From: C.G.Senthilkumar. <che...@cs...> - 2005-05-16 16:40:29

I have a similar problem. I want to update the existing rules without restarting Snort-inline. I know of no straight-forward solutions, but I hope people have some work-arounds for the time being. Please include me in any replies.

Thanks in advance,
Senthil.

--
Today's fortune: Johnny Carson's Definition: The smallest interval of time known to man is that which occurs in Manhattan between the traffic signal turning green and the taxi driver behind you blowing his horn.
From: verystrong@inwind.it <ver...@in...> - 2005-05-16 12:47:15

Hi, I have a problem with snort_inline's rules... I must create and apply rules while snort_inline is up. If I change rules while it is up there is no effect; I must restart it for them to take effect. How can I do this?

Thanks, sorry for my English.
From: Will M. <wil...@gm...> - 2005-05-13 15:41:58

And you are running in bridge mode and not NAT mode? If you start snort with -v instead of -D do you see any traffic?

Regards,

Will

On 5/13/05, Norwich University - Information Security <in...@no...> wrote:
> 2.6.x
>
> Will Metcalf wrote:
> > Are you using the 2.4.x series of kernel or 2.6.x?
> >
> > Regards,
> >
> > Will
> >
> > On 5/13/05, Norwich University - Information Security <in...@no...> wrote:
> >> I'm starting snort with...
> >>
> >> snort -QD -c /etc/snort/snort.conf -l /var/log/snort_inline
From: Norwich U. - I. S. <in...@no...> - 2005-05-13 15:32:48

2.6.x

Will Metcalf wrote:
> Are you using the 2.4.x series of kernel or 2.6.x?
>
> Regards,
>
> Will
>
> On 5/13/05, Norwich University - Information Security <in...@no...> wrote:
>> I'm starting snort with...
>>
>> snort -QD -c /etc/snort/snort.conf -l /var/log/snort_inline
From: Will M. <wil...@gm...> - 2005-05-13 15:25:31

Are you using the 2.4.x series of kernel or 2.6.x?

Regards,

Will

On 5/13/05, Norwich University - Information Security <in...@no...> wrote:
> I'm starting snort with...
>
> snort -QD -c /etc/snort/snort.conf -l /var/log/snort_inline
>
> Will Metcalf wrote:
> >>'cat /proc/sys/net/ipv4/ip_forward' shows a 1
> >
> > if you are bridging traffic, this should be set to 0.
> >
> > what are you passing to snort on the command line?
> >
> > Regards,
> >
> > Will
From: Norwich U. - I. S. <in...@no...> - 2005-05-13 15:16:16

I'm starting snort with...

snort -QD -c /etc/snort/snort.conf -l /var/log/snort_inline

Will Metcalf wrote:
>>'cat /proc/sys/net/ipv4/ip_forward' shows a 1
>
> if you are bridging traffic, this should be set to 0.
>
> what are you passing to snort on the command line?
>
> Regards,
>
> Will
From: Will M. <wil...@gm...> - 2005-05-12 22:21:05

>'cat /proc/sys/net/ipv4/ip_forward' shows a 1

if you are bridging traffic, this should be set to 0.

what are you passing to snort on the command line?

Regards,

Will

On 5/12/05, Norwich University - Information Security <in...@no...> wrote:
> Hi,
>
> I'm setting up/testing snort inline like so...
>
> PC ---x----(snort_inline)--------network
>
> (yes that's a x-over cable)
>
> Bridging seems to work. Output from 'snort -Qvc <configuration file>'
> shows headers so iptables should be sending traffic to the QUEUE and
> snort should be seeing it.
>
> 'cat /proc/sys/net/ipv4/ip_forward' shows a 1
>
> I'm just using a simple iptables script for testing...
>
> [script as in the original message below]
>
> I must be missing something though, because no traffic is getting
> through from the PC. If I remove $IPTABLES -A FORWARD -j QUEUE from the
> iptables script it works (obviously). To my untrained eye it looks like
> the traffic is getting stuck (for the lack of a better word) in QUEUE.
>
> What am i missing?
>
> Jason
From: Norwich U. - I. S. <in...@no...> - 2005-05-12 20:25:42

Hi,

I'm setting up/testing snort inline like so...

PC ---x----(snort_inline)--------network

(yes that's a x-over cable)

Bridging seems to work. Output from 'snort -Qvc <configuration file>' shows headers so iptables should be sending traffic to the QUEUE and snort should be seeing it.

'cat /proc/sys/net/ipv4/ip_forward' shows a 1

I'm just using a simple iptables script for testing...

    $IPTABLES -F
    $IPTABLES -X
    $IPTABLES -P FORWARD ACCEPT
    $IPTABLES -P INPUT ACCEPT
    $IPTABLES -P OUTPUT ACCEPT
    $IPTABLES -A INPUT -s 127.0.0.1 -j ACCEPT
    $IPTABLES -A OUTPUT -d 127.0.0.1 -j ACCEPT

    $IPTABLES -N ssh-allowed-in
    $IPTABLES -F ssh-allowed-in
    $IPTABLES -A ssh-allowed-in --proto tcp --destination-port ssh -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPTABLES -A ssh-allowed-in --proto tcp --source-port ssh -m state --state NEW,ESTABLISHED -j ACCEPT

    $IPTABLES -N ssh-allowed-out
    $IPTABLES -F ssh-allowed-out
    $IPTABLES -A ssh-allowed-out --proto tcp --destination-port ssh -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPTABLES -A ssh-allowed-out --proto tcp --source-port ssh -m state --state NEW,ESTABLISHED -j ACCEPT

    $IPTABLES -A INPUT -j ssh-allowed-in
    $IPTABLES -A FORWARD -j QUEUE
    $IPTABLES -A OUTPUT -j ssh-allowed-out

And in my snort.conf I'm just using any/any right now...

    var HOME_NET any
    var EXTERNAL_NET any

And I'm NOT loading any rules.

I thought if I did not load any rules traffic would enter the FORWARD chain and be sent to QUEUE. Since no rules are loaded nothing should be dropping packets and the traffic should be allowed out.

I must be missing something though, because no traffic is getting through from the PC. If I remove $IPTABLES -A FORWARD -j QUEUE from the iptables script it works (obviously). To my untrained eye it looks like the traffic is getting stuck (for the lack of a better word) in QUEUE.

What am i missing?

Jason
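The checks Will is driving at in this thread, as an added example that is not part of the thread or of the snort_inline project: a small shell script that verifies ip_forward is 0 and the ip_queue module is loaded before anything is handed to QUEUE, and prints the bridge and iptables layout it would apply. The interface and bridge names, the /sbin/iptables path and the overridable /proc paths are assumptions; the snort command line is the one Jason posted, with -v in place of -D as suggested.

```shell
#!/bin/sh
# Added example, not from the thread or the snort_inline project: pre-flight
# checks and an iptables layout for a snort_inline transparent bridge on a
# 2.6 kernel using the ip_queue module. File paths and the iptables binary are
# overridable through environment variables (an assumption made so the checks
# can be exercised without root); bridge and interface names are assumed.
PROC_IP_FORWARD="${PROC_IP_FORWARD:-/proc/sys/net/ipv4/ip_forward}"
PROC_MODULES="${PROC_MODULES:-/proc/modules}"
IPTABLES="${IPTABLES:-/sbin/iptables}"
BRIDGE="${BRIDGE:-br0}"
INSIDE_IF="${INSIDE_IF:-eth0}"
OUTSIDE_IF="${OUTSIDE_IF:-eth1}"

# A bridge forwards frames at layer 2; IP forwarding must be off so the box
# does not also try to route the same packet. Argument: path of the sysctl.
check_ip_forward() {
    [ "$(cat "$1")" = "0" ]
}

# The QUEUE target hands packets to userspace through ip_queue. If the module
# is missing, or no process has the queue open, queued packets are dropped and
# the bridge looks "stuck" exactly as described above. Argument: /proc/modules.
check_ip_queue() {
    grep -q '^ip_queue[[:space:]]' "$1"
}

# Returns 0 only when both checks pass; reports what is wrong on stderr.
preflight() {
    rc=0
    check_ip_forward "$PROC_IP_FORWARD" || { echo "ip_forward is not 0" >&2; rc=1; }
    check_ip_queue "$PROC_MODULES" || { echo "ip_queue not loaded (modprobe ip_queue)" >&2; rc=1; }
    return $rc
}

# Bridge setup (bridge-utils of the period); printed rather than executed.
emit_bridge_setup() {
    cat <<EOF
brctl addbr $BRIDGE
brctl addif $BRIDGE $INSIDE_IF
brctl addif $BRIDGE $OUTSIDE_IF
ifconfig $INSIDE_IF 0.0.0.0 up
ifconfig $OUTSIDE_IF 0.0.0.0 up
ifconfig $BRIDGE up
EOF
}

# Firewall layout: loopback and ssh to the sensor itself are accepted, and only
# bridged (FORWARD) traffic goes to QUEUE for snort to verdict.
emit_rules() {
    cat <<EOF
$IPTABLES -F
$IPTABLES -X
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -j QUEUE
EOF
}

# Start snort in the foreground with -v first, as suggested in the thread, so
# queued packets are visibly reaching it; daemonise with -D only after that.
emit_snort_start() {
    echo "snort -Q -v -c /etc/snort/snort.conf -l /var/log/snort_inline"
}

# Run "SNORT_INLINE_APPLY=1 sh this_script.sh" as root to apply the commands;
# without the variable the script only defines the functions above.
if [ -n "$SNORT_INLINE_APPLY" ]; then
    preflight || exit 1
    emit_bridge_setup | sh
    emit_rules | sh
    emit_snort_start
fi
```

If preflight passes and the QUEUE rule still blackholes traffic, the remaining suspect is the consumer: ip_queue drops every packet when nobody is listening, so the QUEUE rule should go in only once the snort process started with -Q is running, and watching it in the foreground with -v shows whether the packets are arriving at all.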
From: Will M. <wil...@gm...> - 2005-05-12 20:22:06

Check out the README.INLINE in the source or...

Snort users manual
http://www.snort.org/docs/snort_htmanuals/htmanual_233/

or maybe....
http://www.honeynet.org.es/papers/honeywall/

On 5/12/05, Norwich University - Information Security <in...@no...> wrote:
> Hi,
>
> I'm looking to setup a snort-inline box, but I'm having some trouble
> locating any install documentation. Could someone point me in the right
> direction?
>
> Jason
From: Norwich U. - I. S. <in...@no...> - 2005-05-12 14:26:26

Hi,

I'm looking to set up a snort-inline box, but I'm having some trouble locating any install documentation. Could someone point me in the right direction?

Jason

--
@XXXXXX{========================>
Jason Wallace
Chief Information Security Officer
Norwich University
http://www.norwich.edu
From: christopher <ch...@sy...> - 2005-05-06 02:05:39

thanks will for the reply, actually i am using the inline mode of snort + the convert.sh from snort_inline to convert all rules to drop.

i am sending everything in FORWARD to QUEUE (iptables -A FORWARD -j QUEUE)

On Wed, 2005-05-04 at 07:43 -0500, Will Metcalf wrote:
> Need more information about your setup. Did you convert the cyberkit
> rule to a drop rule? What traffic are you sending to the QUEUE target
> if any? What parameters are you starting snort_inline with? What
> version of snort_inline are you using?
>
> Regards,
>
> Will
>
> On 5/4/05, christopher <ch...@sy...> wrote:
> > hey guys,
> >
> > i am currently using snort + inline mode for my IPS which is running in
> > bridging mode in front of my firewall and behind my router.
> >
> > [rest of the original question quoted; see the message below]

--
Christopher Chong Chew Vun
Enterprise Deployment Team
SYNCHROWEB TECHNOLOGY SDN BHD (670983D)
Unit No. CT-05-12, 5th Floor Corporate Tower, Subang Square, Jln SS 15/4G
Subang Jaya, Selangor D. Ehsan, Malaysia.
T. +[60]3 5621 9028 F. +[60]3 5621 8802 HP. +[60]12 3247432
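The two things Will asks about, as an added example that is not part of the thread or of the snort_inline project: converting alert rules to drop rules (assumed here to be the plain prefix substitution that convert.sh is used for above) and reading the iptables counters to see whether the ping is reaching QUEUE at all. If the QUEUE packet counter stays flat while the ping still arrives at PC2, snort never sees the packet and no rule, drop or alert, can stop it. The sample rules and the sample iptables output are constructed for the example; the sid numbers and rule paths are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or the snort_inline project: rule action
# conversion plus a check of the QUEUE counter in the FORWARD chain.

# Rewrite only rule lines that start with "alert"; pass/log rules and comment
# lines are left alone. Reads a rules file on stdin, writes the converted file.
convert_to_drop() {
    sed 's/^alert /drop /'
}

# Count rule actions in a rules file read on stdin; prints "drop=N alert=M".
count_actions() {
    awk '/^drop /{d++} /^alert /{a++} END{printf "drop=%d alert=%d\n", d+0, a+0}'
}

# Extract the packet counter of the QUEUE rule from "iptables -vnxL FORWARD"
# output on stdin (third column is the target). Prints 0 when there is none.
queue_pkts() {
    awk '$3=="QUEUE"{n=$1} END{print n+0}'
}

# Constructed sample rules (not from the thread): one ICMP alert rule, one pass
# rule and a comment, so the selectivity of the conversion is visible.
SAMPLE_RULES='# local.rules (constructed sample)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING CyberKit"; itype:8; sid:1000001; rev:1;)
pass tcp any any -> any 22 (msg:"ssh allowed"; sid:1000002; rev:1;)
'

# Constructed "iptables -vnxL FORWARD" output (not real counters), as it would
# look after 120 packets had been handed to the queue.
SAMPLE_COUNTERS='Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
     120     9600 QUEUE      all  --  *      *       0.0.0.0/0            0.0.0.0/0
'

# Typical use on the sensor (paths assumed):
#   convert_to_drop < /etc/snort/rules/local.rules > /etc/snort/rules/local-drop.rules
#   iptables -vnxL FORWARD | queue_pkts      # run before and after the test ping
demo() {
    printf '%s' "$SAMPLE_RULES" | convert_to_drop | count_actions
    printf '%s' "$SAMPLE_COUNTERS" | queue_pkts
}
```

Run the counter check twice around a single ping from PC1: a rising QUEUE count with the ping still getting through points at the snort side (not started with -Q, or loading the original alert rules instead of the converted file); a flat count points at the iptables or bridge side.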
From: Ken H. <ke...@ac...> - 2005-05-04 12:09:48

Victor,

DansGuardian is only "free" for personal use. Does this DG modification have any licensing restrictions?

-----Original Message-----
From: Victor Julien [mailto:vi...@nk...]
Sent: Wednesday, May 04, 2005 6:37 PM
To: Ken Hilliard
Cc: sno...@li...
Subject: Re: [Snort-inline-users] General anti-virus capabilities

Ken Hilliard wrote:
> Thanks, Victor for your frank info. I agree with you about layered
> security as well. I will install the software and do a little testing.
> BTW: do you have any recommendation about any open source HTTP
> proxy/virus scanner? I'm going to check out SquidSafe but would like to
> know what people in the Linux community are using.

I currently use: http://sourceforge.net/projects/dgav/

It is a modification of DansGuardian which adds AV scanning using ClamAV to it, but i believe it can support some other scanners as well.

Regards,
Victor
From: Victor J. <vi...@nk...> - 2005-05-04 11:37:11

Ken Hilliard wrote:
> Thanks, Victor for your frank info. I agree with you about layered
> security as well. I will install the software and do a little testing.
> BTW: do you have any recommendation about any open source HTTP
> proxy/virus scanner? I'm going to check out SquidSafe but would like to
> know what people in the Linux community are using.

I currently use: http://sourceforge.net/projects/dgav/

It is a modification of DansGuardian which adds AV scanning using ClamAV to it, but i believe it can support some other scanners as well.

Regards,
Victor
From: Ken H. <ke...@ac...> - 2005-05-04 11:27:09

Thanks, Victor for your frank info. I agree with you about layered security as well. I will install the software and do a little testing. BTW: do you have any recommendation about any open source HTTP proxy/virus scanner? I'm going to check out SquidSafe but would like to know what people in the Linux community are using.

-----Original Message-----
From: sno...@li... [mailto:sno...@li...] On Behalf Of Victor Julien
Sent: Wednesday, May 04, 2005 4:13 PM
To: Ken Hilliard
Cc: sno...@li...
Subject: Re: [Snort-inline-users] General anti-virus capabilities

Ken Hilliard wrote:
> I found your project on the ClamAV website. What I'd like to know is
> what are the general limitations using this type of scheme for
> anti-virus protection for LAN workstations behind the firewall? [...]
> Secondly, is the current inline snort version suitable for production use?

Hi Ken,

The ClamAV preprocessor in Snort is not a replacement for a HTTP Proxy Scanner or an AV SMTP Gateway. Due to the nature of the scanner, we scan only raw and incomplete data. So there is no MIME decoding, unzipping, or any other preprocessing of the data. Still, i can catch (and block) viruses in MSN, SMB, IMAP, POP3, FTP, HTTP. Maybe not all of them, but i see it as an extra layer of protection.

Regards,
Victor
From: christopher <ch...@sy...> - 2005-05-04 10:33:00

hey guys,

i am currently using snort + inline mode for my IPS which is running in bridging mode in front of my firewall and behind my router.

my snort + inline seems to be able to capture data which matches the rules and log under /snort/alert + i am using BASE for the GUI.

but i am wondering whether the drop of packets is actually active or not, since i am testing point to point between PCs through the bridging IPS (i test via cyberkit icmp). i use cyberkit from PC1 to ping PC2; i can see the log displayed in the alert but the traffic still goes through to PC2.

PC1------IPS-------PC2

cyberkit--------->PC2

any guide here? thanks
From: Victor J. <vi...@nk...> - 2005-05-04 09:12:59

Ken Hilliard wrote:
> I found your project on the ClamAV website. What I'd like to know is
> what are the general limitations using this type of scheme for
> anti-virus protection for LAN workstations behind the firewall? For
> example, when using a web proxy anti-virus solution the software must
> completely buffer long web file downloads before it can do virus
> scanning. I don't see how this could be done using iptables where you
> have to "vote" on a packet-by-packet basis. Secondly, is the current
> inline snort version suitable for production use?

Hi Ken,

The ClamAV preprocessor in Snort is not a replacement for a HTTP Proxy Scanner or an AV SMTP Gateway. Due to the nature of the scanner, we scan only raw and incomplete data. So there is no MIME decoding, unzipping, or any other preprocessing of the data. Still, i can catch (and block) viruses in MSN, SMB, IMAP, POP3, FTP, HTTP. Maybe not all of them, but i see it as an extra layer of protection.

Regards,
Victor
From: christopher <ch...@sy...> - 2005-05-04 06:06:02

Dear Ken,

snort_inline is certainly suitable for production use. it is just a matter of the rules updates, which you need to purchase from Snort.

On Tue, 2005-05-03 at 21:53 +0700, Ken Hilliard wrote:
> I found your project on the ClamAV website. What I'd like to know is
> what are the general limitations using this type of scheme for anti-
> virus protection for LAN workstations behind the firewall? For
> example, when using a web proxy anti-virus solution the software must
> completely buffer long web file downloads before it can do virus
> scanning. I don't see how this could be done using iptables where you
> have to "vote" on a packet-by-packet basis. Secondly, is the current
> inline snort version suitable for production use?
>
> Thx, Ken

--
Christopher Chong Chew Vun
Enterprise Deployment Team
SYNCHROWEB TECHNOLOGY SDN BHD (670983D)
Unit No. CT-05-12, 5th Floor Corporate Tower, Subang Square, Jln SS 15/4G
Subang Jaya, Selangor D. Ehsan, Malaysia.
T. +[60]3 5621 9028 F. +[60]3 5621 8802 HP. +[60]12 3247432
From: Ken H. <ke...@ac...> - 2005-05-04 05:55:04
|
I found your project on the ClamAV website. What I'd like to know is what are the general limitations using this type of scheme for anti-virus protection for LAN workstations behind the firewall? For example, when using a web proxy anti-virus solution the software must completely buffer long web file downloads before it can do virus scanning. I don't see how this could be done using iptables where you have to "vote" on a packet-by-packet basis. Secondly, is the current inline snort version suitable for production use?

Thx, Ken
|
From: Will M. <wil...@gm...> - 2005-04-25 19:12:45
|
List,

I'll add this fix into the 2.3.3 release; sorry it is taking so long for us to get a release out. Victor and I are both very busy with our real jobs; in addition to this we are doing some major reworking of the Reject code and stream4inline. Unless somebody wants to hire us to write snort-inline full time I'm afraid it might be like this for a while.

Regards,
Will

On 4/25/05, Bill Warren <bw...@op...> wrote:
> I also had to add that file. I am using snort 2.3.2 from the tar file
> not the inline tar file.
>
> Will Metcalf wrote:
>
> >Anybody else having this problem?
> >
> >Regards,
> >
> >Will
> >
> >On 4/19/05, Olivier BONHOMME <oli...@b2...> wrote:
> >
> >>Hello everybody,
> >>
> >>I had a problem about compiling this C file: EINTR was undeclared. I
> >>have to add manually the include <errno.h> in the code.
> >>
> >>Is that normal?
> >>
> >>Best regards,
> >>Olivier BONHOMME
> >>
> >>-------------------------------------------------------
> >>This SF.Net email is sponsored by: New Crystal Reports XI.
> >>Version 11 adds new functionality designed to reduce time involved in
> >>creating, integrating, and deploying reporting solutions. Free runtime info,
> >>new features, or free trial, at: http://www.businessobjects.com/devxi/728
> >>_______________________________________________
> >>Snort-inline-users mailing list
> >>Sno...@li...
> >>https://lists.sourceforge.net/lists/listinfo/snort-inline-users
|
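The compile error quoted above comes from using `EINTR` without the header that declares it. As an added illustration (not code from snort_inline or from anyone on this list), here is the usual pattern that needs `errno.h`: a read wrapper that restarts `read()` when a signal interrupts it instead of treating the interruption as a failure, plus a self-check that pushes a constructed message through a pipe. The function names are mine, not the project's.

```c
#include <errno.h>   /* declares EINTR; without it the symbol is undeclared */
#include <unistd.h>
#include <stdio.h>
#include <string.h>

/* Read up to n bytes from fd, stopping early only at EOF. A read() that
 * fails with errno == EINTR (interrupted by a signal) is simply retried.
 * Returns the number of bytes read, or -1 on a genuine error. */
ssize_t read_retry_eintr(int fd, void *buf, size_t n)
{
    size_t done = 0;
    while (done < n) {
        ssize_t r = read(fd, (char *)buf + done, n - done);
        if (r < 0) {
            if (errno == EINTR)
                continue;       /* interrupted by a signal: try again */
            return -1;          /* real error: report it */
        }
        if (r == 0)
            break;              /* EOF */
        done += (size_t)r;
    }
    return (ssize_t)done;
}

/* Self-check: write a constructed message into a pipe and read it back
 * through the wrapper. Returns 1 if the bytes round-trip intact, else 0. */
int pipe_roundtrip_ok(void)
{
    int fds[2];
    const char msg[] = "constructed payload";
    char buf[sizeof msg];

    if (pipe(fds) != 0)
        return 0;
    if (write(fds[1], msg, sizeof msg) != (ssize_t)sizeof msg)
        return 0;
    close(fds[1]);                      /* writer closed: reader will see EOF */
    ssize_t got = read_retry_eintr(fds[0], buf, sizeof buf);
    close(fds[0]);
    return got == (ssize_t)sizeof msg && memcmp(buf, msg, sizeof msg) == 0;
}

int main(void)
{
    printf("pipe round-trip: %s\n", pipe_roundtrip_ok() ? "ok" : "FAILED");
    return 0;
}
```

On some systems `errno.h` is pulled in indirectly by another header, which is why a file can compile on one platform and fail with "EINTR undeclared" on another; including it explicitly is the portable fix.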
From: Bill W. <bw...@op...> - 2005-04-25 16:59:45
|
I also had to add that file. I am using snort 2.3.2 from the tar file not the inline tar file.

Will Metcalf wrote:
>Anybody else having this problem?
>
>Regards,
>
>Will
>
>On 4/19/05, Olivier BONHOMME <oli...@b2...> wrote:
>
>>Hello everybody,
>>
>>I had a problem about compiling this C file: EINTR was undeclared. I
>>have to add manually the include <errno.h> in the code.
>>
>>Is that normal?
>>
>>Best regards,
>>Olivier BONHOMME
|
From: Nick R. <ni...@ro...> - 2005-04-25 04:30:53
|
On Sun, 24 Apr 2005, C.G.Senthilkumar. wrote:
>
> Hi,
> I'm trying to install snort_inline-2.2.0a on FreeBSD 4.10 based on

2.2.0a had some misplaced #ifdefs. You have two options:

- Build, Compile, Run snort_inline-2.3.0-RC1 instead
OR
- Apply the patches I submitted to this list for 2.2.0a to work properly.

> the instructions at:
> http://freebsd.rogness.net/snort_inline/
>
> I get a compilation error. The error messages are attached at the
> end of this e-mail. I have pkg_add'ed libnet-1.0.2a,1.tgz.
> ./configure --enable-inline --enable-ipfw
> went through without any complaints.
>
> Any clues on how to resolve this issue.
> Any help will be highly appreciated.
>
> Thanks in advance.
> Senthil.
>
> Error Message from make
> -----------------------
> decode.c: In function `DecodeIP':
> decode.c:2008: structure has no member named `log_bad_checksums'
> decode.c: In function `DecodeTCP':
> decode.c:2395: structure has no member named `log_bad_checksums'
> decode.c: In function `DecodeUDP':
> decode.c:2588: structure has no member named `log_bad_checksums'
> decode.c: In function `DecodeICMP':
> decode.c:2777: structure has no member named `log_bad_checksums'
> *** Error code 1
>
> Stop in /users/cheetanc/tmp/snort_inline-2.2.0a/src.
> *** Error code 1
>
> Stop in /users/cheetanc/tmp/snort_inline-2.2.0a/src.
> *** Error code 1
>
> Stop in /users/cheetanc/tmp/snort_inline-2.2.0a.
> *** Error code 1
>
> Stop in /users/cheetanc/tmp/snort_inline-2.2.0a.
>

Nick Rogness <ni...@ro...>
- How many people here have telekenetic powers? Raise my hand. -Emo Philips
|
From: C.G.Senthilkumar. <che...@cs...> - 2005-04-25 02:22:53
|
Hi,

I'm trying to install snort_inline-2.2.0a on FreeBSD 4.10 based on the instructions at:
http://freebsd.rogness.net/snort_inline/

I get a compilation error. The error messages are attached at the end of this e-mail. I have pkg_add'ed libnet-1.0.2a,1.tgz.
./configure --enable-inline --enable-ipfw
went through without any complaints.

Any clues on how to resolve this issue. Any help will be highly appreciated.

Thanks in advance.
Senthil.

Error Message from make
-----------------------
decode.c: In function `DecodeIP':
decode.c:2008: structure has no member named `log_bad_checksums'
decode.c: In function `DecodeTCP':
decode.c:2395: structure has no member named `log_bad_checksums'
decode.c: In function `DecodeUDP':
decode.c:2588: structure has no member named `log_bad_checksums'
decode.c: In function `DecodeICMP':
decode.c:2777: structure has no member named `log_bad_checksums'
*** Error code 1

Stop in /users/cheetanc/tmp/snort_inline-2.2.0a/src.
*** Error code 1

Stop in /users/cheetanc/tmp/snort_inline-2.2.0a/src.
*** Error code 1

Stop in /users/cheetanc/tmp/snort_inline-2.2.0a.
*** Error code 1

Stop in /users/cheetanc/tmp/snort_inline-2.2.0a.
|
From: Adayadil T. <ada...@gm...> - 2005-04-20 20:30:35
|
Greetings.

Is there a reason for keeping the window size 7000 bytes?

Thanks
|
From: <dra...@gf...> - 2005-04-20 14:38:32
|
Hi,

snort is not a replacement for smtp filtering so it's normal; it can block viruses in http, ftp... eicar signature is updated and sometimes it isn't detected. For testing purposes you can try downloading real viruses from www.gfos.hr/~dragovic/nest

Regards,
Dino Dragovic

> Hello again,
>
> I would want to know if it is normal that real viruses are not detected
> when they are sent as an email attachment. But the virus is detected
> with FTP, HTTP and IRC.
>
> For information: EICAR virus is detected only with IRC DCC File transfer
>
> Best Regards,
> Olivier BONHOMME
>
|
From: Olivier B. <obo...@ne...> - 2005-04-20 13:08:51
|
Hello again,

I would want to know if it is normal that real viruses are not detected when they are sent as an email attachment. But the virus is detected with FTP, HTTP and IRC.

For information: EICAR virus is detected only with IRC DCC File transfer

Best Regards,
Olivier BONHOMME
|