From: davide b. <dav...@gm...> - 2005-10-05 14:51:13

Hi,

--
China
From: Will M. <wil...@gm...> - 2005-09-27 19:56:52

Did you actually download unzip and try to move the extracted viri through the inline box? Remember, we can't deal with zipped files and all files on this site are zipped. We cannot unzip because we are only scanning fragments of files.

Regards,

Will

On 9/26/05, Holger Moskopp <gan...@mo...> wrote:
> Hi,
>
> In the meantime I tested a lot of virii from that page.
> But not one was alerted on by ClamAV and Snort-inline.
>
> Could it be that ClamAV isn't correctly installed?
> I have a Debian Sarge and installed it with apt-get install clamav,
> but there is only the virus dataset and the freshclam daemon.
> Could it be that I need the daemon clamd?
>
> How could I find out if clamav is correctly installed for use
> with Snort-inline?
>
> Many greetings
> Holger
>
> Cole wrote:
> > Hi.
> >
> > This website has a collection of virii. http://vx.netlux.org/ The problem is
> > that clamav does not pick up a large amount of virii on the actual page,
> > but it does pick up quite a lot. So try it out with that.
> >
> > /Cole
> >
> > -----Original Message-----
> > From: sno...@li...
> > [mailto:sno...@li...] On
> > Behalf Of Holger Moskopp
> > Sent: Wednesday, September 07, 2005 10:14 PM
> > To: Victor Julien
> > Cc: sno...@li...
> > Subject: Re: [Snort-inline-users] Show what Snort-inline is able to do
> >
> > Hmm? And where can I get a virus for testing?
> >
> > Or is there a known webpage with a virus?
> >
> > Victor Julien wrote:
> > > > Will wrote that eicar changed their site. How can I test if ClamAV works?
> > >
> > > I think the easiest way would be to put a virus on an ftp-server and
> > > then try to download it through the snort_inline firewall.
> > >
> > > Good luck,
> > > Victor
> >
> > -------------------------------------------------------
> > SF.Net email is Sponsored by the Better Software Conference & EXPO
> > September 19-22, 2005 * San Francisco, CA * Development Lifecycle Practices
> > Agile & Plan-Driven Development * Managing Projects & Teams * Testing & QA
> > Security * Process Improvement & Measurement * http://www.sqe.com/bsce5sf
> > _______________________________________________
> > Snort-inline-users mailing list
> > Sno...@li...
> > https://lists.sourceforge.net/lists/listinfo/snort-inline-users
From: Holger M. <gan...@mo...> - 2005-09-26 20:38:08

Hi,

In the meantime I tested a lot of virii from that page.
But not one was alerted on by ClamAV and Snort-inline.

Could it be that ClamAV isn't correctly installed?
I have a Debian Sarge and installed it with apt-get install clamav,
but there is only the virus dataset and the freshclam daemon.
Could it be that I need the daemon clamd?

How could I find out if clamav is correctly installed for use
with Snort-inline?

Many greetings
Holger

Cole wrote:
> Hi.
>
> This website has a collection of virii. http://vx.netlux.org/ The problem is that clamav does not
> pick up a large amount of virii on the actual page, but it does pick up quite a lot. So try it out
> with that.
>
> /Cole
>
> -----Original Message-----
> From: sno...@li...
> [mailto:sno...@li...] On Behalf Of Holger Moskopp
> Sent: Wednesday, September 07, 2005 10:14 PM
> To: Victor Julien
> Cc: sno...@li...
> Subject: Re: [Snort-inline-users] Show what Snort-inline is able to do
>
> Hmm? And where can I get a virus for testing?
>
> Or is there a known webpage with a virus?
>
> Victor Julien wrote:
> >>> Will wrote that eicar changed their site. How can I test if ClamAV works?
> >>
> >> I think the easiest way would be to put a virus on an ftp-server and
> >> then try to download it through the snort_inline firewall.
> >>
> >> Good luck,
> >> Victor
From: cassio l. <ll...@gm...> - 2005-09-21 03:56:10

Friends, I have three questions on snort inline:
- the possibility to analyze zipped archives;
- snort clamav: the performance of snort inline;
- do you have some case study?

Thanks
From: Will M. <wil...@gm...> - 2005-09-15 20:45:46

Javier,

It's kind of like this: we are implementing new features into the snort-inline code. Things like Bait-And-Switch, ClamAV, sticky-drop, stream4inline, future support of NFQUEUE. Victor and I have not released a new version of snort_inline because we feel that not having a fully functional stream reassembly preprocessor is a show stopper. We are still working with the Sourcefire guys on some things; I sent Marty a patch not too long ago to convert the reject code from libnet to libdnet and to fix some FreeBSD and sighup stuff in the regular snort distribution. So for bleeding-edge type features stay tuned....... If you want to just use the basic Inline feature set, download snort and --enable-inline.

Regards,

Will

On 9/15/05, Javier Reyna Padilla <jr...@on...> wrote:
> I know that snort-inline is part of the code of snort now....
> Is snort-inline as a patch still maintained, or are you working on the
> integrated code in snort? Is there any difference between using snort-inline
> or the compiled version of snort with the option inline?
>
> -------------------------------------------------------
> SF.Net email is sponsored by:
> Tame your development challenges with Apache's Geronimo App Server. Download
> it for free - -and be entered to win a 42" plasma tv or your very own
> Sony(tm)PSP. Click here to play: http://sourceforge.net/geronimo.php
> _______________________________________________
> Snort-inline-users mailing list
> Sno...@li...
> https://lists.sourceforge.net/lists/listinfo/snort-inline-users
From: Javier R. P. <jr...@on...> - 2005-09-15 14:53:27

I know that snort-inline is part of the code of snort now.... Is snort-inline as a patch still maintained, or are you working on the integrated code in snort? Is there any difference between using snort-inline or the compiled version of snort with the option inline?
From: Will M. <wil...@gm...> - 2005-09-14 17:33:55

Basically we are just providing ClamAv and Bait-and-Switch as separate patches against vanilla snort, until we can find the time to work out the issues with stream4inline. Victor and I are coding this weekend so hopefully we will have a release of snort-inline sometime before the end of the decade ;-)

Regards,

Will

On 9/14/05, Mohamed Berzig <mb...@gm...> wrote:
> Hello,
> What is the difference between snort-inline and snort-clamav?
> Sincerely.
From: Mohamed B. <mb...@gm...> - 2005-09-14 16:13:50

Hello,
What is the difference between snort-inline and snort-clamav?
Sincerely.
From: Will M. <wil...@gm...> - 2005-09-12 02:30:56

The diff that I created for 2.4.0 applies cleanly, and builds ok for me against the snort-2.4.0-spade.tgz file on bleeding snort. Here is the link to the ClamAV diff for 2.4.0; not a lot of changes from the last diff. I think I fixed some compiler warnings.......

http://www.bleedingsnort.com/cgi-bin/viewcvs.cgi/snort-2.4.0-clamonly-1.diff?root=Snort-Clamav&rev=1.1&view=log

Regards,

Will

On 9/10/05, Thanasin Jitkaew <tha...@gb...> wrote:
> After spending a long time searching google, I found only snort with
> clamav support only or snort with spade support only.
> Is there any snort with clamav and spade support yet?
>
> I would like to try spade while still having clamav features.
> Can they be mixed together or active at the same time?
>
> Best Regards,
> Thanasin
From: Thanasin J. <tha...@gb...> - 2005-09-11 03:41:44

After spending a long time searching google, I found only snort with clamav support only or snort with spade support only. Is there any snort with clamav and spade support yet?

I would like to try spade while still having clamav features. Can they be mixed together or active at the same time?

Best Regards,
Thanasin
From: Cole <co...@op...> - 2005-09-07 20:38:51

Hi.

This website has a collection of virii. http://vx.netlux.org/ The problem is that clamav does not pick up a large amount of virii on the actual page, but it does pick up quite a lot. So try it out with that.

/Cole

-----Original Message-----
From: sno...@li... [mailto:sno...@li...] On Behalf Of Holger Moskopp
Sent: Wednesday, September 07, 2005 10:14 PM
To: Victor Julien
Cc: sno...@li...
Subject: Re: [Snort-inline-users] Show what Snort-inline is able to do

Hmm? And where can I get a virus for testing?

Or is there a known webpage with a virus?

Victor Julien wrote:
>> Will wrote that eicar changed their site. How can I test if ClamAV works?
>
> I think the easiest way would be to put a virus on an ftp-server and
> then try to download it through the snort_inline firewall.
>
> Good luck,
> Victor
From: Holger M. <gan...@mo...> - 2005-09-07 20:13:49

Hmm? And where can I get a virus for testing?

Or is there a known webpage with a virus?

Victor Julien wrote:
>> Will wrote that eicar changed their site. How can I test if ClamAV works?
>
> I think the easiest way would be to put a virus on an ftp-server and
> then try to download it through the snort_inline firewall.
>
> Good luck,
> Victor
From: Victor J. <vi...@nk...> - 2005-09-07 10:34:55

> I have a question about Snort-inline and Prerouting.
>
> I have the following line in my iptables to lead the SIP traffic
> to my SIP proxy in the DMZ:
>
> $IPTABLES -t nat -I PREROUTING -p udp -i $EXTERN_ETH --dport 5060:5062
> -j DNAT --to $prox
>
> How can I inspect that with snort-inline?

Just add a -j QUEUE rule in the forward chain of the filter table. I think this rule should work:

$IPTABLES -t filter -I FORWARD -p udp -i $EXTERN_ETH --dport 5060:5062 -d $prox -j QUEUE

Don't forget to QUEUE the return traffic as well.

Regards,
Victor
From: Victor J. <vi...@nk...> - 2005-09-07 10:31:16

> Will wrote that eicar changed their site. How can I test if ClamAV works?

I think the easiest way would be to put a virus on an ftp-server and then try to download it through the snort_inline firewall.

Good luck,
Victor
From: Holger M. <gan...@mo...> - 2005-09-07 10:27:06

Hi,

I have a question about Snort-inline and Prerouting.

I have the following line in my iptables to lead the SIP traffic to my SIP proxy in the DMZ:

$IPTABLES -t nat -I PREROUTING -p udp -i $EXTERN_ETH --dport 5060:5062 -j DNAT --to $prox

How can I inspect that with snort-inline?

Thank you
Best Regards
Holger
From: Holger M. <gan...@mo...> - 2005-09-07 10:26:16

Hi,

As I told you, I'm working on my thesis at the FH Cologne. And you know students have to know how it works and they have to show that it works. My professor wants to see that.

I have Snort-Inline with ClamAV and a mysql database on an iptables firewall. (The database is in the internal net.) It seems that all looks well. I tested the Snort/firewall with nessus and I think it's good. Snort inline fished out over 450 packets. I can see that with Base. And nessus shows that only SSH is critical.

Are there more possibilities to get test results that I can show my professor? Especially I want to test the ClamAV preprocessor. Will wrote that eicar changed their site. How can I test if ClamAV works?

Thank you
Best regards
Holger
From: Carlos D. de A. <dea...@ya...> - 2005-09-03 17:02:03

Hello everyone, I am using Snort-Inline to try to block traffic already described in the rules it ships with; for example there is one that does not allow downloading mp3s when you change alert to drop. But how do I make it directly deny the search-by-keyword option in the search engine? Because it only gives me a log of the traffic and not of the action. Thanks!
From: Holger M. <gan...@mo...> - 2005-08-31 07:06:45

Problem solved. I played with the iptables and an additional restriction is possible. Also it is possible to log the stuff.

Thanks
Holger
From: Holger M. <gan...@mo...> - 2005-08-29 14:39:18

Hi,

2 new questions.

1.) Will wrote me that an iptables rule for HTTP traffic can look like that:

$IPTABLES -t mangle -A FORWARD -p tcp --syn -m state --state NEW --dport 8080 -j MARK --set-mark 1
$IPTABLES -t mangle -A FORWARD -p tcp -m state --state ESTABLISHED --sport 8080 -j MARK --set-mark 2
$IPTABLES -I FORWARD -m mark --mark 1 -j QUEUE
$IPTABLES -I FORWARD -m mark --mark 2 -j QUEUE

I want to restrict the traffic from both sides. So I want to only start http sessions from inside. My old rule looked like that:

$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTERN_ETH -p tcp -o $EXTERN_ETH --dport 8080 -m state --state NEW -j ACCEPT

For me it seems that now syns (initiating a http session) from both sides are possible. In the Syngress book I read that some settings are made by choosing the "var_net" variables. So do I have to change the rule like that:

$IPTABLES -t mangle -A FORWARD -p tcp -s INTERN_ETH --syn -d EXTERN_ETH --dport 8080 / -m state --state NEW -j MARK --set-mark 1

Or does snort-inline restrict that by itself if I declared my Homenet and Externalnet?

2.) And is there still a possibility to log with iptables like that:

$IPTABLES -N acceptNlog
$IPTABLES -t mangle -A FORWARD -p tcp --syn -m state --state NEW --dport 8080 -j MARK --set-mark 1
$IPTABLES -t mangle -A FORWARD -p tcp -m state --state ESTABLISHED --sport 8080 -j MARK --set-mark 2
$IPTABLES -I FORWARD -m mark --mark 1 -j acceptNlog
$IPTABLES -I FORWARD -m mark --mark 2 -j acceptNlog
$IPTABLES -A acceptNlog -j log --prefix "Accepted by FW and given to Snort-Inline: "
$IPTABLES -A acceptNlog -j QUEUE

I'm not sure with that.... I know that is not a Snort-inline specific problem, and I hope that I'm not bothering you with my "beginner questions".

Thank you
Best regards.
Holger
From: Holger M. <gan...@mo...> - 2005-08-24 17:26:49

Thanks Will, looks good.

I saw that Howto: base-centoS PDF. There they talk about yum install php-gd. I don't know if yum works on debian. And I don't find a php-gd package. Do you know what the equivalent for debian is? Is that possibly the php4-gd package? Is that compatible? Or do I need the libgd, as mentioned in the ACID howtos? Unfortunately I found no dependencies for BASE on your link.

Thank you.
Best regards
Holger

William Metcalf wrote:
> Use base......
>
> http://secureideas.sourceforge.net/
>
> Regards,
>
> Will
>
> > Hi,
> >
> > it's me again, with a new problem.
> >
> > As I told you, I have a Snort-inline on a firewall that communicates with a
> > mysql database on a computer in the internal (protected) net.
> >
> > With "phpmyadmin" I can see that snort wrote something in the database.
> >
> > Now I want a comfortable GUI like ACID.
> >
> > I saw in some Howtos that they compile from sources
> > the apache with openssl and php4 for ACID.
> > But I have a running apache (installed with apt-get) on
> > my computer where the database is. So I don't
> > know if that howto fits my environment.
> >
> > I saw also that there is a debian package
> > acidlab-mysql
> >
> > I am a little bit cautious. Because while installing
> > snort-inline from sources, I got enormous problems with
> > apt-get --purge remove clamav and reinstalling.
> > After that nothing worked and I had to play back my
> > backup of the system. (I think there was another
> > possibility to rescue the system - but not for a newbie :) )
> >
> > So does someone have experience with that debian package?
> >
> > Could that work?
> >
> > I have only the running apache and the mysql with the snort database.
> > (the database was built by the create_mysql script)
> >
> > What is the best way for a debian to install ACID?
> >
> > Thank you
> >
> > Best Regards
> > Holger
From: Holger M. <gan...@mo...> - 2005-08-24 12:52:17

Hi,

it's me again, with a new problem.

As I told you, I have a Snort-inline on a firewall that communicates with a mysql database on a computer in the internal (protected) net.

With "phpmyadmin" I can see that snort wrote something in the database.

Now I want a comfortable GUI like ACID.

I saw in some Howtos that they compile from sources the apache with openssl and php4 for ACID. But I have a running apache (installed with apt-get) on my computer where the database is. So I don't know if that howto fits my environment.

I saw also that there is a debian package acidlab-mysql.

I am a little bit cautious. Because while installing snort-inline from sources, I got enormous problems with apt-get --purge remove clamav and reinstalling. After that nothing worked and I had to play back my backup of the system. (I think there was another possibility to rescue the system - but not for a newbie :) )

So does someone have experience with that debian package?

Could that work?

I have only the running apache and the mysql with the snort database. (the database was built by the create_mysql script)

What is the best way for a debian to install ACID?

Thank you
Best Regards
Holger
From: Holger M. <gan...@mo...> - 2005-08-24 12:27:55

Hi,

now snort-inline communicates with the mysql database on the computer in the internal net. :)

The problem was the libmysqlclient14-dev. I "apt-geted" also the libmysqlclient10-dev and after that it worked.

Thanks for your help
Best regards
Holger

Will Metcalf wrote:
> make clean
>
> then run
>
> ./configure --enable-inline --enable-clamav --with-mysql=/usr/include/mysql
>
> or whatever
>
> Regards,
>
> Will
> On 8/22/05, Holger Moskopp <gan...@mo...> wrote:
>
>> After many tests on the TTY I wanted to connect Snort-inline with the
>> mysql database. But I got a strange screen while starting snort-inline after
>> changing the snort_inline.conf.
>>
>> I added:
>>
>> ### MYSQL database location
>> output database: log, mysql, user=snort password=<THEPASSWORD>
>> dbname=snort host=<IP-in-INTERN-NET>
>>
>> and I got that screen:
>>
>> .
>> .
>> .
>> .
>> database: 'mysql' support is not compiled into this build of snort
>>
>> ERROR: If this build of snort was obtained as a binary distribution
>> (e.g., rpm,
>> or Windows), then check for alternate builds that contains the necessary
>> 'mysql' support.
>>
>> If this build of snort was compiled by you, then re-run the
>> the ./configure script using the '--with-mysql' switch.
>> For non-standard installations of a database, the '--with-mysql=DIR'
>> syntax may need to be used to specify the base directory of the DB install.
>>
>> See the database documentation for cursory details (doc/README.database).
>> and the URL to the most recent database plugin documentation.
>> Fatal Error, Quitting..
>> database: compiled support for ( )
>> database: configured to use mysql
>>
>> I compiled it again with --enable-mysql=/usr/include/mysql
>>
>> but that brought the same error.
>>
>> As I said, it is a Debian sarge 3.1 and I apt-geted the package
>> libmysqlclient14-dev
>>
>> I was wondering because I got no error during compilation.
>> Do I need anything else?
>>
>> Or did I use the wrong path in Debian?
>> What file is snort_inline aiming at during compilation?
>>
>> How does snort-inline know that it has to create a table in the Mysql
>> database? Up to now I only created an empty database
>> with the rights for Snort-inline.
>>
>> Thank you
>> Best regards
>> Holger
>>
>> Will Metcalf wrote:
>>
>>> snort-inline supports logging to a database, just copy the line that
>>> deals with database output from snort.conf to snort-inline.conf and
>>> modify it to fit your environment.
>>>
>>> Regards,
>>>
>>> Will
>>>
>>> On 8/19/05, Holger Moskopp <gan...@mo...> wrote:
>>>
>>>> Hello,
>>>>
>>>> my name is Holger Moskopp, I'm a student at the
>>>> FH-Cologne and working on my thesis. The topic is
>>>> to build a security solution for an experimental network
>>>> with special consideration of VoIP applications
>>>> (for that is the DMZ with a SIP/RTP proxy)
>>>>
>>>> I'm also new to that mailing list, and I never was before
>>>> a member of a mailing list.
>>>>
>>>> I have a separate computer with three Ethernet cards as firewall.
>>>> eth0 for the external net, eth2 for the internal net, eth1 for my DMZ.
>>>> On that computer I installed snort-inline.2.2.0a
>>>>
>>>> I want to send all the snort-inline logs to a MYSQL database in the
>>>> internal net. So I configured snort-inline like that:
>>>>
>>>> ./configure --/prefix=/opt/snort-inline/
>>>> --with-libipq-includes=/usr/include/libipq
>>>> --enable-flexresp
>>>> --enable-inline
>>>> --enable-clamav
>>>> --with-mysql
>>>>
>>>> all went well with the make and make install.
>>>>
>>>> I copied all files from /etc and the rules.
>>>>
>>>> But how can I tell snort-inline where the mysql database is?
>>>> There is a snort.conf and a snort-inline.conf.
>>>> In the snort.conf there is a possibility to tell snort an output database.
>>>> But not in the snort-inline.conf.
>>>> Do I have to do it in the snort.conf, or do I have to copy that line into
>>>> the snort-inline.conf - is the snort.conf needed?
>>>> If yes - do all changes there have the same effect as described in
>>>> several Howtos?
>>>>
>>>> Thank You
>>>> Best regards
>>>> Holger Moskopp
From: Will M. <wil...@gm...> - 2005-08-22 19:14:53

make clean

then run

./configure --enable-inline --enable-clamav --with-mysql=/usr/include/mysql

or whatever

Regards,

Will

On 8/22/05, Holger Moskopp <gan...@mo...> wrote:
> After many tests on the TTY I wanted to connect Snort-inline with the
> mysql database. But I got a strange screen while starting snort-inline after
> changing the snort_inline.conf.
>
> I added:
>
> ### MYSQL database location
> output database: log, mysql, user=snort password=<THEPASSWORD>
> dbname=snort host=<IP-in-INTERN-NET>
>
> and I got that screen:
>
> .
> .
> .
> .
> database: 'mysql' support is not compiled into this build of snort
>
> ERROR: If this build of snort was obtained as a binary distribution
> (e.g., rpm,
> or Windows), then check for alternate builds that contains the necessary
> 'mysql' support.
>
> If this build of snort was compiled by you, then re-run the
> the ./configure script using the '--with-mysql' switch.
> For non-standard installations of a database, the '--with-mysql=DIR'
> syntax may need to be used to specify the base directory of the DB install.
>
> See the database documentation for cursory details (doc/README.database).
> and the URL to the most recent database plugin documentation.
> Fatal Error, Quitting..
> database: compiled support for ( )
> database: configured to use mysql
>
> I compiled it again with --enable-mysql=/usr/include/mysql
>
> but that brought the same error.
>
> As I said, it is a Debian sarge 3.1 and I apt-geted the package
> libmysqlclient14-dev
>
> I was wondering because I got no error during compilation.
> Do I need anything else?
>
> Or did I use the wrong path in Debian?
> What file is snort_inline aiming at during compilation?
>
> How does snort-inline know that it has to create a table in the Mysql
> database? Up to now I only created an empty database
> with the rights for Snort-inline.
>
> Thank you
> Best regards
> Holger
>
> Will Metcalf wrote:
>
> >snort-inline supports logging to a database, just copy the line that
> >deals with database output from snort.conf to snort-inline.conf and
> >modify it to fit your environment.
> >
> >Regards,
> >
> >Will
> >
> >On 8/19/05, Holger Moskopp <gan...@mo...> wrote:
> >
> >> Hello,
> >>
> >> my name is Holger Moskopp, I'm a student at the
> >> FH-Cologne and working on my thesis. The topic is
> >> to build a security solution for an experimental network
> >> with special consideration of VoIP applications
> >> (for that is the DMZ with a SIP/RTP proxy)
> >>
> >> I'm also new to that mailing list, and I never was before
> >> a member of a mailing list.
> >>
> >> I have a separate computer with three Ethernet cards as firewall.
> >> eth0 for the external net, eth2 for the internal net, eth1 for my DMZ.
> >> On that computer I installed snort-inline.2.2.0a
> >>
> >> I want to send all the snort-inline logs to a MYSQL database in the
> >> internal net. So I configured snort-inline like that:
> >>
> >> ./configure --/prefix=/opt/snort-inline/
> >> --with-libipq-includes=/usr/include/libipq
> >> --enable-flexresp
> >> --enable-inline
> >> --enable-clamav
> >> --with-mysql
> >>
> >> all went well with the make and make install.
> >>
> >> I copied all files from /etc and the rules.
> >>
> >> But how can I tell snort-inline where the mysql database is?
> >> There is a snort.conf and a snort-inline.conf.
> >> In the snort.conf there is a possibility to tell snort an output database.
> >> But not in the snort-inline.conf.
> >> Do I have to do it in the snort.conf, or do I have to copy that line into
> >> the snort-inline.conf - is the snort.conf needed?
> >> If yes - do all changes there have the same effect as described in
> >> several Howtos?
> >>
> >> Thank You
> >> Best regards
> >> Holger Moskopp
From: Holger M. <gan...@mo...> - 2005-08-22 18:51:55

After many tests on the TTY I wanted to connect Snort-inline with the mysql database. But I got a strange screen while starting snort-inline after changing the snort_inline.conf.

I added:

### MYSQL database location
output database: log, mysql, user=snort password=<THEPASSWORD> dbname=snort host=<IP-in-INTERN-NET>

and I got that screen:

.
.
.
.
database: 'mysql' support is not compiled into this build of snort

ERROR: If this build of snort was obtained as a binary distribution (e.g., rpm,
or Windows), then check for alternate builds that contains the necessary
'mysql' support.

If this build of snort was compiled by you, then re-run the
the ./configure script using the '--with-mysql' switch.
For non-standard installations of a database, the '--with-mysql=DIR'
syntax may need to be used to specify the base directory of the DB install.

See the database documentation for cursory details (doc/README.database).
and the URL to the most recent database plugin documentation.
Fatal Error, Quitting..
database: compiled support for ( )
database: configured to use mysql

I compiled it again with --enable-mysql=/usr/include/mysql

but that brought the same error.

As I said, it is a Debian sarge 3.1 and I apt-geted the package libmysqlclient14-dev

I was wondering because I got no error during compilation. Do I need anything else?

Or did I use the wrong path in Debian? What file is snort_inline aiming at during compilation?

How does snort-inline know that it has to create a table in the Mysql database? Up to now I only created an empty database with the rights for Snort-inline.

Thank you
Best regards
Holger

Will Metcalf wrote:
> snort-inline supports logging to a database, just copy the line that
> deals with database output from snort.conf to snort-inline.conf and
> modify it to fit your environment.
>
> Regards,
>
> Will
>
> On 8/19/05, Holger Moskopp <gan...@mo...> wrote:
>
>> Hello,
>>
>> my name is Holger Moskopp, I'm a student at the
>> FH-Cologne and working on my thesis. The topic is
>> to build a security solution for an experimental network
>> with special consideration of VoIP applications
>> (for that is the DMZ with a SIP/RTP proxy)
>>
>> I'm also new to that mailing list, and I never was before
>> a member of a mailing list.
>>
>> I have a separate computer with three Ethernet cards as firewall.
>> eth0 for the external net, eth2 for the internal net, eth1 for my DMZ.
>> On that computer I installed snort-inline.2.2.0a
>>
>> I want to send all the snort-inline logs to a MYSQL database in the
>> internal net. So I configured snort-inline like that:
>>
>> ./configure --/prefix=/opt/snort-inline/
>> --with-libipq-includes=/usr/include/libipq
>> --enable-flexresp
>> --enable-inline
>> --enable-clamav
>> --with-mysql
>>
>> all went well with the make and make install.
>>
>> I copied all files from /etc and the rules.
>>
>> But how can I tell snort-inline where the mysql database is?
>> There is a snort.conf and a snort-inline.conf.
>> In the snort.conf there is a possibility to tell snort an output database.
>> But not in the snort-inline.conf.
>> Do I have to do it in the snort.conf, or do I have to copy that line into
>> the snort-inline.conf - is the snort.conf needed?
>> If yes - do all changes there have the same effect as described in
>> several Howtos?
>>
>> Thank You
>> Best regards
>> Holger Moskopp
From: Holger M. <gan...@mo...> - 2005-08-22 18:51:23
|
Thank you for your answer,

I tested it today without mysql - only with 2$>/tmp/test
That works - I think - I can see the "backcoming" traffic now.
But I can't see snort_inline doing anything. There is nothing in the logfiles. snort_inline_full or _fast are empty.
But how can I test if Snort-inline and ClamAV are doing anything?
Is there another possibility to test that?

Thank you
Best regards
Holger

Will Metcalf wrote:
> preprocessor stream4: disable_evasion_alerts, iptablesnewmark,
> iptablesestmart, forceipstate
>
> should be
>
> preprocessor stream4: disable_evasion_alerts,iptablesnewmark
> ,iptablesestmark ,forceiptstate
>
> $IPTABLES -A FORWARD -p tcp --dport 8080 -m state --state NEW -j QUEUE
> $IPTABLES -A FORWARD -p tcp --sport 8080 -m state --state ESTABLISHED -j QUEUE
>
> should be something like
>
> $IPTABLES -t mangle -A FORWARD -p tcp --syn -m state --state NEW
> --dport 8080 -j MARK --set-mark 1
>
> $IPTABLES -t mangle -A FORWARD -p tcp -m state --state ESTABLISHED
> --sport 8080 -j MARK --set-mark 2
>
> $IPTABLES -I FORWARD -m mark --mark 1 -j QUEUE
> $IPTABLES -I FORWARD -m mark --mark 2 -j QUEUE
>
> clamav is not detected over http due to a change in the clamav sig for
> eicar. The new sig only looks for the eicar string within the first
> couple bytes of the fd buffer whatever. Once you add all of the http
> header stuff the string is no longer contained within the first
> couple bytes.
>
> Regards,
>
> Will
>
> On 8/19/05, Holger Moskopp <gan...@mo...> wrote:
>
>> Hello,
>>
>> I played around with my Snort-inline on the firewall
>> on a Debian sarge 3.1
>>
>> I started it with:
>>
>> ./snort-inline -Qvc /opt/snort-inline/etc/snort-inline/snort_inline.conf
>>
>> Here my snort-inline.conf:
>> Only some lines changed
>> http://www.ganeymed.de/pixx/fw_ids/snort-inline-conf.htm
>>
>> We got proxy-force here so all http goes over our http proxy.
>> I tried to give all that traffic to snort-inline.
>> Here is my firewall script (I marked the snort-specific part red):
>> http://www.ganeymed.de/pixx/fw_ids/snorttest_sh.htm
>>
>> Then I started snort in addition with 2&>/tmp/test to send it all to a testfile:
>> http://www.ganeymed.de/pixx/fw_ids/test_aus_temp.htm
>>
>> The startup looks good to me, but
>> on the bottom you can see a connection of MY_IP to the proxy.
>> But no traffic that comes back. But all works. I can visit websites
>> from behind the firewall.
>>
>> Also - how can I test snort inline.
>> I tried eicar.com - but nothing was blocked.
>>
>> How can I test if clamav works together with snort-inline?
>>
>> Thank you
>> Best regards
>> Holger Moskopp
>>
>> _______________________________________________
>> Snort-inline-users mailing list
>> Sno...@li...
>> https://lists.sourceforge.net/lists/listinfo/snort-inline-users
|
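The two mistakes Will points out in the thread above (misspelled stream4 option names, and traffic that is marked but never handed to QUEUE so snort_inline never sees the reply direction) are both easy to check mechanically. The checker below is an added example, not code from the thread or from the snort_inline project; the known option names are taken from Will's corrected preprocessor line, the sample config line and rule script are constructed, and the difflib spelling suggestion is a heuristic.

```python
"""Consistency checks for a snort_inline stream4 line and the iptables mark
rules that feed it. Added example, not code from the mailing-list thread or
the snort_inline project; samples below are constructed, option names are
copied from Will's corrected 'preprocessor stream4:' line."""
import difflib
import re

# stream4 option names as given in Will's corrected line.
KNOWN_STREAM4_OPTS = ["disable_evasion_alerts", "iptablesnewmark",
                      "iptablesestmark", "forceiptstate"]

# Constructed samples: the misspelled line from the thread, Will's fix, and a
# rule script that sets two marks but only queues one of them.
TYPO_LINE = ("preprocessor stream4: disable_evasion_alerts, iptablesnewmark, "
             "iptablesestmart, forceipstate")
FIXED_LINE = ("preprocessor stream4: disable_evasion_alerts,iptablesnewmark "
              ",iptablesestmark ,forceiptstate")
SAMPLE_SCRIPT = """
IPTABLES=/sbin/iptables
$IPTABLES -t mangle -A FORWARD -p tcp --syn -m state --state NEW --dport 8080 -j MARK --set-mark 1
$IPTABLES -t mangle -A FORWARD -p tcp -m state --state ESTABLISHED --sport 8080 -j MARK --set-mark 2
$IPTABLES -I FORWARD -m mark --mark 1 -j QUEUE
"""

def check_stream4_line(line):
    """Return [(bad_option, closest_known_option_or_None), ...]; [] if clean."""
    m = re.match(r"\s*preprocessor\s+stream4\s*:\s*(.*)$", line)
    if not m:
        return [(line.strip(), None)]  # not a stream4 line at all
    problems = []
    for opt in (o.strip() for o in m.group(1).split(",")):
        if opt and opt not in KNOWN_STREAM4_OPTS:
            # Best-effort spelling suggestion (heuristic, default cutoff 0.6).
            close = difflib.get_close_matches(opt, KNOWN_STREAM4_OPTS, n=1)
            problems.append((opt, close[0] if close else None))
    return problems

def unqueued_marks(script):
    """Marks set by -j MARK that no rule hands to -j QUEUE.
    A mark that is set but never queued means snort_inline never receives
    that direction of the flow, which looks like 'nothing in the logfiles'."""
    set_marks = set(re.findall(r"--set-mark\s+(\d+)", script))
    queued = set(re.findall(r"--mark\s+(\d+)\s+-j\s+QUEUE", script))
    return sorted(set_marks - queued)

if __name__ == "__main__":
    print(check_stream4_line(TYPO_LINE))   # two misspelled options, with suggestions
    print(check_stream4_line(FIXED_LINE))  # []
    print(unqueued_marks(SAMPLE_SCRIPT))   # ['2']
```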
