the error:
> checking "for libnet.h version 1.0.x"... no
> configure: error: "libnet 1.0.x could not be found. please download and
> install the library from http://www.packetfactory.net/libnet/"
>
> But snort proper does not!
>
> Thanks,
>
> James.
>
> On 25/10/2005, at 12:41 AM, Jason wrote:
>> try 2.4.3 from snort.org. lots of pointer warnings but I had no issues
>> with it at all beyond that.
>>
>> James Brown wrote:
>>> On 25/10/2005, at 12:09 AM, Jason wrote:
>>>> I did not use the 2.3.0-RC1 inline port. I used snort proper from
>>>> snort.org with its native inline capabilities. You will need to provide
>>>> a config.guess for the OS X box or just use fink to install the libnet.
From: James B. <jl...@bo...> - 2005-10-25 13:10:59

Installed libnet 1.0.2a from Fink. Ran './config --enable-inline --enable-ipfw' with no problems. But when I type 'make', I get:

    make all-recursive
    Making all in src
    Making all in sfutil
    make[3]: Nothing to be done for `all'.
    Making all in win32
    make[3]: Nothing to be done for `all'.
    Making all in output-plugins
    make[3]: Nothing to be done for `all'.
    Making all in detection-plugins
    make[3]: Nothing to be done for `all'.
    Making all in preprocessors
    Making all in flow
    Making all in portscan
    make[5]: Nothing to be done for `all'.
    Making all in int-snort
    make[5]: Nothing to be done for `all'.
    make[5]: Nothing to be done for `all-am'.
    Making all in HttpInspect
    Making all in include
    make[5]: Nothing to be done for `all'.
    Making all in utils
    make[5]: Nothing to be done for `all'.
    Making all in user_interface
    make[5]: Nothing to be done for `all'.
    Making all in session_inspection
    make[5]: Nothing to be done for `all'.
    Making all in mode_inspection
    make[5]: Nothing to be done for `all'.
    Making all in anomaly_detection
    make[5]: Nothing to be done for `all'.
    Making all in event_output
    make[5]: Nothing to be done for `all'.
    Making all in server
    make[5]: Nothing to be done for `all'.
    Making all in client
    make[5]: Nothing to be done for `all'.
    Making all in normalization
    make[5]: Nothing to be done for `all'.
    make[5]: Nothing to be done for `all-am'.
    make[4]: Nothing to be done for `all-am'.
    Making all in parser
    make[3]: Nothing to be done for `all'.
    gcc -DHAVE_CONFIG_H -I. -I. -I.. -I.. -I../src -I../src/sfutil -I/sw/include -I../src/output-plugins -I../src/detection-plugins -I../src/preprocessors -I../src/preprocessors/flow -I../src/preprocessors/portscan -I../src/preprocessors/flow/int-snort -I../src/preprocessors/HttpInspect/include -I/usr/local/include -I/sw/include -g -O2 -Wall -DGIDS -DIPFW -c `test -f 'inline.c' || echo './'`inline.c
    In file included from inline.c:6:
    /sw/include/libnet.h:87:2: error: #error "byte order has not been specified, you'll "
    In file included from ../src/preprocessors/stream.h:4,
                     from decode.h:47,
                     from inline.c:8:
    ./snort_packet_header.h:14: error: parse error before string constant
    ./snort_packet_header.h:19: error: parse error before '}' token
    ./snort_packet_header.h:19: warning: type defaults to 'int' in declaration of 'SnortPktHeader'
    ./snort_packet_header.h:19: warning: data definition has no type or storage class
    In file included from decode.h:47,
                     from inline.c:8:
    ../src/preprocessors/stream.h:123: error: parse error before 'SnortPktHeader'
    ../src/preprocessors/stream.h:123: warning: no semicolon at end of struct or union
    ../src/preprocessors/stream.h:131: error: parse error before '}' token
    ../src/preprocessors/stream.h:131: warning: type defaults to 'int' in declaration of 'StreamPacketData'
    ../src/preprocessors/stream.h:131: warning: data definition has no type or storage class
    inline.c: In function 'InitInlinePostConfig':
    inline.c:176: warning: pointer targets in passing argument 11 of 'libnet_build_ip' differ in signedness
    inline.c:179: warning: pointer targets in passing argument 10 of 'libnet_build_tcp' differ in signedness
    inline.c:183: warning: pointer targets in passing argument 11 of 'libnet_build_ip' differ in signedness
    inline.c:185: warning: pointer targets in passing argument 13 of 'libnet_build_icmp_unreach' differ in signedness
    inline.c: In function 'InitInline':
    inline.c:194: warning: unused variable 'status'
    inline.c: In function 'IpfwLoop':
    inline.c:354: warning: pointer targets in passing argument 3 of 'PcapProcessPacket' differ in signedness
    inline.c: In function 'RejectSocket':
    inline.c:420: warning: pointer targets in passing argument 1 of 'libnet_do_checksum' differ in signedness
    inline.c:427: warning: pointer targets in passing argument 2 of 'libnet_write_ip' differ in signedness
    inline.c:460: warning: pointer targets in passing argument 1 of 'libnet_do_checksum' differ in signedness
    inline.c:468: warning: pointer targets in passing argument 2 of 'libnet_write_ip' differ in signedness
    inline.c: In function 'HandlePacket':
    inline.c:699: warning: unused variable 'status'
    make[3]: *** [inline.o] Error 1
    make[2]: *** [all-recursive] Error 1
    make[1]: *** [all-recursive] Error 1
    make: *** [all] Error 2

I'd appreciate any help.

Thanks,

James.

On 25/10/2005, at 11:20 AM, Jason wrote:
> I have it in mine. I believe you need to enable the Unstable repository
> to get 1.0.2
>
> If that does not work I've attached the .deb built on 10.4.2
>
> James Brown wrote:
>> Libnet 1.0.2a-13 does not appear when I type fink list libnet.
>>
>> James.
>>
>> On 25/10/2005, at 12:50 AM, Jason wrote:
>>> Sorry. I didn't notice that you installed Libnet 1.1 in my last mail.
>>> Install 1.0.2 from fink and it should be fine.
>>>
>>> libnet1.0
>>> Set of routines to handle network packets
>>>
>>> Installed: 1.0.2a-13
>>> Unstable: 1.0.2a-13
>>> Stable: None
>>> Binary: 1.0.2a-13
>>>
>>> Web site: http://www.packetfactory.net/projects/libnet/
>>>
>>> Maintainer: Jeremy Higgs <fi...@hi...>
>>>
>>> James Brown wrote:
>>>> When I try it with snort 2.4.3 (typing make) I get the same thing:
>>>>
>>>> make all-recursive
>>>> Making all in src
>>>> Making all in sfutil
>>>> make[3]: Nothing to be done for `all'.
>>>> Making all in win32
>>>> make[3]: Nothing to be done for `all'.
>>>> Making all in output-plugins
>>>> make[3]: Nothing to be done for `all'.
>>>> Making all in detection-plugins
>>>> make[3]: Nothing to be done for `all'.
>>>> Making all in preprocessors
>>>> Making all in flow
>>>> Making all in portscan
>>>> make[5]: Nothing to be done for `all'.
>>>> Making all in int-snort
>>>> make[5]: Nothing to be done for `all'.
>>>> make[5]: Nothing to be done for `all-am'.
>>>> Making all in HttpInspect
>>>> Making all in include
>>>> make[5]: Nothing to be done for `all'.
>>>> Making all in utils
>>>> make[5]: Nothing to be done for `all'.
>>>> Making all in user_interface
>>>> make[5]: Nothing to be done for `all'.
>>>> Making all in session_inspection
>>>> make[5]: Nothing to be done for `all'.
>>>> Making all in mode_inspection
>>>> make[5]: Nothing to be done for `all'.
>>>> Making all in anomaly_detection
>>>> make[5]: Nothing to be done for `all'.
>>>> Making all in event_output
>>>> make[5]: Nothing to be done for `all'.
>>>> Making all in server
>>>> make[5]: Nothing to be done for `all'.
>>>> Making all in client
>>>> make[5]: Nothing to be done for `all'.
>>>> Making all in normalization
>>>> make[5]: Nothing to be done for `all'.
>>>> make[5]: Nothing to be done for `all-am'.
>>>> make[4]: Nothing to be done for `all-am'.
>>>> Making all in parser
>>>> make[3]: Nothing to be done for `all'.
>>>> gcc -DHAVE_CONFIG_H -I. -I. -I.. -I.. -I../src -I../src/sfutil -I/sw/include -I../src/output-plugins -I../src/detection-plugins -I../src/preprocessors -I../src/preprocessors/flow -I../src/preprocessors/portscan -I../src/preprocessors/flow/int-snort -I../src/preprocessors/HttpInspect/include -I/usr/local/include -I/sw/include -g -O2 -Wall -DGIDS -DIPFW -c `test -f 'inline.c' || echo './'`inline.c
>>>> inline.c: In function 'InitInlinePostConfig':
>>>> inline.c:126: warning: implicit declaration of function 'libnet_open_raw_sock'
>>>> inline.c:132: error: 'IP_H' undeclared (first use in this function)
>>>> inline.c:132: error: (Each undeclared identifier is reported only once
>>>> inline.c:132: error: for each function it appears in.)
>>>> inline.c:132: error: 'TCP_H' undeclared (first use in this function)
>>>> inline.c:175: warning: implicit declaration of function 'libnet_build_ip'
>>>> inline.c:175: error: 'PRu16' undeclared (first use in this function)
>>>> inline.c:179: warning: passing argument 8 of 'libnet_build_tcp' makes integer from pointer without a cast
>>>> inline.c:179: error: too few arguments to function 'libnet_build_tcp'
>>>> inline.c:182: error: 'ICMP_UNREACH_H' undeclared (first use in this function)
>>>> inline.c:184: warning: implicit declaration of function 'libnet_build_icmp_unreach'
>>>> inline.c: In function 'InitInline':
>>>> inline.c:194: warning: unused variable 'status'
>>>> inline.c: In function 'IpfwLoop':
>>>> inline.c:354: warning: pointer targets in passing argument 3 of 'PcapProcessPacket' differ in signedness
>>>> inline.c: In function 'RejectSocket':
>>>> inline.c:405: error: 'IP_H' undeclared (first use in this function)
>>>> inline.c:405: error: 'TCP_H' undeclared (first use in this function)
>>>> inline.c:420: warning: passing argument 1 of 'libnet_do_checksum' from incompatible pointer type
>>>> inline.c:420: warning: passing argument 2 of 'libnet_do_checksum' makes pointer from integer without a cast
>>>> inline.c:420: error: too few arguments to function 'libnet_do_checksum'
>>>> inline.c:422: warning: implicit declaration of function 'libnet_error'
>>>> inline.c:422: error: 'LIBNET_ERR_CRITICAL' undeclared (first use in this function)
>>>> inline.c:427: warning: implicit declaration of function 'libnet_write_ip'
>>>> inline.c:451: error: 'ICMP_UNREACH_H' undeclared (first use in this function)
>>>> inline.c:460: warning: passing argument 1 of 'libnet_do_checksum' from incompatible pointer type
>>>> inline.c:460: warning: passing argument 2 of 'libnet_do_checksum' makes pointer from integer without a cast
>>>> inline.c:460: error: too few arguments to function 'libnet_do_checksum'
>>>> inline.c: In function 'HandlePacket':
>>>> inline.c:699: warning: unused variable 'status'
>>>> make[3]: *** [inline.o] Error 1
>>>> make[2]: *** [all-recursive] Error 1
>>>> make[1]: *** [all-recursive] Error 1
>>>> make: *** [all] Error 2
>>>>
>>>> James.
>>>>
>>>> On 25/10/2005, at 12:41 AM, Jason wrote:
>>>>> try 2.4.3 from snort.org. lots of pointer warnings but I had no issues
>>>>> with it at all beyond that.
>>>>>
>>>>> James Brown wrote:
>>>>>> On 25/10/2005, at 12:09 AM, Jason wrote:
>>>>>>> I did not use the 2.3.0-RC1 inline port. I used snort proper from
>>>>>>> snort.org with its native inline capabilities. You will need to provide
>>>>>>> a config.guess for the OS X box or just use fink to install the libnet.
>>>>>>
>>>>>> Have just installed Fink and used it to install libnet 1.1.0-3 and now
>>>>>> I have got the ./configure line to work. Running make now! Lots of
>>>>>> warnings about pointers differing in signedness.
>>>>>>
>>>>>> Actually, it has now failed:
>>>>>>
>>>>>> inline.c:420: warning: passing argument 1 of 'libnet_do_checksum' from incompatible pointer type
>>>>>> inline.c:420: warning: passing argument 2 of 'libnet_do_checksum' makes pointer from integer without a cast
>>>>>> inline.c:420: error: too few arguments to function 'libnet_do_checksum'
>>>>>> inline.c:422: warning: implicit declaration of function 'libnet_error'
>>>>>> inline.c:422: error: 'LIBNET_ERR_CRITICAL' undeclared (first use in this function)
>>>>>> inline.c:427: warning: implicit declaration of function 'libnet_write_ip'
>>>>>> inline.c:451: error: 'ICMP_UNREACH_H' undeclared (first use in this function)
>>>>>> inline.c:460: warning: passing argument 1 of 'libnet_do_checksum' from incompatible pointer type
>>>>>> inline.c:460: warning: passing argument 2 of 'libnet_do_checksum' makes pointer from integer without a cast
>>>>>> inline.c:460: error: too few arguments to function 'libnet_do_checksum'
>>>>>> inline.c: In function 'HandlePacket':
>>>>>> inline.c:699: warning: unused variable 'status'
>>>>>> make[3]: *** [inline.o] Error 1
>>>>>> make[2]: *** [all-recursive] Error 1
>>>>>> make[1]: *** [all-recursive] Error 1
>>>>>> make: *** [all] Error 2
>>>>>>
>>>>>> Any suggestions?
>>>>>>
>>>>>> Thanks,
>>>>>>
>>>>>> James.
>>>>>>
>>>>>>> James Brown wrote:
>>>>>>>> Have just tried to install snort_inline-2.3.0-RC1 as per Nick's
>>>>>>>> instructions. Unfortunately, after typing ./configure --enable-inline
>>>>>>>> --enable-ipfw I get:
>>>>>>>>
>>>>>>>> checking for pcre_compile in -lpcre... yes
>>>>>>>> checking "for libnet.h version 1.0.x"...
>>>>>>>>
>>>>>>>> **********************************************
>>>>>>>> ERROR: unable to find libnet 1.0.x (libnet.h)
>>>>>>>> checked in the following places
>>>>>>>> **********************************************
>>
>> <libnet1.0_1.0.2a-13_darwin-powerpc.deb>
From: James B. <jl...@bo...> - 2005-10-25 05:00:04
|
Finally got ./configure --enable-inline --enable-ipfw to work. Then make and make install (for Snort 2.4.3). I then type:

sudo snort_inline -J 500 -c snort_inline.conf

But it says:

sudo: snort_inline: command not found

Does this mean that the configure/make/make install did not actually work? Or do I have to cd to somewhere to run it?

BTW, when I try to ./configure snort_inline-2.3.0-RC1 it still gives me the error:

checking "for libnet.h version 1.0.x"... no
configure: error: "libnet 1.0.x could not be found. please download and install the library from http://www.packetfactory.net/libnet/"

But snort proper does not!

Thanks,

James.

On 25/10/2005, at 12:41 AM, Jason wrote:

> try 2.4.3 from snort.org. lots of pointer warnings but I had no issues with it at all beyond that.
>
> James Brown wrote:
>
>> On 25/10/2005, at 12:09 AM, Jason wrote:
>>
>>> I did not use the 2.3.0-RC1 inline port. I used snort proper from snort.org with its native inline capabilities. You will need to provide a config.guess for the OS X box or just use fink to install the libnet. |
From: James B. <jl...@bo...> - 2005-10-24 23:21:39
|
How can you download 1.0.2a-13 using Fink? If I type in "fink find libnet", it only shows:

libnet 1.1.0-3 Set of routines to handle network packets
libnet-pm581 1.17-10 Perl modules, simple programming interface p
libnet-pm586 [virtual package]

Thanks,

James.

On 25/10/2005, at 12:50 AM, Jason wrote:

> Sorry. I didn't notice that you installed Libnet 1.1 in my last mail. Install 1.0.2 from fink and it should be fine.
>
> libnet1.0
> Set of routines to handle network packets
>
> Installed: 1.0.2a-13
> Unstable: 1.0.2a-13
> Stable: None
> Binary: 1.0.2a-13
>
> Web site: http://www.packetfactory.net/projects/libnet/
>
> Maintainer: Jeremy Higgs <fi...@hi...>
>
> James Brown wrote:
>
>> When I try it with snort 2.4.3 (typing make) I get the same thing:
>>
>> make all-recursive
>> Making all in src
>> Making all in sfutil
>> make[3]: Nothing to be done for `all'.
>> Making all in win32
>> make[3]: Nothing to be done for `all'.
>> Making all in output-plugins
>> make[3]: Nothing to be done for `all'.
>> Making all in detection-plugins
>> make[3]: Nothing to be done for `all'.
>> Making all in preprocessors
>> Making all in flow
>> Making all in portscan
>> make[5]: Nothing to be done for `all'.
>> Making all in int-snort
>> make[5]: Nothing to be done for `all'.
>> make[5]: Nothing to be done for `all-am'.
>> Making all in HttpInspect
>> Making all in include
>> make[5]: Nothing to be done for `all'.
>> Making all in utils
>> make[5]: Nothing to be done for `all'.
>> Making all in user_interface
>> make[5]: Nothing to be done for `all'.
>> Making all in session_inspection
>> make[5]: Nothing to be done for `all'.
>> Making all in mode_inspection
>> make[5]: Nothing to be done for `all'.
>> Making all in anomaly_detection
>> make[5]: Nothing to be done for `all'.
>> Making all in event_output
>> make[5]: Nothing to be done for `all'.
>> Making all in server
>> make[5]: Nothing to be done for `all'.
>> Making all in client
>> make[5]: Nothing to be done for `all'.
>> Making all in normalization
>> make[5]: Nothing to be done for `all'.
>> make[5]: Nothing to be done for `all-am'.
>> make[4]: Nothing to be done for `all-am'.
>> Making all in parser
>> make[3]: Nothing to be done for `all'.
>> gcc -DHAVE_CONFIG_H -I. -I. -I.. -I.. -I../src -I../src/sfutil -I/sw/include -I../src/output-plugins -I../src/detection-plugins -I../src/preprocessors -I../src/preprocessors/flow -I../src/preprocessors/portscan -I../src/preprocessors/flow/int-snort -I../src/preprocessors/HttpInspect/include -I/usr/local/include -I/sw/include -g -O2 -Wall -DGIDS -DIPFW -c `test -f 'inline.c' || echo './'`inline.c
>> inline.c: In function 'InitInlinePostConfig':
>> inline.c:126: warning: implicit declaration of function 'libnet_open_raw_sock'
>> inline.c:132: error: 'IP_H' undeclared (first use in this function)
>> inline.c:132: error: (Each undeclared identifier is reported only once
>> inline.c:132: error: for each function it appears in.)
>> inline.c:132: error: 'TCP_H' undeclared (first use in this function)
>> inline.c:175: warning: implicit declaration of function 'libnet_build_ip'
>> inline.c:175: error: 'PRu16' undeclared (first use in this function)
>> inline.c:179: warning: passing argument 8 of 'libnet_build_tcp' makes integer from pointer without a cast
>> inline.c:179: error: too few arguments to function 'libnet_build_tcp'
>> inline.c:182: error: 'ICMP_UNREACH_H' undeclared (first use in this function)
>> inline.c:184: warning: implicit declaration of function 'libnet_build_icmp_unreach'
>> inline.c: In function 'InitInline':
>> inline.c:194: warning: unused variable 'status'
>> inline.c: In function 'IpfwLoop':
>> inline.c:354: warning: pointer targets in passing argument 3 of 'PcapProcessPacket' differ in signedness
>> inline.c: In function 'RejectSocket':
>> inline.c:405: error: 'IP_H' undeclared (first use in this function)
>> inline.c:405: error: 'TCP_H' undeclared (first use in this function)
>> inline.c:420: warning: passing argument 1 of 'libnet_do_checksum' from incompatible pointer type
>> inline.c:420: warning: passing argument 2 of 'libnet_do_checksum' makes pointer from integer without a cast
>> inline.c:420: error: too few arguments to function 'libnet_do_checksum'
>> inline.c:422: warning: implicit declaration of function 'libnet_error'
>> inline.c:422: error: 'LIBNET_ERR_CRITICAL' undeclared (first use in this function)
>> inline.c:427: warning: implicit declaration of function 'libnet_write_ip'
>> inline.c:451: error: 'ICMP_UNREACH_H' undeclared (first use in this function)
>> inline.c:460: warning: passing argument 1 of 'libnet_do_checksum' from incompatible pointer type
>> inline.c:460: warning: passing argument 2 of 'libnet_do_checksum' makes pointer from integer without a cast
>> inline.c:460: error: too few arguments to function 'libnet_do_checksum'
>> inline.c: In function 'HandlePacket':
>> inline.c:699: warning: unused variable 'status'
>> make[3]: *** [inline.o] Error 1
>> make[2]: *** [all-recursive] Error 1
>> make[1]: *** [all-recursive] Error 1
>> make: *** [all] Error 2
>>
>> James.
>>
>> On 25/10/2005, at 12:41 AM, Jason wrote:
>>
>>> try 2.4.3 from snort.org. lots of pointer warnings but I had no issues with it at all beyond that.
>>>
>>> James Brown wrote:
>>>
>>>> On 25/10/2005, at 12:09 AM, Jason wrote:
>>>>
>>>>> I did not use the 2.3.0-RC1 inline port. I used snort proper from snort.org with its native inline capabilities. You will need to provide a config.guess for the OS X box or just use fink to install the libnet.
>>>>
>>>> Have just installed Fink and used it to install libnet 1.1.0-3 and now I have got the ./configure line to work. Running make now! Lots of warnings about pointers differing in signedness.
>>>>
>>>> Actually, it has now failed:
>>>>
>>>> inline.c:420: warning: passing argument 1 of 'libnet_do_checksum' from incompatible pointer type
>>>> inline.c:420: warning: passing argument 2 of 'libnet_do_checksum' makes pointer from integer without a cast
>>>> inline.c:420: error: too few arguments to function 'libnet_do_checksum'
>>>> inline.c:422: warning: implicit declaration of function 'libnet_error'
>>>> inline.c:422: error: 'LIBNET_ERR_CRITICAL' undeclared (first use in this function)
>>>> inline.c:427: warning: implicit declaration of function 'libnet_write_ip'
>>>> inline.c:451: error: 'ICMP_UNREACH_H' undeclared (first use in this function)
>>>> inline.c:460: warning: passing argument 1 of 'libnet_do_checksum' from incompatible pointer type
>>>> inline.c:460: warning: passing argument 2 of 'libnet_do_checksum' makes pointer from integer without a cast
>>>> inline.c:460: error: too few arguments to function 'libnet_do_checksum'
>>>> inline.c: In function 'HandlePacket':
>>>> inline.c:699: warning: unused variable 'status'
>>>> make[3]: *** [inline.o] Error 1
>>>> make[2]: *** [all-recursive] Error 1
>>>> make[1]: *** [all-recursive] Error 1
>>>> make: *** [all] Error 2
>>>>
>>>> Any suggestions?
>>>>
>>>> Thanks,
>>>>
>>>> James.
>>>>
>>>>> James Brown wrote:
>>>>>
>>>>>> Have just tried to install snort_inline-2.3.0-RC1 as per Nick's instructions. Unfortunately, after typing ./configure --enable-inline --enable-ipfw I get:
>>>>>>
>>>>>> checking for pcre_compile in -lpcre... yes
>>>>>> checking "for libnet.h version 1.0.x"...
>>>>>>
>>>>>> **********************************************
>>>>>> ERROR: unable to find libnet 1.0.x (libnet.h)
>>>>>> checked in the following places
>>>>>> ********************************************** |
From: davide b. <dav...@gm...> - 2005-10-24 15:48:28
|
Hi, I've tried another virus of 200 KB and it isn't detected by snort-clamav... but with clamav alone it is... why? I use clamav after stream4.

2005/10/23, davide belloni <dav...@gm...>:
>
> Hi, now my snort-inline + clamav catches the virus... but the virus present in ftp://ftp.digitalfuture.it, 06.exe, isn't caught... could it be because it's 224 KB and stream4 doesn't reassemble all of it? How does stream4 work? Moreover, to catch this virus my clamav needs the whole file, because it isn't caught by signature but by the algorithmic engine, and clamav must have the file as if it were on the filesystem.
> Can someone help me??
> --
> China |
From: Victor J. <vi...@nk...> - 2005-10-24 14:54:27
|
> Have just installed Fink and used it to install libnet 1.1.0-3

You need libnet 1.0.2a for snort_inline...

Regards,
Victor |
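The thread's build failures (configure reporting "libnet 1.0.x could not be found", then "too few arguments to function 'libnet_do_checksum'" once a 1.1.x header is on the -I path) come down to which libnet.h each include directory provides. The script below is an added example, not code from this thread or from snort_inline; it assumes both libnet 1.0.x and 1.1.x headers carry a `#define LIBNET_VERSION "x.y.z"` line, and the demo directory tree it builds stands in for /usr/local/include and /sw/include.

```shell
#!/bin/sh
# Added example (not from the list thread): report which libnet version each include
# directory on the compiler's -I path provides, so a 1.1.x header can be spotted before
# running ./configure --enable-inline --enable-ipfw, which wants libnet 1.0.x.
# Assumption: libnet.h in both branches defines LIBNET_VERSION as a quoted string.

# libnet_version_of <dir>: print the LIBNET_VERSION string from <dir>/libnet.h,
# "none" if there is no header there, "unknown" if the macro is missing.
libnet_version_of() {
    hdr="$1/libnet.h"
    [ -f "$hdr" ] || { echo none; return 0; }
    v=$(sed -n 's/^#define[[:space:]]*LIBNET_VERSION[[:space:]]*"\([^"]*\)".*/\1/p' "$hdr" | head -n 1)
    [ -n "$v" ] && echo "$v" || echo unknown
}

# libnet_branch <version>: 1.0 is the API snort_inline's configure checks for;
# 1.1 has a different API (more arguments to libnet_build_* and libnet_do_checksum,
# which is what the undeclared-identifier and too-few-arguments errors point to).
libnet_branch() {
    case "$1" in
        1.0.*) echo 1.0 ;;
        1.1.*) echo 1.1 ;;
        *)     echo other ;;
    esac
}

# check_include_dirs <dir>...: one report line per directory, e.g.
# "/sw/include: libnet 1.1.0 (1.1)".
check_include_dirs() {
    for d in "$@"; do
        v=$(libnet_version_of "$d")
        echo "$d: libnet $v ($(libnet_branch "$v"))"
    done
}

# Constructed demo tree: a 1.1.x header under sw/include (what fink's libnet 1.1.0-3
# would install) and a 1.0.x header under usr/local/include.
demo=$(mktemp -d)
mkdir -p "$demo/sw/include" "$demo/usr/local/include"
printf '#define LIBNET_VERSION "1.1.0"\n'  > "$demo/sw/include/libnet.h"
printf '#define LIBNET_VERSION "1.0.2a"\n' > "$demo/usr/local/include/libnet.h"
check_include_dirs "$demo/usr/local/include" "$demo/sw/include" "$demo/nowhere"
rm -rf "$demo"
```

Run it against the real directories from the gcc command line in the thread (/usr/local/include and /sw/include) to see which header configure and the compiler will pick up first.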