From: Jason <sec...@br...> - 2005-10-24 14:50:58
Sorry. I didn't notice that you installed Libnet 1.1 in my last mail. Install 1.0.2 from fink and it should be fine.

libnet1.0
  Set of routines to handle network packets
  Installed: 1.0.2a-13
  Unstable: 1.0.2a-13
  Stable: None
  Binary: 1.0.2a-13
  Web site: http://www.packetfactory.net/projects/libnet/
  Maintainer: Jeremy Higgs <fi...@hi...>

James Brown wrote:
> When I try it with snort 2.4.3 (typing make) I get the same thing:
>
> make all-recursive
> Making all in src
> Making all in sfutil
> make[3]: Nothing to be done for `all'.
> Making all in win32
> make[3]: Nothing to be done for `all'.
> Making all in output-plugins
> make[3]: Nothing to be done for `all'.
> Making all in detection-plugins
> make[3]: Nothing to be done for `all'.
> Making all in preprocessors
> Making all in flow
> Making all in portscan
> make[5]: Nothing to be done for `all'.
> Making all in int-snort
> make[5]: Nothing to be done for `all'.
> make[5]: Nothing to be done for `all-am'.
> Making all in HttpInspect
> Making all in include
> make[5]: Nothing to be done for `all'.
> Making all in utils
> make[5]: Nothing to be done for `all'.
> Making all in user_interface
> make[5]: Nothing to be done for `all'.
> Making all in session_inspection
> make[5]: Nothing to be done for `all'.
> Making all in mode_inspection
> make[5]: Nothing to be done for `all'.
> Making all in anomaly_detection
> make[5]: Nothing to be done for `all'.
> Making all in event_output
> make[5]: Nothing to be done for `all'.
> Making all in server
> make[5]: Nothing to be done for `all'.
> Making all in client
> make[5]: Nothing to be done for `all'.
> Making all in normalization
> make[5]: Nothing to be done for `all'.
> make[5]: Nothing to be done for `all-am'.
> make[4]: Nothing to be done for `all-am'.
> Making all in parser
> make[3]: Nothing to be done for `all'.
> gcc -DHAVE_CONFIG_H -I. -I. -I.. -I.. -I../src -I../src/sfutil -I/sw/include -I../src/output-plugins -I../src/detection-plugins -I../src/preprocessors -I../src/preprocessors/flow -I../src/preprocessors/portscan -I../src/preprocessors/flow/int-snort -I../src/preprocessors/HttpInspect/include -I/usr/local/include -I/sw/include -g -O2 -Wall -DGIDS -DIPFW -c `test -f 'inline.c' || echo './'`inline.c
> inline.c: In function 'InitInlinePostConfig':
> inline.c:126: warning: implicit declaration of function 'libnet_open_raw_sock'
> inline.c:132: error: 'IP_H' undeclared (first use in this function)
> inline.c:132: error: (Each undeclared identifier is reported only once
> inline.c:132: error: for each function it appears in.)
> inline.c:132: error: 'TCP_H' undeclared (first use in this function)
> inline.c:175: warning: implicit declaration of function 'libnet_build_ip'
> inline.c:175: error: 'PRu16' undeclared (first use in this function)
> inline.c:179: warning: passing argument 8 of 'libnet_build_tcp' makes integer from pointer without a cast
> inline.c:179: error: too few arguments to function 'libnet_build_tcp'
> inline.c:182: error: 'ICMP_UNREACH_H' undeclared (first use in this function)
> inline.c:184: warning: implicit declaration of function 'libnet_build_icmp_unreach'
> inline.c: In function 'InitInline':
> inline.c:194: warning: unused variable 'status'
> inline.c: In function 'IpfwLoop':
> inline.c:354: warning: pointer targets in passing argument 3 of 'PcapProcessPacket' differ in signedness
> inline.c: In function 'RejectSocket':
> inline.c:405: error: 'IP_H' undeclared (first use in this function)
> inline.c:405: error: 'TCP_H' undeclared (first use in this function)
> inline.c:420: warning: passing argument 1 of 'libnet_do_checksum' from incompatible pointer type
> inline.c:420: warning: passing argument 2 of 'libnet_do_checksum' makes pointer from integer without a cast
> inline.c:420: error: too few arguments to function 'libnet_do_checksum'
> inline.c:422: warning: implicit declaration of function 'libnet_error'
> inline.c:422: error: 'LIBNET_ERR_CRITICAL' undeclared (first use in this function)
> inline.c:427: warning: implicit declaration of function 'libnet_write_ip'
> inline.c:451: error: 'ICMP_UNREACH_H' undeclared (first use in this function)
> inline.c:460: warning: passing argument 1 of 'libnet_do_checksum' from incompatible pointer type
> inline.c:460: warning: passing argument 2 of 'libnet_do_checksum' makes pointer from integer without a cast
> inline.c:460: error: too few arguments to function 'libnet_do_checksum'
> inline.c: In function 'HandlePacket':
> inline.c:699: warning: unused variable 'status'
> make[3]: *** [inline.o] Error 1
> make[2]: *** [all-recursive] Error 1
> make[1]: *** [all-recursive] Error 1
> make: *** [all] Error 2
>
> James.
>
> On 25/10/2005, at 12:41 AM, Jason wrote:
>
>> try 2.4.3 from snort.org. lots of pointer warnings but I had no issues
>> with it at all beyond that.
>>
>> James Brown wrote:
>>
>>> On 25/10/2005, at 12:09 AM, Jason wrote:
>>>
>>>> I did not use the 2.3.0-RC1 inline port. I used snort proper from
>>>> snort.org with its native inline capabilities. You will need to provide
>>>> a config.guess for the OS X box or just use fink to install the libnet.
>>>
>>> Have just installed Fink and used it to install libnet 1.1.0-3 and now
>>> I have got the ./configure line to work. Running make now! Lots of
>>> warnings about pointers differing in signedness.
>>>
>>> Actually, it has now failed:
>>>
>>> inline.c:420: warning: passing argument 1 of 'libnet_do_checksum' from incompatible pointer type
>>> inline.c:420: warning: passing argument 2 of 'libnet_do_checksum' makes pointer from integer without a cast
>>> inline.c:420: error: too few arguments to function 'libnet_do_checksum'
>>> inline.c:422: warning: implicit declaration of function 'libnet_error'
>>> inline.c:422: error: 'LIBNET_ERR_CRITICAL' undeclared (first use in this function)
>>> inline.c:427: warning: implicit declaration of function 'libnet_write_ip'
>>> inline.c:451: error: 'ICMP_UNREACH_H' undeclared (first use in this function)
>>> inline.c:460: warning: passing argument 1 of 'libnet_do_checksum' from incompatible pointer type
>>> inline.c:460: warning: passing argument 2 of 'libnet_do_checksum' makes pointer from integer without a cast
>>> inline.c:460: error: too few arguments to function 'libnet_do_checksum'
>>> inline.c: In function 'HandlePacket':
>>> inline.c:699: warning: unused variable 'status'
>>> make[3]: *** [inline.o] Error 1
>>> make[2]: *** [all-recursive] Error 1
>>> make[1]: *** [all-recursive] Error 1
>>> make: *** [all] Error 2
>>>
>>> Any suggestions?
>>>
>>> Thanks,
>>>
>>> James.
>>>
>>>> James Brown wrote:
>>>>
>>>>> Have just tried to install snort_inline-2.3.0-RC1 as per Nick's
>>>>> instructions. Unfortunately, after typing ./configure --enable-inline
>>>>> --enable-ipfw I get:
>>>>>
>>>>> checking for pcre_compile in -lpcre... yes
>>>>> checking "for libnet.h version 1.0.x"...
>>>>>
>>>>> **********************************************
>>>>> ERROR: unable to find libnet 1.0.x (libnet.h)
>>>>> checked in the following places
>>>>> **********************************************
From: James B. <jl...@bo...> - 2005-10-24 14:46:48
When I try it with snort 2.4.3 (typing make) I get the same thing:

make all-recursive
Making all in src
Making all in sfutil
make[3]: Nothing to be done for `all'.
Making all in win32
make[3]: Nothing to be done for `all'.
Making all in output-plugins
make[3]: Nothing to be done for `all'.
Making all in detection-plugins
make[3]: Nothing to be done for `all'.
Making all in preprocessors
Making all in flow
Making all in portscan
make[5]: Nothing to be done for `all'.
Making all in int-snort
make[5]: Nothing to be done for `all'.
make[5]: Nothing to be done for `all-am'.
Making all in HttpInspect
Making all in include
make[5]: Nothing to be done for `all'.
Making all in utils
make[5]: Nothing to be done for `all'.
Making all in user_interface
make[5]: Nothing to be done for `all'.
Making all in session_inspection
make[5]: Nothing to be done for `all'.
Making all in mode_inspection
make[5]: Nothing to be done for `all'.
Making all in anomaly_detection
make[5]: Nothing to be done for `all'.
Making all in event_output
make[5]: Nothing to be done for `all'.
Making all in server
make[5]: Nothing to be done for `all'.
Making all in client
make[5]: Nothing to be done for `all'.
Making all in normalization
make[5]: Nothing to be done for `all'.
make[5]: Nothing to be done for `all-am'.
make[4]: Nothing to be done for `all-am'.
Making all in parser
make[3]: Nothing to be done for `all'.
gcc -DHAVE_CONFIG_H -I. -I. -I.. -I.. -I../src -I../src/sfutil -I/sw/include -I../src/output-plugins -I../src/detection-plugins -I../src/preprocessors -I../src/preprocessors/flow -I../src/preprocessors/portscan -I../src/preprocessors/flow/int-snort -I../src/preprocessors/HttpInspect/include -I/usr/local/include -I/sw/include -g -O2 -Wall -DGIDS -DIPFW -c `test -f 'inline.c' || echo './'`inline.c
inline.c: In function 'InitInlinePostConfig':
inline.c:126: warning: implicit declaration of function 'libnet_open_raw_sock'
inline.c:132: error: 'IP_H' undeclared (first use in this function)
inline.c:132: error: (Each undeclared identifier is reported only once
inline.c:132: error: for each function it appears in.)
inline.c:132: error: 'TCP_H' undeclared (first use in this function)
inline.c:175: warning: implicit declaration of function 'libnet_build_ip'
inline.c:175: error: 'PRu16' undeclared (first use in this function)
inline.c:179: warning: passing argument 8 of 'libnet_build_tcp' makes integer from pointer without a cast
inline.c:179: error: too few arguments to function 'libnet_build_tcp'
inline.c:182: error: 'ICMP_UNREACH_H' undeclared (first use in this function)
inline.c:184: warning: implicit declaration of function 'libnet_build_icmp_unreach'
inline.c: In function 'InitInline':
inline.c:194: warning: unused variable 'status'
inline.c: In function 'IpfwLoop':
inline.c:354: warning: pointer targets in passing argument 3 of 'PcapProcessPacket' differ in signedness
inline.c: In function 'RejectSocket':
inline.c:405: error: 'IP_H' undeclared (first use in this function)
inline.c:405: error: 'TCP_H' undeclared (first use in this function)
inline.c:420: warning: passing argument 1 of 'libnet_do_checksum' from incompatible pointer type
inline.c:420: warning: passing argument 2 of 'libnet_do_checksum' makes pointer from integer without a cast
inline.c:420: error: too few arguments to function 'libnet_do_checksum'
inline.c:422: warning: implicit declaration of function 'libnet_error'
inline.c:422: error: 'LIBNET_ERR_CRITICAL' undeclared (first use in this function)
inline.c:427: warning: implicit declaration of function 'libnet_write_ip'
inline.c:451: error: 'ICMP_UNREACH_H' undeclared (first use in this function)
inline.c:460: warning: passing argument 1 of 'libnet_do_checksum' from incompatible pointer type
inline.c:460: warning: passing argument 2 of 'libnet_do_checksum' makes pointer from integer without a cast
inline.c:460: error: too few arguments to function 'libnet_do_checksum'
inline.c: In function 'HandlePacket':
inline.c:699: warning: unused variable 'status'
make[3]: *** [inline.o] Error 1
make[2]: *** [all-recursive] Error 1
make[1]: *** [all-recursive] Error 1
make: *** [all] Error 2

James.

On 25/10/2005, at 12:41 AM, Jason wrote:

> try 2.4.3 from snort.org. lots of pointer warnings but I had no issues
> with it at all beyond that.
>
> James Brown wrote:
>
>> On 25/10/2005, at 12:09 AM, Jason wrote:
>>
>>> I did not use the 2.3.0-RC1 inline port. I used snort proper from
>>> snort.org with its native inline capabilities. You will need to provide
>>> a config.guess for the OS X box or just use fink to install the libnet.
>>
>> Have just installed Fink and used it to install libnet 1.1.0-3 and now
>> I have got the ./configure line to work. Running make now! Lots of
>> warnings about pointers differing in signedness.
>>
>> Actually, it has now failed:
>>
>> inline.c:420: warning: passing argument 1 of 'libnet_do_checksum' from incompatible pointer type
>> inline.c:420: warning: passing argument 2 of 'libnet_do_checksum' makes pointer from integer without a cast
>> inline.c:420: error: too few arguments to function 'libnet_do_checksum'
>> inline.c:422: warning: implicit declaration of function 'libnet_error'
>> inline.c:422: error: 'LIBNET_ERR_CRITICAL' undeclared (first use in this function)
>> inline.c:427: warning: implicit declaration of function 'libnet_write_ip'
>> inline.c:451: error: 'ICMP_UNREACH_H' undeclared (first use in this function)
>> inline.c:460: warning: passing argument 1 of 'libnet_do_checksum' from incompatible pointer type
>> inline.c:460: warning: passing argument 2 of 'libnet_do_checksum' makes pointer from integer without a cast
>> inline.c:460: error: too few arguments to function 'libnet_do_checksum'
>> inline.c: In function 'HandlePacket':
>> inline.c:699: warning: unused variable 'status'
>> make[3]: *** [inline.o] Error 1
>> make[2]: *** [all-recursive] Error 1
>> make[1]: *** [all-recursive] Error 1
>> make: *** [all] Error 2
>>
>> Any suggestions?
>>
>> Thanks,
>>
>> James.
>>
>>> James Brown wrote:
>>>
>>>> Have just tried to install snort_inline-2.3.0-RC1 as per Nick's
>>>> instructions. Unfortunately, after typing ./configure --enable-inline
>>>> --enable-ipfw I get:
>>>>
>>>> checking for pcre_compile in -lpcre... yes
>>>> checking "for libnet.h version 1.0.x"...
>>>>
>>>> **********************************************
>>>> ERROR: unable to find libnet 1.0.x (libnet.h)
>>>> checked in the following places
>>>> **********************************************
From: James B. <jl...@bo...> - 2005-10-24 14:33:21
On 25/10/2005, at 12:09 AM, Jason wrote:
> I did not use the 2.3.0-RC1 inline port. I used snort proper from
> snort.org with its native inline capabilities. You will need to provide
> a config.guess for the OS X box or just use fink to install the libnet.

Have just installed Fink and used it to install libnet 1.1.0-3 and now I have got the ./configure line to work. Running make now! Lots of warnings about pointers differing in signedness.

Actually, it has now failed:

inline.c:420: warning: passing argument 1 of 'libnet_do_checksum' from incompatible pointer type
inline.c:420: warning: passing argument 2 of 'libnet_do_checksum' makes pointer from integer without a cast
inline.c:420: error: too few arguments to function 'libnet_do_checksum'
inline.c:422: warning: implicit declaration of function 'libnet_error'
inline.c:422: error: 'LIBNET_ERR_CRITICAL' undeclared (first use in this function)
inline.c:427: warning: implicit declaration of function 'libnet_write_ip'
inline.c:451: error: 'ICMP_UNREACH_H' undeclared (first use in this function)
inline.c:460: warning: passing argument 1 of 'libnet_do_checksum' from incompatible pointer type
inline.c:460: warning: passing argument 2 of 'libnet_do_checksum' makes pointer from integer without a cast
inline.c:460: error: too few arguments to function 'libnet_do_checksum'
inline.c: In function 'HandlePacket':
inline.c:699: warning: unused variable 'status'
make[3]: *** [inline.o] Error 1
make[2]: *** [all-recursive] Error 1
make[1]: *** [all-recursive] Error 1
make: *** [all] Error 2

Any suggestions?

Thanks,

James.

> James Brown wrote:
>
>> Have just tried to install snort_inline-2.3.0-RC1 as per Nick's
>> instructions. Unfortunately, after typing ./configure --enable-inline
>> --enable-ipfw I get:
>>
>> checking for pcre_compile in -lpcre... yes
>> checking "for libnet.h version 1.0.x"...
>>
>> **********************************************
>> ERROR: unable to find libnet 1.0.x (libnet.h)
>> checked in the following places
>> **********************************************
From: Jason <sec...@br...> - 2005-10-24 13:39:03
I just built snort-2.4.3 on OS X 1.4.2 proper and can confirm that it picks up traffic using the divert. If I get time later today I will test inline capabilities for blocking and replace.

Nick Rogness wrote:
>> Will,
>> I believe OS X uses ipfw instead of PF. Hence, ipfw/divert socket as
>> in FreeBSD would be possible? I have not tried it out or had the need
>> for it....:-)
>
> If OS X is using ipfw, then you'll need to build it with the proper
> flags (Or it will try and use iptables). See:
>
> http://freebsd.rogness.net/snort_inline
>
> Nick Rogness <ni...@ro...>
>
> -------------------------------------------------------
> This SF.Net email is sponsored by the JBoss Inc.
> Get Certified Today * Register for a JBoss Training Course
> Free Certification Exam for All Training Attendees Through End of 2005
> Visit http://www.jboss.com/services/certification for more information
> _______________________________________________
> Snort-inline-users mailing list
> Sno...@li...
> https://lists.sourceforge.net/lists/listinfo/snort-inline-users
From: Nick R. <ni...@ro...> - 2005-10-24 03:25:36
> Will,
> I believe OS X uses ipfw instead of PF. Hence, ipfw/divert socket as
> in FreeBSD would be possible? I have not tried it out or had the need
> for it....:-)

If OS X is using ipfw, then you'll need to build it with the proper flags (Or it will try and use iptables). See:

http://freebsd.rogness.net/snort_inline

Nick Rogness <ni...@ro...>
From: Will M. <wil...@gm...> - 2005-10-24 00:47:51
I'll look into as time permits, I'm very busy these days.

Regards,

Will

On 10/21/05, Adrian Soogemackelyk <soo...@gm...> wrote:
> I recently patched my snort_inline 2.3.0 with the patch regarding a
> SIGHUP-able snort_line supplied in this mailing list from a few months back.
> The patch applied cleanly. I can sighup snort_inline, and it reloads a new
> ruleset. I wanted to make sure that the functionality was reliable before I
> put my snort_inline box inline, seeing that I want to write a utility that
> will update the snort rules regularly and sighup snort_line to reread the
> rulesets (keeping the same pid around is helpful in this case).
>
> I put my Celeron 2.4 Ghz Snort IPS box with snort_inline under heavy load
> (blasted it with iperf and ping floods), and ran a bash script that would
> send a SIGHUP to snort_inline once every five seconds, The script would
> also check to see if the pid changed or disappeared. Within ten minutes
> every time, snort_inline dies miserably or is in memory (state 'S'), but
> does not pass traffic. I don't know why the sighup isn't always reliable.
> Any ideas why?
>
> -Adrian
From: Will M. <wil...@gm...> - 2005-10-24 00:47:20
Then yeah it should be possible. I don't have access to an OSX box, and my brain is a little shot these days; this wedding is driving me nuts. It will all soon be over, and I will be able to continue to develop and answer questions. Stick with me for about three more weeks folks. Victor and I are still coding, just both of us are very busy.

Regards,

Will

On 10/23/05, Murali Raju <pro...@gm...> wrote:
> Will,
> I believe OS X uses ipfw instead of PF. Hence, ipfw/divert socket as
> in FreeBSD would be possible? I have not tried it out or had the need
> for it....:-)
>
> _Raju
>
> On 10/23/05, Will Metcalf <wil...@gm...> wrote:
> > OSX uses pf as a firewall, there has been no port for pf because pf
> > does not have a divert socket/userspace queueing functionality.
> >
> > Regards,
> >
> > Will
> >
> > On 10/23/05, James Brown <jl...@bo...> wrote:
> > > When I download the iptables and type "make install-devel" I get:
> > >
> > > Making dependencies: please wait...
> > > Something wrong... deleting dependencies.
> > >
> > > Please try `make KERNEL_DIR=path-to-correct-kernel'.
> > >
> > > make: *** [linux/ip.h] Error 1
> > >
> > > This is under MacOS X Tiger (10.4.2). Has anyone got snort_inline to
> > > work under MacOS X?
> > >
> > > Thanks,
> > >
> > > James.
>
> --
> May the packets be with you.
From: Murali R. <pro...@gm...> - 2005-10-23 20:10:29
Will,
I believe OS X uses ipfw instead of PF. Hence, ipfw/divert socket as in FreeBSD would be possible? I have not tried it out or had the need for it....:-)

_Raju

On 10/23/05, Will Metcalf <wil...@gm...> wrote:
> OSX uses pf as a firewall, there has been no port for pf because pf
> does not have a divert socket/userspace queueing functionality.
>
> Regards,
>
> Will
>
> On 10/23/05, James Brown <jl...@bo...> wrote:
> > When I download the iptables and type "make install-devel" I get:
> >
> > Making dependencies: please wait...
> > Something wrong... deleting dependencies.
> >
> > Please try `make KERNEL_DIR=path-to-correct-kernel'.
> >
> > make: *** [linux/ip.h] Error 1
> >
> > This is under MacOS X Tiger (10.4.2). Has anyone got snort_inline to
> > work under MacOS X?
> >
> > Thanks,
> >
> > James.

--
May the packets be with you.
From: Will M. <wil...@gm...> - 2005-10-23 19:36:50
OSX uses pf as a firewall, there has been no port for pf because pf does not have a divert socket/userspace queueing functionality.

Regards,

Will

On 10/23/05, James Brown <jl...@bo...> wrote:
> When I download the iptables and type "make install-devel" I get:
>
> Making dependencies: please wait...
> Something wrong... deleting dependencies.
>
> Please try `make KERNEL_DIR=path-to-correct-kernel'.
>
> make: *** [linux/ip.h] Error 1
>
> This is under MacOS X Tiger (10.4.2). Has anyone got snort_inline to
> work under MacOS X?
>
> Thanks,
>
> James.
From: Will M. <wil...@gm...> - 2005-10-23 19:33:47
Back Orifice Vulnerability is only for 2.4.x; 2.3.x is not vulnerable.

Regards,

Will

On 10/22/05, surya prakash <sur...@ya...> wrote:
> Hi,
>
> What exactly is this Back Orifice Traffic and how to
> detect Back Orifice traffic thru rules. If so can you
> specify the rules to detect the same.
>
> Is it advisable to upgrade to 2.4.3 just because of
> this Back Orifice Vulnerability alone which has been fixed
> in 2.4.3.
>
> From where I can get the differences between version
> 2.3 and 2.4.3.
>
> Rgds,
> Surya
>
> __________________________________________________
> Do You Yahoo!?
> Tired of spam? Yahoo! Mail has the best spam protection around
> http://mail.yahoo.com
From: davide b. <dav...@gm...> - 2005-10-23 17:30:50
Hi, now my snort-inline + clamav catches the virus... but the virus present in ftp://ftp.digitalfuture.it, 06.exe, isn't caught... would it be because it's 224 KB and stream4 doesn't reassemble all of it? How does stream4 work? Moreover, to catch this virus my clamav needs the whole file, because it isn't caught by signature but by the algorithmic engine, and clamav must have the file as if it were on the filesystem. Can someone help me??
From: James B. <jl...@bo...> - 2005-10-23 12:52:38
When I download the iptables and type "make install-devel" I get:

Making dependencies: please wait...
Something wrong... deleting dependencies.

Please try `make KERNEL_DIR=path-to-correct-kernel'.

make: *** [linux/ip.h] Error 1

This is under MacOS X Tiger (10.4.2). Has anyone got snort_inline to work under MacOS X?

Thanks,

James.
From: surya p. <sur...@ya...> - 2005-10-22 21:16:00
Hi,

What exactly is this Back Orifice Traffic and how to detect Back Orifice traffic thru rules. If so can you specify the rules to detect the same.

Is it advisable to upgrade to 2.4.3 just because of this Back Orifice Vulnerability alone which has been fixed in 2.4.3.

From where I can get the differences between version 2.3 and 2.4.3.

Rgds,
Surya
From: Adrian S. <soo...@gm...> - 2005-10-21 22:16:04
I recently patched my snort_inline 2.3.0 with the patch regarding a SIGHUP-able snort_line supplied in this mailing list from a few months back. The patch applied cleanly. I can sighup snort_inline, and it reloads a new ruleset. I wanted to make sure that the functionality was reliable before I put my snort_inline box inline, seeing that I want to write a utility that will update the snort rules regularly and sighup snort_line to reread the rulesets (keeping the same pid around is helpful in this case).

I put my Celeron 2.4 Ghz Snort IPS box with snort_inline under heavy load (blasted it with iperf and ping floods), and ran a bash script that would send a SIGHUP to snort_inline once every five seconds. The script would also check to see if the pid changed or disappeared. Within ten minutes every time, snort_inline dies miserably or is in memory (state 'S'), but does not pass traffic. I don't know why the sighup isn't always reliable. Any ideas why?

-Adrian
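The reload test Adrian describes (periodic SIGHUP, then check that the pid is unchanged and the process still exists) misses the third failure he reports: a daemon that is still in memory in state 'S' but no longer passes traffic. The script below is an added example, not Adrian's script or anything from the snort_inline project; it adds that third check as a caller-supplied "traffic probe" command. It assumes the daemon writes its pid to a pid file (the path is a placeholder) and, for a dry run, stands in a dummy process that survives SIGHUP the way a correctly reloading daemon should.

```shell
#!/bin/sh
# Added example (not from the thread): SIGHUP reload-reliability check.
# After each SIGHUP it verifies that (1) the pid file still names the same
# pid, (2) that process is still alive, and (3) an optional probe command
# still succeeds (e.g. "ping -c1 -W1 host-behind-the-ips"), which catches the
# alive-but-not-forwarding case. Assumptions: pid file written by the daemon
# (for snort_inline, whatever its pid-file option is set to); probe chosen by
# the caller.

SETTLE=${SETTLE:-1}   # seconds to wait after SIGHUP before re-checking

# Return codes: 0 ok; 1 no live process before the signal; 2 pid changed
# (daemon restarted instead of reloading); 3 process gone after SIGHUP;
# 4 probe failed (process alive but traffic no longer passing).
check_reload_once() {
    pidfile=$1; probe=${2:-true}
    before=$(cat "$pidfile" 2>/dev/null) || return 1
    [ -n "$before" ] && kill -0 "$before" 2>/dev/null || return 1
    kill -HUP "$before" 2>/dev/null || return 1
    sleep "$SETTLE"
    after=$(cat "$pidfile" 2>/dev/null) || return 3
    [ "$before" = "$after" ] || return 2
    kill -0 "$after" 2>/dev/null || return 3
    $probe >/dev/null 2>&1 || return 4
    return 0
}

# Repeat the check; report the iteration and reason of the first failure and
# return that reason code, or 0 if every reload survived.
reload_loop() {
    pidfile=$1; interval=$2; iterations=$3; probe=${4:-true}
    i=1
    while [ "$i" -le "$iterations" ]; do
        if check_reload_once "$pidfile" "$probe"; then rc=0; else rc=$?; fi
        if [ "$rc" -ne 0 ]; then
            echo "reload $i failed: rc=$rc" >&2
            return "$rc"
        fi
        i=$((i + 1))
        sleep "$interval"
    done
    return 0
}

# Stand-in daemon for a dry run (constructed for this example): a subshell
# that traps SIGHUP and keeps running, and gives up on its own after 60 s.
start_dummy_daemon() {
    pidfile=$1
    ( trap ':' HUP; n=0; while [ "$n" -lt 60 ]; do sleep 1; n=$((n + 1)); done ) \
        </dev/null >/dev/null 2>&1 &
    echo $! > "$pidfile"
    sleep 1   # let the subshell install its trap before we signal it
}

# Terminate the dummy and reap it, so kill -0 no longer sees a zombie.
stop_dummy_daemon() {
    pid=$(cat "$1" 2>/dev/null) || return 1
    kill "$pid" 2>/dev/null || true
    wait "$pid" 2>/dev/null || true
}

# Dry run when saved as reloadcheck.sh and executed directly:
# three reloads, one second apart, against the dummy daemon.
if [ "${0##*/}" = "reloadcheck.sh" ]; then
    pf=$(mktemp)
    start_dummy_daemon "$pf"
    reload_loop "$pf" 1 3 true && echo "all reloads survived"
    stop_dummy_daemon "$pf"
    rm -f "$pf"
fi
```

Against the real daemon, replace the dummy with its pid file and pass a probe that exercises the forwarding path under the same load Adrian applied; a return code of 4 distinguishes his "in memory but not passing traffic" case from a crash (3) or a restart with a new pid (2).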
From: Holger M. <gan...@mo...> - 2005-10-21 16:17:59
Problem solved. I found in snort_full the entries from clamav. And with the search "clamav mysql" I found that:

http://sourceforge.net/mailarchive/message.php?msg_id=10301120

I should more RTFUL Read the fine User-List :)

Thank you all.

@ Will
All the best to you and your bride to be.

greetz
Holger

Will Metcalf schrieb:
> No time to troubleshoot with you, somebody else is going to have to
> help out. I won't be able to answer any questions until after Nov
> 12th. Working on a big project and getting married.
>
> Regards,
>
> Will
>
> On 10/20/05, Holger Moskopp <gan...@mo...> wrote:
>
>> Very strange - As i told you, i got problems
>> with Clamav and Snort-Inline.
>>
>> If i try to get a virus like
>> Virus.CVC.PVT
>> Virus.Linux.Cassini.1618
>> Virus.Script.ASX.Conp
>> or
>> Virus.Script.BRB.Barbus
>> via ftp it don't work.
>>
>> it build a datafile on the aim with that name but
>> it is empty (0kb) or smaller than the original file.
>> The ftp-connection stands still and if i hit return
>> it said - no connection. (action is drop)
>>
>> It seem that clamav don't let pass the virus.
>> But there is no notification in the mysql-database
>> that a virus was blocked.
>>
>> Normal virifree Data passes ok. Also the Exploit.HTML.Mht
>> passes without any difficulties. Could it be that exploits are not expected
>> on that way? Is it only detected if it comes over a http-connection?
>>
>> Any ideas what could be wrong? Why is snort-inline so reticent in that
>> cause?
>>
>> Thanks
>> Holger
From: Will M. <wil...@gm...> - 2005-10-20 18:19:56
No time to troubleshoot with you, somebody else is going to have to help out. I won't be able to answer any questions until after Nov 12th. Working on a big project and getting married.

Regards,

Will

On 10/20/05, Holger Moskopp <gan...@mo...> wrote:
> Very strange - As i told you, i got problems
> with Clamav and Snort-Inline.
>
> If i try to get a virus like
> Virus.CVC.PVT
> Virus.Linux.Cassini.1618
> Virus.Script.ASX.Conp
> or
> Virus.Script.BRB.Barbus
> via ftp it don't work.
>
> it build a datafile on the aim with that name but
> it is empty (0kb) or smaller than the orginal file.
> The ftp-connection stands still and if i hit return
> it said - no connection. (action is drop)
>
> It seem that clamav don't let pass the virus.
> But there is no notification in the mysql-database
> that a virus was blocked.
>
> Normal virifree Data passes ok. Also the Exploid.HTML.Mht
> passes without any difficultys. Could it be that exploids are not expected
> on that way? Is it only detected if it comes over a http-connection?
>
> Any idieas what could be wrong? Why is snort-inline so reticent in that
> cause?
>
> Thanks
> Holger
From: Holger M. <gan...@mo...> - 2005-10-20 17:22:44
Very strange - As i told you, i got problems with Clamav and Snort-Inline.

If i try to get a virus like
Virus.CVC.PVT
Virus.Linux.Cassini.1618
Virus.Script.ASX.Conp
or
Virus.Script.BRB.Barbus
via ftp it don't work.

it build a datafile on the aim with that name but it is empty (0kb) or smaller than the original file. The ftp-connection stands still and if i hit return it said - no connection. (action is drop)

It seem that clamav don't let pass the virus. But there is no notification in the mysql-database that a virus was blocked.

Normal virifree Data passes ok. Also the Exploit.HTML.Mht passes without any difficulties. Could it be that exploits are not expected on that way? Is it only detected if it comes over a http-connection?

Any ideas what could be wrong? Why is snort-inline so reticent in that cause?

Thanks
Holger
From: Holger M. <gan...@mo...> - 2005-10-19 14:47:05
|
Hi,

sorry for my late answer, but I was also busy with that SIP/RTP stuff.

I built an island solution, so that nothing could happen with that viri.

| Client |-----------| FW with snort-inline and clamav |--------| ftp-server |

On the server I unzipped the viri and tried to fetch them via FTP to the client.
But nothing happened on Clamav. I got the viri on the client. No logs in the mysql database from snort-inline.
I checked whether the viri are in the clamav database. - They are.
Then I fetched the Exploid.HTML.Mht to the firewall and tested with clamscan whether clamav is able to detect it. - It is!
But in the teamwork with snort-inline nothing happens.

Here are my FTP iptables rules:

$IPTABLES -I FORWARD -m mark --mark 1 -j QUEUE
$IPTABLES -I FORWARD -m mark --mark 2 -j QUEUE
....
$IPTABLES -t mangle -A FORWARD -i $INTERN_ETH -o $EXTERN_ETH -p tcp --dport 20:21 -m state --state NEW -j MARK --set-mark 1
$IPTABLES -t mangle -A FORWARD -i $EXTERN_ETH -o $INTERN_ETH -p tcp --sport 20:21 -m state --state ESTABLISHED -j MARK --set-mark 2

I can see on the firewall that the packets are inspected by snort-inline - but nothing happens.

Any ideas where the mistake is?

Thank you.
best regards
Holger

Will Metcalf wrote:
>Did you actually download, unzip and try to move the extracted viri
>through the inline box? Remember, we can't deal with zipped files and
>all files on this site are zipped. We cannot unzip because we are
>only scanning fragments of files.
>
>Regards,
>
>Will
>
>On 9/26/05, Holger Moskopp <gan...@mo...> wrote:
>
>
>> Hi,
>>
>> I tested in the meantime a lot of virii from that page.
>> But not one was alerted by ClamAV and Snort-inline.
>>
>> Could it be that ClamAV isn't correctly installed?
>> I got a Debian Sarge and installed it with apt-get install clamav,
>> but there is only the virus dataset and the freshclam daemon.
>> Could it be that I need the daemon clamd?
>>
>> How could I find out if clamav is correctly installed for the use
>> of Snort-inline?
>>
>> Many greetings
>> Holger
>>
>> Cole wrote:
>>
>>Hi.
>>
>>This website has a collection of virii. http://vx.netlux.org/ The problem is
>>that clamav does not
>>pick up a large amount of virii on the actual page, but it does pick up quite
>>a lot. So try it out
>>with that.
>>
>>/Cole
>>
>>-----Original Message-----
>>From: sno...@li...
>>[mailto:sno...@li...] On
>>Behalf Of Holger Moskopp
>>Sent: Wednesday, September 07, 2005 10:14 PM
>>To: Victor Julien
>>Cc: sno...@li...
>>Subject: Re: [Snort-inline-users] Show what Snort-inline is able to do
>>
>>Hmm? and where can I get a virus for testing?
>>
>>Or is there a known webpage with a virus?
>>
>>
>>Victor Julien wrote:
>>
>>
>>
>>
>> Will wrote that eicar changed their site. How can I test if ClamAV works?
>>
>> I think the easiest way would be to put a virus on an ftp server and
>>then try to download it through the snort_inline firewall.
>>
>>Good luck,
>>Victor
>>
>>
>>
>>
>>-------------------------------------------------------
>>SF.Net email is Sponsored by the Better Software Conference & EXPO
>>September 19-22, 2005 * San Francisco, CA * Development Lifecycle Practices
>>Agile & Plan-Driven Development * Managing Projects & Teams * Testing & QA
>>Security * Process Improvement & Measurement * http://www.sqe.com/bsce5sf
>>_______________________________________________
>>Snort-inline-users mailing list
>>Sno...@li...
>>https://lists.sourceforge.net/lists/listinfo/snort-inline-users
>>
>>
>
>
> |
From: davide b. <dav...@gm...> - 2005-10-19 07:09:44
|
OK, I found what the problem was, and it's better that you don't know it!! :D
Thanks for all!

2005/10/15, Will Metcalf <wil...@gm...>:
>
> autoreconf -f
>
> On 10/14/05, davide belloni <dav...@gm...> wrote:
> > I've tried to install snort 2.4.2: patched it and it returns the error "Hunk #1
> > succeeded at 859 with fuzz 2". After a search on the net I've tried to
> > delete some lines of prelude in configure.in. I've tried it,
> > but it returns the error "
> > Hunk #1 succeeded at 84 with fuzz 2. (offset -15)". I don't find anything
> > on the net about this....so I patched the configure.in and configure by hand.
> > Then I tried to configure snort with --enable-clamav & --enable-inline and
> > all is ok.....but when I try make...I've got an error:
> >
> > "In function `InitPreprocessors':
> > /home/china/Desktop/Clamav+snort/snort-2.4.2/src/plugbase.c:426:
> > undefined reference to `SetupClamAV'"
> >
> > Someone can help me!?!?!?!?
> >
> > 2005/10/12, Victor Julien <vi...@nk...>:
> > > davide belloni wrote:
> > > > Can I ask the reason of this line:
> > > >
> > > > File descriptor scanning mode: Disabled, using cl_scanbuf
> > > > Directory for tempfiles (file descriptor mode): ''
> > > >
> > > > ????
> > > >
> > >
> > > Originally we used the cl_scanbuf function from clamav to scan the
> > > packet payload. This function however, is going to be removed from a
> > > future clamav release, so we were forced to look into alternatives. The
> > > file descriptor mode is what came out of this. Basically it stores every
> > > payload on disk (can be a ramdisk for performance) and then scans the
> > > file. You can give the directory where the files are saved as an option
> > > to the clamav preprocessor. The file desc mode should be able to detect
> > > more viruses because of the way it works internally in clamav.
> > >
> > > Example:
> > > preprocessor clamav: ports all !22 !443, action-drop, dbreload-time
> > > 3600, file-descriptor-mode, descriptor-temp-dir /tmp/snort-inline
> > >
> > > Regards,
> > > Victor
> > >
> >
> > --
> > China
>

--
China |
From: Will M. <wil...@gm...> - 2005-10-15 15:17:59
|
autoreconf -f

On 10/14/05, davide belloni <dav...@gm...> wrote:
> I've tried to install snort 2.4.2: patched it and it returns the error "Hunk #1
> succeeded at 859 with fuzz 2". After a search on the net I've tried to delete
> some lines of prelude in configure.in. I've tried it, but it returns the error "
> Hunk #1 succeeded at 84 with fuzz 2. (offset -15)". I don't find anything on
> the net about this....so I patched the configure.in and configure by hand.
> Then I tried to configure snort with --enable-clamav & --enable-inline and all is
> ok.....but when I try make...I've got an error:
>
> "In function `InitPreprocessors':
> /home/china/Desktop/Clamav+snort/snort-2.4.2/src/plugbase.c:426:
> undefined reference to `SetupClamAV'"
>
> Someone can help me!?!?!?!?
>
> 2005/10/12, Victor Julien <vi...@nk...>:
> > davide belloni wrote:
> > > Can I ask the reason of this line:
> > >
> > > File descriptor scanning mode: Disabled, using cl_scanbuf
> > > Directory for tempfiles (file descriptor mode): ''
> > >
> > > ????
> > >
> >
> > Originally we used the cl_scanbuf function from clamav to scan the
> > packet payload. This function however, is going to be removed from a
> > future clamav release, so we were forced to look into alternatives. The
> > file descriptor mode is what came out of this. Basically it stores every
> > payload on disk (can be a ramdisk for performance) and then scans the
> > file. You can give the directory where the files are saved as an option
> > to the clamav preprocessor. The file desc mode should be able to detect
> > more viruses because of the way it works internally in clamav.
> >
> > Example:
> > preprocessor clamav: ports all !22 !443, action-drop, dbreload-time
> > 3600, file-descriptor-mode, descriptor-temp-dir /tmp/snort-inline
> >
> > Regards,
> > Victor
> >
>
> --
> China
> |
From: davide b. <dav...@gm...> - 2005-10-14 14:49:30
|
I've tried to install snort 2.4.2: patched it and it returns the error "Hunk #1 succeeded at 859 with fuzz 2". After a search on the net I've tried to delete some lines of prelude in configure.in. I've tried it, but it returns the error "Hunk #1 succeeded at 84 with fuzz 2. (offset -15)". I don't find anything on the net about this....so I patched the configure.in and configure by hand. Then I tried to configure snort with --enable-clamav & --enable-inline and all is ok.....but when I try make...I've got an error:

"In function `InitPreprocessors':
/home/china/Desktop/Clamav+snort/snort-2.4.2/src/plugbase.c:426:
undefined reference to `SetupClamAV'"

Someone can help me!?!?!?!?

2005/10/12, Victor Julien <vi...@nk...>:
>
> davide belloni wrote:
> > Can I ask the reason of this line:
> >
> > File descriptor scanning mode: Disabled, using cl_scanbuf
> > Directory for tempfiles (file descriptor mode): ''
> >
> > ????
> >
>
> Originally we used the cl_scanbuf function from clamav to scan the
> packet payload. This function however, is going to be removed from a
> future clamav release, so we were forced to look into alternatives. The
> file descriptor mode is what came out of this. Basically it stores every
> payload on disk (can be a ramdisk for performance) and then scans the
> file. You can give the directory where the files are saved as an option
> to the clamav preprocessor. The file desc mode should be able to detect
> more viruses because of the way it works internally in clamav.
>
> Example:
> preprocessor clamav: ports all !22 !443, action-drop, dbreload-time
> 3600, file-descriptor-mode, descriptor-temp-dir /tmp/snort-inline
>
> Regards,
> Victor
>

--
China |
From: Victor J. <vi...@nk...> - 2005-10-12 21:27:06
|
davide belloni wrote:
> Can I ask the reason of this line:
>
> File descriptor scanning mode: Disabled, using cl_scanbuf
> Directory for tempfiles (file descriptor mode): ''
>
> ????
>

Originally we used the cl_scanbuf function from clamav to scan the packet payload. This function however, is going to be removed from a future clamav release, so we were forced to look into alternatives. The file descriptor mode is what came out of this. Basically it stores every payload on disk (can be a ramdisk for performance) and then scans the file. You can give the directory where the files are saved as an option to the clamav preprocessor. The file desc mode should be able to detect more viruses because of the way it works internally in clamav.

Example:
preprocessor clamav: ports all !22 !443, action-drop, dbreload-time 3600, file-descriptor-mode, descriptor-temp-dir /tmp/snort-inline

Regards,
Victor |
From: davide b. <dav...@gm...> - 2005-10-10 18:59:27
|
I've tried http://eicar.org/anti_virus_test_file.htm and these 3 files ftp://ftp.digitalfuture.it/ .
Thanks

2005/10/10, William Metcalf <Wil...@kc...>:
>
> What virii are you downloading?
> -----------------
> Sent from my BlackBerry Handheld.
> ------------------------------
>
> ----- Original Message -----
> From: snort-inline-users-admin
> Sent: 10/10/2005 12:04 PM
> To: sno...@li...
> Subject: [Snort-inline-users] clamav preprocessor don't work
>
> Hi, I have installed clamav (it works), snort from
> http://www.bleedingsnort.com/cgi-bin/viewcvs.cgi/?root=Snort-Clamav the
> 2.3.3 version enabling inline to use iptables, and it works. And I've
> enabled clamav. But when I try to download an infected file I can do it and
> clamav doesn't drop the packet and doesn't reset the connection. Does someone have an
> idea? In snort.conf I wrote:
> ....
> preprocessor stream4_reassemble
>
> preprocessor clamav: ports all, action-drop
> ....
> but clamav doesn't work!
>
> But it's strange that there isn't the option for stream4 "inline_state",
> too!
>
> Please help me!
>
> --
>
> China
>

--
China |
From: davide b. <dav...@gm...> - 2005-10-10 17:04:38
|
Hi, I have installed clamav (it works), snort from http://www.bleedingsnort.com/cgi-bin/viewcvs.cgi/?root=Snort-Clamav the 2.3.3 version enabling inline to use iptables, and it works. And I've enabled clamav. But when I try to download an infected file I can do it and clamav doesn't drop the packet and doesn't reset the connection. Does someone have an idea? In snort.conf I wrote:

....
preprocessor stream4_reassemble

preprocessor clamav: ports all, action-drop
....

but clamav doesn't work!

But it's strange that there isn't the option for stream4 "inline_state", too!

Please help me!

--
China |
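The scanning limits this thread keeps running into (Will's remark above that the inline box only sees fragments of a file and cannot unzip, Victor's description of file-descriptor mode spooling each payload to disk before scanning it, and the stream4_reassemble line in the configuration above) can be reproduced without a kernel queue or ClamAV at all. The following is an added example, not code from snort-inline, ClamAV or anyone in the thread: the EICAR test string stands in for a real signature, and the toy signature database, the 70-byte "header" prefix, the segment sizes and the temp-file layout are assumptions made for the demonstration. It shows the same file being missed when each TCP segment is scanned alone, caught once the stream is reassembled (or spooled to a file first), and never caught when it travels zipped.

```python
"""Added example (not snort-inline or ClamAV code): why per-packet scanning
misses a signature that straddles TCP segments, why reassembly (in memory or
via a spool file) finds it, and why a zipped copy is never matched."""
import os
import tempfile
import zlib
from typing import List, Optional, Tuple

# The public 68-byte EICAR anti-virus test string (harmless by design).
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Toy signature database (assumption): name -> bytes that must appear verbatim.
SIGNATURES = {"Eicar-Test-Signature": EICAR}


def scan_buffer(buf: bytes) -> Optional[str]:
    """Return the name of the first signature found in buf, or None."""
    for name, pattern in SIGNATURES.items():
        if pattern in buf:
            return name
    return None


def segment(stream: bytes, mss: int) -> List[bytes]:
    """Cut a byte stream into TCP-sized segments of at most mss bytes."""
    return [stream[i:i + mss] for i in range(0, len(stream), mss)]


def build_transfer(payload: bytes, mss: int, zipped: bool = False) -> List[bytes]:
    """Model an FTP data transfer of payload: optionally zlib-compressed
    (a stand-in for the .zip archives discussed in the thread), then segmented."""
    data = zlib.compress(payload) if zipped else payload
    return segment(data, mss)


def scan_per_packet(segments: List[bytes]) -> Optional[Tuple[int, str]]:
    """Scan each segment on its own, as a scanner without stream reassembly
    would.  Returns (segment index, signature name) or None."""
    for idx, seg in enumerate(segments):
        hit = scan_buffer(seg)
        if hit is not None:
            return idx, hit
    return None


def scan_reassembled(segments: List[bytes]) -> Optional[str]:
    """Scan the reassembled stream, i.e. what a reassembly preprocessor hands over."""
    return scan_buffer(b"".join(segments))


def scan_file_descriptor_mode(segments: List[bytes], tmpdir: str) -> Optional[str]:
    """Spool the reassembled payload to a file under tmpdir, then scan the file.
    Mirrors the 'payload to disk, then scan' idea described in the thread;
    the file naming here is an assumption, not snort-inline's layout."""
    fd, path = tempfile.mkstemp(prefix="payload-", dir=tmpdir)
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(b"".join(segments))
        with open(path, "rb") as fh:
            return scan_buffer(fh.read())
    finally:
        os.unlink(path)


def demo() -> dict:
    """Run the cases and return what each scanning strategy found."""
    ftp_payload = b"header " * 10 + EICAR              # constructed: signature starts at byte 70
    straddling = build_transfer(ftp_payload, mss=40)   # EICAR spans segments 1..3
    whole = build_transfer(ftp_payload, mss=200)       # EICAR fits in one segment
    zipped = build_transfer(ftp_payload, mss=40, zipped=True)
    with tempfile.TemporaryDirectory() as tmpdir:
        fd_mode = scan_file_descriptor_mode(straddling, tmpdir)
    return {
        "per_packet_straddling": scan_per_packet(straddling),   # None: missed
        "per_packet_whole": scan_per_packet(whole),             # hit in segment 0
        "reassembled_straddling": scan_reassembled(straddling), # hit
        "fd_mode_straddling": fd_mode,                          # hit
        "reassembled_zipped": scan_reassembled(zipped),         # None: compressed bytes
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:24s} -> {result}")
```

The per-packet case is the one that produces "the file arrived, nothing was logged": each segment is clean on its own, so the scanner has nothing to drop. The zipped case is Will's point in a single line: the bytes on the wire are the compressed stream, so no signature for the uncompressed file can match them whether or not the stream is reassembled.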
From: davide b. <dav...@gm...> - 2005-10-05 14:55:55
|
Hi, I'm an Italian student and I must create an IPS system with snort-inline and clamav... Can someone help me by telling me the steps to do? I have Debian Linux. Sorry for the last mail. Thanks

--
China |