From: Nick R. <ni...@ro...> - 2005-03-16 19:54:16

On Tue, 8 Mar 2005, alfa wrote:
> Hi,
>
> I am a newbie, I just installed snort_inline with support of ipfw and
> clamav on FreeBSD 4.10. It seems to run well, but when I try to
> download the eicar test file, it passes through.

Will & Victor have verified that the problem is not with snort_inline, but rather with the ClamAV signature. I believe the same should be the case even for the FreeBSD snort_inline. Basically, once it is out of the kernel (from divert), it follows the same path as the Linux snort_inline.

Cheers,
Nick Rogness <ni...@ro...>
- How many people here have telekinetic powers? Raise my hand. -Emo Philips
From: Alex M. <ale...@ya...> - 2005-03-15 16:19:19

Please remove my name from your list.
ale...@ya...

Thanks,
Alex

--- Mohamed Berzig <mb...@gm...> wrote:
> small problem: I can always download viruses via HTTP whereas I have
> configured the "preprocessor clamav" well, does somebody have an idea on
> my problem?
> Here is my configuration of snort_inline:
> [...]
>
> -------------------------------------------------------
> SF email is sponsored by - The IT Product Guide
> Read honest & candid reviews on hundreds of IT Products from real users.
> Discover which products truly live up to the hype. Start reading now.
> http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click
> _______________________________________________
> Snort-inline-users mailing list
> Sno...@li...
> https://lists.sourceforge.net/lists/listinfo/snort-inline-users
From: <bw...@op...> - 2005-03-15 15:27:39

I am wanting to use it in bridge-mode.

> Bill wrote:
>
>> Is anybody using a stock Debian kernel with Snort-Inline? I am using
>> Sarge and not having any luck. Does anybody have a different apt-get
>> source? Thanks,
>
> With a 2.4 kernel you will of course require the bridge-netfilter patch
> (e.g. ebtables-brnf-3_vs_2.4.23.diff.gz), which means Debian's stock
> kernels are out. This stuff is native to the 2.6 kernels though,
> including Debian's stock kernels.
>
> - Raz
From: Victor J. <vi...@nk...> - 2005-03-15 15:17:25

On Tuesday 15 March 2005 16:13, Roland Turner (SourceForge) wrote:
> Bill wrote:
> > Is anybody using a stock Debian kernel with Snort-Inline? I am using
> > Sarge and not having any luck. Does anybody have a different apt-get
> > source? Thanks,
>
> With a 2.4 kernel you will of course require the bridge-netfilter patch
> (e.g. ebtables-brnf-3_vs_2.4.23.diff.gz), which means Debian's stock
> kernels are out. This stuff is native to the 2.6 kernels though, including
> Debian's stock kernels.

This is only true if you need to run in bridge-mode. Snort_inline can also run in NAT-mode. Then no patching is required for 2.4.

Regards,
Victor

> - Raz
From: Roland T. (SourceForge) <raz...@co...> - 2005-03-15 15:16:32

Eek! Think first, type second.

I wrote:
> With a 2.4 kernel you will of course require the bridge-netfilter patch
> (e.g. ebtables-brnf-3_vs_2.4.23.diff.gz), which means Debian's stock
> kernels are out. This stuff is native to the 2.6 kernels though,
> including Debian's stock kernels.

This advice only applies if you are bridging. If you are routing then, as Victor points out, the stock 2.4 kernels and ip_queue are all that you need.

- Raz
From: Roland T. (SourceForge) <raz...@co...> - 2005-03-15 15:13:27

Bill wrote:
> Is anybody using a stock Debian kernel with Snort-Inline? I am using
> Sarge and not having any luck. Does anybody have a different apt-get
> source? Thanks,

With a 2.4 kernel you will of course require the bridge-netfilter patch (e.g. ebtables-brnf-3_vs_2.4.23.diff.gz), which means Debian's stock kernels are out. This stuff is native to the 2.6 kernels though, including Debian's stock kernels.

- Raz
From: Victor J. <vi...@nk...> - 2005-03-15 15:11:03

On Tuesday 15 March 2005 16:01, bw...@op... wrote:
> Is anybody using a stock Debian kernel with Snort-Inline? I am using
> Sarge and not having any luck. Does anybody have a different apt-get source?
> Thanks,
> Bill

Which kernel are you using? I use kernel-image-2.4.26-1-686 without any problems. You can check using:

dpkg --list | grep kernel-image

and

uname -a

Is the ip_queue module loaded?

Regards,
Victor
From: <bw...@op...> - 2005-03-15 15:01:21

Is anybody using a stock Debian kernel with Snort-Inline? I am using Sarge and not having any luck. Does anybody have a different apt-get source?

Thanks,
Bill
From: Victor J. <vi...@nk...> - 2005-03-15 14:40:37

On Tuesday 15 March 2005 14:42, Mohamed Berzig wrote:
> Hello, I thank you for your answer. Indeed I have tested with the Sober
> virus and it was detected successfully. I did one test with a
> compressed file; the virus was not detected. Why this limitation,
> whereas libclamav makes it possible to detect viruses in
> compressed files?

The ClamAV preprocessor uses the cl_scanbuf function from libclamav. This function can only scan a raw data buffer for viruses. This buffer is not unpacked or preprocessed in any way. Furthermore, the data the ClamAV preprocessor feeds to cl_scanbuf is almost never a complete file, but most of the time a part of it, together with HTML data for example (this makes unpacking impossible).

The ClamAV preprocessor is not a replacement for an HTTP proxy that scans all downloaded files. The ClamAV preprocessor (hopefully) is able to detect viruses that can execute immediately in the browser, IM client or email client. At least that's how I use it :-)

In Snort_inline 2.3.2RC2 (hopefully out soon) we will introduce an option to also use cl_scandesc from libclamav. This should be able to detect some more viruses, but the problem of the partial and unclean buffer won't be fixed by it.

I hope this answers your question.

Regards,
Victor

> Cordially.
>
> On Mon, 14 Mar 2005 17:57:13 -0600, William Metcalf
> <Wil...@kc...> wrote:
> > If you are testing with eicar and clam.exe they won't do you any good.
> > The "problem" is with the signature in the ClamAV database for these two
> > test files. The signature for eicar and clam.exe is only triggered if
> > the signature is at the beginning of a file or in this case a buffer. If
> > you are downloading over the web, these signatures will not fire. Victor
> > and I tested this weekend to make sure we could still catch live virii
> > over port 80 and we could.
> >
> > Regards,
> >
> > Will
> >
> > Mohamed Berzig <mb...@gm...>
> > Sent by: sno...@li...
> > 03/14/2005 09:10 AM
> > To: sno...@li...
> > Subject: [Snort-inline-users] Snort_inline and ClamAV
> >
> > small problem: I can always download viruses via HTTP whereas I have
> > configured the "preprocessor clamav" well, does somebody have an idea on
> > my problem?
> > Here is my configuration of snort_inline:
> > [...]
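The three limits Victor and Will describe (a buffer that is scanned exactly as it arrives, a signature that only fires at offset 0, and data that is either gzip-compressed or split across TCP segments) can be illustrated with a small simulation. The following is an added example written for this page; it is not snort_inline or libclamav code. `scan_buffer()` is a stand-in for `cl_scanbuf` and `scan_file()` for a `cl_scandesc`-style scan of a saved file; `CONSTRUCTED_SIG` is a made-up byte string standing in for a signature (it is neither the EICAR string nor a real ClamAV signature), and the HTTP response and segment sizes are constructed inputs.

```python
"""Added example (not snort_inline or libclamav code): why a raw-buffer
scan of HTTP traffic misses what a whole-file scan catches.

Everything here is constructed for illustration:
- CONSTRUCTED_SIG stands in for a signature; it is neither the EICAR string
  nor a real ClamAV signature.
- scan_buffer() stands in for cl_scanbuf(): it sees only the bytes handed
  to it, with no HTTP parsing and no decompression.
- scan_file() stands in for a cl_scandesc-style scan of a complete file,
  which may unpack the file first.
"""
import gzip
from typing import Iterator, Optional

CONSTRUCTED_SIG = b"CONSTRUCTED-TEST-SIGNATURE-0123456789"   # 37 bytes


def scan_buffer(buf: bytes, anchored: bool) -> bool:
    """Raw buffer scan. An 'anchored' signature only matches at offset 0
    (the behaviour Will describes for the eicar/clam.exe signatures); an
    unanchored one matches anywhere in the buffer."""
    if anchored:
        return buf.startswith(CONSTRUCTED_SIG)
    return CONSTRUCTED_SIG in buf


def http_response(body: bytes, content_encoding: Optional[str] = None) -> bytes:
    """Constructed HTTP/1.1 response: what actually crosses the wire."""
    headers = [
        b"HTTP/1.1 200 OK",
        b"Content-Type: application/octet-stream",
        b"Content-Length: " + str(len(body)).encode(),
    ]
    if content_encoding:
        headers.append(b"Content-Encoding: " + content_encoding.encode())
    return b"\r\n".join(headers) + b"\r\n\r\n" + body


def segments(stream: bytes, mss: int) -> Iterator[bytes]:
    """Cut the byte stream into TCP-segment-sized payloads."""
    for off in range(0, len(stream), mss):
        yield stream[off:off + mss]


def scan_per_packet(stream: bytes, mss: int, anchored: bool = False) -> bool:
    """Scan each segment on its own: no stream reassembly."""
    return any(scan_buffer(seg, anchored) for seg in segments(stream, mss))


def scan_reassembled(stream: bytes, anchored: bool = False) -> bool:
    """Scan the reassembled stream as one buffer (headers still included)."""
    return scan_buffer(stream, anchored)


def scan_file(body: bytes, content_encoding: Optional[str] = None,
              anchored: bool = False) -> bool:
    """Whole-file scan: the saved body, decompressed when gzip-encoded."""
    data = gzip.decompress(body) if content_encoding == "gzip" else body
    return scan_buffer(data, anchored)


def demo() -> dict:
    """Run the cases discussed in the thread and return the verdicts."""
    payload = b"A" * 100 + CONSTRUCTED_SIG + b"B" * 100
    plain = http_response(payload)           # 80 bytes of headers + 237-byte body
    gz_body = gzip.compress(payload)
    gz = http_response(gz_body, "gzip")
    return {
        # Offset-0 signature: fires on the saved file, never on the HTTP stream
        "anchored_file": scan_file(CONSTRUCTED_SIG + b"\x00" * 16, anchored=True),
        "anchored_http_stream": scan_reassembled(plain, anchored=True),
        # Unanchored signature: fires on the reassembled stream ...
        "unanchored_reassembled": scan_reassembled(plain),
        # ... but the signature occupies offsets 180..216 and straddles the
        # 192-byte boundary when segments are 64 bytes, so per-packet
        # scanning misses it; with a 1460-byte MSS the stream is one segment.
        "unanchored_per_packet_mss64": scan_per_packet(plain, 64),
        "unanchored_per_packet_mss1460": scan_per_packet(plain, 1460),
        # gzip-encoded body: raw scan misses, whole-file scan with unpacking hits
        "gzip_raw_stream": scan_reassembled(gz),
        "gzip_file_unpacked": scan_file(gz_body, "gzip"),
    }


if __name__ == "__main__":
    for case, hit in demo().items():
        print(f"{case:32s} {'DETECTED' if hit else 'missed'}")
```

Running it prints one verdict per case. The two that explain the thread are the anchored signature, which fires on a saved file but never on the HTTP stream because the response headers come first, and the gzip case, which a raw buffer scan cannot see without unpacking. The per-packet case is why stream reassembly (stream4inline in the posted configuration) matters to any payload scanner.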
From: Mohamed B. <mb...@gm...> - 2005-03-15 13:42:34

Hello, I thank you for your answer. Indeed I have tested with the Sober virus and it was detected successfully. I did one test with a compressed file; the virus was not detected. Why this limitation, whereas libclamav makes it possible to detect viruses in compressed files?

Cordially.

On Mon, 14 Mar 2005 17:57:13 -0600, William Metcalf <Wil...@kc...> wrote:
> If you are testing with eicar and clam.exe they won't do you any good. The
> "problem" is with the signature in the ClamAV database for these two test
> files. The signature for eicar and clam.exe is only triggered if the
> signature is at the beginning of a file or in this case a buffer. If you are
> downloading over the web, these signatures will not fire. Victor and I
> tested this weekend to make sure we could still catch live virii over port
> 80 and we could.
>
> Regards,
>
> Will
>
> Mohamed Berzig <mb...@gm...>
> Sent by: sno...@li...
> 03/14/2005 09:10 AM
> To: sno...@li...
> Subject: [Snort-inline-users] Snort_inline and ClamAV
>
> small problem: I can always download viruses via HTTP whereas I have
> configured the "preprocessor clamav" well, does somebody have an idea on
> my problem?
> Here is my configuration of snort_inline:
> [...]
From: Mohamed B. <mb...@gm...> - 2005-03-14 23:48:57

Small problem: I can always download viruses via HTTP whereas I have configured the "preprocessor clamav" well. Does somebody have an idea on my problem?

Here is my configuration of snort_inline:

var HOME_NET any
var HONEYNET any
var EXTERNAL_NET any
var SMTP_SERVERS any
var TELNET_SERVERS any
var HTTP_SERVERS any
var SQL_SERVERS any

var HTTP_PORTS 80

var SHELLCODE_PORTS !80

var ORACLE_PORTS 1521

config checksum_mode: none

var RULE_PATH rules

config layer2resets

preprocessor stickydrop: max_entries 3000,log
preprocessor stickydrop-timeouts: sfportscan 3000, portscan2 3000, clamav 3000

preprocessor flow: stats_interval 0 hash 2

preprocessor stream4: disable_evasion_alerts, stream4inline, enforce_state, memcap 134217728, timeout 3600
preprocessor stream4_reassemble: both

preprocessor clamav: ports all !22 !443, action-drop, dbdir /usr/share/clamav, dbreload-time 43200

preprocessor http_inspect: global \
    iis_unicode_map unicode.map 1252

preprocessor http_inspect_server: server default \
    profile all ports { 80 8080 8180 } oversize_dir_length 500

preprocessor rpc_decode: 111 32771

preprocessor bo
preprocessor telnet_decode
preprocessor sfportscan: proto { all } \
    memcap { 10000000 } \
    sense_level { low }

include /etc/snort/classification.config
include /etc/snort/reference.config

include $RULE_PATH/exploit.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/telnet.rules
.
.
.

Here is my configuration of iptables:

iptables -A INPUT -p tcp --sport 80 -j QUEUE
iptables -A OUTPUT -p tcp --dport 80 -j QUEUE
From: Will M. <wil...@gm...> - 2005-03-14 21:53:19

autoreconf -f

Regards,
Will

On Mon, 14 Mar 2005 14:48:15 -0700, Ken Dyke <ke...@bo...> wrote:
> On Mon, Mar 14, 2005 at 01:51:28PM -0600, William Metcalf (Wil...@kc...) wrote:
> > I see what's wrong, I just don't have time to fix it right now. If you need
> > a quick fix, just hardcode your directory into configure.in and run
> > ./configure again.
> >
> > change the following line in configure.in
> >
> > libnet_dir="/usr/include /usr/local/include"
> >
> > to include the path to libnet.h
>
> /* output from grep of configure.in */
> snort-inline-2.2.0a:$ grep libnet_dir configure.in
> libnet_dir="/home/openwrt/buildroot/build_mipsel/staging_dir/mipsel-linux-uclibc/include"
> for i in $libnet_dir; do
> libnet_dir="${with_libnet_includes}"
> libnet_dir="/home/openwrt/buildroot/build_mipsel/staging_dir/mipsel-linux-uclibc/include"
> libnet_dir=`libnet-config --cflags | cut -dI -f2`
> for i in $libnet_dir; do
> FAIL_MESSAGE("libnet 1.0.2a (libnet.h)", $libnet_dir)
>
> /* output from grep of libnet.h */
> snort-inline-2.2.0a:$ grep LIBNET_VERSION /home/openwrt/buildroot/build_mipsel/staging_dir/mipsel-linux-uclibc/include/libnet.h
> #define LIBNET_VERSION "1.0.2a"
>
> Baffles me. :-/
> --
> I reason and act, therefore, ken_i_m
> "Doing my part to spread the free
> and open software (FOSS) memes".
From: Ken D. <ke...@bo...> - 2005-03-14 21:48:26

On Mon, Mar 14, 2005 at 01:51:28PM -0600, William Metcalf (Wil...@kc...) wrote:
> I see what's wrong, I just don't have time to fix it right now. If you need
> a quick fix, just hardcode your directory into configure.in and run
> ./configure again.
>
> change the following line in configure.in
>
> libnet_dir="/usr/include /usr/local/include"
>
> to include the path to libnet.h

/* output from grep of configure.in */
snort-inline-2.2.0a:$ grep libnet_dir configure.in
libnet_dir="/home/openwrt/buildroot/build_mipsel/staging_dir/mipsel-linux-uclibc/include"
for i in $libnet_dir; do
libnet_dir="${with_libnet_includes}"
libnet_dir="/home/openwrt/buildroot/build_mipsel/staging_dir/mipsel-linux-uclibc/include"
libnet_dir=`libnet-config --cflags | cut -dI -f2`
for i in $libnet_dir; do
FAIL_MESSAGE("libnet 1.0.2a (libnet.h)", $libnet_dir)

/* output from grep of libnet.h */
snort-inline-2.2.0a:$ grep LIBNET_VERSION /home/openwrt/buildroot/build_mipsel/staging_dir/mipsel-linux-uclibc/include/libnet.h
#define LIBNET_VERSION "1.0.2a"

Baffles me. :-/
--
I reason and act, therefore, ken_i_m
"Doing my part to spread the free
and open software (FOSS) memes".
From: Ken D. <ke...@bo...> - 2005-03-14 17:28:20

On Mon, Mar 14, 2005 at 10:48:48AM -0600, William Metcalf (Wil...@kc...) wrote:
> Works ok for me, what exactly are you passing to ./configure?

Here is the relevant section of the makefile:

$(SNORT_INLINE_DIR)/.configured: build_msg $(SNORT_INLINE_DIR)/.unpacked
	(cd $(SNORT_INLINE_DIR); rm -rf config.cache; \
	$(TARGET_CONFIGURE_OPTS) \
	CFLAGS="$(TARGET_CFLAGS)" \
	./configure \
	--target=$(GNU_TARGET_NAME) \
	--host=$(GNU_TARGET_NAME) \
	--build=$(GNU_HOST_NAME) \
	--prefix=/usr \
	--exec-prefix=/usr \
	--bindir=/usr/bin \
	--sbindir=/usr/sbin \
	--libexecdir=/usr/lib \
	--sysconfdir=/etc \
	--datadir=/usr/share \
	--localstatedir=/var \
	--mandir=/usr/man \
	--infodir=/usr/info \
	--program-prefix="" \
	--enable-flexresp \
	--enable-pthread \
	--with-libipq-includes=$(STAGING_DIR)/usr/include/libipq/ \
	--with-libipq-librairies=$(STAGING_DIR)/include/ \
	--with-libnet-includes=$(STAGING_DIR)/usr/include/ \
	--with-libnet-librairies=$(STAGING_DIR)/usr/lib/ \
	);

/* various variables used in above */
BASE_DIR:=${shell pwd}
BUILD_DIR:=$(BASE_DIR)/build_$(ARCH)$(ARCH_FPU_SUFFIX)
STAGING_DIR=$(BUILD_DIR)/staging_dir
TARGET_PATH=$(STAGING_DIR)/bin:/bin:/sbin:/usr/bin:/usr/sbin
TARGET_CONFIGURE_OPTS=PATH=$(TARGET_PATH)
TARGET_OPTIMIZATION=-Os -mips2
TARGET_DEBUGGING= #-g
TARGET_CFLAGS=$(TARGET_OPTIMIZATION) $(TARGET_DEBUGGING)
ARCH:=mipsel
OPTIMIZE_FOR_CPU=$(ARCH)
GNU_TARGET_NAME=$(OPTIMIZE_FOR_CPU)-linux
SNORT_INLINE_DIR:=$(BUILD_DIR)/snort_inline-2.2.0a

--
I reason and act, therefore, ken_i_m
"Doing my part to spread the free
and open software (FOSS) memes".
From: Ken D. <ke...@bo...> - 2005-03-14 16:13:58

On Mon, Mar 14, 2005 at 10:03:32AM -0600, William Metcalf (Wil...@kc...) wrote:
> which version of snort-inline are you using?

snort_inline-2.2.0a

Oops, should have had that info in the original post.
--
I reason and act, therefore, ken_i_m
"Doing my part to spread the free
and open software (FOSS) memes".
From: Ken D. <ke...@bo...> - 2005-03-13 21:23:43

Hi,

I am doing a cross-compile for mips using the current cvs of openwrt. I have been resolving issues up until now. :-/

The configure detects the pcre, libipq, then fails to detect libnet.h.

/* some configure parameters */
--with-libipq-includes=$(STAGING_DIR)/usr/include/libipq/ \
--with-libipq-librairies=$(STAGING_DIR)/include/ \
--with-libnet-includes=$(STAGING_DIR)/usr/include/ \
--with-libnet-librairies=$(STAGING_DIR)/usr/lib/
/* end configure parameters */

Installed libnet-1.0.2a.tar.gz

I am not a programmer but looking at the strace output (and configure) it looks like the libnet.h location is hardcoded (/usr/include/libnet.h & /usr/local/include/libnet.h) and it is ignoring the --with-libnet-includes parameter that I am passing it.

Help greatly appreciated.

Thanks in advance,
--
I reason and act, therefore, ken_i_m
Chief Gadgeteer, Elegant Innovations
Founder, Bozeman Linux Users Group
(406) 581-0495
From: Will M. <wil...@gm...> - 2005-03-12 23:28:15

List,

The nice folks over at Syngress are sending Victor and me a copy of a new book, Intrusion Prevention and Active Response.

http://www.syngress.com/catalog/?pid=3240

Judging by the author list and the TOC it should be a good read. Chapter 8 is dedicated to deploying open source IPS solutions such as snort-inline. Michael Rash of FWSNORT and PSAD fame is one of the authors. In addition to the distinguished list of authors, technical editing was done by fyodor. If you don't know who fyodor is, stop reading this e-mail, run don't walk to your favorite bookstore and buy a book on network security... any book ;-)

Regards,
Will
From: Will M. <wil...@gm...> - 2005-03-12 22:47:16

It seems as if the Clam guys updated the signature database with a new definition for Eicar, and it is no longer detected in the same manner. I was wrong about Clam being broken, as it still seems to pick up other virii ok. In addition, it appears as if Victor thinks he has figured out a way to scan file descriptors via writing packet contents to tmp files. We actually should be able to detect more virii using this method.

Regards,
Will
From: Will M. <wil...@gm...> - 2005-03-12 22:16:39

> I'm new to the project and it's not clear to me what are the differences
> between snort and snort-inline.

When the snort.org guys decided to integrate our code, we decided to keep this project going to implement bleeding edge features such as the clamav preproc, the stickydrop preproc, and stream4 for InlineMode();

> Am i correct to assume that most features are integrated in snort-2.3.0?

Sans the features I mentioned above ;-)

> how often do you guys plan to sync up with the snort "official" releases?

Don't know, I guess I should discuss this with Marty....

Regards,
Will

On Mon, 07 Mar 2005 22:40:46 -0800, Florin Andrei <fl...@an...> wrote:
> I'm new to the project and it's not clear to me what are the differences
> between snort and snort-inline.
> Am i correct to assume that most features are integrated in snort-2.3.0?
> If yes, what are those few features only present in snort-inline? And
> how often do you guys plan to sync up with the snort "official"
> releases? Thanks,
>
> --
> Florin Andrei
>
> http://florin.myip.org/
From: Will M. <wil...@gm...> - 2005-03-12 22:10:59

> 1. I know for inline we have to use the snort_inline.conf. But why is the
> snort.conf also in the /etc/ directory when you unpack snort_inline?

snort_inline is a patch to the vanilla snort code, we don't remove any files from the original source, just add/modify them.

> What do we need that for?

see above...

> I'm guessing we can run two instances of snort, and
> reference snort_inline.conf for the blocking ruleset, and reference the 2nd
> instance of snort for alerting or traffic sniffing (for honeynet) purposes?

yeah you can.

> But if this is the case, wouldn't we have to install regular snort for the
> 2nd instance?

no, you can use the snort_inline executable.

> Can snort_inline be used and act like regular snort if called with snort.conf?

yeah but remember kids, currently only one userspace app can hook into ip_queue

> 2. I read the Honeynet GenII paper, which talks about how to setup the
> rc.firewall.script. It is straight forward. I do not see anything in
> snort_inline.conf that references rc.firewall.script. I assume you have to
> run the script first, then run snort_inline. What command do you use to
> invoke rc.firewall.script?

errr ./rc.firewall

> 3. I also would like to use the snort_inline startup script. What do I
> need to do to use that as well?

./snort.sh

> Am I correct if I say the 2.6 kernel does not need a patch because bridging
> and iptables working together is built into the new kernels?

yes, you are correct....

> Can I just have snort_inline use
> the unified binary output plugin for the fastest speed?

yeah

> Then use Barnyard to gather logs and output to database?

should be fine

> I would like to test
> snort_inline in a gigabit+ environment.

cool, let us know how it does. I fear that context switching in ip_queue is going to kill performance.

Regards,
Will

On Sun, 6 Mar 2005 22:37:13 -0500, Peter J Manis <pm...@co...> wrote:
> I've done tons of reading and research so these questions are not being asked
> blind.
>
> 1. I know for inline we have to use the snort_inline.conf. But why is the
> snort.conf also in the /etc/ directory when you unpack snort_inline? What
> do we need that for? I'm guessing we can run two instances of snort, and
> reference snort_inline.conf for the blocking ruleset, and reference the 2nd
> instance of snort for alerting or traffic sniffing (for honeynet) purposes?
> But if this is the case, wouldn't we have to install regular snort for the
> 2nd instance? Can snort_inline be used and act like regular snort if called
> with snort.conf?
>
> 2. I read the Honeynet GenII paper, which talks about how to setup the
> rc.firewall.script. It is straight forward. I do not see anything in
> snort_inline.conf that references rc.firewall.script. I assume you have to
> run the script first, then run snort_inline. What command do you use to
> invoke rc.firewall.script?
>
> 3. I also would like to use the snort_inline startup script. What do I
> need to do to use that as well?
>
> 4. I am using a 2.6 kernel (Fedora 3). I read through all of the bridging
> how to docs, and confirm I have the bridging packages installed properly in
> the kernel. I read about possibly needing some patches to allow bridging to
> work with iptables. The bridging website did not have any patches, and
> mentioned not worrying if you are using new 2.4 and 2.6 kernels. I just
> want to doublecheck since I'm asking all these questions anyway. Am I
> correct if I say the 2.6 kernel does not need a patch because bridging
> and iptables working together is built into the new kernels?
>
> 5. The output methods for snort_inline.conf are:
> alert_fast
> alert_full
> alert_fast gives you limited information, and alert_full slows Snort down a
> lot. I believe both these plugins ask snort to do some extra work to
> convert from binary to ascii and log it. Can I just have snort_inline use
> the unified binary output plugin for the fastest speed? Then use Barnyard
> to gather logs and output to database? I would like to test snort_inline in
> a gigabit+ environment.
>
> Thanks
>
> Peter
From: Will M. <wil...@gm...> - 2005-03-12 21:51:54

> B. how to run inline and transparent proxy,

I'm assuming that you are running the proxy on the same box you are running snort-inline on. Try the following, I can't promise anything as I don't have a box running NAT mode right now.

iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080
iptables -A INPUT -p tcp --dport 8080 -j QUEUE
iptables -A OUTPUT -p tcp --sport 8080 -j QUEUE

snort_inline.conf:
config checksum_mode:none

On Tue, 08 Mar 2005 22:43:18 -0500, joe z <sec...@ho...> wrote:
> i have snort 2.3, compiled with --enable-inline, on a box behind a firewall,
> inline, to scan traffic. two questions. a little history first... when i
> enable transparent proxy (iptables -t nat -A PREROUTING -p tcp --dport 80 -j
> REDIRECT --to-port 8080 ) by itself, it works. just as a router, good. when
> i comment out the tp and uncomment ( iptables -t mangle -A PREROUTING -j
> QUEUE ) - without snort, it doesn't work (i.e. no traffic passes); with snort
> running (snort -D -Q -c /etc/snort/rules ) it works but doesn't drop
> anything. ip_queue is loaded. i need advice on A. a rule to test the inline
> drop functionality and/or advice on proper config.; B. how to run inline and
> transparent proxy; i tried:
>
> drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE
> Malware 180solutions Spyware"; uricontent:"180solutions.com"; nocase;
> classtype:trojan-activity;
> reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html;
> flow:to_server,established; sid:2001051; rev:3;)
>
> and browsed to http://180solutions.com from an internal host. obviously
> fruitlessly. is that the wrong way to write a drop rule or did i configure
> wrong? either way, a simple test drop rule would be much appreciated...
From: Mohamed B. <mb...@gm...> - 2005-03-12 15:32:31

An error slipped into my last message, but with the preceding configuration I cannot reach any Web site; I get an error of the type 'connection timeout' and netstat shows SYN_SENT.
From: Mohamed B. <mb...@gm...> - 2005-03-12 14:44:11

Hello,

Here is my configuration of snort_inline:

var HOME_NET any
var HONEYNET any
var EXTERNAL_NET any
var SMTP_SERVERS any
var TELNET_SERVERS any
var HTTP_SERVERS any
var SQL_SERVERS any
var HTTP_PORTS 80
var SHELLCODE_PORTS !80
var ORACLE_PORTS 1521
config checksum_mode: all
var RULE_PATH rules
config layer2resets
preprocessor stickydrop: max_entries 3000,log
preprocessor stickydrop-timeouts: sfportscan 3000, portscan2 3000, clamav 3000
preprocessor flow: stats_interval 0 hash 2
preprocessor stream4: disable_evasion_alerts, stream4inline, enforce_state, memcap 134217728, timeout 3600
preprocessor stream4_reassemble: both
preprocessor clamav: ports all !22 !443, action-drop, dbdir /usr/share/clamav, dbreload-time 43200
preprocessor http_inspect: global \
    iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default \
    profile all ports { 80 8080 8180 } oversize_dir_length 500
preprocessor rpc_decode: 111 32771
preprocessor bo
preprocessor telnet_decode
preprocessor sfportscan: proto { all } \
    memcap { 10000000 } \
    sense_level { low }
include /etc/snort/classification.config
include /etc/snort/reference.config
include $RULE_PATH/exploit.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/telnet.rules
.
.
.

Here are the iptables rules:

iptables -A INPUT -j QUEUE
iptables -A OUTPUT -j QUEUE

and here is how I start snort_inline:

# snort_inline -D -c /etc/snort/snort_inline.conf -d -Q -i eth0

But unfortunately I can still download eicar.com.

On Mon, 7 Mar 2005 13:48:36 -0600, William Metcalf <Wil...@kc...> wrote:
>
> You have to initialize clamav before http_inspect in your snort_inline.conf,
> also are you setup so that your return traffic is going to the QUEUE target?
>
> so something like
>
> iptables -A FORWARD -p tcp --sport 80 -j QUEUE
> iptables -A FORWARD -p tcp --dport 80 -j QUEUE
>
> or
>
> iptables -A INPUT -p tcp --sport 80 -j QUEUE
> iptables -A OUTPUT -p tcp --dport 80 -j QUEUE
>
> or you can make use of the RELATED,ESTABLISHED keywords.
>
> Regards,
>
> Will
>
> Mohamed Berzig <mb...@gm...>
> Sent by: sno...@li...
> 03/07/2005 01:17 PM
> To: sno...@li...
> Subject: [Snort-inline-users] still clamAV
>
> I have compiled snort_inline with clamav support and I have
> configured snort_inline.conf as indicated in the comments, but when
> I try to download eicar.com snort_inline detects no virus. I do not
> know if I have forgotten something but I have redone the tests
> several times. Greetings.
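The two things Will asks Mohamed to check above (clamav declared before http_inspect, and return traffic reaching the QUEUE target) can be linted before snort_inline is started. This is example code added here, not from the thread or the snort_inline project; it assumes the snort_inline box is the HTTP client or a gateway rather than the web server, and it treats the iptables rules as plain command strings.

```python
import re
import shlex

# Constructed sample, keeping the preprocessor order of Mohamed's snort_inline.conf (trimmed).
SAMPLE_CONF = """\
config checksum_mode: all
preprocessor stream4_reassemble: both
preprocessor clamav: ports all !22 !443, action-drop, dbdir /usr/share/clamav
preprocessor http_inspect: global iis_unicode_map unicode.map 1252
"""

def clamav_before_http_inspect(conf_text):
    """Will's first point: clamav must be initialised before http_inspect.
    True only when both preprocessors are present and clamav comes first."""
    seen = []
    for line in conf_text.splitlines():
        m = re.match(r"\s*preprocessor\s+(clamav|http_inspect)\b", line)
        if m and m.group(1) not in seen:
            seen.append(m.group(1))
    return seen[:2] == ["clamav", "http_inspect"]

def queue_covers_both_directions(rules, port="80"):
    """Will's second point: replies must hit QUEUE too, not just requests.
    Assumed model: the box is the client or a gateway, so a request
    (dport=port) traverses OUTPUT or FORWARD and a reply (sport=port)
    traverses INPUT or FORWARD. A rule with no --dport/--sport matches
    either direction within its chain (Mohamed's INPUT/OUTPUT pair)."""
    request = reply = False
    for rule in rules:
        argv = shlex.split(rule)
        if "-A" not in argv or "-j" not in argv or argv[argv.index("-j") + 1] != "QUEUE":
            continue
        chain = argv[argv.index("-A") + 1]
        dport = argv[argv.index("--dport") + 1] if "--dport" in argv else None
        sport = argv[argv.index("--sport") + 1] if "--sport" in argv else None
        portless = dport is None and sport is None
        if chain in ("OUTPUT", "FORWARD") and (portless or dport == port):
            request = True
        if chain in ("INPUT", "FORWARD") and (portless or sport == port):
            reply = True
    return request and reply

if __name__ == "__main__":
    print(clamav_before_http_inspect(SAMPLE_CONF))
    print(queue_covers_both_directions(["iptables -A INPUT -j QUEUE",
                                        "iptables -A OUTPUT -j QUEUE"]))
    # Only requests are queued here; replies bypass snort_inline.
    print(queue_covers_both_directions(["iptables -A FORWARD -p tcp --dport 80 -j QUEUE"]))
```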
From: Nick R. <ni...@ro...> - 2005-03-11 19:41:27

On Tue, 8 Mar 2005, alfa wrote:

> Hi,
>
> I am a newbie, I just installed snort_inline with support of ipfw and
> clamav on FreeBSD 4.10. It seems to run well, but when I try to
> download the eicar testfile, it passes through.

Is snort_inline even seeing the traffic? Write a log rule for that piece of traffic so snort_inline logs it. Also, you can write an ipfw log rule between rule #60 -> #65000 to see if it is passing through snort_inline or not.

I haven't played with ClamAV much so I will investigate this more.

> listed below are my ipfw rules:
>
> 00050 298848 156441501 divert 8668 ip from any to any via fxp0
> 00060    376     52493 divert 7500 ip from any to any
> 00100     68      3400 allow ip from any to any via lo0
> 00200      0         0 deny ip from any to 127.0.0.0/8
> 00300      0         0 deny ip from 127.0.0.0/8 to any
> 65000 585828 313867668 allow ip from any to any
> 65535      0         0 allow ip from any to any
>
> and i then started snort_inline
> (snort_inline -J 7500 -D -c /etc/snort_inline/etc/snort_inline.conf).
>
> attached are my snort_inline config file and startup messages.
>
> btw. what is snort_inline-2.3.0-RC1.diff used for? when i patched
> snort_inline with this file i cannot compile.
>
> Thanks/Alfa

Nick Rogness <ni...@ro...>
- How many people here have telekinetic powers? Raise my hand. -Emo Philips
From: William M. <Wil...@kc...> - 2005-03-10 18:35:02

List,

Once again sorry for the delay. I will try to answer all of your e-mail this weekend. I'm swamped with my paying job.

Regards,

Will
-----------------
Sent from my BlackBerry Handheld.

----- Original Message -----
From: snort-inline-users-admin
Sent: 03/10/2005 12:12 PM
To: Will Metcalf <wil...@gm...>
Cc: sno...@li...
Subject: Re: [Snort-inline-users] Clam AV

I tried this with a clean build of 2.3.0-RC1, as well as using the LDFLAGS=-pthread suggestion, both result in

localhost# /usr/local/bin/snort_inline
rcmdsh: unknown user: \uffff\uffff\uffff\uffffjJ\uffff\uffff\uffffy\uffff\uffffPjW\uffff\uffff\uffff\uffff\uffff\uffff\uffff\uffffe\uffff[^_\uffff\uffff\uffffU\uffff\uffff\uffff\uffffLWVS\uffff
Bus error (core dumped)
localhost# Mar 10 13:13:35 localhost /kernel: pid 18143 (snort_inline), uid 0: exited on signal 10 (core dumped)

Any ideas? This is ClamAV 0.83 and snort_inline 2.3.0-RC1. It appears to be identical behavior. Is there anything I should try deleting or reinstalling that may be playing a part in this? Or even just a way to get more debugging information for you guys?

Thanks!

Chris

Will Metcalf wrote:
> They changed a function from 0.7x to 0.8x in libclamav, you should be
> ok if you use snort-inline-2.3.0-RC1. Do me a favor and download and
> try to compile support for 2.3.0-RC1, and let me know if you get the
> same error. I'll look at backporting the cl_buildtrie changes to
> 2.2.0.
>
> Regards,
>
> Wil
>
> On Mon, 28 Feb 2005 00:34:02 -0500, Christopher Black
> <bla...@um...> wrote:
>
>> Yes sir, that's the configuration it's currently running in on quite a
>> few of our client machines. This is the exact same image, but with the
>> extra flag to configure.
>>
>> Will Metcalf wrote:
>>
>>> Hmmm does it work ok if you don't --enable-clamav?
>>>
>>> Regards,
>>>
>>> Will
>>> On Sun, 27 Feb 2005 18:29:42 -0500, Christopher Black
>>> <bla...@um...> wrote:
>>>
>>>> Excellent information, thank you.
>>>>
>>>> Using snort_inline-2.2.0a and ClamAV 0.8.3, snort_inline crashes
>>>> immediately on boot with this error:
>>>>
>>>> rcmdsh: unknown user: ���$�PjV�s����� F��X
>>>> Bus error (core dumped)
>>>> localhost# Feb 27 18:20:42 localhost /kernel: pid 86955 (snort_inline),
>>>> uid 0: exited on signal 10 (core dumped)
>>>>
>>>> gdb says:
>>>> (gdb) core-file snort_inline.core
>>>> Core was generated by `snort_inline'.
>>>> Program terminated with signal 10, Bus error.
>>>> #0 0x281cb2b0 in ?? ()
>>>> (gdb)
>>>>
>>>> Any ideas?
>>>>
>>>> Thanks!
>>>>
>>>> Chris
>>>>
>>>> Will Metcalf wrote:
>>>>
>>>>>> 1) Is ClamAV enabled in a default build of snort_inline?
>>>>>
>>>>> The code is there, but by default it is disabled. To enable
>>>>> ./configure --enable-clamav
>>>>>
>>>>>> 2) How are snort_inline and ClamAV interconnected? ie: is it possible
>>>>>> to upgrade the ClamAV engine without affecting snort_inline?
>>>>>
>>>>> libclamav, you can upgrade as long as you are going from 0.8x to 0.8y
>>>>> or 0.7x to 0.7y; you need to rebuild if you go from 0.7x to 0.8x
>>>>>
>>>>>> 3) In snort_inline 2.2.0a, how are the virus and IDS signature databases
>>>>>> re-read after a change? (Send a SIGHUP, restart, etc)
>>>>>
>>>>> SIGHUP or a restart. This is manual, in 2.3.0 you can specify an
>>>>> interval at which to reread the AV database. You still have to SIGHUP
>>>>> snort to update the signatures.
>>>>>
>>>>> Regards,
>>>>>
>>>>> Will
>>>>>
>>>>> On Sat, 26 Feb 2005 17:55:11 -0500, Christopher Black
>>>>> <bla...@um...> wrote:
>>>>>
>>>>>> Hi all, I have some basic questions about ClamAV support.
>>>>>>
>>>>>> 1) Is ClamAV enabled in a default build of snort_inline?
>>>>>> 2) How are snort_inline and ClamAV interconnected? ie: is it possible
>>>>>> to upgrade the ClamAV engine without affecting snort_inline?
>>>>>> 3) In snort_inline 2.2.0a, how are the virus and IDS signature databases
>>>>>> re-read after a change? (Send a SIGHUP, restart, etc)
>>>>>>
>>>>>> Thanks!
>>>>>>
>>>>>> Chris

--
Christopher Black
Interim Unix/Linux Administrator
University of Michigan | Physics OCS
bla...@um... | (734) 764-3348