From: Christopher B. <bla...@um...> - 2005-03-10 18:25:14

I tried this with a clean build of 2.3.0-RC1, as well as using the LDFLAGS=-pthread suggestion; both result in:

localhost# /usr/local/bin/snort_inline
rcmdsh: unknown user: \uffff\uffff\uffff\uffffjJ\uffff\uffff\uffffy\uffff\uffffPjW\uffff\uffff\uffff\uffff\uffff\uffff\uffff\uffffe\uffff[^_\uffff\uffff\uffffU\uffff\uffff\uffff\uffffLWVS\uffff
Bus error (core dumped)
localhost# Mar 10 13:13:35 localhost /kernel: pid 18143 (snort_inline), uid 0: exited on signal 10 (core dumped)

Any ideas? This is ClamAV 0.83 and snort_inline 2.3.0-RC1. It appears to be identical behavior. Is there anything I should try deleting or reinstalling that may be playing a part in this? Or even just a way to get more debugging information for you guys?

Thanks!

Chris

Will Metcalf wrote:
> They changed a function from 0.7x to 0.8x in libclamav, you should be
> ok if you use snort-inline-2.3.0-RC1. Do me a favor and download and
> try to compile support for 2.3.0-RC1, and let me know if you get the
> same error. I'll look at backporting the cl_buildtrie changes to
> 2.2.0.
>
> Regards,
>
> Wil
>
> On Mon, 28 Feb 2005 00:34:02 -0500, Christopher Black
> <bla...@um...> wrote:
>
>> Yes sir, that's the configuration it's currently running in on quite a
>> few of our client machines. This is the exact same image, but with the
>> extra flag to configure.
>>
>> Will Metcalf wrote:
>>
>>> Hmmm does it work ok if you don't --enable-clamav?
>>>
>>> Regards,
>>>
>>> Will
>>> On Sun, 27 Feb 2005 18:29:42 -0500, Christopher Black
>>> <bla...@um...> wrote:
>>>
>>>> Excellent information, thank you.
>>>>
>>>> Using snort_inline-2.2.0a and ClamAV 0.8.3, snort_inline crashes
>>>> immediately on boot with this error:
>>>>
>>>> rcmdsh: unknown user: ���$�PjV�s����� F��X
>>>> Bus error (core dumped)
>>>> localhost# Feb 27 18:20:42 localhost /kernel: pid 86955 (snort_inline),
>>>> uid 0: exited on signal 10 (core dumped)
>>>>
>>>> gdb says:
>>>> (gdb) core-file snort_inline.core
>>>> Core was generated by `snort_inline'.
>>>> Program terminated with signal 10, Bus error.
>>>> #0 0x281cb2b0 in ?? ()
>>>> (gdb)
>>>>
>>>> Any ideas?
>>>>
>>>> Thanks!
>>>>
>>>> Chris
>>>>
>>>> Will Metcalf wrote:
>>>>
>>>>>> 1) Is ClamAV enabled in a default build of snort_inline?
>>>>>
>>>>> The code is there, but by default it is disabled. To enable:
>>>>> ./configure --enable-clamav
>>>>>
>>>>>> 2) How are snort_inline and ClamAV interconnected? ie: is it possible
>>>>>> to upgrade the ClamAV engine without affecting snort_inline?
>>>>>
>>>>> libclamav; you can upgrade as long as you are going from 0.8x to 0.8y
>>>>> or 0.7x to 0.7y. You need to rebuild if you go from 0.7x to 0.8x.
>>>>>
>>>>>> 3) In snort_inline 2.2.0a, how are the virus and IDS signature databases
>>>>>> re-read after a change? (Send a SIGHUP, restart, etc)
>>>>>
>>>>> SIGHUP or a restart. This is manual; in 2.3.0 you can specify an
>>>>> interval at which to reread the AV database. You still have to SIGHUP
>>>>> snort to update the signatures.
>>>>>
>>>>> Regards,
>>>>>
>>>>> Will
>>>>>
>>>>> On Sat, 26 Feb 2005 17:55:11 -0500, Christopher Black
>>>>> <bla...@um...> wrote:
>>>>>
>>>>>> Hi all, I have some basic questions about ClamAV support.
>>>>>>
>>>>>> 1) Is ClamAV enabled in a default build of snort_inline?
>>>>>> 2) How are snort_inline and ClamAV interconnected? ie: is it possible
>>>>>> to upgrade the ClamAV engine without affecting snort_inline?
>>>>>> 3) In snort_inline 2.2.0a, how are the virus and IDS signature databases
>>>>>> re-read after a change? (Send a SIGHUP, restart, etc)
>>>>>>
>>>>>> Thanks!
>>>>>>
>>>>>> Chris

--
Christopher Black
Interim Unix/Linux Administrator
University of Michigan | Physics OCS
bla...@um... | (734) 764-3348
From: Dale L. H. P.E. <dh...@ni...> - 2005-03-09 16:07:47

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The "180solutions.com" is not part of the uricontent. It is actually part of the URL (there is a difference). Therefore, it will fail the test.

As an example of this sort of thing, go look at the actual rules at Bleeding Snort. You will see that there are content searches for the host, and other specific uricontent searches for the actual page requests and/or dynamic content requests:

http://www.bleedingsnort.com/cgi-bin/viewcvs.cgi/Stable/MALWARE/MALWARE_180Solutions

And, for perhaps more information than you really wanted to know, you can look at the RFC that explains this far better than I can:

http://www.w3.org/Protocols/rfc2616/rfc2616.html

I hope this helps.

joe z wrote:
| i have snort 2.3, compiled with --enable-inline, on a box behind a
| firewall, inline, to scan traffic. two questions. a little history
| first... when i enable transparent proxy (iptables -t nat -A
| PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080 ) by
| itself, it works. just as a router, good. when i comment out the tp
| and uncomment ( iptables -t mangle -A PREROUTING -j QUEUE )
| -without snort, it doesn't work (i.e. no traffic passes); with snort
| running (snort -D -Q -c /etc/snort/rules ) it works but doesn't
| drop anything. ip_queue is loaded. i need advice on A. a rule to
| test the inline drop functionality and/or advice on proper config.;
| B. how to run inline and transparent proxy; i tried:
|
| drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
| (msg:"BLEEDING-EDGE Malware 180solutions Spyware";
| uricontent:"180solutions.com"; nocase; classtype:trojan-activity;
| reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html;
| flow:to_server,established; sid:2001051; rev:3;)
|
| and browsed to http://180solutions.com from an internal host.
| obviously fruitlessly. is that the wrong way to write a drop rule
| or did i configure wrong? either way, a simple test drop rule would
| be much appreciated...
|
| _________________________________________________________________
| Express yourself instantly with MSN Messenger! Download today -
| it's FREE!
| http://messenger.msn.click-url.com/go/onm00200471ave/direct/01/
|
| -------------------------------------------------------
| SF email is sponsored by - The IT Product Guide
| Read honest & candid reviews on hundreds of IT Products from real users.
| Discover which products truly live up to the hype. Start reading now.
| http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click
| _______________________________________________
| Snort-inline-users mailing list
| Sno...@li...
| https://lists.sourceforge.net/lists/listinfo/snort-inline-users

--
Dyslexics have more fnu.

--
Dale L. Handy, P.E.
dh...@ni...
http://www.nitrosecuity.com

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFCLx9DJkJUIoExvsURAladAJwKVtZh1kLfUe6IP2LHn2vHq+r88wCeKr6z
gl51LdP+F1smJvtvfq6IYT8=
=jmJl
-----END PGP SIGNATURE-----
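The distinction Dale draws, worked through as an added Python example (not code from this thread and not Snort's own code): it models `uricontent` as a search over the request-URI taken from the request line only, and `content` as a search over the whole payload, on two constructed requests. The example assumes that simplified model and does not reproduce Snort's http_inspect normalisation. What it shows is that an ordinary origin-form browser request keeps the site name in the Host header, so a `uricontent` match on the host name cannot fire there, while a proxy-style request with an absolute URI would match.

```python
# Constructed sample requests (not captured traffic). A browser talking
# directly to a server puts only the path in the request line and the
# site name in the Host header (origin form); a request relayed through
# a proxy carries the absolute URI in the request line instead.
ORIGIN_FORM = (
    b"GET /products/install.php?ver=2 HTTP/1.1\r\n"
    b"Host: 180solutions.com\r\n"
    b"User-Agent: constructed-sample\r\n"
    b"\r\n"
)
ABSOLUTE_FORM = (
    b"GET http://180SOLUTIONS.com/products/install.php?ver=2 HTTP/1.1\r\n"
    b"Host: 180solutions.com\r\n"
    b"\r\n"
)


def parse_request(raw: bytes) -> dict:
    """Split an HTTP request into request line, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.split(b"\r\n")
    parts = request_line.split(b" ")
    if len(parts) != 3:
        raise ValueError("malformed request line: %r" % request_line)
    method, uri, version = parts
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return {"method": method, "uri": uri, "version": version,
            "headers": headers, "body": body}


def _contains(haystack: bytes, needle: bytes, nocase: bool) -> bool:
    # 'nocase' mirrors the Snort rule option of the same name.
    if nocase:
        return needle.lower() in haystack.lower()
    return needle in haystack


def uricontent_match(raw: bytes, needle: bytes, nocase: bool = True) -> bool:
    """Simplified model (assumption) of Snort's 'uricontent': search only
    the request-URI from the request line."""
    return _contains(parse_request(raw)["uri"], needle, nocase)


def content_match(raw: bytes, needle: bytes, nocase: bool = True) -> bool:
    """Simplified model of Snort's 'content': search the whole payload."""
    return _contains(raw, needle, nocase)


def host_header_match(raw: bytes, needle: bytes, nocase: bool = True) -> bool:
    """Search the Host header only, which is where the site name lives
    in an origin-form request."""
    host = parse_request(raw)["headers"].get(b"host", b"")
    return _contains(host, needle, nocase)


def which_options_fire(raw: bytes, needle: bytes) -> dict:
    """For one request, report which rule option would have matched."""
    return {
        "uricontent": uricontent_match(raw, needle),
        "content": content_match(raw, needle),
        "host_header": host_header_match(raw, needle),
    }


if __name__ == "__main__":
    for name, req in (("origin-form", ORIGIN_FORM), ("absolute-form", ABSOLUTE_FORM)):
        print(name, which_options_fire(req, b"180solutions.com"))
```

The Bleeding Snort rules Dale points to pair a `content` match for the host with `uricontent` matches for the requested paths, which is why they fire where the rule joe z posted does not; a defender testing a drop rule should likewise pick a pattern that occurs in the part of the request the chosen option actually inspects.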
From: Will M. <wil...@gm...> - 2005-03-09 04:43:46

List,

I promise that I will reply to all of your e-mails. I have been really busy with my paying job. In addition to this, Victor and I have been busy reviewing the ip_queue code to support multiple queue targets, and changing to a ulogd style of user space copy, i.e. multiple netlink messages in a single copy to user space. This should reduce context switching and enhance performance.

Regards,

Will
From: Richard C. <ric...@gm...> - 2005-03-09 03:45:17

I have also had this issue. I have the following line in my snort_inline.conf:

preprocessor clamav: ports all !22 !443, dbdir /var/lib/clamav, dbreload-time 43200

This line is before my http_inspect preprocessor. I keep the files in /var/lib/clamav up to date with freshclam running in daemon mode. I try "wget http://eicar.com/download/eicar.com" while snort is running and the download is successful every time.

Thanks,
Rich Compton

On Mon, 7 Mar 2005 20:38:48 -0600, Will Metcalf <wil...@gm...> wrote:
> Nick any ideas? The patch is against snort-2.3.0.
>
> Regards,
>
> Will
>
> On Tue, 8 Mar 2005 10:28:24 +0800, alfa <al...@ia...> wrote:
>>
>> Hi,
>>
>> I am a newbie, I just installed snort_inline with support of ipfw and clamav
>> on FreeBSD 4.10. It seems running well, but when i try to download the eicar
>> testfile, it passes through.
>>
>> listed below are my ipfw rules:
>>
>> 00050 298848 156441501 divert 8668 ip from any to any via fxp0
>> 00060 376 52493 divert 7500 ip from any to any
>> 00100 68 3400 allow ip from any to any via lo0
>> 00200 0 0 deny ip from any to 127.0.0.0/8
>> 00300 0 0 deny ip from 127.0.0.0/8 to any
>> 65000 585828 313867668 allow ip from any to any
>> 65535 0 0 allow ip from any to any
>>
>> and i then started snort_inline
>> (snort_inline -J 7500 -D -c /etc/snort_inline/etc/snort_inline.conf).
>>
>> attached are my snort_inline config file and startup messages.
>>
>> btw. what is snort_inline-2.3.0-RC1.diff used for? when i patched
>> snort_inline with this file i cannot compile.
>>
>> Thanks/Alfa

--
Thanks,
Rich Compton
From: joe z <sec...@ho...> - 2005-03-09 03:43:26

i have snort 2.3, compiled with --enable-inline, on a box behind a firewall, inline, to scan traffic. two questions. a little history first... when i enable transparent proxy (iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080) by itself, it works. just as a router, good. when i comment out the tp and uncomment (iptables -t mangle -A PREROUTING -j QUEUE) without snort, it doesn't work (i.e. no traffic passes); with snort running (snort -D -Q -c /etc/snort/rules) it works but doesn't drop anything. ip_queue is loaded. i need advice on A. a rule to test the inline drop functionality and/or advice on proper config.; B. how to run inline and transparent proxy; i tried:

drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware 180solutions Spyware"; uricontent:"180solutions.com"; nocase; classtype:trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; flow:to_server,established; sid:2001051; rev:3;)

and browsed to http://180solutions.com from an internal host. obviously fruitlessly. is that the wrong way to write a drop rule or did i configure wrong? either way, a simple test drop rule would be much appreciated...
From: Florin A. <fl...@an...> - 2005-03-08 06:40:55

I'm new to the project and it's not clear to me what the differences are between snort and snort-inline. Am I correct to assume that most features are integrated in snort-2.3.0? If yes, what are those few features only present in snort-inline? And how often do you guys plan to sync up with the snort "official" releases?

Thanks,

--
Florin Andrei
http://florin.myip.org/
From: Will M. <wil...@gm...> - 2005-03-08 02:38:55

Nick any ideas? The patch is against snort-2.3.0.

Regards,

Will

On Tue, 8 Mar 2005 10:28:24 +0800, alfa <al...@ia...> wrote:
>
> Hi,
>
> I am a newbie, I just installed snort_inline with support of ipfw and clamav
> on FreeBSD 4.10. It seems running well, but when i try to download the eicar
> testfile, it passes through.
>
> listed below are my ipfw rules:
>
> 00050 298848 156441501 divert 8668 ip from any to any via fxp0
> 00060 376 52493 divert 7500 ip from any to any
> 00100 68 3400 allow ip from any to any via lo0
> 00200 0 0 deny ip from any to 127.0.0.0/8
> 00300 0 0 deny ip from 127.0.0.0/8 to any
> 65000 585828 313867668 allow ip from any to any
> 65535 0 0 allow ip from any to any
>
> and i then started snort_inline
> (snort_inline -J 7500 -D -c /etc/snort_inline/etc/snort_inline.conf).
>
> attached are my snort_inline config file and startup messages.
>
> btw. what is snort_inline-2.3.0-RC1.diff used for? when i patched
> snort_inline with this file i cannot compile.
>
> Thanks/Alfa
From: Mohamed B. <mb...@gm...> - 2005-03-07 19:17:44

I compiled snort_inline with clamav support and configured snort_inline.conf as indicated in the comments, but when I try to download eicar.com, snort_inline detects no virus. I do not know if I forgot something, but I have redone the tests several times.

Greetings.
From: Victor J. <vi...@nk...> - 2005-03-07 06:20:33

Hi,

It's an error in the manual: 'inline_state' should be 'enforce_state'.

Hope this helps,

Victor

tut...@pa... wrote:
> Hi,
>
> I recently upgraded from snort-inline 2.2 to snort 2.3.
>
> All was working fine with 2.2 and I had the iptablesmark options
> set of stream4 to handle the state.
>
> When I upgraded, I removed the mark options, and replaced them
> with inline_state, however, whenever I start snort, I get an
> error that inline_state is an invalid option for stream4.
>
> Snort seems to be working fine in inline mode, and so far, I've not
> noticed any problems with state. Packets are being dropped successfully
> too.
>
> So, have I missed something obvious? and will I find myself having
> problems at some stage because stream4 is not(?) tracking state.
>
> Cheers
> tut.
From: Peter J M. <pm...@co...> - 2005-03-07 03:37:16

I've done tons of reading and research so these questions are not being asked blind.

1. I know for inline we have to use the snort_inline.conf. But why is the snort.conf also in the /etc/ directory when you unpack snort_inline? What do we need that for? I'm guessing we can run two instances of snort, and reference snort_inline.conf for the blocking ruleset, and reference the 2nd instance of snort for alerting or traffic sniffing (for honeynet) purposes? But if this is the case, wouldn't we have to install regular snort for the 2nd instance? Can snort_inline be used and act like regular snort if called with snort.conf?

2. I read the Honeynet GenII paper, which talks about how to set up the rc.firewall.script. It is straightforward. I do not see anything in snort_inline.conf that references rc.firewall.script. I assume you have to run the script first, then run snort_inline. What command do you use to invoke rc.firewall.script?

3. I also would like to use the snort_inline startup script. What do I need to do to use that as well?

4. I am using a 2.6 kernel (Fedora 3). I read through all of the bridging how-to docs, and confirm I have the bridging packages installed properly in the kernel. I read about possibly needing some patches to allow bridging to work with iptables. The bridging website did not have any patches, and mentioned not worrying if you are using new 2.4 and 2.6 kernels. I just want to double-check since I'm asking all these questions anyway. Am I correct if I say the 2.6 kernel does not need a patch because bridging and iptables working together is built into the new kernels?

5. The output methods for snort_inline.conf are: alert_fast, alert_full. alert_fast gives you limited information, and alert_full slows Snort down a lot. I believe both these plugins ask snort to do some extra work to convert from binary to ASCII and log it. Can I just have snort_inline use the unified binary output plugin for the fastest speed? Then use Barnyard to gather logs and output to database? I would like to test snort_inline in a gigabit+ environment.

Thanks
Peter
From: <tut...@pa...> - 2005-03-07 00:07:48

Hi,

I recently upgraded from snort-inline 2.2 to snort 2.3.

All was working fine with 2.2 and I had the iptablesmark options set of stream4 to handle the state.

When I upgraded, I removed the mark options, and replaced them with inline_state, however, whenever I start snort, I get an error that inline_state is an invalid option for stream4.

Snort seems to be working fine in inline mode, and so far, I've not noticed any problems with state. Packets are being dropped successfully too.

So, have I missed something obvious? and will I find myself having problems at some stage because stream4 is not(?) tracking state.

Cheers
tut.
From: Will M. <wil...@gm...> - 2005-03-06 16:20:00

iptables -A FORWARD -p tcp --syn -m limit --limit 1/s --limit-burst 5 -j DROP

should be

iptables -A FORWARD -p tcp --syn -m limit --limit 1/s --limit-burst 5 -j ACCEPT

On Sun, 6 Mar 2005 08:33:46 -0600, Will Metcalf <wil...@gm...> wrote:
> About the only way to do that is rate limiting on packets with the syn
> flag set. An example on how to do this in iptables would be something
> like:
>
> iptables -A FORWARD -p tcp --syn -m limit --limit 1/s --limit-burst 5 -j DROP
>
> I think the bleeding snort guys at one time had some rules to detect
> syn floods but I'm not really sure. I would stick with the iptables
> rules.
>
> http://www.bleedingsnort.com
>
> Regards,
>
> Will
>
> On Sun, 06 Mar 2005 07:45:37 +0530, bharathi <bha...@au...> wrote:
>> Hi all,
>> We have implemented the snort-inline service in our huge
>> network. In that we are frequently getting unwanted DOS/DDOS syn
>> traffic. Hence
>> we need to drop all those DOS SYN packets without any disturbance on the
>> normal SYN traffic ( Ex: to port 80,22,25,3306 ..). How to do it?
>>
>> Plz give me any suggestions.
>>
>> Thanks and Regards,
>> Bharathi Raja.
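The two rule orderings in this exchange, modelled as an added Python example (not iptables code and not from the thread): the `limit` match is represented as a token bucket with a burst of 5 and a refill of 1 per second, and a FORWARD chain is walked rule by rule with an ACCEPT policy. The assumption is that this bucket is a faithful enough model of `-m limit` for the ordering point; the real match keeps its own credit arithmetic. The traffic is constructed.

```python
class LimitMatch:
    """Token bucket standing in for '-m limit --limit R/s --limit-burst B'.

    Tokens are integers in thousandths to avoid float drift. The bucket
    starts full (B packets), refills at R packets per second, and the
    match succeeds while a whole token is available, consuming it.
    """

    def __init__(self, rate_per_sec: int, burst: int):
        self.rate = rate_per_sec
        self.capacity = burst * 1000
        self.tokens = self.capacity
        self.last_ms = 0

    def __call__(self, pkt: dict) -> bool:
        now = pkt["t_ms"]
        elapsed = max(0, now - self.last_ms)
        self.last_ms = now
        self.tokens = min(self.capacity, self.tokens + elapsed * self.rate)
        if self.tokens >= 1000:
            self.tokens -= 1000
            return True
        return False


def is_syn(pkt: dict) -> bool:
    """'-p tcp --syn': SYN set and ACK clear."""
    return pkt["proto"] == "tcp" and pkt["flags"] == {"SYN"}


class Rule:
    def __init__(self, target: str, *matches):
        self.target = target
        self.matches = matches

    def matches_packet(self, pkt: dict) -> bool:
        # Matches are evaluated left to right and stop at the first failure,
        # so the limit bucket is only charged for packets that are SYNs.
        return all(m(pkt) for m in self.matches)


def run_chain(rules, packets, policy="ACCEPT"):
    """First matching rule decides; otherwise the chain policy applies."""
    verdicts = []
    for pkt in packets:
        verdict = policy
        for rule in rules:
            if rule.matches_packet(pkt):
                verdict = rule.target
                break
        verdicts.append(verdict)
    return verdicts


def syn(t_ms: int) -> dict:
    return {"t_ms": t_ms, "proto": "tcp", "flags": {"SYN"}}


def ack(t_ms: int) -> dict:
    return {"t_ms": t_ms, "proto": "tcp", "flags": {"ACK"}}


# Constructed traffic: five SYNs at once, ten more within 100 ms, three
# SYNs two seconds later (bucket has refilled two tokens), then one ACK.
TRAFFIC = ([syn(0) for _ in range(5)]
           + [syn(10 * i) for i in range(1, 11)]
           + [syn(2000) for _ in range(3)]
           + [ack(2000)])


def corrected_chain():
    """Will's corrected ordering: the limit rule ACCEPTs the in-budget
    SYNs and a plain --syn rule DROPs the excess."""
    return [Rule("ACCEPT", is_syn, LimitMatch(1, 5)), Rule("DROP", is_syn)]


def original_chain():
    """The first posting: limit rule with -j DROP. The in-budget SYNs are
    dropped and everything beyond the budget falls through to the policy."""
    return [Rule("DROP", is_syn, LimitMatch(1, 5))]


if __name__ == "__main__":
    print("corrected:", run_chain(corrected_chain(), TRAFFIC))
    print("original: ", run_chain(original_chain(), TRAFFIC))
```

Running the block prints both verdict lists: the corrected chain accepts the first five SYNs, drops the burst, accepts two more once the bucket has refilled, and passes the ACK, while the original ordering does the opposite for every SYN, which is the inversion the correction fixes. One chain-wide bucket also throttles every client together, so in practice the budget is usually scoped per source rather than applied verbatim.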
From: Will M. <wil...@gm...> - 2005-03-06 14:33:53

About the only way to do that is rate limiting on packets with the syn flag set. An example on how to do this in iptables would be something like:

iptables -A FORWARD -p tcp --syn -m limit --limit 1/s --limit-burst 5 -j DROP

I think the bleeding snort guys at one time had some rules to detect syn floods but I'm not really sure. I would stick with the iptables rules.

http://www.bleedingsnort.com

Regards,

Will

On Sun, 06 Mar 2005 07:45:37 +0530, bharathi <bha...@au...> wrote:
> Hi all,
> We have implemented the snort-inline service in our huge
> network. In that we are frequently getting unwanted DOS/DDOS syn
> traffic. Hence
> we need to drop all those DOS SYN packets without any disturbance on the
> normal SYN traffic ( Ex: to port 80,22,25,3306 ..). How to do it?
>
> Plz give me any suggestions.
>
> Thanks and Regards,
> Bharathi Raja.
From: bharathi <bha...@au...> - 2005-03-06 02:17:22

Hi all,

We have implemented the snort-inline service in our huge network. In that we are frequently getting unwanted DOS/DDOS syn traffic. Hence we need to drop all those DOS SYN packets without any disturbance on the normal SYN traffic ( Ex: to port 80,22,25,3306 ..). How to do it?

Plz give me any suggestions.

Thanks and Regards,
Bharathi Raja.
From: Peter J M. <pm...@co...> - 2005-03-05 05:08:50

Sorry to bother you everyone, I got snort inline to compile. With the yum install and rpm install of clam, snort was unable to find clamav.h, or it just wasn't there because I couldn't find it myself either. I uninstalled clam and reinstalled it from source. Everything compiled. I apologize for not trying this earlier.

Peter
From: Daniel P. <dpu...@ni...> - 2005-03-04 23:50:50

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Peter J Manis wrote:
> Thanks Will and Dan for iptables info. I wiped the disk clean and
> started with a fresh Fedora 3 install and updated and installed
> everything with yum. I did have to install libnet-1.0.2a manually, as
> yum did not find a match. I have everything set up, mysql,
> apache, php, etc... All that is working fine, up to the point of Clamav.
> I installed clamav through yum. I --enable-clamav in ./configure.
> However, it does not find the clamav.h header. Now, clam is the only
> program I did not yet go update clamd.conf and freshclam.conf, but I
> figured to give the compile a try to see if I got past the iptables
> part, and I did. I ran locate clamav.h and did not find anything. Any
> suggestions?
>
> Peter
>
> ----- Original Message -----
> From: "Will Metcalf" <wil...@gm...>
> To: "Daniel Purcell" <dpu...@ni...>
> Cc: <sno...@li...>
> Sent: Tuesday, March 01, 2005 9:10 PM
> Subject: Re: [Snort-inline-users] Fedora 3 and iptables issues..
>
>> Yeah, he is going to need the iptables and iptables-devel package.
>>
>> Regards,
>>
>> Will
>>
>> On Tue, 01 Mar 2005 09:32:34 -0700, Daniel Purcell
>> <dpu...@ni...> wrote:
>>

Peter,

I'm not familiar with Fedora Core 3 and what packages are available, but perhaps you need to yum the clamav-devel package? RedHat will usually create the application-only RPM, and the development RPM for the package with all the .h and extra libraries and stuff in a different package.

-Dan

> Peter,
>
> Instead of trying to compile iptables yourself, have you tried
> installing it from an rpm built for fedora 3? Usually, redhat will
> package everything nice and if you use their system things seem to go
> together nicely
>
> Try the command:
>
> yum iptables
>
> or search the Fedora 3 CDs for an iptables rpm and install it using the
> rpm -Uvh iptables-(whatever the package is named).rpm command.
>
> -Dan
>
> Peter J Manis wrote:
>> I am pulling my hair out trying to get snort inline to compile. I
>> am using Fedora 3. The ./configure fails saying it can't find libipg.h.
>> I then realized i did not make and make install iptables-1.3.0. So I've
>> spent hours trying to get iptables to make. I unpacked it and when I
>> make, i get:
>>
>> [root@localhost iptables-1.3.0]# make
>> Making dependencies: please wait...
>> Something wrong... deleting dependencies
>>
>> Please try 'make KERNEL_DIR=path-to-correct-kernel'.
>>
>> make: *** [linux/errno.h] Error 1
>>
>> I have no clue what path to set. I try /usr/src/ and /usr/src/redhat/
>> and i keep failing. I even went so far as to try to upgrade the kernel
>> to another. I am just confused and annoyed and would greatly appreciate
>> any help on this.
>>
>> Peter

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFCKPRmA3S6iBF0EygRAp5vAJ9ZB3Dpn5er4hsjAynP5wSdTILx3gCfeIIf
bmoErRfbR+ZZ2sUJ8Xy/oa0=
=qugi
-----END PGP SIGNATURE-----
From: Peter J M. <pm...@co...> - 2005-03-04 23:19:40

Thanks Will and Dan for iptables info. I wiped the disk clean and started with a fresh Fedora 3 install and updated and installed everything with yum. I did have to install libnet-1.0.2a manually, as yum did not find a match. I have everything set up, mysql, apache, php, etc... All that is working fine, up to the point of Clamav. I installed clamav through yum. I --enable-clamav in ./configure. However, it does not find the clamav.h header. Now, clam is the only program I did not yet go update clamd.conf and freshclam.conf, but I figured to give the compile a try to see if I got past the iptables part, and I did. I ran locate clamav.h and did not find anything. Any suggestions?

Peter

----- Original Message -----
From: "Will Metcalf" <wil...@gm...>
To: "Daniel Purcell" <dpu...@ni...>
Cc: <sno...@li...>
Sent: Tuesday, March 01, 2005 9:10 PM
Subject: Re: [Snort-inline-users] Fedora 3 and iptables issues..

> Yeah, he is going to need the iptables and iptables-devel package.
>
> Regards,
>
> Will
>
> On Tue, 01 Mar 2005 09:32:34 -0700, Daniel Purcell
> <dpu...@ni...> wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> Peter,
>>
>> Instead of trying to compile iptables yourself, have you tried
>> installing it from an rpm built for fedora 3? Usually, redhat will
>> package everything nice and if you use their system things seem to go
>> together nicely
>>
>> Try the command:
>>
>> yum iptables
>>
>> or search the Fedora 3 CDs for an iptables rpm and install it using the
>> rpm -Uvh iptables-(whatever the package is named).rpm command.
>>
>> - -Dan
>>
>> Peter J Manis wrote:
>> > I am pulling my hair out trying to get snort inline to compile. I
>> > am using Fedora 3. The ./configure fails saying it can't find libipg.h.
>> > I then realized i did not make and make install iptables-1.3.0. So I've
>> > spent hours trying to get iptables to make. I unpacked it and when I
>> > make, i get:
>> >
>> > [root@localhost iptables-1.3.0]# make
>> > Making dependencies: please wait...
>> > Something wrong... deleting dependencies
>> >
>> > Please try 'make KERNEL_DIR=path-to-correct-kernel'.
>> >
>> > make: *** [linux/errno.h] Error 1
>> >
>> > I have no clue what path to set. I try /usr/src/ and /usr/src/redhat/
>> > and i keep failing. I even went so far as to try to upgrade the kernel
>> > to another. I am just confused and annoyed and would greatly
>> > appreciate any help on this.
>> >
>> > Peter
>> -----BEGIN PGP SIGNATURE-----
>> Version: GnuPG v1.2.4 (GNU/Linux)
>> Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
>>
>> iD8DBQFCJJkiA3S6iBF0EygRAtkmAKCCcRsh+uAEhsz759BeIMaUzW/DswCfbsJ1
>> jvFHIXEdohuTPZY5ALYv1Dc=
>> =e2c2
>> -----END PGP SIGNATURE-----
From: Stefan S. <Ste...@fe...> - 2005-03-04 11:33:30
|
Hello list,

I use the Astaro Firewall, latest version. It integrates snort_inline version 2.1.1 (Build 24). There are three NICs: internal, external, DMZ. In addition there are 15 virtual NICs on the external NIC.

My problem is not trivial. Look here. At present the current Astaro_IDS version has problems with really dropping packets, or violations of rules are not recognized. Look here, the following two examples from yesterday.

First example: although the rule "WEB-IIS ISAPI .ida attempt" is active (drop) and was closed according to the log file, an additional Snort sensor in the DMZ sees the same rule violation.

Second example: although "WEB-IIS cmd.exe access" is active (drop), this rule violation was not recognized by the IDS; however, the Snort sensor in the DMZ saw this rule violation. I have observed this several times already.

The IDS ASL log files in addition:

2005:03:03-00:14:55 (none) snort[15134]: [1:485:0] A ICMP Destination Unreachable Communication Administratively Prohibited [Classification: Misc activity] [Priority: 3]: <(null)> {PROTO001} 213.200.76.38 -> 217.6.34.2
2005:03:03-07:48:42 (none) snort[15134]: [119:13:1] (http_inspect) NON-RFC HTTP DELIMITER <(null)> {PROTO006} 192.168.100.18:45248 -> 207.188.24.150:80
2005:03:03-07:48:43 (none) snort[15134]: [119:12:1] (http_inspect) APACHE WHITESPACE (TAB) <(null)> {PROTO006} 192.168.100.18:45248 -> 207.188.24.150:80
2005:03:03-07:50:31 (none) snort[15134]: [1:2925:0] A INFO web bug 0x0 gif attempt [Classification: Misc activity] [Priority: 3]: <(null)> {PROTO006} 212.172.60.154:80 -> 192.168.100.18:45276
2005:03:03-07:50:42 (none) snort[15134]: [1:2925:0] A INFO web bug 0x0 gif attempt [Classification: Misc activity] [Priority: 3]: <(null)> {PROTO006} 193.45.14.169:80 -> 192.168.100.18:45253
2005:03:03-07:55:59 (none) snort[15134]: [1:1243:0] D WEB-IIS ISAPI .ida attempt [Classification: Web Application Attack] [Priority: 1]: <(null)> {PROTO006} 221.7.71.222:3119 -> 192.168.100.25:80
2005:03:03-07:55:59 (none) snort[15134]: [119:3:1] (http_inspect) U ENCODING <(null)> {PROTO006} 221.7.71.222:3119 -> 192.168.100.25:80
2005:03:03-07:55:59 (none) snort[15134]: [119:13:1] (http_inspect) NON-RFC HTTP DELIMITER <(null)> {PROTO006} 221.7.71.222:3119 -> 192.168.100.25:80
2005:03:03-07:56:02 (none) snort[15134]: [119:3:1] (http_inspect) U ENCODING <(null)> {PROTO006} 221.7.71.222:3119 -> 192.168.100.25:80
2005:03:03-07:56:02 (none) snort[15134]: [119:13:1] (http_inspect) NON-RFC HTTP DELIMITER <(null)> {PROTO006} 221.7.71.222:3119 -> 192.168.100.25:80
2005:03:03-07:56:03 (none) snort[15134]: [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING <(null)> {PROTO006} 221.7.71.222:3119 -> 192.168.100.25:80
2005:03:03-07:56:03 (none) snort[15134]: [119:15:1] (http_inspect) OVERSIZE REQUEST-URI DIRECTORY <(null)> {PROTO006} 221.7.71.222:3119 -> 192.168.100.25:80
2005:03:03-08:02:58 (none) snort[15134]: [1:2925:0] A INFO web bug 0x0 gif attempt [Classification: Misc activity] [Priority: 3]: <(null)> {PROTO006} 217.110.202.150:80 -> 192.168.100.18:45919
2005:03:03-08:03:09 (none) snort[15134]: [1:2925:0] A INFO web bug 0x0 gif attempt [Classification: Misc activity] [Priority: 3]: <(null)> {PROTO006} 217.110.202.134:80 -> 192.168.100.18:46021
2005:03:03-08:04:30 (none) snort[15134]: [119:7:1] (http_inspect) IIS UNICODE CODEPOINT ENCODING <(null)> {PROTO006} 192.168.100.18:46124 -> 63.240.28.62:80
2005:03:03-08:05:42 (none) snort[15134]: [119:3:1] (http_inspect) U ENCODING <(null)> {PROTO006} 192.168.100.18:46168 -> 63.240.28.58:80

That is what the Snort sensor in the DMZ sees:

#112-(4-71453)[snort] (http_inspect) NON-RFC DEFINED CHAR 2005-03-03 07:55:39 221.7.71.222:3119 192.168.100.25:80 TCP
#113-(4-71452)[snort] WEB-IIS cmd.exe access 2005-03-03 07:55:39 221.7.71.222:3119 192.168.100.25:80 TCP
#114-(4-71451)[snort] (http_inspect) NON-RFC HTTP DELIMITER 2005-03-03 07:55:38 221.7.71.222:3119 192.168.100.25:80 TCP
#115-(4-71450)[cve][icat][bugtraq][arachNIDS][snort] WEB-IIS ISAPI .ida access 2005-03-03 07:55:38 221.7.71.222:3119 192.168.100.25:80 TCP
#116-(4-71449)[cve][icat][bugtraq][arachNIDS][snort] WEB-IIS ISAPI .ida attempt 2005-03-03 07:55:38 221.7.71.222:3119 192.168.100.25:80 TCP

Does someone have an idea? More information in the threads at Astaro.org:
http://www.astaro.org/showflat.php?Cat=&Number=56112&page=0&view=collapsed&sb=5&o=&fpart=1#56112

Thanks for each assistance
Stefan |
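A reconciliation script for the two log formats quoted above, added here as an example and not part of Stefan's post or the Astaro product: it parses the inline (ASL) snort_inline lines and the DMZ sensor lines, keys events on (signature, src, dst), and reports alerts the inline sensor marked D (drop) that the DMZ sensor still saw, plus DMZ alerts the inline sensor never logged. The sample lines are a subset of those quoted in the post; the sensor clocks differ by about 20 s there, so time is deliberately not part of the match key.

```python
import re
from typing import Dict, List, Tuple

Key = Tuple[str, str, str]  # (signature message, src, dst)

# Inline (Astaro/ASL) snort_inline line, e.g.
# 2005:03:03-07:55:59 (none) snort[15134]: [1:1243:0] D WEB-IIS ISAPI .ida attempt
#   [Classification: Web Application Attack] [Priority: 1]: <(null)> {PROTO006} SRC -> DST
# 'A'/'D' after the gid:sid:rev triple is the inline verdict (alert / drop);
# preprocessor alerts such as (http_inspect) carry neither verdict nor classification.
INLINE_RE = re.compile(
    r"^(?P<ts>\d{4}:\d{2}:\d{2}-\d{2}:\d{2}:\d{2}) \S+ snort\[\d+\]: "
    r"\[(?P<gid>\d+):(?P<sid>\d+):\d+\] (?:(?P<action>[AD]) )?(?P<msg>.+?) "
    r"(?:\[Classification: [^\]]*\] \[Priority: \d+\]: )?<\(null\)> \{PROTO\d+\} "
    r"(?P<src>\S+) -> (?P<dst>\S+)$"
)

# DMZ sensor (ACID/BASE-style) line, e.g.
# #116-(4-71449)[cve][icat][bugtraq][arachNIDS][snort] WEB-IIS ISAPI .ida attempt
#   2005-03-03 07:55:38 221.7.71.222:3119 192.168.100.25:80 TCP
DMZ_RE = re.compile(
    r"^#\d+-\(\d+-\d+\)(?:\[[^\]]*\])+ (?P<msg>.+?) "
    r"(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<src>\S+) (?P<dst>\S+) (?P<proto>\S+)$"
)

def parse_inline(lines: List[str]) -> Dict[Key, str]:
    """Map each inline event key to its verdict: 'D', 'A', or '' (preprocessor alert)."""
    events: Dict[Key, str] = {}
    for line in lines:
        m = INLINE_RE.match(line.strip())
        if m:
            key = (m["msg"], m["src"], m["dst"])
            # Keep the strongest verdict seen for a key ('D' > 'A' > '').
            events[key] = max(events.get(key, ""), m["action"] or "")
    return events

def parse_dmz(lines: List[str]) -> List[Key]:
    """Event keys in log order; the DMZ sensor only alerts, so there is no verdict."""
    matches = (DMZ_RE.match(line.strip()) for line in lines)
    return [(m["msg"], m["src"], m["dst"]) for m in matches if m]

def reconcile(inline_lines: List[str], dmz_lines: List[str]) -> Dict[str, List[Key]]:
    inline = parse_inline(inline_lines)
    dmz = parse_dmz(dmz_lines)
    return {
        # inline logged a drop, yet the DMZ sensor saw the same request: drop ineffective
        "drop_leaked": [k for k in dmz if inline.get(k) == "D"],
        # DMZ sensor alerted and inline never logged that signature for the flow
        "unseen_inline": [k for k in dmz if k not in inline],
    }

# Sample lines copied from the post above (a constructed subset of what Stefan quoted).
INLINE_SAMPLE = [
    "2005:03:03-07:55:59 (none) snort[15134]: [1:1243:0] D WEB-IIS ISAPI .ida attempt "
    "[Classification: Web Application Attack] [Priority: 1]: <(null)> {PROTO006} 221.7.71.222:3119 -> 192.168.100.25:80",
    "2005:03:03-07:55:59 (none) snort[15134]: [119:3:1] (http_inspect) U ENCODING <(null)> {PROTO006} 221.7.71.222:3119 -> 192.168.100.25:80",
    "2005:03:03-07:55:59 (none) snort[15134]: [119:13:1] (http_inspect) NON-RFC HTTP DELIMITER <(null)> {PROTO006} 221.7.71.222:3119 -> 192.168.100.25:80",
]
DMZ_SAMPLE = [
    "#112-(4-71453)[snort] (http_inspect) NON-RFC DEFINED CHAR 2005-03-03 07:55:39 221.7.71.222:3119 192.168.100.25:80 TCP",
    "#113-(4-71452)[snort] WEB-IIS cmd.exe access 2005-03-03 07:55:39 221.7.71.222:3119 192.168.100.25:80 TCP",
    "#114-(4-71451)[snort] (http_inspect) NON-RFC HTTP DELIMITER 2005-03-03 07:55:38 221.7.71.222:3119 192.168.100.25:80 TCP",
    "#115-(4-71450)[cve][icat][bugtraq][arachNIDS][snort] WEB-IIS ISAPI .ida access 2005-03-03 07:55:38 221.7.71.222:3119 192.168.100.25:80 TCP",
    "#116-(4-71449)[cve][icat][bugtraq][arachNIDS][snort] WEB-IIS ISAPI .ida attempt 2005-03-03 07:55:38 221.7.71.222:3119 192.168.100.25:80 TCP",
]

if __name__ == "__main__":
    for kind, keys in reconcile(INLINE_SAMPLE, DMZ_SAMPLE).items():
        print(kind)
        for msg, src, dst in keys:
            print(f"  {msg}  {src} -> {dst}")
```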
From: Richard C. <ric...@gm...> - 2005-03-03 03:25:28
|
Hi,

I've got snort_inline v 2.3.0 and when I try to ssh to a host behind the bridge, I get a timeout. Here are the results of a tcpdump of ssh to a host behind the IPS:

tcpdump: listening on eth0
21:18:31.776454 24.107.136.185.32802 > 192.168.1.2.ssh: S 693332235:693332235(0) win 5840 <mss 1460,sackOK,timestamp 773605864 0,nop,wscale 2> (DF)
21:18:31.776576 192.168.1.2.ssh > 24.107.136.185.32802: S 3705203370:3705203370(0) ack 693332236 win 5840 <mss 1460> (DF)
21:18:31.776664 192.168.1.2.ssh > 24.107.136.185.32802: S 3705203370:3705203370(0) ack 693332236 win 5840 <mss 1460> (DF)
21:18:31.792173 24.107.136.185.32802 > 192.168.1.2.ssh: . ack 1 win 5840 (DF)
21:18:31.793624 192.168.1.2.ssh > 24.107.136.185.32802: P 1:24(23) ack 1 win 5840 (DF)
21:18:31.793740 192.168.1.2.ssh > 24.107.136.185.32802: P 1:24(23) ack 1 win 5840 (DF)
21:18:31.820035 24.107.136.185.32802 > 192.168.1.2.ssh: . ack 24 win 5840 (DF)

192.168.1.2 is the IP of the device behind the IPS. It receives the packets but it looks like something that is being sent to this host is being modified so that the openssh daemon won't respond. If I remove the IPS, everything works perfectly.

Here are my iptables rules on the IPS:

iptables -F
#eth0 is for management
iptables -A INPUT -i eth0 -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A FORWARD -j QUEUE

Here are my stream4 options in snort.conf:

preprocessor stream4: disable_evasion_alerts detect_scans

--
Thanks,
Rich Compton |
From: Will M. <wil...@gm...> - 2005-03-02 02:10:58
|
Yeah, he is going to need the iptables and iptables-devel package.

Regards,

Will

On Tue, 01 Mar 2005 09:32:34 -0700, Daniel Purcell <dpu...@ni...> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Peter,
>
> Instead of trying to compile iptables yourself, have you tried
> installing it from an rpm built for Fedora 3? Usually, Red Hat will
> package everything nicely, and if you use their system things seem to go
> together nicely.
>
> Try the command:
>
> yum iptables
>
> or search the Fedora 3 CDs for an iptables rpm and install it using the
> rpm -Uvh iptables-(whatever the package is named).rpm command.
>
> - -Dan
>
> Peter J Manis wrote:
> > I am pulling my hair out trying to get snort inline to compile. I
> > am using Fedora 3. The ./configure fails saying it can't find libipq.h.
> > I then realized I did not make and make install iptables-1.3.0. So I've
> > spent hours trying to get iptables to make. I unpacked it and when I
> > make, I get:
> >
> > [root@localhost iptables-1.3.0]# make
> > Making dependencies: please wait...
> > Something wrong... deleting dependencies
> >
> > Please try 'make KERNEL_DIR=path-to-correct-kernel'.
> >
> > make: *** [linux/errno.h] Error 1
> >
> >
> > I have no clue what path to set. I try /usr/src/ and /usr/src/redhat/
> > and I keep failing. I even went so far as to try to upgrade the kernel
> > to another. I am just confused and annoyed and would greatly appreciate
> > any help on this.
> >
> > Peter
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.4 (GNU/Linux)
> Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
>
> iD8DBQFCJJkiA3S6iBF0EygRAtkmAKCCcRsh+uAEhsz759BeIMaUzW/DswCfbsJ1
> jvFHIXEdohuTPZY5ALYv1Dc=
> =e2c2
> -----END PGP SIGNATURE----- |
From: Daniel P. <dpu...@ni...> - 2005-03-01 16:32:47
|
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Peter,

Instead of trying to compile iptables yourself, have you tried installing it from an rpm built for Fedora 3? Usually, Red Hat will package everything nicely, and if you use their system things seem to go together nicely.

Try the command:

yum iptables

or search the Fedora 3 CDs for an iptables rpm and install it using the
rpm -Uvh iptables-(whatever the package is named).rpm command.

- -Dan

Peter J Manis wrote:
> I am pulling my hair out trying to get snort inline to compile. I
> am using Fedora 3. The ./configure fails saying it can't find libipq.h.
> I then realized I did not make and make install iptables-1.3.0. So I've
> spent hours trying to get iptables to make. I unpacked it and when I
> make, I get:
>
> [root@localhost iptables-1.3.0]# make
> Making dependencies: please wait...
> Something wrong... deleting dependencies
>
> Please try 'make KERNEL_DIR=path-to-correct-kernel'.
>
> make: *** [linux/errno.h] Error 1
>
>
> I have no clue what path to set. I try /usr/src/ and /usr/src/redhat/
> and I keep failing. I even went so far as to try to upgrade the kernel
> to another. I am just confused and annoyed and would greatly appreciate
> any help on this.
>
> Peter
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFCJJkiA3S6iBF0EygRAtkmAKCCcRsh+uAEhsz759BeIMaUzW/DswCfbsJ1
jvFHIXEdohuTPZY5ALYv1Dc=
=e2c2
-----END PGP SIGNATURE----- |
From: Peter J M. <pm...@co...> - 2005-03-01 08:16:44
|
I am pulling my hair out trying to get snort inline to compile. I am using Fedora 3. The ./configure fails saying it can't find libipq.h. I then realized I did not make and make install iptables-1.3.0. So I've spent hours trying to get iptables to make. I unpacked it and when I make, I get:

[root@localhost iptables-1.3.0]# make
Making dependencies: please wait...
Something wrong... deleting dependencies

Please try 'make KERNEL_DIR=path-to-correct-kernel'.

make: *** [linux/errno.h] Error 1

I have no clue what path to set. I try /usr/src/ and /usr/src/redhat/ and I keep failing. I even went so far as to try to upgrade the kernel to another. I am just confused and annoyed and would greatly appreciate any help on this.

Peter |
From: zman_shah <zma...@ya...> - 2005-03-01 01:40:31
|
I got the same problem when compiling clamav on FBSD. I am using csh. "setenv LDFLAGS -pthread" and run configure and make again. snort_inline works fine after that. Hope this will help.

>Excellent information, thank you.
>Using snort_inline-2.2.0a and ClamAV 0.8.3,
>snort_inline crashes
>immediately on boot with this error:
>rcmdsh: unknown user:
>���$�PjV�s����� F��X
>Bus error (core dumped)
>localhost# Feb 27 18:20:42 localhost /kernel: pid
>86955 (snort_inline),
>uid 0: exited on signal 10 (core dumped)
>gdb says:
>(gdb) core-file snort_inline.core
>Core was generated by `snort_inline'.
>Program terminated with signal 10, Bus error.
>#0 0x281cb2b0 in ?? ()
>(gdb)
>Any ideas?
>Thanks!
>Chris |
From: Nick R. <ni...@ro...> - 2005-02-28 22:10:05
|
On Mon, 28 Feb 2005, William Metcalf wrote:

> Nick, can you take a look at this. Sigh what this project needs is some
> hardware

What do you need? I have lots of old machines sitting around.

> Craig if Nick can find the time to look at this, you might want to look
> at his well prepared guide to snort-inline and FreeBSD
> http://freebsd.rogness.net/snort_inline/

Craig,

I will gladly look at what is going on. In this case, you are trying to run the natd program on DIVERT port 7500. natd has nothing to do with snort_inline. In fact, if you need natd to be running in conjunction with snort_inline, they must be listening on different DIVERT ports. I will write a short summary on the website on running them in conjunction.

> if you run with -v instead of -D what happens?
>
> snort_inline -D -J 7500 -I dc0 -c snort_inline.conf
>
> You are reading from a divert socket so you probably don't need the -I dc0.
> Does your pid file get written?
>
> Regards,
>
> Will
>
> "Craig Mueller" <cmueller@alebra.com>
> Sent by: snort-inline-users-...@li...urceforge.net
> To: sno...@li...urceforge.net
> cc:
> Subject: [Snort-inline-users] snort_inline & IPFW
> 02/28/2005 12:32 PM
>
> Hello:
> I've been trying to get snort_inline 2.3.0RC1 running on FreeBSD
> 5.2-RELEASE.
> It seems to start OK according to var/log/messages - yet the process is not
> running, no logging occurs
>
> I have IPDIVERT enabled in kernel,
> rc.conf =
> gateway_enable="YES"
> natd_enable="YES"
> natd_interface="dc0"
> natd_flags="-p 7500"
> firewall_enable="YES"
>
> ipfw divert rules=
> ipfw add 1000 divert 7500 tcp from any to any in via dc0
>
> snort_inline built with --enable-inline --enable-ipfw
>
> When starting snort_inline -D -J 7500 -I dc0 -c snort_inline.conf
> /var/log/messages =
> Feb 28 11:09:39 cm-top snort_inline: Reading from ipfw divert socket
> Feb 28 11:09:39 cm-top snort_inline: IPFW Divert port set to: 7500
> Feb 28 11:09:39 cm-top snort_inline: Initializing daemon mode
> Feb 28 11:09:39 cm-top snort_inline: PID path stat checked out ok, PID path set to /var/run/
> Feb 28 11:09:39 cm-top snort_inline: Writing PID "33552" to file "/var/run//snort_inline.pid"
> Feb 28 11:09:39 cm-top snort_inline: Parsing Rules file /usr/local/snort_inline-2.3.0/etc/snort_inline.conf
> Feb 28 11:09:39 cm-top snort_inline: ,-----------[Flow Config]----------------------
> Feb 28 11:09:39 cm-top snort_inline: | Stats Interval: 0
> Feb 28 11:09:39 cm-top snort_inline: | Hash Method: 2
> Feb 28 11:09:39 cm-top snort_inline: | Memcap: 10485760
> Feb 28 11:09:39 cm-top snort_inline: | Rows : 4099
> Feb 28 11:09:39 cm-top snort_inline: | Overhead Bytes: 16400(%0.16)
> Feb 28 11:09:39 cm-top snort_inline: `----------------------------------------------
> Feb 28 11:09:39 cm-top snort_inline: HttpInspect Config:
> Feb 28 11:09:39 cm-top snort_inline: GLOBAL CONFIG
> Feb 28 11:09:39 cm-top snort_inline: Max Pipeline Requests: 0
> Feb 28 11:09:39 cm-top snort_inline: Inspection Type: STATELESS
> Feb 28 11:09:39 cm-top snort_inline: Detect Proxy Usage: NO
> Feb 28 11:09:39 cm-top snort_inline: IIS Unicode Map Filename: /usr/local/snort_inline-2.3.0/etc/unicode.map
> Feb 28 11:09:39 cm-top snort_inline: IIS Unicode Map Codepage: 1252
> Feb 28 11:09:39 cm-top snort_inline: DEFAULT SERVER CONFIG:
> Feb 28 11:09:39 cm-top snort_inline: Ports: 80 8080 8180
> Feb 28 11:09:39 cm-top snort_inline: Flow Depth: 300
> Feb 28 11:09:39 cm-top snort_inline: Max Chunk Length: 500000
> Feb 28 11:09:39 cm-top snort_inline: Inspect Pipeline Requests: YES
> Feb 28 11:09:39 cm-top snort_inline: URI Discovery Strict Mode: NO
> Feb 28 11:09:39 cm-top snort_inline: Allow Proxy Usage: NO
> Feb 28 11:09:39 cm-top snort_inline: Disable Alerting: NO
> Feb 28 11:09:39 cm-top snort_inline: Oversize Dir Length: 500
> Feb 28 11:09:39 cm-top snort_inline: Only inspect URI: NO
> Feb 28 11:09:39 cm-top snort_inline: Ascii: YES alert: NO
> Feb 28 11:09:39 cm-top snort_inline: Double Decoding: YES alert: YES
> Feb 28 11:09:39 cm-top snort_inline: %U Encoding: YES alert: YES
> Feb 28 11:09:39 cm-top snort_inline: Bare Byte: YES alert: YES
> Feb 28 11:09:39 cm-top snort_inline: Base36: OFF
> Feb 28 11:09:39 cm-top snort_inline: UTF 8: OFF
> Feb 28 11:09:39 cm-top snort_inline: IIS Unicode: YES alert: YES
> Feb 28 11:09:39 cm-top snort_inline: Multiple Slash: YES alert: NO
> Feb 28 11:09:39 cm-top snort_inline: IIS Backslash: YES alert: NO
> Feb 28 11:09:39 cm-top snort_inline: Directory Traversal: YES alert: NO
> Feb 28 11:09:39 cm-top snort_inline: Web Root Traversal: YES alert: YES
> Feb 28 11:09:39 cm-top snort_inline: Apache WhiteSpace: YES alert: NO
> Feb 28 11:09:39 cm-top snort_inline: IIS Delimiter: YES alert: NO
> Feb 28 11:09:39 cm-top snort_inline: IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
> Feb 28 11:09:39 cm-top snort_inline: Non-RFC Compliant Characters: NONE
> Feb 28 11:09:39 cm-top snort_inline: rpc_decode arguments:
> Feb 28 11:09:39 cm-top snort_inline: Ports to decode RPC on: 111 32771
> Feb 28 11:09:39 cm-top snort_inline: alert_fragments: INACTIVE
> Feb 28 11:09:39 cm-top snort_inline: alert_large_fragments: ACTIVE
> Feb 28 11:09:39 cm-top snort_inline: alert_incomplete: ACTIVE
> Feb 28 11:09:39 cm-top snort_inline: Warning: flowbits key 'realplayer.playlist' is checked but not ever set.
> Feb 28 11:09:39 cm-top snort_inline:
> Feb 28 11:09:39 cm-top snort_inline: +-----------------------[thresholding-config]----------------------------------
> Feb 28 11:09:39 cm-top snort_inline: | memory-cap : 1048576 bytes
> Feb 28 11:09:39 cm-top snort_inline: +-----------------------[thresholding-global]----------------------------------
> Feb 28 11:09:39 cm-top snort_inline: | none
> Feb 28 11:09:39 cm-top snort_inline: +-----------------------[thresholding-local]-----------------------------------
> Feb 28 11:09:39 cm-top snort_inline: | gen-id=1 sig-id=2523 type=Both tracking=dst count=10 seconds=10
> Feb 28 11:09:39 cm-top snort_inline: | gen-id=1 sig-id=2495 type=Both tracking=dst count=20 seconds=60
> Feb 28 11:09:39 cm-top snort_inline: | gen-id=1 sig-id=2923 type=Threshold tracking=dst count=10 seconds=60
> Feb 28 11:09:39 cm-top snort_inline: | gen-id=1 sig-id=2275 type=Threshold tracking=dst count=5 seconds=60
> Feb 28 11:09:39 cm-top snort_inline: | gen-id=1 sig-id=2494 type=Both tracking=dst count=20 seconds=60
> Feb 28 11:09:39 cm-top snort_inline: | gen-id=1 sig-id=2496 type=Both tracking=dst count=20 seconds=60
> Feb 28 11:09:39 cm-top snort_inline: | gen-id=1 sig-id=2924 type=Threshold tracking=dst count=10 seconds=60
> Feb 28 11:09:39 cm-top snort_inline: | none
> Feb 28 11:09:40 cm-top snort_inline: Snort initialization completed successfully (pid=33552)
>
> **** yet snort_inline is not running, a PS -auxw shows no PID for
> snort_inline.
> No core dumps.
>
> Any suggestions would be greatly appreciated...
> --
> Craig Mueller CISSP

Nick Rogness <ni...@ro...> - How many people here have telekinetic powers? Raise my hand. -Emo Philips |
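Nick's diagnosis above (natd and snort_inline both bound to DIVERT port 7500) as a configuration check, added here as an example and not from the thread or the snort_inline project. It reads the rc.conf fragment, the ipfw rule and the command line quoted in Craig's report, records which consumer claims each divert port, and reports ports claimed twice or fed by no ipfw rule; the natd fallback port 8668 is assumed from natd(8)'s default when -p is absent.

```python
import re
import shlex
from typing import Dict, List, Optional, Set

# Assumption: natd(8) binds this divert port when natd_flags carries no -p
# (the FreeBSD default, 'natd 8668/divert' in /etc/services).
NATD_DEFAULT_PORT = 8668

RC_VAR_RE = re.compile(r'^\s*(\w+)\s*=\s*"?([^"#]*)"?\s*(?:#.*)?$')
IPFW_DIVERT_RE = re.compile(r"^\s*ipfw\s+add\s+(?:\d+\s+)?divert\s+(\d+)\b", re.I)

def parse_rc_conf(text: str) -> Dict[str, str]:
    """Minimal rc.conf reader: name="value" lines only, which is all this check needs."""
    values: Dict[str, str] = {}
    for line in text.splitlines():
        m = RC_VAR_RE.match(line)
        if m:
            values[m.group(1)] = m.group(2).strip()
    return values

def natd_divert_port(rc: Dict[str, str]) -> Optional[int]:
    """Divert port natd will bind, or None when natd_enable is not YES."""
    if rc.get("natd_enable", "").upper() != "YES":
        return None
    args = shlex.split(rc.get("natd_flags", ""))
    for i, arg in enumerate(args):
        if arg in ("-p", "-port") and i + 1 < len(args):
            return int(args[i + 1])
    return NATD_DEFAULT_PORT

def snort_inline_divert_port(cmdline: str) -> Optional[int]:
    """Port from snort_inline's -J option; None if it is not reading a divert socket."""
    args = shlex.split(cmdline)
    for i, arg in enumerate(args):
        if arg == "-J" and i + 1 < len(args):
            return int(args[i + 1])
    return None

def ipfw_divert_rules(text: str) -> Dict[int, List[str]]:
    """Divert port -> the 'ipfw add ... divert' rules that feed it."""
    rules: Dict[int, List[str]] = {}
    for line in text.splitlines():
        m = IPFW_DIVERT_RE.match(line)
        if m:
            rules.setdefault(int(m.group(1)), []).append(line.strip())
    return rules

def check(rc_conf: str, ipfw_rules: str, snort_cmd: str) -> List[str]:
    """Findings as text; empty means each consumer has its own port and a rule feeding it."""
    claims: Dict[int, Set[str]] = {}
    for name, port in (("natd", natd_divert_port(parse_rc_conf(rc_conf))),
                       ("snort_inline", snort_inline_divert_port(snort_cmd))):
        if port is not None:
            claims.setdefault(port, set()).add(name)
    rules = ipfw_divert_rules(ipfw_rules)
    findings: List[str] = []
    for port, owners in sorted(claims.items()):
        if len(owners) > 1:  # two daemons on one divert port: only one gets the packets
            findings.append(f"divert port {port} claimed by {', '.join(sorted(owners))}")
        if port not in rules:  # a consumer that nothing is diverted to never sees traffic
            findings.append(f"no ipfw divert rule sends traffic to port {port}")
    return findings

# The configuration quoted in Craig's report.
RC_CONF = '''gateway_enable="YES"
natd_enable="YES"
natd_interface="dc0"
natd_flags="-p 7500"
firewall_enable="YES"
'''
IPFW_RULES = "ipfw add 1000 divert 7500 tcp from any to any in via dc0\n"
SNORT_CMD = "snort_inline -D -J 7500 -I dc0 -c snort_inline.conf"

if __name__ == "__main__":
    for finding in check(RC_CONF, IPFW_RULES, SNORT_CMD):
        print("finding:", finding)
```

Moving natd to another port (for instance dropping -p so it falls back to 8668) clears the collision but then reports that no ipfw rule diverts to natd's port, which is the second thing to fix.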
From: Craig M. <cmu...@al...> - 2005-02-28 18:32:55
|
Hello:

I've been trying to get snort_inline 2.3.0RC1 running on FreeBSD 5.2-RELEASE. It seems to start OK according to var/log/messages - yet the process is not running, no logging occurs.

I have IPDIVERT enabled in kernel,

rc.conf =
gateway_enable="YES"
natd_enable="YES"
natd_interface="dc0"
natd_flags="-p 7500"
firewall_enable="YES"

ipfw divert rules=
ipfw add 1000 divert 7500 tcp from any to any in via dc0

snort_inline built with --enable-inline --enable-ipfw

When starting snort_inline -D -J 7500 -I dc0 -c snort_inline.conf

/var/log/messages =
Feb 28 11:09:39 cm-top snort_inline: Reading from ipfw divert socket
Feb 28 11:09:39 cm-top snort_inline: IPFW Divert port set to: 7500
Feb 28 11:09:39 cm-top snort_inline: Initializing daemon mode
Feb 28 11:09:39 cm-top snort_inline: PID path stat checked out ok, PID path set to /var/run/
Feb 28 11:09:39 cm-top snort_inline: Writing PID "33552" to file "/var/run//snort_inline.pid"
Feb 28 11:09:39 cm-top snort_inline: Parsing Rules file /usr/local/snort_inline-2.3.0/etc/snort_inline.conf
Feb 28 11:09:39 cm-top snort_inline: ,-----------[Flow Config]----------------------
Feb 28 11:09:39 cm-top snort_inline: | Stats Interval: 0
Feb 28 11:09:39 cm-top snort_inline: | Hash Method: 2
Feb 28 11:09:39 cm-top snort_inline: | Memcap: 10485760
Feb 28 11:09:39 cm-top snort_inline: | Rows : 4099
Feb 28 11:09:39 cm-top snort_inline: | Overhead Bytes: 16400(%0.16)
Feb 28 11:09:39 cm-top snort_inline: `----------------------------------------------
Feb 28 11:09:39 cm-top snort_inline: HttpInspect Config:
Feb 28 11:09:39 cm-top snort_inline: GLOBAL CONFIG
Feb 28 11:09:39 cm-top snort_inline: Max Pipeline Requests: 0
Feb 28 11:09:39 cm-top snort_inline: Inspection Type: STATELESS
Feb 28 11:09:39 cm-top snort_inline: Detect Proxy Usage: NO
Feb 28 11:09:39 cm-top snort_inline: IIS Unicode Map Filename: /usr/local/snort_inline-2.3.0/etc/unicode.map
Feb 28 11:09:39 cm-top snort_inline: IIS Unicode Map Codepage: 1252
Feb 28 11:09:39 cm-top snort_inline: DEFAULT SERVER CONFIG:
Feb 28 11:09:39 cm-top snort_inline: Ports: 80 8080 8180
Feb 28 11:09:39 cm-top snort_inline: Flow Depth: 300
Feb 28 11:09:39 cm-top snort_inline: Max Chunk Length: 500000
Feb 28 11:09:39 cm-top snort_inline: Inspect Pipeline Requests: YES
Feb 28 11:09:39 cm-top snort_inline: URI Discovery Strict Mode: NO
Feb 28 11:09:39 cm-top snort_inline: Allow Proxy Usage: NO
Feb 28 11:09:39 cm-top snort_inline: Disable Alerting: NO
Feb 28 11:09:39 cm-top snort_inline: Oversize Dir Length: 500
Feb 28 11:09:39 cm-top snort_inline: Only inspect URI: NO
Feb 28 11:09:39 cm-top snort_inline: Ascii: YES alert: NO
Feb 28 11:09:39 cm-top snort_inline: Double Decoding: YES alert: YES
Feb 28 11:09:39 cm-top snort_inline: %U Encoding: YES alert: YES
Feb 28 11:09:39 cm-top snort_inline: Bare Byte: YES alert: YES
Feb 28 11:09:39 cm-top snort_inline: Base36: OFF
Feb 28 11:09:39 cm-top snort_inline: UTF 8: OFF
Feb 28 11:09:39 cm-top snort_inline: IIS Unicode: YES alert: YES
Feb 28 11:09:39 cm-top snort_inline: Multiple Slash: YES alert: NO
Feb 28 11:09:39 cm-top snort_inline: IIS Backslash: YES alert: NO
Feb 28 11:09:39 cm-top snort_inline: Directory Traversal: YES alert: NO
Feb 28 11:09:39 cm-top snort_inline: Web Root Traversal: YES alert: YES
Feb 28 11:09:39 cm-top snort_inline: Apache WhiteSpace: YES alert: NO
Feb 28 11:09:39 cm-top snort_inline: IIS Delimiter: YES alert: NO
Feb 28 11:09:39 cm-top snort_inline: IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
Feb 28 11:09:39 cm-top snort_inline: Non-RFC Compliant Characters: NONE
Feb 28 11:09:39 cm-top snort_inline: rpc_decode arguments:
Feb 28 11:09:39 cm-top snort_inline: Ports to decode RPC on: 111 32771
Feb 28 11:09:39 cm-top snort_inline: alert_fragments: INACTIVE
Feb 28 11:09:39 cm-top snort_inline: alert_large_fragments: ACTIVE
Feb 28 11:09:39 cm-top snort_inline: alert_incomplete: ACTIVE
Feb 28 11:09:39 cm-top snort_inline: Warning: flowbits key 'realplayer.playlist' is checked but not ever set.
Feb 28 11:09:39 cm-top snort_inline:
Feb 28 11:09:39 cm-top snort_inline: +-----------------------[thresholding-config]----------------------------------
Feb 28 11:09:39 cm-top snort_inline: | memory-cap : 1048576 bytes
Feb 28 11:09:39 cm-top snort_inline: +-----------------------[thresholding-global]----------------------------------
Feb 28 11:09:39 cm-top snort_inline: | none
Feb 28 11:09:39 cm-top snort_inline: +-----------------------[thresholding-local]-----------------------------------
Feb 28 11:09:39 cm-top snort_inline: | gen-id=1 sig-id=2523 type=Both tracking=dst count=10 seconds=10
Feb 28 11:09:39 cm-top snort_inline: | gen-id=1 sig-id=2495 type=Both tracking=dst count=20 seconds=60
Feb 28 11:09:39 cm-top snort_inline: | gen-id=1 sig-id=2923 type=Threshold tracking=dst count=10 seconds=60
Feb 28 11:09:39 cm-top snort_inline: | gen-id=1 sig-id=2275 type=Threshold tracking=dst count=5 seconds=60
Feb 28 11:09:39 cm-top snort_inline: | gen-id=1 sig-id=2494 type=Both tracking=dst count=20 seconds=60
Feb 28 11:09:39 cm-top snort_inline: | gen-id=1 sig-id=2496 type=Both tracking=dst count=20 seconds=60
Feb 28 11:09:39 cm-top snort_inline: | gen-id=1 sig-id=2924 type=Threshold tracking=dst count=10 seconds=60
Feb 28 11:09:39 cm-top snort_inline: | none
Feb 28 11:09:40 cm-top snort_inline: Snort initialization completed successfully (pid=33552)

**** yet snort_inline is not running, a PS -auxw shows no PID for snort_inline.
No core dumps.

Any suggestions would be greatly appreciated...
--
Craig Mueller CISSP |