From: Norwich U. - I. S. <in...@no...> - 2005-05-25 17:10:14

Hi, I've been trying for about 4 days to write a rule to drop ares connections/downloads, but I'm having no success. Has anyone successfully written a rule to block ares?

Thx,
Jason
From: Siddhartha J. <si...@ne...> - 2005-05-25 13:38:39

Hi, I am trying to write a signature for the mytob virus. I have the ClamAV signature for the virus, but clam extracts the .exe from the .zip file and then does a match, so the clam signature seems useless. How do I identify the base64 string in the mytob zip file that uniquely identifies the virus?

- Siddhartha
From: Will M. <wil...@gm...> - 2005-05-25 13:10:09

> Is there perhaps a kind of IP_QUEUE mmap solution which will save cpu by not
> having to actually copy the packet from kernel to userspace? (e.g. similar to
> mmap pcap where ring buffers in the kernel are mapped to userspace directly)

hmmmm, not currently. You want to write one?

Regards,
Will

On 5/25/05, Bert van Leeuwen <ber...@gm...> wrote:
> Perhaps it is not possible with snort-inline, that is what I am trying to
> determine. I was hoping the "per-flow" rules would somehow be able to turn
> off after a while, e.g. after n bytes of content had been seen etc., but I
> guess there will always be many "per packet" rules checking for things like
> illegal IP fragments and IP header weirdness etc.
>
> I was not considering using custom signatures or any other customised
> solution. The more I think about this, what I wanted to achieve doesn't
> sound possible, at least not with snort, and perhaps not at all.
>
> Is there perhaps a kind of IP_QUEUE mmap solution which will save cpu by not
> having to actually copy the packet from kernel to userspace? (e.g. similar
> to mmap pcap where ring buffers in the kernel are mapped to userspace
> directly)
>
> Roland Turner said:
>
> > I'm not sure that I understand how this is possible. The fact that the
> > first n packets of a flow don't match any signatures does not mean that no
> > subsequent packets will.
> >
> > Do you have a specific situation in mind? (Custom signatures perhaps?)
> >
> > - Raz
From: Bert v. L. <ber...@gm...> - 2005-05-25 10:24:52

Perhaps it is not possible with snort-inline, that is what I am trying to determine. I was hoping the "per-flow" rules would somehow be able to turn off after a while, e.g. after n bytes of content had been seen etc., but I guess there will always be many "per packet" rules checking for things like illegal IP fragments and IP header weirdness etc.

I was not considering using custom signatures or any other customised solution. The more I think about this, what I wanted to achieve doesn't sound possible, at least not with snort, and perhaps not at all.

Is there perhaps a kind of IP_QUEUE mmap solution which will save cpu by not having to actually copy the packet from kernel to userspace? (e.g. similar to mmap pcap where ring buffers in the kernel are mapped to userspace directly)

Roland Turner said:
> I'm not sure that I understand how this is possible. The fact that the
> first n packets of a flow don't match any signatures does not mean that no
> subsequent packets will.
>
> Do you have a specific situation in mind? (Custom signatures perhaps?)
>
> - Raz
From: Will M. <wil...@gm...> - 2005-05-24 13:29:49

Nick,

Oops, it was late, I missed the HUP part of that. Yeah, we need ipq_destroy_handle in Restart() as well, so thanks.

Regards,
Will

On 5/24/05, Nick Rogness <ni...@ro...> wrote:
> On Mon, 23 May 2005, Will Metcalf wrote:
>
> >> The question is does sending a SIGHUP normally restart
> >> snort_inline?
> >
> > yup
> >
> > Take a look at CleanExit() in snort.c, we nuke our ipq_handle with
> > ipq_destroy_handle, not sure what the IPFW equivalent is.
>
> It doesn't appear that you are destroying the ipq handle when a
> SIGHUP is received (via Restart()). It looks only like it is
> referenced inside of CleanExit(), which is not called during a
> SIGHUP. I don't know if destroying the ipq handle is necessary
> during a SIGHUP or not, but I added your destroy code inside of
> Restart just as it is in CleanExit().
>
> Attached are 3 diff files to be patched against 2.3.0-RC1. This
> includes the ipq_destroy stuff added in Restart(). If that isn't
> necessary, I can take it out and resubmit the patch.
>
> Nick Rogness <ni...@ro...>
> -
> How many people here have telekinetic powers? Raise my hand.
> -Emo Philips
From: Roland T. (SourceForge) <raz...@co...> - 2005-05-24 09:55:23

Bert van Leeuwen said:
> I'm trying to find out whether it is possible (with snort-inline) to
> detect that a particular IP flow (i.e. src/dst IP, UDP/TCP src/dst
> port tuple) has "passed" all the available rules, in other words that
> none of the rules match or will match a particular flow. The reason

I'm not sure that I understand how this is possible. The fact that the first n packets of a flow don't match any signatures does not mean that no subsequent packets will.

Do you have a specific situation in mind? (Custom signatures perhaps?)

- Raz
From: Bert v. L. <ber...@gm...> - 2005-05-24 09:31:05

I'm trying to find out whether it is possible (with snort-inline) to detect that a particular IP flow (i.e. src/dst IP, UDP/TCP src/dst port tuple) has "passed" all the available rules, in other words that none of the rules match or will match a particular flow. The reason for this is that I want to have the ability to add a temporary iptables rule automatically to prevent known non-intrusion flows from going into the queue in the first place, to improve network performance (by not having to copy packets from kernel to user space) for flows that are determined to be "OK".

I've been looking through the source code and docs for a way to do this, but to no avail. Is this possible at all with the snort rules architecture? Essentially every rule would have to indicate whether it matches, doesn't match, can't compute yet (e.g. not enough data received yet), or won't ever match. At some point hopefully all rules exit the "can't compute yet" state, and then if all of them either "don't match" or "won't match" one can say that a flow has "passed" the intrusion prevention system.
From: bharathi <bha...@au...> - 2005-05-24 07:37:29

christiaan wrote:
> Hi
>
> I am new to IPS and I have been doing some research to try to
> understand what is the most effective way to deploy. Is it effective
> to deploy a bridging firewall/IPS on a file server in an intranet or
> LAN to provide an extra layer of security? The LAN/intranet would be
> behind an IPtables firewall.
>
> If it is possible what would be the most effective method of utilising
> ebtables. Should the topology be:
>
> IPtables router » bridge IPS/ file server » LAN/Intranet
>
AFAIK, this would be the best implementation topology, because you can inspect and prevent all vulnerable packets from the internet before they reach your LAN using IPS, and also vice versa.

Thanks,
bharthix
--
http://bharthix.tk/
From: Nick R. <ni...@ro...> - 2005-05-24 07:09:28

On Mon, 23 May 2005, Will Metcalf wrote:
>> The question is does sending a SIGHUP normally restart
>> snort_inline?
>
> yup
>
> Take a look at CleanExit() in snort.c, we nuke our ipq_handle with
> ipq_destroy_handle, not sure what the IPFW equivalent is.

It doesn't appear that you are destroying the ipq handle when a SIGHUP is received (via Restart()). It looks only like it is referenced inside of CleanExit(), which is not called during a SIGHUP. I don't know if destroying the ipq handle is necessary during a SIGHUP or not, but I added your destroy code inside of Restart just as it is in CleanExit().

Attached are 3 diff files to be patched against 2.3.0-RC1. This includes the ipq_destroy stuff added in Restart(). If that isn't necessary, I can take it out and resubmit the patch.

Nick Rogness <ni...@ro...>
-
How many people here have telekinetic powers? Raise my hand.
-Emo Philips
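The defect Nick describes (Restart() re-initializes while the running instance's packet socket is still open, so the re-bind fails with "Address already in use") can be reproduced without snort_inline. The block below is an added example, not code from snort_inline or from anyone in the thread; it uses a bound loopback TCP socket as a stand-in for the divert (ipfw) or ipq (iptables) socket, and the function names restart_without_destroy and restart_with_destroy are its own.

```c
/* Added example (not snort_inline code). A bound loopback TCP socket stands
 * in for the divert/ipq socket that snort_inline holds while it is running. */
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Bind a new socket to 127.0.0.1:port (port 0 lets the kernel choose).
 * Returns the descriptor, or -errno if socket() or bind() fails. */
static int bind_loopback(unsigned short port)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -errno;
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    sa.sin_port = htons(port);
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0) {
        int err = errno;
        close(fd);
        return -err;
    }
    return fd;
}

/* Report the port the kernel actually assigned to a bound socket. */
static unsigned short bound_port(int fd)
{
    struct sockaddr_in sa;
    socklen_t len = sizeof sa;
    if (getsockname(fd, (struct sockaddr *)&sa, &len) < 0)
        return 0;
    return ntohs(sa.sin_port);
}

/* Restart() as reported in the thread: the running instance's socket is
 * still open when initialization binds the same address again.
 * Returns the errno of the failed re-bind (expected: EADDRINUSE),
 * or 0 if the re-bind unexpectedly succeeded. */
int restart_without_destroy(void)
{
    int old = bind_loopback(0);
    if (old < 0)
        return -old;
    int again = bind_loopback(bound_port(old));
    int result = (again < 0) ? -again : 0;
    if (again >= 0)
        close(again);
    close(old);
    return result;
}

/* Restart() with the destroy step added: release the old socket first
 * (what ipq_destroy_handle() does for the ipq handle in CleanExit()),
 * then re-bind. Returns 0 on success or the errno of a failed re-bind. */
int restart_with_destroy(void)
{
    int old = bind_loopback(0);
    if (old < 0)
        return -old;
    unsigned short port = bound_port(old);
    close(old);               /* the step missing from Restart() */
    int again = bind_loopback(port);
    if (again < 0)
        return -again;
    close(again);
    return 0;
}

int main(void)
{
    int err = restart_without_destroy();
    printf("re-bind without destroy: %s\n",
           err == EADDRINUSE ? "EADDRINUSE (the error from the thread)"
                             : strerror(err));
    err = restart_with_destroy();
    printf("re-bind after destroy:   %s\n", err ? strerror(err) : "ok");
    return 0;
}
```

The same ordering matters for any handler that re-runs initialization on SIGHUP: release the old handle before acquiring the new one, or the daemon exits on the failed bind and leaves the host uninspected until someone notices.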
From: Nick R. <ni...@ro...> - 2005-05-24 06:05:23

On Mon, 23 May 2005, Will Metcalf wrote:
>> The question is does sending a SIGHUP normally restart
>> snort_inline?
>
> yup
>
> Take a look at CleanExit() in snort.c, we nuke our ipq_handle with
> ipq_destroy_handle, not sure what the IPFW equivalent is.

Just closing the socket(). I'll work on that a bit and patch against 2.3.0-RC1.

Also, I submitted snort_inline into the main FreeBSD ports tree. Just waiting for approval.

Nick Rogness <ni...@ro...>
-
How many people here have telekinetic powers? Raise my hand.
-Emo Philips
From: C.G.Senthilkumar. <che...@cs...> - 2005-05-24 05:20:29

On Mon, 23 May 2005, Will Metcalf wrote:
>> The question is does sending a SIGHUP normally restart
>> snort_inline?
>
> yup

That's encouraging. Waiting for the patch now.

Thanks in advance.
Senthil.
--
Today's fortune:
One cannot make an omelette without breaking eggs -- but it is amazing how many eggs one can break without making a decent omelette.
-- Professor Charles P. Issawi
From: Will M. <wil...@gm...> - 2005-05-24 04:27:54

> The question is does sending a SIGHUP normally restart
> snort_inline?

yup

Take a look at CleanExit() in snort.c, we nuke our ipq_handle with ipq_destroy_handle, not sure what the IPFW equivalent is.

Regards,
Will

On 5/23/05, Nick Rogness <ni...@ro...> wrote:
> On Mon, 23 May 2005, C.G.Senthilkumar. wrote:
>
> > Hi,
> >
> > Following up on my previous e-mail.
> >
> > Since SIGHUP didn't restart the snort_inline daemon cleanly, I tried
> > running snort_inline in foreground. I was not expecting a SIGHUP to
> > restart snort_inline, but was trying to debug. When I sent a SIGHUP, I
> > got the following error:
> >
> > IpfwLoop: can't bind divert socket: Address already in use
>
> This means that the DIVERT socket that snort_inline listens on is
> being used by something else, namely the existing snort_inline.
>
> The question is does sending a SIGHUP normally restart
> snort_inline? If it does, I will submit a patch.
>
> > Is that any use?
> >
> > Any help would be very useful.
> >
> > Thanks in advance.
> > Senthil.
> >
> > On Mon, 23 May 2005, C.G.Senthilkumar. wrote:
> >
> >> Hi,
> >> This is the command line I use to invoke snort_inline on FreeBSD 4.10
> >> with ipfw on it:
> >> /usr/local/bin/sudo /usr/local/bin/snort_inline -J 500 -c
> >> /users/someuser/snort/snort_inline-2.3.0-RC1/etc/snort_inline.conf -D
> >>
> >> Once in a while, I update the rules files. Now, I want snort_inline to
> >> read in the updated rules files, so I send it a SIGHUP signal using:
> >> sudo kill -s HUP 2381
> >>
> >> sudo tail -n 1 /var/log/message gives:
> >> May 23 14:14:28 node1 snort_inline: Snort initialization completed
> >> successfully (pid=2381)
> >>
> >> However, I don't see snort_inline running after sending the SIGHUP.
> >>
> >> Is there a problem with using sudo and sending SIGHUP? What am I missing
> >> here?
> >> Except for restarting, other things seem to work fine.
> >>
> >> Any help will be very useful.
> >>
> >> Thanks in advance.
> >> Senthil.
> >
> > --
> > Today's fortune:
> > Learning at some schools is like drinking from a firehose.
> >
> > -------------------------------------------------------
> > This SF.Net email is sponsored by Oracle Space Sweepstakes
> > Want to be the first software developer in space?
> > Enter now for the Oracle Space Sweepstakes!
> > http://ads.osdn.com/?ad_id=7412&alloc_id=16344&op=click
> > _______________________________________________
> > Snort-inline-users mailing list
> > Sno...@li...
> > https://lists.sourceforge.net/lists/listinfo/snort-inline-users
>
> Nick Rogness <ni...@ro...>
> -
> How many people here have telekinetic powers? Raise my hand.
> -Emo Philips
From: Nick R. <ni...@ro...> - 2005-05-24 00:46:55

On Mon, 23 May 2005, C.G.Senthilkumar. wrote:
> Hi,
>
> Following up on my previous e-mail.
>
> Since SIGHUP didn't restart the snort_inline daemon cleanly, I tried
> running snort_inline in foreground. I was not expecting a SIGHUP to
> restart snort_inline, but was trying to debug. When I sent a SIGHUP, I
> got the following error:
>
> IpfwLoop: can't bind divert socket: Address already in use

This means that the DIVERT socket that snort_inline listens on is being used by something else, namely the existing snort_inline.

The question is does sending a SIGHUP normally restart snort_inline? If it does, I will submit a patch.

> Is that any use?
>
> Any help would be very useful.
>
> Thanks in advance.
> Senthil.
>
> On Mon, 23 May 2005, C.G.Senthilkumar. wrote:
>
>> Hi,
>> This is the command line I use to invoke snort_inline on FreeBSD 4.10
>> with ipfw on it:
>> /usr/local/bin/sudo /usr/local/bin/snort_inline -J 500 -c
>> /users/someuser/snort/snort_inline-2.3.0-RC1/etc/snort_inline.conf -D
>>
>> Once in a while, I update the rules files. Now, I want snort_inline to
>> read in the updated rules files, so I send it a SIGHUP signal using:
>> sudo kill -s HUP 2381
>>
>> sudo tail -n 1 /var/log/message gives:
>> May 23 14:14:28 node1 snort_inline: Snort initialization completed
>> successfully (pid=2381)
>>
>> However, I don't see snort_inline running after sending the SIGHUP.
>>
>> Is there a problem with using sudo and sending SIGHUP? What am I missing
>> here?
>> Except for restarting, other things seem to work fine.
>>
>> Any help will be very useful.
>>
>> Thanks in advance.
>> Senthil.
>
> --
> Today's fortune:
> Learning at some schools is like drinking from a firehose.

Nick Rogness <ni...@ro...>
-
How many people here have telekinetic powers? Raise my hand.
-Emo Philips
From: C.G.Senthilkumar. <che...@cs...> - 2005-05-23 23:13:37

Hi,

Following up on my previous e-mail.

Since SIGHUP didn't restart the snort_inline daemon cleanly, I tried running snort_inline in foreground. I was not expecting a SIGHUP to restart snort_inline, but was trying to debug. When I sent a SIGHUP, I got the following error:

IpfwLoop: can't bind divert socket: Address already in use

Is that any use?

Any help would be very useful.

Thanks in advance.
Senthil.

On Mon, 23 May 2005, C.G.Senthilkumar. wrote:
> Hi,
> This is the command line I use to invoke snort_inline on FreeBSD 4.10 with
> ipfw on it:
> /usr/local/bin/sudo /usr/local/bin/snort_inline -J 500 -c
> /users/someuser/snort/snort_inline-2.3.0-RC1/etc/snort_inline.conf -D
>
> Once in a while, I update the rules files. Now, I want snort_inline to read
> in the updated rules files, so I send it a SIGHUP signal using:
> sudo kill -s HUP 2381
>
> sudo tail -n 1 /var/log/message gives:
> May 23 14:14:28 node1 snort_inline: Snort initialization completed
> successfully (pid=2381)
>
> However, I don't see snort_inline running after sending the SIGHUP.
>
> Is there a problem with using sudo and sending SIGHUP? What am I missing
> here?
> Except for restarting, other things seem to work fine.
>
> Any help will be very useful.
>
> Thanks in advance.
> Senthil.

--
Today's fortune:
Learning at some schools is like drinking from a firehose.
From: C.G.Senthilkumar. <che...@cs...> - 2005-05-23 20:36:26

Hi,

This is the command line I use to invoke snort_inline on FreeBSD 4.10 with ipfw on it:

/usr/local/bin/sudo /usr/local/bin/snort_inline -J 500 -c /users/someuser/snort/snort_inline-2.3.0-RC1/etc/snort_inline.conf -D

Once in a while, I update the rules files. Now, I want snort_inline to read in the updated rules files, so I send it a SIGHUP signal using:

sudo kill -s HUP 2381

sudo tail -n 1 /var/log/message gives:

May 23 14:14:28 node1 snort_inline: Snort initialization completed successfully (pid=2381)

However, I don't see snort_inline running after sending the SIGHUP.

Is there a problem with using sudo and sending SIGHUP? What am I missing here? Except for restarting, other things seem to work fine.

Any help will be very useful.

Thanks in advance.
Senthil.
--
Today's fortune:
Learning at some schools is like drinking from a firehose.
From: Ken G. <ken...@ro...> - 2005-05-23 18:40:17

You would want to deploy it as:

Router -> Bridge -> LAN

The bridge acts as the intermediary, and if you were to place it on the LAN instead of in front of it you would now be doing IDS instead of IPS.

christiaan wrote:
> Hi
>
> I am new to IPS and I have been doing some research to try to
> understand what is the most effective way to deploy. Is it effective
> to deploy a bridging firewall/IPS on a file server in an intranet or
> LAN to provide an extra layer of security? The LAN/intranet would be
> behind an IPtables firewall.
>
> If it is possible what would be the most effective method of utilising
> ebtables. Should the topology be:
>
> IPtables router » bridge IPS/ file server » LAN/Intranet
>
> or
>
> IPtables router » LAN/Intranet » bridge IPS/ file server
>
> Thanks in advance
>
> Chris
From: Alberto A. <aal...@ya...> - 2005-05-23 18:24:05

Hi,

Is there a project that integrates snort_inline with the FreeBSD or OpenBSD PF(4) filtering subsystem?

Thank you...

Alberto Alesina
From: christiaan <chr...@vi...> - 2005-05-23 13:42:45

Hi

I am new to IPS and I have been doing some research to try to understand what is the most effective way to deploy. Is it effective to deploy a bridging firewall/IPS on a file server in an intranet or LAN to provide an extra layer of security? The LAN/intranet would be behind an IPtables firewall.

If it is possible what would be the most effective method of utilising ebtables. Should the topology be:

IPtables router » bridge IPS/ file server » LAN/Intranet

or

IPtables router » LAN/Intranet » bridge IPS/ file server

Thanks in advance

Chris
From: C.G.Senthilkumar. <che...@cs...> - 2005-05-17 16:29:31

> of a denial of service attack. For example, if I know a specific IP
> address is running an active intrusion blocking system, I can spoof an
> attack from microsoft and google, which the active IPS will respond by
> putting the appropriate IP addresses into a block list, either timed or

This is exactly where snort-inline adds value to regular firewalls. It drops connections based on malicious content/matching rules rather than a black list of IP addresses.
From: Josh B. <jos...@li...> - 2005-05-17 15:20:32

Snort-Inline just blocks the malicious portion of a stream of packets. It does not create firewall rules to block for an amount of time unless you configure it to do so. By default it only blocks that malicious content, so if you are spoofing an address you cannot create a DoS situation unless you overload the IPS device, because it is only dropping those malicious packets (instead of everything from that network and/or IP address). Or at least that is my understanding.

> Hi
>
> I am new to IPS and I have been doing some research to try to
> understand what is the most effective way to deploy IPS. I read this below
>
> There can be problems introduced by IPS and the primary one is comprised
> of a denial of service attack. For example, if I know a specific IP
> address is running an active intrusion blocking system, I can spoof an
> attack from microsoft and google, which the active IPS will respond by
> putting the appropriate IP addresses into a block list, either timed or
> permanent, depending on the configuration. As if that's not bad enough,
> what if I could cause it to block out your upstream DNS? Or a zone
> server? Or your upstream router? Yes, I can find that out with a
> traceroute. Or your default gateway? I can guess that one in 255
> attempts. This has traditionally been why network admins have been
> reluctant to install active intrusion blocking. Perhaps SonicWall has
> mitigated all of these risks. I would want to know this before I
> implemented one.
>
> If attacks can be made be utilising I have one simple question is it
> easier or more effective to deploy IPS on a bridge or a router?
>
> chris

--
Thanks,
Josh Berry | CISSP GCIA
Principal Engineer
LinkNet Security Solutions
469-831-8543
jos...@li...
From: Eric M. <eri...@ap...> - 2005-05-17 15:09:04

> If attacks can be made be utilising I have one simple question is it
> easier or more effective to deploy IPS on a bridge or a router?
>
> chris

bridge is better for several reasons:
- doesn't have any ip so harder to detect and hack
- easier to install in your environment, you don't need to change any conf (gateway, route...) on your network

Thanks,
--
Eric Maheo
Vice President of Engineering, Applied Watch Technologies, LLC
1134 N. Main St.
Algonquin, IL 60102
Tel: (877) 262-7593 x324
Fax: (877) 262-7593
Email: eri...@ap...
Web: http://www.appliedwatch.com
From: christiaan <chr...@vi...> - 2005-05-17 13:11:22

Hi

I am new to IPS and I have been doing some research to try to understand what is the most effective way to deploy IPS. I read this below:

There can be problems introduced by IPS and the primary one is comprised of a denial of service attack. For example, if I know a specific IP address is running an active intrusion blocking system, I can spoof an attack from microsoft and google, which the active IPS will respond by putting the appropriate IP addresses into a block list, either timed or permanent, depending on the configuration. As if that's not bad enough, what if I could cause it to block out your upstream DNS? Or a zone server? Or your upstream router? Yes, I can find that out with a traceroute. Or your default gateway? I can guess that one in 255 attempts. This has traditionally been why network admins have been reluctant to install active intrusion blocking. Perhaps SonicWall has mitigated all of these risks. I would want to know this before I implemented one.

If attacks can be made be utilising I have one simple question is it easier or more effective to deploy IPS on a bridge or a router?

chris
From: C.G.Senthilkumar. <che...@cs...> - 2005-05-17 03:09:24

This is my understanding.. 'cos snort-inline matches rules against contents of packets, all packets need to be passed to snort-inline. If a decision can be made to drop a connection based on the 3-way handshake packets, iptables can do that and there is no need for snort-inline.

Thanks
Senthil.

On Mon, 16 May 2005, Schott, Erik J Mr ANOSC/FCBS wrote:
> Forwarded.
>
> -----Original Message-----
> From: saurabha [mailto:sau...@fu...]
> Sent: Saturday, May 14, 2005 6:00 AM
> To: foc...@se...
> Subject: flow of packet from iptable to snort_inline
>
> Hi,
>
> I have a query about the flow of packets from iptables to snort_inline.
>
> Problem description:
> -------------------
> Assuming that iptables have filters to allow tcp packets, now since
> the incoming packets (tcp) are permitted, iptables will maintain
> session information in the stateful inspection table.
>
> I want to know if iptables sends all incoming packets to snort_inline
> or it sends only the first few packets.
>
> In case of TCP, does iptables send packets only till the 3 way handshake
> is done (before the entry is made into the stateful table), or does it
> send all packets for that connection to snort_inline?
>
> Thanks & Regards
> Saurabh Agrawal
From: Adayadil T. <ada...@gm...> - 2005-05-16 23:22:46

This depends on the iptables rules set up. Snort inline reads the packets from libipq and so gets all the packets that come to this queue according to the iptables rules.

On 5/16/05, Schott, Erik J Mr ANOSC/FCBS <eri...@ne...> wrote:
> Forwarded.
>
> -----Original Message-----
> From: saurabha [mailto:sau...@fu...]
> Sent: Saturday, May 14, 2005 6:00 AM
> To: foc...@se...
> Subject: flow of packet from iptable to snort_inline
>
> Hi,
>
> I have a query about the flow of packets from iptables to snort_inline.
>
> Problem description:
> -------------------
> Assuming that iptables have filters to allow tcp packets, now since
> the incoming packets (tcp) are permitted, iptables will maintain
> session information in the stateful inspection table.
>
> I want to know if iptables sends all incoming packets to snort_inline
> or it sends only the first few packets.
>
> In case of TCP, does iptables send packets only till the 3 way handshake
> is done (before the entry is made into the stateful table), or does it
> send all packets for that connection to snort_inline?
>
> Thanks & Regards
> Saurabh Agrawal
>
> ***************************************************************************
> This message is proprietary to Future Software Limited (FSL)
> and is intended solely for the use of the individual to whom it
> is addressed. It may contain privileged or confidential information
> and should not be circulated or used for any purpose other than for
> what it is intended.
>
> If you have received this message in error, please notify the
> originator immediately. If you are not the intended recipient,
> you are notified that you are strictly prohibited from using,
> copying, altering, or disclosing the contents of this message.
> FSL accepts no responsibility for loss or damage arising from
> the use of the information transmitted by this email including
> damage from virus.
> ***************************************************************************
>
> --------------------------------------------------------------------------
> Test Your IDS
>
> Is your IDS deployed correctly?
> Find out quickly and easily by testing it with real-world attacks from
> CORE IMPACT.
> Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
> to learn more.
> --------------------------------------------------------------------------
From: Schott, E. J Mr ANOSC/F. <eri...@NE...> - 2005-05-16 21:21:54

Forwarded.

-----Original Message-----
From: saurabha [mailto:sau...@fu...]
Sent: Saturday, May 14, 2005 6:00 AM
To: foc...@se...
Subject: flow of packet from iptable to snort_inline

Hi,

I have a query about the flow of packets from iptables to snort_inline.

Problem description:
-------------------
Assuming that iptables have filters to allow tcp packets, now since the incoming packets (tcp) are permitted, iptables will maintain session information in the stateful inspection table.

I want to know if iptables sends all incoming packets to snort_inline or it sends only the first few packets.

In case of TCP, does iptables send packets only till the 3 way handshake is done (before the entry is made into the stateful table), or does it send all packets for that connection to snort_inline?

Thanks & Regards
Saurabh Agrawal