From: Tim P. <tpo...@vo...> - 2005-02-16 20:41:38

Q1: I have a system (that happens to have nocat on it) that I am able to ssh into and wget any files I need from any remote host. When I start up snort_inline I can no longer get out using wget. I made some modifications to allow port 22 (ssh) to come in and that works fine, but I can't seem to figure out how to let wget out (port 80 as far as I know).

Q2: A secondary problem I have is when snort_inline is having traffic routed through it (as a queue) it seems to corrupt http requests, because I get some very strange errors when loading google (the google page is displayed but it says "bad request") and yahoo gives a url that is not yahoo (it sends me to http://www.yahoo.akadns.net and complains "the page you requested is forbidden"). When I turn off the queuing and just let the user get to the internet in the "normal" way I don't have this error, just with the queuing. I can traceroute to both google and yahoo without problems with the queue on or off.

I am currently running snort_inline 2.2.0a. I realize that maybe I am the first to try this setup and that's ok; any ideas on how to go about troubleshooting this would be a great help.

Here is my firewall script:

#!/bin/sh
##
#
# Custom firewall integrating NoCat and Snort_inline
# Rules that existed in NoCat that reside in this file have been commented out in initialize.fw
#
##

# Enable IP forwarding and rp_filter (to kill IP spoof attempts).
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter

# Load the kernel modules we need and some we don't
for module in ip_tables ipt_REDIRECT ipt_MASQUERADE ipt_MARK ipt_REJECT \
    ipt_TOS ipt_LOG iptable_mangle iptable_filter iptable_nat ip_nat_ftp \
    ip_conntrack ip_conntrack_ftp ip_conntrack_irc ip_queue \
    ip_nat_irc ipt_mac ipt_state ipt_mark; do
    modprobe $module
done

echo -n "Starting Standard Chains"

#########################################
# Create, Flush and Append our chains   #
#########################################
# -N creates new                        #
# -F flushes chain                      #
# -P sets default policy on chain       #
# -D deletes specified rule in chain    #
# -A appends a rule to specified chain  #
#########################################

iptables -t filter -N NoCat 2>/dev/null
iptables -t filter -F NoCat
iptables -t filter -D FORWARD -j NoCat 2>/dev/null
iptables -t filter -A FORWARD -j QUEUE
iptables -t filter -A FORWARD -j NoCat

iptables -t filter -N NoCat_Ports 2>/dev/null
iptables -t filter -F NoCat_Ports
iptables -t filter -D NoCat -j NoCat_Ports 2>/dev/null
iptables -t filter -A NoCat -j QUEUE
iptables -t filter -A NoCat -j NoCat_Ports

iptables -t filter -N NoCat_Inbound 2>/dev/null
iptables -t filter -F NoCat_Inbound
iptables -t filter -D NoCat -j NoCat_Inbound 2>/dev/null
iptables -t filter -A NoCat -j QUEUE
iptables -t filter -A NoCat -j NoCat_Inbound

iptables -t nat -N NoCat_Capture 2>/dev/null
iptables -t nat -F NoCat_Capture
iptables -t nat -D PREROUTING -j NoCat_Capture 2>/dev/null
# allow ssh access into the gateway
iptables -t nat -A PREROUTING -p tcp -i br0 --dport 22 -j ACCEPT
iptables -t nat -A PREROUTING -j QUEUE
iptables -t nat -A PREROUTING -j NoCat_Capture

iptables -t nat -N NoCat_NAT 2>/dev/null
iptables -t nat -F NoCat_NAT

iptables -t mangle -N NoCat 2>/dev/null
iptables -t mangle -F NoCat
iptables -t mangle -D PREROUTING -j NoCat 2>/dev/null
# allow ssh access into the gateway
iptables -t mangle -A PREROUTING -p tcp -i br0 --dport 22 -j ACCEPT
iptables -t mangle -A PREROUTING -j QUEUE
iptables -t mangle -A PREROUTING -j NoCat

echo -n "Starting Testing Chains"

##########################
#Rules I am still testing#
##########################
#iptables -N INPUT
iptables -F INPUT
iptables -P INPUT ACCEPT
#iptables -N OUTPUT
iptables -F OUTPUT
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p tcp -o br0 --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -i br0 --dport 21 -j ACCEPT
iptables -A INPUT -p tcp -i br0 --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -i br0 --dport 23 -j ACCEPT
iptables -A INPUT -p tcp -i br0 --dport 80 -j ACCEPT
iptables -A OUTPUT -o br0 -p ALL -j ACCEPT
iptables -A INPUT -i br0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t mangle -A PREROUTING -p tcp -i br0 --dport 22 -j ACCEPT
#iptables -t mangle -A PREROUTING -p tcp -i br0 --dport 80 -j ACCEPT
#####
#END#
#####

Thanks,
Timmay
From: Richard C. <ric...@gm...> - 2005-02-16 05:34:38

Thanks William,

That worked like a charm. One more thing (for now :). It looks like every packet that comes across the bridge is showing this message on my console: "nf_hook: Verdict = QUEUE." Any way I can stop this?

Thanks in advance,
Rich Compton

On Tue, 15 Feb 2005 18:08:39 -0600, William Metcalf <Wil...@kc...> wrote:
>
> oops, lets try that again.....
>
> --------------------------------------begin-script---------------------------------------------
> #!/bin/sh
>
> brctl addbr br0
> ifconfig eth1 0.0.0.0 up -arp
> ifconfig eth2 0.0.0.0 up -arp
> brctl addif br0 eth1
> brctl addif br0 eth2
> brctl stp br0 off
> ifconfig br0 0.0.0.0 up
>
> modprobe ip_queue
> modprobe ipt_LOG
>
> ### Support for connection tracking of FTP and IRC.
> modprobe ip_conntrack_ftp
> modprobe ip_conntrack_irc
>
> iptables -A INPUT -i eth0 -j ACCEPT
> iptables -A INPUT -i lo -j ACCEPT
>
> iptables -A FORWARD -j QUEUE
> -----------------------------------------end-script-----------------------------------
From: Richard C. <ric...@gm...> - 2005-02-15 23:49:50

Hi guys,

I really hope that you guys can help me out. I have fedora 3. I have snort-inline compiled and running. I have only the test.rules uncommented in snort.conf. I have a version of iptables with queue enabled. I have the following script to set up the bridge and set up iptables to pass traffic to the queue (see below). It looks like the packets are not being passed to snort to process. I should see lots of traffic being logged on my test snort rules but it looks like nothing is being logged. The log files are being created, by the way. I'd really like to know how I can determine if packets are being passed into the queue by iptables and over to snort. Anyone have any ideas?

--------------------------------------begin-script---------------------------------------------
#!/bin/sh

brctl addbr br0
ifconfig eth1 0.0.0.0 up -arp
ifconfig eth2 0.0.0.0 up -arp
brctl addif br0 eth1
brctl addif br0 eth2
brctl stp br0 off
ifconfig br0 0.0.0.0 up -arp

modprobe ip_queue
modprobe ipt_LOG

### Support for connection tracking of FTP and IRC.
modprobe ip_conntrack_ftp
modprobe ip_conntrack_irc

iptables -A INPUT -i eth0 -j ACCEPT

### Enable ip_forward
echo "1" > /proc/sys/net/ipv4/ip_forward

iptables -A INPUT -i eth1 -j QUEUE
iptables -A INPUT -i eth2 -j QUEUE
-----------------------------------------end-script-----------------------------------

--
Thanks,
Rich Compton
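A way to answer the question above ("how can I determine if packets are being passed into the queue by iptables and over to snort"), as an added example that is not from this thread or from the snort_inline project: it reads the per-rule packet counters of the FORWARD chain and the statistics the ip_queue module exposes in /proc/net/ip_queue, and reports whether QUEUE rules are matching anything and whether a userspace reader is attached. Both inputs are constructed samples embedded in the script so it runs offline; on the gateway you would feed it the real output of `iptables -L FORWARD -v -n -x` and `cat /proc/net/ip_queue`.

```shell
#!/bin/sh
# Added example (not snort_inline project code): check whether iptables is
# handing packets to the QUEUE target and whether a userspace reader
# (snort_inline) is attached to ip_queue.

# Constructed sample of `iptables -L FORWARD -v -n -x` with the
# "iptables -A FORWARD -j QUEUE" rule from the thread. First field is pkts.
SAMPLE_COUNTERS='Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
   12345    9876543 QUEUE      all  --  *      *       0.0.0.0/0            0.0.0.0/0'

# Constructed sample of /proc/net/ip_queue while a reader with pid 4321 is
# attached. "Peer PID : 0" would mean no process has opened the queue, so
# packets sent to QUEUE have nowhere to go and are dropped by the kernel.
SAMPLE_IPQ='Peer PID          : 4321
Copy mode         : 2
Copy range        : 65535
Queue length      : 0
Queue max. length : 1024
Queue dropped     : 0
Netlink dropped   : 0'

# Sum the packet counters of every rule whose target is QUEUE.
# $1: text of `iptables -L <chain> -v -n -x`
queue_packets() {
    printf '%s\n' "$1" | awk '$3 == "QUEUE" { n += $1 } END { print n + 0 }'
}

# Extract one numeric field from /proc/net/ip_queue text.
# $1: ip_queue text, $2: label such as "Peer PID" or "Queue dropped"
ipq_field() {
    printf '%s\n' "$1" | awk -F ':' -v label="$2" '
        { key = $1; sub(/[ \t]+$/, "", key) }
        key == label { gsub(/[ \t]/, "", $2); print $2; exit }'
}

# Combine both views into a verdict. Return codes:
#   0  packets are queued and a reader is attached
#   1  no QUEUE rule has matched anything (chain or interface mismatch)
#   2  packets are queued but nobody reads the queue (snort_inline not
#      running inline, or started before ip_queue was loaded)
#   3  a reader is attached but the queue is overflowing
queue_status() {
    pkts=$(queue_packets "$1")
    peer=$(ipq_field "$2" "Peer PID")
    dropped=$(ipq_field "$2" "Queue dropped")
    if [ "$pkts" -eq 0 ]; then
        echo "no packets have hit a QUEUE rule: check the chain and interface names"
        return 1
    fi
    if [ "${peer:-0}" -eq 0 ]; then
        echo "$pkts packets queued but no userspace reader (Peer PID 0)"
        return 2
    fi
    if [ "${dropped:-0}" -gt 0 ]; then
        echo "reader pid $peer attached, but $dropped packets dropped from the queue"
        return 3
    fi
    echo "$pkts packets queued, reader pid $peer attached, no drops"
    return 0
}

# Stand-alone run on the constructed samples.
queue_status "$SAMPLE_COUNTERS" "$SAMPLE_IPQ"
```

Run it twice a few seconds apart: if the QUEUE counter does not move while traffic crosses the bridge, the packets are not reaching the chain the rule lives in (the script in the post queues on INPUT, not FORWARD, so bridged traffic never matches it).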
From: Dino D. <dra...@gf...> - 2005-02-15 17:44:50

You can find more information in the README* files located in the doc directory in the snort_inline source tarball.

regards,
~~~
Dino Dragovic, system administrator
Gradevinski fakultet Osijek // Faculty of Civil Engineering
dra...@gf...
www.gfos.hr

> Hi
>
> I have installed snort (not snort-inline) on Enterprise Redhat with ACID. I can see packets matching rules are getting logged in the Mysql Database. But I didn't see any action on those packets. After sending mail to the snort mailing list I found that I need to use snort in INLINE mode.
>
> I read the INLINE mode document on http://snort-inline.sourceforge.net/index.html. As per this document snort-inline can send a TCP RST packet to drop the session which is matching a rule. But I am not finding more documents on that. Is there any other web site for that? I need to see how snort-inline is different from snort and how snort-inline takes action.
>
> Cordially,
> LK
From: <lok...@ac...> - 2005-02-15 14:53:24

Hi

I have installed snort (not snort-inline) on Enterprise Redhat with ACID. I can see packets matching rules are getting logged in the Mysql Database. But I didn't see any action on those packets. After sending mail to the snort mailing list I found that I need to use snort in INLINE mode.

I read the INLINE mode document on http://snort-inline.sourceforge.net/index.html. As per this document snort-inline can send a TCP RST packet to drop the session which is matching a rule. But I am not finding more documents on that. Is there any other web site for that? I need to see how snort-inline is different from snort and how snort-inline takes action.

Cordially,
LK
From: William M. <Wil...@kc...> - 2005-02-07 06:24:50

Hi list,

I know this release has been a long time coming. I promise you, all the nights Victor and I spent hunched over our keyboards listening to Massive Attack haven't been in vain. We've implemented some cool new features. But before we get to all the techno jargon, some administrative stuff.

Victor and I are very busy, so I apologize for taking a long time to get back to some of you. While developing snort_inline truly is my passion, it doesn't pay the bills. My paying job demands more and more of my time, and it doesn't appear to be letting up anytime soon. But I still want to make improvements to snort_inline and fulfill your requests. Because of time constraints, I'll need a generous web developer to take over updating and maintaining the website, changelog, feature-set, news, and most importantly recognize Rob's and Jed's hard work. One more piece of administrative business: Thanks to Lance Spitzner of honeynet.org for his sage advice, which has been a great help to Victor and me.

On to the Release:

Dan from SourceFire did a great job integrating the inline code into snort-2.3.0, but as I said before, we are going to maintain snort_inline as a separate project for new features. We have added two features in this release: stream4inline and stickydrop. We have also applied Nick's FreeBSD fixes, updated ClamAV to 2.3.0 and included a db-reload time so we don't have to kill snort_inline to refresh the DB.

http://snort-inline.sourceforge.net/download.html

The text below was taken from doc/README.INLINE. Please consult the etc/snort_inline.conf in the tarball for more configuration examples.

STREAM4 OPTIONS

stream4inline
    This forces stream4 to do packet reassembly on a sliding window. What this means is that we are doing reassembly in real-time, and no more of this postmortem uberpacket creation "alert but can't drop" nonsense. Be careful though: we are performing session drops, so this option has to be used in conjunction with enforce_state to be effective, otherwise what is the point. We are pretty sure we break the replace keyword with this one, so be careful.

Stream4inline options:
    truncate: truncates a stream instead of flushing it. Use this for the sliding window.
    truncate_percentage: set the percentage to cut off of the stream when we truncate (default 33).
    window_size: size in bytes of the sliding window (default: 7000).

STICKYDROP

Basically this preproc/detection-plugin came from the fact that I'm just too lazy to apply snortsam patches, and in addition I wanted to be able to drop attacker y for x number of seconds from a preproc like sfportscan.

STICKYDROP OPTIONS:

max_entries (int)
    Maximum amount of attacker entries allowed to be stored in the splaytree. Yeah, I know all the cool kids are using hash tables these days. I'll get there someday......

log (optional log file name)
    Victor would yell at me in Dutch if I didn't add this in. It does what it says: logs packets dropped by our preproc.

example:
preprocessor stickydrop: max_entries 3000,log

STICKYDROP-TIMEOUTS:

sigh...... someday I will write real parsing code, I promise.

clamav (int)
    Time in the number of seconds you want to block the source of an AV alert generated from the clamav preproc.

portscan2 (int)
    Time in the number of seconds you want to block a portscanner generated from the portscan2 preproc.

sfportscan (int)
    Time in the number of seconds you want to block a portscanner generated from the sfportscan preproc.

example:
preprocessor stickydrop-timeouts: clamav 3000, portscan2 10000, sfportscan 100000

STICKYDROP-IGNOREHOSTS:

List of networks never to add to our block tree. You probably want to add your HOME_NET networks here so as not to DoS yourself.

example:
preprocessor stickydrop-ignorehosts: 192.168.1.0/24

STICKYDROP KEYWORD:

On to the rule language stuff. This keyword relies on the stickydrop preprocessor.

sticky-drop:(block time in seconds,direction)

So let's say we have a drop rule

drop tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS CodeRed v2 boot.exe access"; flow:to_server,established; uricontent:"/boot.exe"; nocase; reference:url,www.cert.org/advisories/CA-2001-19.html; classtype:web-application-attack; sid:1256; rev:8;)

and let's say that we want to drop all packets with our attacker's source ip for the next 10 minutes. Can you see why it is important to add our HOME_NET to stickydrop-ignorehosts?

drop tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS CodeRed v2 boot.exe access"; flow:to_server,established; uricontent:"boot.exe"; nocase; sticky-drop: 600,src; reference:url,www.cert.org/advisories/CA-2001-19.html; classtype:web-application-attack; sid:1256; rev:8;)
From: <tha...@gb...> - 2005-02-02 04:18:05

OK. I'm so clear now. Thank you very much.

Regards,
Thanasin

> This all depends, Victor was correct and so was I ;-). In snort-2.2.0 we
> implemented state tracking via iptables marks to track state. In which
> case your state tracking is a combination of snort and iptables. It is
> cleaner than it sounds. With 2.3.0 Victor and I worked with Dan from
> sourcefire to implement a workaround in the stream4 preproc. So in 2.3.0
> you can use stream4 and if your sessions time out we now allow picking up
> midstream sessions and we alert and drop on them. So in
> snort_inline-2.2.0a you need to use ip_conntrack if you want to use
> stream4 and not have your sessions time out. If you are using snort-2.3.0
> or the soon to be released snort_inline-2.3.0 you can send all traffic to
> snort and stream4 will handle your connection tracking. Clear as mud?
>
> Regards,
>
> Will
>
> thanasin@gbtech.co.th
> Sent by: snort-inline-users-...@li...urceforge.net
> To: sno...@li...urceforge.net
> Subject: [Snort-inline-users] Some Confuse about iptables
> 02/01/2005 12:04 AM
>
> i've read from archives about using iptables with snort-inline and i've
> some questions to ask.
>
> -- snip --
>
> #
> # Start IPTables Queue :
> #
>
> echo "Start IPTables Queue Mode ..."
> /sbin/modprobe ip_queue
> /sbin/iptables -F
> /sbin/iptables -A INPUT -i lo -j ACCEPT
> /sbin/iptables -A OUTPUT -o lo -j ACCEPT
> /sbin/iptables -A INPUT -i eth0 -j ACCEPT
> /sbin/iptables -A OUTPUT -o eth0 -j ACCEPT
> /sbin/iptables -A INPUT -i eth1 -j ACCEPT
> /sbin/iptables -A OUTPUT -o eth1 -j ACCEPT
> /sbin/iptables -A INPUT -j QUEUE
> /sbin/iptables -A OUTPUT -j QUEUE
> /sbin/iptables -A FORWARD -j QUEUE
> /sbin/iptables -t mangle -A FORWARD -p tcp --syn -m state --state NEW -j MARK --set-mark 1
> /sbin/iptables -t mangle -A FORWARD -p tcp -m state --state RELATED,ESTABLISHED -j MARK --set-mark 2
> /sbin/iptables -I FORWARD -m mark --mark 1 -j QUEUE
> /sbin/iptables -I FORWARD -m mark --mark 2 -j QUEUE
>
> -- snip --
>
> This is my setting.
>
> first, Victor said on
> https://sourceforge.net/mailarchive/forum.php?thread_id=6461942&forum_id=32933
> that
>
> " You can just use:
>
> iptables -A FORWARD -j QUEUE
>
> This way you send all forwarded traffic to snort_inline, and you won't
> need ip_conntrack. "
>
> Do i have to choose between using ip_conntrack or -j QUEUE?
>
> OR is setting iptables like now ok?
>
> because i've a problem when using only "iptables -A FORWARD -j QUEUE": it
> makes my connection session too short when i connect out to the internet (ssh,
> irc) and Will told me to use ip_conntrack. I've set it as Will told me, like
>
> /sbin/iptables -t mangle -A FORWARD -p tcp --syn -m state --state NEW -j MARK --set-mark 1
> /sbin/iptables -t mangle -A FORWARD -p tcp -m state --state RELATED,ESTABLISHED -j MARK --set-mark 2
> /sbin/iptables -I FORWARD -m mark --mark 1 -j QUEUE
> /sbin/iptables -I FORWARD -m mark --mark 2 -j QUEUE
>
> and it totally solved my problem.
>
> Regards,
> Thanasin
>
> -------------------------------------------------------
> This SF.Net email is sponsored by: IntelliVIEW -- Interactive Reporting
> Tool for open source databases. Create drag-&-drop reports. Save time
> by over 75%! Publish reports on the web. Export to DOC, XLS, RTF, etc.
> Download a FREE copy at http://www.intelliview.com/go/osdn_nl
> _______________________________________________
> Snort-inline-users mailing list
> Sno...@li...
> https://lists.sourceforge.net/lists/listinfo/snort-inline-users
From: <tha...@gb...> - 2005-02-01 06:03:24

i've read from archives about using iptables with snort-inline and i've some questions to ask.

-- snip --

#
# Start IPTables Queue :
#

echo "Start IPTables Queue Mode ..."
/sbin/modprobe ip_queue
/sbin/iptables -F
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A OUTPUT -o lo -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -j ACCEPT
/sbin/iptables -A OUTPUT -o eth0 -j ACCEPT
/sbin/iptables -A INPUT -i eth1 -j ACCEPT
/sbin/iptables -A OUTPUT -o eth1 -j ACCEPT
/sbin/iptables -A INPUT -j QUEUE
/sbin/iptables -A OUTPUT -j QUEUE
/sbin/iptables -A FORWARD -j QUEUE
/sbin/iptables -t mangle -A FORWARD -p tcp --syn -m state --state NEW -j MARK --set-mark 1
/sbin/iptables -t mangle -A FORWARD -p tcp -m state --state RELATED,ESTABLISHED -j MARK --set-mark 2
/sbin/iptables -I FORWARD -m mark --mark 1 -j QUEUE
/sbin/iptables -I FORWARD -m mark --mark 2 -j QUEUE

-- snip --

This is my setting.

first, Victor said on
https://sourceforge.net/mailarchive/forum.php?thread_id=6461942&forum_id=32933
that

" You can just use:

iptables -A FORWARD -j QUEUE

This way you send all forwarded traffic to snort_inline, and you won't need ip_conntrack. "

Do i have to choose between using ip_conntrack or -j QUEUE?

OR is setting iptables like now ok?

because i've a problem when using only "iptables -A FORWARD -j QUEUE": it makes my connection session too short when i connect out to the internet (ssh, irc) and Will told me to use ip_conntrack. I've set it as Will told me, like

/sbin/iptables -t mangle -A FORWARD -p tcp --syn -m state --state NEW -j MARK --set-mark 1
/sbin/iptables -t mangle -A FORWARD -p tcp -m state --state RELATED,ESTABLISHED -j MARK --set-mark 2
/sbin/iptables -I FORWARD -m mark --mark 1 -j QUEUE
/sbin/iptables -I FORWARD -m mark --mark 2 -j QUEUE

and it totally solved my problem.

Regards,
Thanasin
From: William M. <Wil...@kc...> - 2005-02-01 04:33:10

No, you should run your favorite smtp server + spamassassin.

Regards,

Will
-----------------
Sent from my BlackBerry Handheld.

----- Original Message -----
From: snort-inline-users-admin
Sent: 01/31/2005 10:19 PM
To: sno...@li...
Subject: [Snort-inline-users] Spamassassin support in Snort-Inline

Hi All,

Is there any way snort-inline will work with spamassassin to identify spam in network mail traffic [For Gateway/Router Content Protection]?

Thanks,
Bharathi Raja.
--
http://bharthix.tk/
From: bharathi <bha...@au...> - 2005-02-01 04:19:24

Hi All,

Is there any way snort-inline will work with spamassassin to identify spam in network mail traffic [For Gateway/Router Content Protection]?

Thanks,
Bharathi Raja.
--
http://bharthix.tk/
From: Victor J. <vi...@nk...> - 2005-01-31 09:54:21

Murugavel Thiruvengadam wrote:
> Hi
>
> My question is "Is it necessary to mark packets for snort-inline to process?"
> iptables -t mangle -A FORWARD -p tcp -s <xxxxxx> --syn -m state --state NEW -j MARK --set-mark 1
>
> regards
> murugavel
>
> On Mon, 31 Jan 2005 09:22:06 +0000, Victor Julien <vi...@nk...> wrote:
>
>> Murugavel Thiruvengadam wrote:
>>
>>> Hi,
>>>
>>> We have to implement snort-inline without the ip_conntrack module.
>>>
>>> Is it possible?
>>>
>>> iptables -t mangle -A FORWARD -p tcp -s <xxxxxx> --syn -m state --state NEW -j MARK --set-mark 1
>>> iptables -t mangle -A FORWARD -p tcp -s <xxxxxxxxxx> -m state --state ESTABLISHED -j MARK --set-mark 2
>>> iptables -A FORWARD -s <xxxxxxx> -j QUEUE
>>>
>>> In the above rule ipt_state is using the ip_conntrack module.
>>>
>>> Is there any other way to modify the rule without ip_conntrack?
>>>
>>> Regards
>>> Murugavel
>>
>> Hi Murugavel,
>>
>> You can just use:
>>
>> iptables -A FORWARD -j QUEUE
>>
>> This way you send all forwarded traffic to snort_inline, and you won't
>> need ip_conntrack.
>>
>> Hope this helps,
>>
>> Regards,
>> Victor

No it's not. The marking was added as a way to help the stream4 preprocessor. But it's not needed. BTW: 2.3 won't even have this function anymore...

Regards,
Victor
From: Murugavel T. <tmu...@gm...> - 2005-01-31 09:49:46

Hi

My question is "Is it necessary to mark packets for snort-inline to process?"
iptables -t mangle -A FORWARD -p tcp -s <xxxxxx> --syn -m state --state NEW -j MARK --set-mark 1

regards
murugavel

On Mon, 31 Jan 2005 09:22:06 +0000, Victor Julien <vi...@nk...> wrote:
> Murugavel Thiruvengadam wrote:
> > Hi,
> >
> > We have to implement snort-inline without the ip_conntrack module.
> >
> > Is it possible?
> >
> > iptables -t mangle -A FORWARD -p tcp -s <xxxxxx> --syn -m state --state NEW -j MARK --set-mark 1
> > iptables -t mangle -A FORWARD -p tcp -s <xxxxxxxxxx> -m state --state ESTABLISHED -j MARK --set-mark 2
> > iptables -A FORWARD -s <xxxxxxx> -j QUEUE
> >
> > In the above rule ipt_state is using the ip_conntrack module.
> >
> > Is there any other way to modify the rule without ip_conntrack?
> >
> > Regards
> > Murugavel
>
> Hi Murugavel,
>
> You can just use:
>
> iptables -A FORWARD -j QUEUE
>
> This way you send all forwarded traffic to snort_inline, and you won't
> need ip_conntrack.
>
> Hope this helps,
>
> Regards,
> Victor

--
Regards
Muruga>>----le>
"Success comes to the person who does today"
From: Victor J. <vi...@nk...> - 2005-01-31 08:17:56

Murugavel Thiruvengadam wrote:
> Hi,
>
> We have to implement snort-inline without the ip_conntrack module.
>
> Is it possible?
>
> iptables -t mangle -A FORWARD -p tcp -s <xxxxxx> --syn -m state --state NEW -j MARK --set-mark 1
> iptables -t mangle -A FORWARD -p tcp -s <xxxxxxxxxx> -m state --state ESTABLISHED -j MARK --set-mark 2
> iptables -A FORWARD -s <xxxxxxx> -j QUEUE
>
> In the above rule ipt_state is using the ip_conntrack module.
>
> Is there any other way to modify the rule without ip_conntrack?
>
> Regards
> Murugavel

Hi Murugavel,

You can just use:

iptables -A FORWARD -j QUEUE

This way you send all forwarded traffic to snort_inline, and you won't need ip_conntrack.

Hope this helps,

Regards,
Victor
From: Murugavel T. <tmu...@gm...> - 2005-01-31 05:56:55

Hi,

We have to implement snort-inline without the ip_conntrack module.

Is it possible?

iptables -t mangle -A FORWARD -p tcp -s <xxxxxx> --syn -m state --state NEW -j MARK --set-mark 1
iptables -t mangle -A FORWARD -p tcp -s <xxxxxxxxxx> -m state --state ESTABLISHED -j MARK --set-mark 2
iptables -A FORWARD -s <xxxxxxx> -j QUEUE

In the above rule ipt_state is using the ip_conntrack module.

Is there any other way to modify the rule without ip_conntrack?

Regards
Murugavel

--
Regards
Muruga>>----le>
"Success comes to the person who does today"
From: Nick R. <ni...@ro...> - 2005-01-31 03:56:22

On Sun, 30 Jan 2005, William Metcalf wrote:
> Nick,
>
> Thanks for the patches, we will get them included into snort_inline-2.3.0.
> I'll look into the segfault and get back to you.

The patches fix the segfault too.

Nick
From: Nick R. <ni...@ro...> - 2005-01-30 03:41:09

On Thu, 30 Dec 2004, Christopher Black wrote:
> Well, I've included patches I've generated so far. The snort.h patch is
> required to compile, decode.c is required for it to not drop every
> packet, and inline.c adds a (commented out) ugly fix for the segfault,
> and two debug statements demonstrating the problem. All patches were
> created outside the top-level snort_inline-2.2.0a directory.
>
> A rule triggering a "reject" will segfault the program. I have traced
> it to inline.c, roughly line 398 (400 after my patch). Printing the
> value once returns the same value as printing it anywhere prior in the
> execution chain. Printing it again returns 0 and a segfault. My C
> skills aren't up to par I guess, because I'm stumped here.
>
> [root@mobilebeast1 blackchr]# gdb /usr/local/bin/snort_inline snort_inline.core
> GNU gdb 6.1.1 [FreeBSD]
> Copyright 2004 Free Software Foundation, Inc.
> GDB is free software, covered by the GNU General Public License, and you are
> welcome to change it and/or distribute copies of it under certain conditions.
> Type "show copying" to see the conditions.
> There is absolutely no warranty for GDB. Type "show warranty" for details.
> This GDB was configured as "i386-marcel-freebsd"...
> Core was generated by `snort_inline'.
> Program terminated with signal 11, Segmentation fault.
> Reading symbols from /usr/local/lib/libpcre.so.0...done.
> Loaded symbols for /usr/local/lib/libpcre.so.0
> Reading symbols from /usr/lib/libpcap.so.3...done.
> Loaded symbols for /usr/lib/libpcap.so.3
> Reading symbols from /lib/libm.so.3...done.
> Loaded symbols for /lib/libm.so.3
> Reading symbols from /lib/libc.so.5...done.
> Loaded symbols for /lib/libc.so.5
> Reading symbols from /libexec/ld-elf.so.1...done.
> Loaded symbols for /libexec/ld-elf.so.1
> #0 0x0806224d in HandlePacket () at inline.c:400
> 400 iph->ip_src.s_addr = tmpP->iph->ip_dst.s_addr;
> (gdb)
>
> Is there any more info I can provide?

I have included all of the patches that are needed to run snort_inline on FreeBSD 4.X and 5.X. The patches are against the snort_inline-2.2.0a.tar.gz file, from outside the top level. It turned out that all of the bugs were due to misplaced #ifdef's.

Also, I have written some online documentation for FreeBSD and snort_inline. It can be found at:

http://freebsd.rogness.net/snort_inline/

I will be submitting a FreeBSD port for snort_inline to the FreeBSD ports tree this week.

Nick Rogness <ni...@ro...>
- How many people here have telekinetic powers? Raise my hand. -Emo Philips
From: Victor J. <vi...@nk...> - 2005-01-19 11:38:20

tha...@gb... wrote:
> here is my preprocessor clamav
>
> preprocessor clamav: ports 21 25 80 81 110 119 139 445 143, toclientonly, action-drop, dbdir /usr/local/share/clamav
>
> is my config ok?

Yeah it looks good.

> so do you mean snort_inline 2.2 can only detect viruses using clamav support
> but can't block them, and snort_inline will have the capability to block viruses
> in the upcoming version (snort_inline 2.3), right?

No, snort_inline 2.2 can stop the viruses as well. There is however one limitation in snort_inline 2.2. If you use stream4 and stream4_reassemble, not only the normal packets are scanned, but also a packet that contains the data for multiple packets: this way we can detect attacks that are spread out over multiple packets. There is in the current version no way to block those reassembled packets. Normal packets can be blocked just fine. Snort_inline 2.3 will be able to block attacks that are detected in the reassembled packets.

Regards,
Victor
From: <tha...@gb...> - 2005-01-19 10:34:12

here is my preprocessor clamav

preprocessor clamav: ports 21 25 80 81 110 119 139 445 143, toclientonly, action-drop, dbdir /usr/local/share/clamav

is my config ok?

so do you mean snort_inline 2.2 can only detect viruses using clamav support but can't block them, and snort_inline will have the capability to block viruses in the upcoming version (snort_inline 2.3), right?

Regards,
Thanasin

> Hi Thanasin,
>
> Can you show the line from your snort_inline.conf that starts with:
> preprocessor clamav:?
>
> If the virus is alerted but not stopped it might be that it is detected
> in the reassembled stream. In that case snort_inline 2.2 will not be
> able to stop it. Snort_inline 2.3 will be able to do that, however it's
> not released yet (expect a beta release in a few weeks (note that snort
> 2.3 won't have this functionality, only inline :-)).
>
> Regards,
> Victor
>
> tha...@gb... wrote:
>> i set iptables like this
>>
>> #
>> # Start IPTables Queue :
>> #
>>
>> echo "Start IPTables Queue Mode ..."
>> /sbin/modprobe ip_queue
>> /sbin/iptables -F
>> /sbin/iptables -A INPUT -i lo -j ACCEPT
>> /sbin/iptables -A OUTPUT -o lo -j ACCEPT
>> /sbin/iptables -A INPUT -i eth0 -j ACCEPT
>> /sbin/iptables -A OUTPUT -o eth0 -j ACCEPT
>> /sbin/iptables -A INPUT -i eth1 -j ACCEPT
>> /sbin/iptables -A OUTPUT -o eth1 -j ACCEPT
>> /sbin/iptables -A INPUT -j QUEUE
>> /sbin/iptables -A OUTPUT -j QUEUE
>> #/sbin/iptables -A FORWARD -j QUEUE
>> /sbin/iptables -t mangle -A FORWARD -p tcp --syn -m state --state NEW -j MARK --set-mark 1
>> /sbin/iptables -t mangle -A FORWARD -p tcp -m state --state RELATED,ESTABLISHED -j MARK --set-mark 2
>> /sbin/iptables -I FORWARD -m mark --mark 1 -j QUEUE
>> /sbin/iptables -I FORWARD -m mark --mark 2 -j QUEUE
>>
>> do i have to enable /sbin/iptables -A FORWARD -j QUEUE
>>
>> because Will told me like this from
>> https://sourceforge.net/mailarchive/message.php?msg_id=10422612
>>
>> -- snip --
>>
>> iptables rules......
>>
>> iptables -t mangle -A FORWARD -p tcp --syn -m state --state NEW -j MARK --set-mark 1
>> iptables -t mangle -A FORWARD -p tcp -m state --state RELATED,ESTABLISHED -j MARK --set-mark 2
>> iptables -I FORWARD -m mark --mark 1 -j QUEUE
>> iptables -I FORWARD -m mark --mark 2 -j QUEUE
>>
>> tell stream4 about state tracking via snort.conf iptablesnewmark
>> defaults to 1, iptablesestmark defaults to 2...........
>>
>> preprocessor stream4: disable_evasion_alerts, iptablesnewmark, iptablesestmark, forceiptstate
>>
>> Regards,
>>
>> Will
>>
>> -- snip --
>>
>> are there any other related files?
>>
>> sorry for my english.
>>
>> Regards,
>> Thanasin
>>
>>>> my snort_inline box is working by capturing every anomaly traffic ex.
>>>> virus, exploit ... etc.
>>>>
>>>> but when i was trying to download a virus from outside, it alerted only but
>>>> did not block that virus. so where should i check or have a look in order to
>>>> let my snort_inline box block all virus traffic?
>>>>
>>>> Regards,
>>>> Thanasin
>>>>
>>>> -------------------------------------------------------
>>>> The SF.Net email is sponsored by: Beat the post-holiday blues
>>>> Get a FREE limited edition SourceForge.net t-shirt from ThinkGeek.
>>>> It's fun and FREE -- well, almost....http://www.thinkgeek.com/sfshirt
>>>> _______________________________________________
>>>> Snort-inline-users mailing list
>>>> Sno...@li...
>>>> https://lists.sourceforge.net/lists/listinfo/snort-inline-users
From: Victor J. <vi...@nk...> - 2005-01-19 10:15:01
Hi Thanasin,

Can you show the line from your snort_inline.conf that starts with:
preprocessor clamav:?

If the virus is alerted but not stopped it might be that it is detected in the reassembled stream. In that case snort_inline 2.2 will not be able to stop it. Snort_inline 2.3 will be able to do that, however it's not released yet (expect a beta release in a few weeks (note that snort 2.3 won't have this functionality, only inline :-)).

Regards,
Victor
From: Dino D. <dra...@gf...> - 2005-01-19 10:08:20
You have to configure the clamav preprocessor in your config. The default action is writing to the alert file. To block virus traffic you have to use action-drop or action-reset.

preprocessor clamav: ports all !443 !22, action-reset

Regards,
~~~
Dino Dragovic, system administrator
Gradevinski fakultet Osijek // Faculty of Civil Engineering
dra...@gf...
www.gfos.hr

----- Original Message -----
From: <tha...@gb...>
To: <sno...@li...>
Sent: Wednesday, January 19, 2005 7:55 AM
Subject: [Snort-inline-users] correcting snort_inline blocking ?

> my snort_inline box is working by capture every anomally traffic ex.
> virus, exploit ... etc.
>
> but when i was try to download virus from outside, it alert only but not
> block that virus. so where should i check or have a look in order to let
> my snort_inline box block all virus traffics ?
>
> Regards,
> Thanasin
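As an added example (my own code, not from the list or the snort_inline project), here is a small checker that parses a `preprocessor clamav:` line of the kind shown in this thread and reports whether a virus seen on a given port and direction would be dropped or only alerted on. The option names are the ones that appear in the thread; the parsing rules are my reading of those examples rather than the snort_inline parser, and Victor's point about detections in the reassembled stream is something no config check can see.

```python
import re

# Actions that make the clamav preprocessor block instead of only alerting
# (names as used in the thread; anything else is treated as alert-only).
BLOCKING_ACTIONS = {"action-drop", "action-reset"}


def parse_clamav_directive(line):
    """Parse 'preprocessor clamav: opt, opt, ...' into a dict.

    Handles 'ports <n> ...' (with 'all' and '!<n>' exclusions), 'toclientonly',
    'action-drop' / 'action-reset' and 'dbdir <path>'; other options are kept
    in 'unknown'. Grammar is my reading of the thread, not snort_inline's parser.
    """
    m = re.match(r"^\s*preprocessor\s+clamav\s*:\s*(.*)$", line)
    if not m:
        raise ValueError("not a 'preprocessor clamav:' line")
    conf = {"ports": set(), "all_ports": False, "excluded": set(),
            "action": "alert", "toclientonly": False, "dbdir": None, "unknown": []}
    for opt in filter(None, (o.strip() for o in m.group(1).split(","))):
        words = opt.split()
        key = words[0]
        if key == "ports":
            for tok in words[1:]:
                if tok == "all":
                    conf["all_ports"] = True
                elif tok.startswith("!"):
                    conf["excluded"].add(int(tok[1:]))
                else:
                    conf["ports"].add(int(tok))
        elif key in BLOCKING_ACTIONS:
            conf["action"] = key
        elif key == "toclientonly":
            conf["toclientonly"] = True
        elif key == "dbdir" and len(words) == 2:
            conf["dbdir"] = words[1]
        else:
            conf["unknown"].append(opt)
    return conf


def would_block(conf, port, to_client):
    """True if a virus in a packet on this port/direction would be dropped;
    with the default action the preprocessor only writes an alert."""
    if conf["action"] not in BLOCKING_ACTIONS:
        return False
    if conf["toclientonly"] and not to_client:
        return False
    if conf["all_ports"]:
        return port not in conf["excluded"]
    return port in conf["ports"]
```

A non-empty `unknown` list is worth surfacing in a startup check, since a misspelled action name leaves the preprocessor in alert-only mode.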
From: <tha...@gb...> - 2005-01-19 09:48:22
I set iptables like this:

#
# Start IPTables Queue :
#

echo "Start IPTables Queue Mode ..."
/sbin/modprobe ip_queue
/sbin/iptables -F
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A OUTPUT -o lo -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -j ACCEPT
/sbin/iptables -A OUTPUT -o eth0 -j ACCEPT
/sbin/iptables -A INPUT -i eth1 -j ACCEPT
/sbin/iptables -A OUTPUT -o eth1 -j ACCEPT
/sbin/iptables -A INPUT -j QUEUE
/sbin/iptables -A OUTPUT -j QUEUE
#/sbin/iptables -A FORWARD -j QUEUE
/sbin/iptables -t mangle -A FORWARD -p tcp --syn -m state --state NEW -j MARK --set-mark 1
/sbin/iptables -t mangle -A FORWARD -p tcp -m state --state RELATED,ESTABLISHED -j MARK --set-mark 2
/sbin/iptables -I FORWARD -m mark --mark 1 -j QUEUE
/sbin/iptables -I FORWARD -m mark --mark 2 -j QUEUE

Do I have to enable /sbin/iptables -A FORWARD -j QUEUE?

Because Will told me like this, from
https://sourceforge.net/mailarchive/message.php?msg_id=10422612

-- snip --

iptables rules......

iptables -t mangle -A FORWARD -p tcp --syn -m state --state NEW -j MARK --set-mark 1
iptables -t mangle -A FORWARD -p tcp -m state --state RELATED,ESTABLISHED -j MARK --set-mark 2
iptables -I FORWARD -m mark --mark 1 -j QUEUE
iptables -I FORWARD -m mark --mark 2 -j QUEUE

tell stream4 about state tracking via snort.conf iptablesnewmark
defaults to 1, iptablesestmark defaults to 2...........

preprocessor stream4: disable_evasion_alerts, iptablesnewmark, iptablesestmark, forceiptstate

Regards,

Will

-- snip --

Are there any other related files?

Sorry for my English.

Regards,
Thanasin
From: <tha...@gb...> - 2005-01-19 07:04:51
My snort_inline box is working, capturing every anomalous traffic, e.g. viruses, exploits, etc.

But when I tried to download a virus from outside, it only alerted but did not block that virus. So where should I check or have a look in order to let my snort_inline box block all virus traffic?

Regards,
Thanasin
From: Nick R. <ni...@ro...> - 2005-01-19 00:11:15
On Tue, 18 Jan 2005, Will Metcalf wrote:

> This should take care of your problem.
>
> http://snort-inline.sourceforge.net/FAQ.html
>
> In regards to running multiple instances of snort_inline with differing
> versions of the snort.conf, You still face the problem of only a single
> instance being able to connect to ip_queue. Victor and I have been
> discussing modifying ip_queue to do what you want, but at this point it
> is still all theoretical.

This is, however, a feature that should work with FreeBSD+snort_inline (at least theoretically). I'm working on fixing a few bugs with the code, testing, and writing documentation that will illustrate the setup.

Nick Rogness <ni...@ro...>
- How many people here have telekinetic powers? Raise my hand.
-Emo Philips
From: Will M. <wil...@gm...> - 2005-01-18 06:30:43
This should take care of your problem.

http://snort-inline.sourceforge.net/FAQ.html

In regards to running multiple instances of snort_inline with differing versions of the snort.conf, you still face the problem of only a single instance being able to connect to ip_queue. Victor and I have been discussing modifying ip_queue to do what you want, but at this point it is still all theoretical.

Regards,
Will
From: Murugavel T. <tmu...@gm...> - 2005-01-18 06:00:44
Hi

We are trying to install snort-inline 2.2.0a on Fedora Core 2.

Has anybody implemented snort-inline on Fedora Core 2?

We are getting the following error.

Any suggestion welcome.

Regards
T.Murugavel
--
In file included from /usr/include/linux/netfilter_ipv4/ip_queue.h:10,
                 from /usr/local/include/libipq.h:37,
                 from ../../src/inline.h:8,
                 from ../../src/snort.h:38,
                 from spo_alert_fast.c:51:
/usr/include/linux/if.h:59: error: redefinition of `struct ifmap'
/usr/include/linux/if.h:77: error: redefinition of `struct ifreq'
/usr/include/linux/if.h:126: error: redefinition of `struct ifconf'
make[3]: *** [spo_alert_fast.o] Error 1
make[3]: Leaving directory `/usr/local/src/snort_inline-2.2.0a/src/output-plugins'
make[2]: *** [all-recursive] Error 1
make[2]: Leaving directory `/usr/local/src/snort_inline-2.2.0a/src'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/usr/local/src/snort_inline-2.2.0a'
make: *** [all] Error 2

Regards
Muruga>>----le>
"Success comes to the person who does today"