From: Dave R. <dav...@gm...> - 2008-07-17 17:38:06

vishal_nitr wrote:
> Hi All,
> Whenever I use a "reject" rule I am getting an error "packet recv contents failure: No buffer space available", and snort-inline is hanging with this message, and also there are a lot of logs dumped in my log directory.
> To overcome this problem, somewhere on "Inliniac.com" I saw a post that we should change the default buffer size to 8388608 and the tcp buffer size to 1048576 4194304 16777216. I tried changing to these values but it's not working.
> When I debugged this problem I narrowed it down to a function
> HandlePacket() which is causing some loop inside and leading to a lot of
> logs and hanging snort.
> Is there any solution to this?
> I am using snort_inline-2.6.1.5 with NFQUEUE.

Try cat /proc/net/netlink and see where the memory is piling up.

Logs? Which logs? How are you logging? You may have other problems, such as insufficient processor, rules that are taking too long, etc.

You might want to set the mem sizes up:

/sbin/sysctl -w net.ipv4.tcp_mem='8388608 8388608 8388608'
/sbin/sysctl -w net.ipv4.tcp_wmem='8388608 8388608 8388608'
/sbin/sysctl -w net.ipv4.tcp_rmem='8388608 8388608 8388608'
/sbin/sysctl -w net.core.rmem_default=8388608
/sbin/sysctl -w net.core.wmem_default=8388608
/sbin/sysctl -w net.core.rmem_max=33554432
/sbin/sysctl -w net.core.wmem_max=16777216

Dave

--
"Of course, someone who knows more about this will correct me if I'm wrong, and someone who knows less will correct me if I'm right." David Palmer (pa...@ty...)
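Dave's "cat /proc/net/netlink" check, turned into a small report. This is an added example, not code from the thread or from snort_inline: a POSIX sh script that ranks netlink sockets by receive-queue memory (Rmem) and totals the netfilter family, protocol 12, which is the family NFQUEUE uses. It assumes the 2.6-era column layout (sk, Eth, Pid, Groups, Rmem, Wmem, ...; newer kernels append columns but keep these), and the sample data embedded in it is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example, not from the thread: find which netlink socket's receive
# queue (Rmem) is filling up when snort_inline reports "No buffer space
# available". The functions read /proc/net/netlink (or a copy) on stdin.
# Column layout assumed (2.6-era kernels; later ones append more columns):
#   sk  Eth  Pid  Groups  Rmem  Wmem  Dump  Locks ...
NETLINK_NETFILTER=12   # protocol family used by NFQUEUE / libnetfilter_queue

# netlink_rmem_report [THRESHOLD]
# Prints "pid eth rmem wmem", largest Rmem first, for every socket whose
# receive queue holds at least THRESHOLD bytes (default 0 = every socket).
netlink_rmem_report() {
    threshold=${1:-0}
    awk -v thr="$threshold" 'NR > 1 && $5 + 0 >= thr + 0 { print $3, $2, $5, $6 }' |
        sort -k3,3nr
}

# netlink_nfqueue_rmem
# Total Rmem over all sockets of the netfilter family. If this sits near
# net.core.rmem_max, the queue reader (snort_inline) is not keeping up and
# raising the buffer sizes only delays the same failure.
netlink_nfqueue_rmem() {
    awk -v eth="$NETLINK_NETFILTER" 'NR > 1 && $2 == eth { s += $5 } END { print s + 0 }'
}

# Constructed sample in the layout above (not real data): one netfilter
# socket (pid 4231) with two queues, one of them holding ~8 MB unread.
SAMPLE_NETLINK='sk       Eth Pid    Groups   Rmem     Wmem     Dump     Locks
f6c3d800 0   0      00000000 0        0        00000000 2
f6c3d400 12  4231   00000000 8273920  0        00000000 2
f6c3d000 12  4231   00000000 114688   0        00000000 2
f6c3c800 16  1      00000001 0        0        00000000 2'

# Demo on the sample. On a live box:  netlink_rmem_report 65536 < /proc/net/netlink
printf '%s\n' "$SAMPLE_NETLINK" | netlink_rmem_report 100000
printf 'netfilter-family Rmem total: %s\n' \
    "$(printf '%s\n' "$SAMPLE_NETLINK" | netlink_nfqueue_rmem)"
```

Compare the pid column against the snort_inline process to confirm the backlog is on its queue socket rather than on some other netlink user.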
From: vishal_nitr <vis...@re...> - 2008-07-17 11:23:03

Hi All,

Whenever I use a "reject" rule I am getting an error "packet recv contents failure: No buffer space available", and snort-inline is hanging with this message, and also there are a lot of logs dumped in my log directory.

To overcome this problem, somewhere on "Inliniac.com" I saw a post that we should change the default buffer size to 8388608 and the tcp buffer size to 1048576 4194304 16777216. I tried changing to these values but it's not working.

When I debugged this problem I narrowed it down to a function HandlePacket() which is causing some loop inside and leading to a lot of logs and hanging snort.

Is there any solution to this? I am using snort_inline-2.6.1.5 with NFQUEUE.

Thanks and Regards,
Vishal Kotalwar,
Software Engineer,
Aricent,
Chennai-35.
09884074047.
From: Victor J. <li...@in...> - 2008-07-15 10:17:34

Hmm, then my guess is that the "disable_norm_wscale" option is broken too... Anyway, all that code was removed from the 2.8.x branch. Get that from SVN or from SourceForge:
https://sourceforge.net/project/showfiles.php?group_id=78497&package_id=283430

Glad you got it working!

Cheers,
Victor

Alain DEGUILLE wrote:
> Thx,
>
> It was my first idea. But I tried "disable_norm_wscale" and it doesn't change anything.
> Now I try "norm_wscale_max 14" as you say at the bottom of the site, and it works!!
>
> I don't understand why disable_norm_wsale doesn't work?
>
> Whatever, I would like to thank you a lot!!!
>
> thx
>
> -----Original Message-----
> From: sno...@li... [mailto:sno...@li...] On behalf of Victor Julien
> Sent: Tuesday, 15 July 2008 09:51
> To: sno...@li...
> Subject: Re: [Snort-inline-users] low traffic from debian or ubuntu through snort inline
>
> I think this issue could be caused by the broken window scaling normalization code we had in that release. Please see my blog post about it here:
> http://www.inliniac.net/blog/2007/09/04/window-scaling-normalization-in-snort_inline-broken-by-design.html
>
> Regards,
> Victor
>
> Alain DEGUILLE wrote:
>> Hi,
>>
>> my kernel : 2.6.18-53.1.13.el5PAE
>>
>> thx
>>
>> -----Original Message-----
>> From: Eric Leblond [mailto:er...@in...]
>> Sent: Saturday, 12 July 2008 00:56
>> To: Alain DEGUILLE
>> Cc: sno...@li...
>> Subject: Re: [Snort-inline-users] low traffic from debian or ubuntu through snort inline
>>
>> Hi,
>>
>> On Friday, 2008 July 11 at 15:42:52 +0200, Alain DEGUILLE wrote:
>>> Hello,
>>>
>>> I'm using snort inline (snort_inline-2.6.1.5) on my firewall (Linux Redhat Enterprise 5) with iptables, to secure my web server on the DMZ.
>>> It works very well, except when the http client comes from Linux Debian or Ubuntu. Their traffic is very slow.
>>>
>>> Do you know this problem?
>>
>> Which kernel are you using? 2.6.22.x with X < 4 has a problem when nfqueuing packets with some specific packet size.
>>
>> Regards,
>> --
>> Eric Leblond
>> INL: http://www.inl.fr/
>> NuFW: http://www.nufw.org/
From: Alain D. <ade...@sq...> - 2008-07-15 10:11:51

Thx,

It was my first idea. But I tried "disable_norm_wscale" and it doesn't change anything.
Now I try "norm_wscale_max 14" as you say at the bottom of the site, and it works!!

I don't understand why disable_norm_wsale doesn't work?

Whatever, I would like to thank you a lot!!!

thx

-----Original Message-----
From: sno...@li... [mailto:sno...@li...] On behalf of Victor Julien
Sent: Tuesday, 15 July 2008 09:51
To: sno...@li...
Subject: Re: [Snort-inline-users] low traffic from debian or ubuntu through snort inline

I think this issue could be caused by the broken window scaling normalization code we had in that release. Please see my blog post about it here:
http://www.inliniac.net/blog/2007/09/04/window-scaling-normalization-in-snort_inline-broken-by-design.html

Regards,
Victor

Alain DEGUILLE wrote:
> Hi,
>
> my kernel : 2.6.18-53.1.13.el5PAE
>
> thx
>
> -----Original Message-----
> From: Eric Leblond [mailto:er...@in...]
> Sent: Saturday, 12 July 2008 00:56
> To: Alain DEGUILLE
> Cc: sno...@li...
> Subject: Re: [Snort-inline-users] low traffic from debian or ubuntu through snort inline
>
> Hi,
>
> On Friday, 2008 July 11 at 15:42:52 +0200, Alain DEGUILLE wrote:
>> Hello,
>>
>> I'm using snort inline (snort_inline-2.6.1.5) on my firewall (Linux Redhat Enterprise 5) with iptables, to secure my web server on the DMZ.
>> It works very well, except when the http client comes from Linux Debian or Ubuntu. Their traffic is very slow.
>>
>> Do you know this problem?
>
> Which kernel are you using? 2.6.22.x with X < 4 has a problem when nfqueuing packets with some specific packet size.
>
> Regards,
> --
> Eric Leblond
> INL: http://www.inl.fr/
> NuFW: http://www.nufw.org/
From: Alain D. <ade...@sq...> - 2008-07-15 08:00:06

If I disable snort, the problem stops.

-----Original Message-----
From: Alain DEGUILLE [mailto:ade...@sq...]
Sent: Tuesday, 15 July 2008 09:45
To: 'Eric Leblond'
Cc: 'sno...@li...'
Subject: RE: [Snort-inline-users] low traffic from debian or ubuntu through snort inline

Hi,

my kernel : 2.6.18-53.1.13.el5PAE

thx

-----Original Message-----
From: Eric Leblond [mailto:er...@in...]
Sent: Saturday, 12 July 2008 00:56
To: Alain DEGUILLE
Cc: sno...@li...
Subject: Re: [Snort-inline-users] low traffic from debian or ubuntu through snort inline

Hi,

On Friday, 2008 July 11 at 15:42:52 +0200, Alain DEGUILLE wrote:
> Hello,
>
> I'm using snort inline (snort_inline-2.6.1.5) on my firewall (Linux Redhat Enterprise 5) with iptables, to secure my web server on the DMZ.
> It works very well, except when the http client comes from Linux Debian or Ubuntu. Their traffic is very slow.
>
> Do you know this problem?

Which kernel are you using? 2.6.22.x with X < 4 has a problem when nfqueuing packets with some specific packet size.

Regards,
--
Eric Leblond
INL: http://www.inl.fr/
NuFW: http://www.nufw.org/
From: Victor J. <li...@in...> - 2008-07-15 07:51:05

I think this issue could be caused by the broken window scaling normalization code we had in that release. Please see my blog post about it here:
http://www.inliniac.net/blog/2007/09/04/window-scaling-normalization-in-snort_inline-broken-by-design.html

Regards,
Victor

Alain DEGUILLE wrote:
> Hi,
>
> my kernel : 2.6.18-53.1.13.el5PAE
>
> thx
>
> -----Original Message-----
> From: Eric Leblond [mailto:er...@in...]
> Sent: Saturday, 12 July 2008 00:56
> To: Alain DEGUILLE
> Cc: sno...@li...
> Subject: Re: [Snort-inline-users] low traffic from debian or ubuntu through snort inline
>
> Hi,
>
> On Friday, 2008 July 11 at 15:42:52 +0200, Alain DEGUILLE wrote:
>> Hello,
>>
>> I'm using snort inline (snort_inline-2.6.1.5) on my firewall (Linux Redhat Enterprise 5) with iptables, to secure my web server on the DMZ.
>> It works very well, except when the http client comes from Linux Debian or Ubuntu. Their traffic is very slow.
>>
>> Do you know this problem?
>
> Which kernel are you using? 2.6.22.x with X < 4 has a problem when nfqueuing packets with some specific packet size.
>
> Regards,
> --
> Eric Leblond
> INL: http://www.inl.fr/
> NuFW: http://www.nufw.org/
From: Alain D. <ade...@sq...> - 2008-07-15 07:45:52

Hi,

my kernel : 2.6.18-53.1.13.el5PAE

thx

-----Original Message-----
From: Eric Leblond [mailto:er...@in...]
Sent: Saturday, 12 July 2008 00:56
To: Alain DEGUILLE
Cc: sno...@li...
Subject: Re: [Snort-inline-users] low traffic from debian or ubuntu through snort inline

Hi,

On Friday, 2008 July 11 at 15:42:52 +0200, Alain DEGUILLE wrote:
> Hello,
>
> I'm using snort inline (snort_inline-2.6.1.5) on my firewall (Linux Redhat Enterprise 5) with iptables, to secure my web server on the DMZ.
> It works very well, except when the http client comes from Linux Debian or Ubuntu. Their traffic is very slow.
>
> Do you know this problem?

Which kernel are you using? 2.6.22.x with X < 4 has a problem when nfqueuing packets with some specific packet size.

Regards,
--
Eric Leblond
INL: http://www.inl.fr/
NuFW: http://www.nufw.org/
From: Eric L. <er...@in...> - 2008-07-15 06:18:10

hello,

On Tuesday, 2008 July 15 at 5:44:46 -0000, vishal_nitr wrote:
> Hi All, I want to dynamically block an IP of an attacker in snort-inline for a certain period of time, say 5 minutes. Is there any way to do this? Is sticky-drop an option for it? How do we use it for dynamic blocking because we don't know the IP of the attacker? I will appreciate any kind of help.

This is not a snort_inline feature but you could use ipset (http://ipset.netfilter.org/) which is able to add IPs to a list and remove them after some time.

BR,
--
Eric Leblond
INL: http://www.inl.fr/
NuFW: http://www.nufw.org/
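Eric's ipset suggestion worked through for the 5-minute case asked about above. This is an added example in POSIX sh, not Eric's code and not part of snort_inline: it creates a set whose entries carry their own expiry, hooks the set into iptables so matching sources are dropped, and adds an address that the kernel forgets again after 300 seconds. The set name snort_tmpblock is an assumption, the syntax is that of ipset 6.x (hash:ip), and the address validator is there because the value will be parsed out of an alert, i.e. untrusted text that must not reach a command line unchecked.

```shell
#!/bin/sh
# Added example, not from the thread: time-limited blocking with ipset, as
# Eric suggests. ipset's per-entry timeout removes the address on its own,
# so a 5-minute block needs no cleanup job. Set name is an assumption.
SET_NAME=${SET_NAME:-snort_tmpblock}
DEFAULT_TIMEOUT=300   # seconds: the 5 minutes asked for in the thread

# valid_ipv4 ADDR -> 0 if ADDR is a bare dotted-quad IPv4 address, else 1.
# The address will typically be parsed out of an alert, i.e. attacker-
# influenced text, so nothing but a plain address may reach ipset's argv.
valid_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    # exactly four octets: three dots, none of them leading/trailing/doubled
    [ "$(printf '%s' "$1" | tr -cd '.' | wc -c | tr -d ' ')" -eq 3 ] || return 1
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    for octet in "$1" "$2" "$3" "$4"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# blocklist_setup: create the set if needed and make INPUT and FORWARD drop
# packets whose source is in it (idempotent: -C checks before -I inserts).
blocklist_setup() {
    ipset -exist create "$SET_NAME" hash:ip timeout "$DEFAULT_TIMEOUT" || return 1
    for chain in INPUT FORWARD; do
        iptables -C "$chain" -m set --match-set "$SET_NAME" src -j DROP 2>/dev/null ||
            iptables -I "$chain" -m set --match-set "$SET_NAME" src -j DROP || return 1
    done
}

# block_temporarily ADDR [SECONDS]: add ADDR with its own expiry. With -exist,
# re-adding an address that is already present refreshes its timer instead
# of failing, so repeated alerts from one source keep it blocked.
block_temporarily() {
    valid_ipv4 "$1" || {
        printf 'refusing to block %s: not an IPv4 address\n' "$1" >&2
        return 2
    }
    ipset -exist add "$SET_NAME" "$1" timeout "${2:-$DEFAULT_TIMEOUT}"
}

# blocklist_show: list current entries with the seconds left on each timer.
blocklist_show() {
    ipset list "$SET_NAME"
}
```

On the firewall, run blocklist_setup once at boot and have whatever consumes the snort_inline alerts call block_temporarily with the source address; blocklist_show prints each entry with its remaining timeout.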
From: vishal_nitr <vis...@re...> - 2008-07-15 05:44:16

Hi All,

I want to dynamically block an IP of an attacker in snort-inline for a certain period of time, say 5 minutes. Is there any way to do this? Is sticky-drop an option for it? How do we use it for dynamic blocking because we don't know the IP of the attacker? I will appreciate any kind of help.

Thanks and Regards,
Vishal Kotalwar,
Software Engineer,
Aricent,
Chennai-35.
09884074047.
From: Eric L. <er...@in...> - 2008-07-11 22:56:01

Hi,

On Friday, 2008 July 11 at 15:42:52 +0200, Alain DEGUILLE wrote:
> Hello,
>
> I'm using snort inline (snort_inline-2.6.1.5) on my firewall (Linux Redhat Enterprise 5) with iptables, to secure my web server on the DMZ.
> It works very well, except when the http client comes from Linux Debian or Ubuntu. Their traffic is very slow.
>
> Do you know this problem?

Which kernel are you using? 2.6.22.x with X < 4 has a problem when nfqueuing packets with some specific packet size.

Regards,
--
Eric Leblond
INL: http://www.inl.fr/
NuFW: http://www.nufw.org/
From: Alain D. <ade...@sq...> - 2008-07-11 13:43:27

Hello,

I'm using snort inline (snort_inline-2.6.1.5) on my firewall (Linux Redhat Enterprise 5) with iptables, to secure my web server on the DMZ.
It works very well, except when the http client comes from Linux Debian or Ubuntu. Their traffic is very slow.

Do you know this problem?
From: Will M. <wil...@gm...> - 2008-07-10 17:52:11

did you ./autojunk.sh before configure?

Regards,
Will

On 7/10/08, Nigel Horne <nj...@ba...> wrote:
> Using Fedora Core 8, gcc 4.1.2, i386, "configure --enable-clamav; make" I get:
>
> ...
> sf_dynamic_plugins.c: In function 'InitDynamicPreprocessors':
> sf_dynamic_plugins.c:1243: error: 'InlineMode' undeclared (first use in this function)
> sf_dynamic_plugins.c:1243: error: (Each undeclared identifier is reported only once
> sf_dynamic_plugins.c:1243: error: for each function it appears in.)
> sf_dynamic_plugins.c: At top level:
> sf_dynamic_plugins.c:1289: warning: function declaration isn't a prototype
> sf_dynamic_plugins.c:1312: warning: function declaration isn't a prototype
> sf_dynamic_plugins.c: In function 'DumpDetectionLibRules':
> sf_dynamic_plugins.c:1320: warning: passing argument 2 of 'getSymbol' discards qualifiers from pointer target type
> sf_dynamic_plugins.c:1320: warning: ISO C forbids conversion of object pointer to function pointer type
> sf_dynamic_plugins.c: In function 'LoadDynamicPreprocessor':
> sf_dynamic_plugins.c:1356: warning: passing argument 2 of 'getSymbol' discards qualifiers from pointer target type
> sf_dynamic_plugins.c:1356: warning: ISO C forbids conversion of object pointer to function pointer type
> sf_dynamic_plugins.c: At top level:
> sf_dynamic_plugins.c:1379: warning: function declaration isn't a prototype
> distcc[15693] ERROR: compile sf_dynamic_plugins.c on localhost failed
> make[4]: *** [sf_dynamic_plugins.o] Error 1
> make[4]: Leaving directory `/home/njh/src/snort-inline/trunk/src/dynamic-plugins'
> make[3]: *** [all-recursive] Error 1
> make[3]: Leaving directory `/home/njh/src/snort-inline/trunk/src/dynamic-plugins'
> make[2]: *** [all-recursive] Error 1
> make[2]: Leaving directory `/home/njh/src/snort-inline/trunk/src'
> make[1]: *** [all-recursive] Error 1
> make[1]: Leaving directory `/home/njh/src/snort-inline/trunk'
> make: *** [all] Error 2
> [njh@njh trunk]$
>
> Any clues?
>
> -Nigel
From: Nigel H. <nj...@ba...> - 2008-07-10 16:58:33
When maxratio was dropped by clamav spp_clamav.c wasn't updated to use its replacement maxscansize. The fix against SVN is: Index: spp_clamav.c =================================================================== --- spp_clamav.c (revision 87) +++ spp_clamav.c (working copy) @@ -543,6 +543,7 @@ clam_limits.maxreclevel = 5; /* maximal compression ratio */ /* clam_limits.maxratio = 200;*/ + clam_limits.maxscansize = 31457280; /* 30 MB */ /* disable memory limit for bzip2 scanner */ clam_limits.archivememlim = 0; -Nigel -- Come to Las Vegas to see the latest in Sourcefire and open source innovation. Register at www.bossconference.com by September 30th to save $200! |
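Review bot: the added `clam_limits.maxscansize = 31457280; /* 30 MB */` line hard-codes a value that the reader has to multiply out to check against its comment; `30 * 1024 * 1024` says the same thing checkably. Two smaller points on the same hunk: the dead `/* clam_limits.maxratio = 200;*/` line now sits directly above its replacement and could be dropped, and if the preprocessor still has to build against libclamav releases from before maxratio was dropped (the message describes maxscansize as its replacement), the assignment needs a library-version guard or it will not compile there.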
From: Nigel H. <nj...@ba...> - 2008-07-10 16:05:51

Line 349 of src/preprocessors/flow/portscan/server_stats.c reads,

    fd = open(filename, O_CREAT|O_TRUNC|O_SYNC|O_WRONLY);

When using O_CREAT you *must* specify a mode such as:

    fd = open(filename, O_CREAT|O_TRUNC|O_SYNC|O_WRONLY, 0644);

-Nigel
--
Come to Las Vegas to see the latest in Sourcefire and open source innovation. Register at www.bossconference.com by September 30th to save $200!
From: Nigel H. <nj...@ba...> - 2008-07-10 15:07:54

Using Fedora Core 8, gcc 4.1.2, i386, "configure --enable-clamav; make" I get:

...
sf_dynamic_plugins.c: In function ‘InitDynamicPreprocessors’:
sf_dynamic_plugins.c:1243: error: ‘InlineMode’ undeclared (first use in this function)
sf_dynamic_plugins.c:1243: error: (Each undeclared identifier is reported only once
sf_dynamic_plugins.c:1243: error: for each function it appears in.)
sf_dynamic_plugins.c: At top level:
sf_dynamic_plugins.c:1289: warning: function declaration isn’t a prototype
sf_dynamic_plugins.c:1312: warning: function declaration isn’t a prototype
sf_dynamic_plugins.c: In function ‘DumpDetectionLibRules’:
sf_dynamic_plugins.c:1320: warning: passing argument 2 of ‘getSymbol’ discards qualifiers from pointer target type
sf_dynamic_plugins.c:1320: warning: ISO C forbids conversion of object pointer to function pointer type
sf_dynamic_plugins.c: In function ‘LoadDynamicPreprocessor’:
sf_dynamic_plugins.c:1356: warning: passing argument 2 of ‘getSymbol’ discards qualifiers from pointer target type
sf_dynamic_plugins.c:1356: warning: ISO C forbids conversion of object pointer to function pointer type
sf_dynamic_plugins.c: At top level:
sf_dynamic_plugins.c:1379: warning: function declaration isn’t a prototype
distcc[15693] ERROR: compile sf_dynamic_plugins.c on localhost failed
make[4]: *** [sf_dynamic_plugins.o] Error 1
make[4]: Leaving directory `/home/njh/src/snort-inline/trunk/src/dynamic-plugins'
make[3]: *** [all-recursive] Error 1
make[3]: Leaving directory `/home/njh/src/snort-inline/trunk/src/dynamic-plugins'
make[2]: *** [all-recursive] Error 1
make[2]: Leaving directory `/home/njh/src/snort-inline/trunk/src'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/home/njh/src/snort-inline/trunk'
make: *** [all] Error 2
[njh@njh trunk]$

Any clues?

-Nigel
From: vishal_nitr <vis...@re...> - 2008-06-26 14:53:13

Hi Joel,

Thanks for the reply, but when I opened voip.rules or bleeding-voip.rules all I could see was rules cast against port no 5060, which is the port used by the SIP protocol, and these rules may block the SIP-based VoIP traffic. But there are some other VoIP applications which use H.323, or Cisco applications which have their own proprietary protocol, and again there is this famous Skype application which uses its own protocols for VoIP. How can we block these applications at packet level?

On Thu, 26 Jun 2008 09:16:47 -0400 Joel Esler wrote
> There is a whole set of rules for VOIP. voip.rules distributed from snort.org
>
> J
>
> On Jun 26, 2008, at 4:09 AM, vishal_nitr wrote:
>> Hi ALL,
>> Can snort IPS detect VOIP traffic and block it? Is there any rule available for it?
>>
>> Thanks and Regards,
>> Vishal Kotalwar,
>> Software Engineer,
>> Aricent,
>> Chennai-35.
>> 09884074047.
>
> --
> Joel Esler
> joe...@ma...
> http://blog.joelesler.net
> [m]

Thanks and Regards,
Vishal Kotalwar,
Software Engineer,
Aricent,
Chennai-35.
09884074047.
From: vishal_nitr <vis...@re...> - 2008-06-26 08:08:45

Hi ALL,

Can snort IPS detect VOIP traffic and block it? Is there any rule available for it?

Thanks and Regards,
Vishal Kotalwar,
Software Engineer,
Aricent,
Chennai-35.
09884074047.
From: Scott M. <mil...@ch...> - 2008-06-12 10:50:13

Hi

I was wondering if it was at all possible to code the ability to have a different length content when using replace, possibly by having snort look at the size of the replace string and then modify the packet size by changing the TCP length values?? Assuming that the current reason it doesn't work is because the TCP length wouldn't match...

scott
From: Will M. <wil...@gm...> - 2008-05-21 06:04:19

is this the only rule you have in your rule set?

On Wed, May 21, 2008 at 12:45 AM, vishal_nitr <vis...@re...> wrote:
> yeh sure...
>
> my iptable rules are
>
> iptables -p tcp -A OUTPUT --sport 80 -j NFQUEUE --queue-num 100
> iptables -p tcp -A INPUT --dport 80 -j NFQUEUE --queue-num 100
>
> snort rule is
>
> pass tcp any any <> 172.30.11.120/32 80
>
> stream4 settings are
>
> preprocessor stream4: disable_evasion_alerts,
> stream4inline,
> enforce_state pass,
> memcap 100000000,
> timeout 3600,
> truncate,
> window_size 3000
>
> preprocessor stream4_reassemble: both, ports "default", favor_new
>
> my HTTP configs are
>
> preprocessor http_inspect: global
> iis_unicode_map unicode.map 1252
>
> preprocessor http_inspect_server: server default
> profile all ports { 80 8080 8180 } oversize_dir_length 500
>
> Actually I tried disabling all stream4 configs and HTTP configs but it wasn't working.
>
>
> On Tue, 20 May 2008 12:26:20 +0200 Victor Julien wrote
>
> I suspect there is some state issue here. Could you show us the iptables rules, relevant snort rules and your stream4/5 settings?
>
> Regards,
> Victor
>
> vishal_nitr wrote:
>> Hi ALL,
>> I am running snort in inline mode on a HTTP server by using NFQUEUE. I have two queues for HTTP traffic destined to this server, one for incoming requests and another for responses given by this server to the client.
>> When I am sending an HTTP request from a client with both the queues present, the TCP connection is getting established, the GET request is coming to the server and the acknowledgement is also reaching the client, but the 200 OK packets are not reaching the client. Packets are dropped by snort as it's a pass rule.
>>
>> I suspect it is some configuration issue.
>>
>> Please help me resolve this issue.
>>
>> Thanks
>> vishal
>>
>> Thanks and Regards,
>> Vishal Kotalwar,
>> Software Engineer,
>> Aricent,
>> Chennai-35.
>> 09884074047.
>
> Thanks and Regards,
> Vishal Kotalwar,
> Software Engineer,
> Aricent,
> Chennai-35.
> 09884074047.
From: vishal_nitr <vis...@re...> - 2008-05-21 05:44:18

yeh sure...

my iptable rules are

iptables -p tcp -A OUTPUT --sport 80 -j NFQUEUE --queue-num 100
iptables -p tcp -A INPUT --dport 80 -j NFQUEUE --queue-num 100

snort rule is

pass tcp any any <> 172.30.11.120/32 80

stream4 settings are

preprocessor stream4: disable_evasion_alerts, \
    stream4inline, \
    enforce_state pass, \
    memcap 100000000, \
    timeout 3600, \
    truncate, \
    window_size 3000

preprocessor stream4_reassemble: both, ports "default", favor_new

my HTTP configs are

preprocessor http_inspect: global \
    iis_unicode_map unicode.map 1252

preprocessor http_inspect_server: server default \
    profile all ports { 80 8080 8180 } oversize_dir_length 500

Actually I tried disabling all stream4 configs and HTTP configs but it wasn't working.

On Tue, 20 May 2008 12:26:20 +0200 Victor Julien wrote
> I suspect there is some state issue here. Could you show us the iptables rules, relevant snort rules and your stream4/5 settings?
>
> Regards,
> Victor
>
> vishal_nitr wrote:
>> Hi ALL,
>> I am running snort in inline mode on a HTTP server by using NFQUEUE. I have two queues for HTTP traffic destined to this server, one for incoming requests and another for responses given by this server to the client.
>> When I am sending an HTTP request from a client with both the queues present, the TCP connection is getting established, the GET request is coming to the server and the acknowledgement is also reaching the client, but the 200 OK packets are not reaching the client. Packets are dropped by snort as it's a pass rule.
>>
>> I suspect it is some configuration issue.
>>
>> Please help me resolve this issue.
>>
>> Thanks
>> vishal
>>
>> Thanks and Regards,
>> Vishal Kotalwar,
>> Software Engineer,
>> Aricent,
>> Chennai-35.
>> 09884074047.

Thanks and Regards,
Vishal Kotalwar,
Software Engineer,
Aricent,
Chennai-35.
09884074047.
From: Victor J. <li...@in...> - 2008-05-20 10:26:48

I suspect there is some state issue here. Could you show us the iptables rules, relevant snort rules and your stream4/5 settings?

Regards,
Victor

vishal_nitr wrote:
> Hi ALL,
> I am running snort in inline mode on a HTTP server by using NFQUEUE. I have two queues for HTTP traffic destined to this server, one for incoming requests and another for responses given by this server to the client.
> When I am sending an HTTP request from a client with both the queues present, the TCP connection is getting established, the GET request is coming to the server and the acknowledgement is also reaching the client, but the 200 OK packets are not reaching the client. Packets are dropped by snort as it's a pass rule.
>
> I suspect it is some configuration issue.
>
> Please help me resolve this issue.
>
> Thanks
> vishal
>
> Thanks and Regards,
> Vishal Kotalwar,
> Software Engineer,
> Aricent,
> Chennai-35.
> 09884074047.
From: vishal_nitr <vis...@re...> - 2008-05-20 07:18:08
|
Hi ALL,
I am running snort in inline mode on a HTTP server by using NFQUEUE. I have two queues for HTTP traffic destined to this server, one for incoming requests and another for responses given by this server to the client.
When I am sending an HTTP request from a client with both the queues present, the TCP connection is getting established, the GET request is coming to the server and the acknowledgement is also reaching the client, but the 200 OK packets are not reaching the client. Packets are dropped by snort as it's a pass rule.

I suspect it is some configuration issue.

Please help me resolve this issue.

Thanks
vishal

Thanks and Regards,
Vishal Kotalwar,
Software Engineer,
Aricent,
Chennai-35.
09884074047. |
From: mehdi g. <meh...@ya...> - 2008-05-13 11:22:18
|
Hi All,
I have searched the net many times but I could not solve this issue:

-> snort_inline (+ press enter)
"error while loading shared libraries: libdnet.1: cannot open shared object file: No such file or directory"

Please note I have installed
Iptable install-devel
Lib net
Libdnet in the usual directory
Pcre
and etc...
and make and make install snort_inline without errors.
I have libdnet.h and libdnet.1 in my OS (suse 10.2)

Also I have tried to configure snort_inline via this:
./configure --with-dnet-libraries=/usr/lib --with-dnet-includes=/usr/local/include/

but it did not work, what should I do?
Thanks
Mehdi |
From: Matt J. <jo...@jo...> - 2008-05-12 12:25:20
|
BTW: We (at emergingthreats.net) have considered some specific inline modified rulesets. We've tried to make these, but it always comes down to the fact that what to block and how long to block are just too personal or organizationally specific. These are not decisions anyone can make for you. Not even on a very general level, unfortunately.

Matt

Will Metcalf wrote:
> There is not a specific set of snort_inline rules that I am aware of. You can use the VRT, community, and emergingthreats.net rules and modify them to use inline specific actions such as drop or reject etc. If you want to make mass rule changes oinkmaster can help you accomplish this. http://oinkmaster.sourceforge.net/
>
> Regards,
>
> Will
>
> On Mon, May 12, 2008 at 5:28 AM, vishal_nitr <vis...@re...> wrote:
>> Hi ALL,
>> I am a newcomer in the snort_inline community and want to use snort_inline as an IPS. I searched for the rules but I got only snort rules, not the snort_inline rules.
>> Can anybody help me in getting snort_inline rules and how to use them?
>>
>> Thank You.
>>
>> Thanks and Regards,
>> Vishal Kotalwar,
>> Software Engineer,
>> Aricent,
>> Chennai-35.
>> 09884074047.

--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------
PGP: http://www.jonkmans.com/mattjonkman.asc |
From: Will M. <wil...@gm...> - 2008-05-12 11:58:16
|
There is not a specific set of snort_inline rules that I am aware of. You can use the VRT, community, and emergingthreats.net rules and modify them to use inline specific actions such as drop or reject etc. If you want to make mass rule changes oinkmaster can help you accomplish this. http://oinkmaster.sourceforge.net/

Regards,

Will

On Mon, May 12, 2008 at 5:28 AM, vishal_nitr <vis...@re...> wrote:
> Hi ALL,
> I am a newcomer in the snort_inline community and want to use snort_inline as an IPS. I searched for the rules but I got only snort rules, not the snort_inline rules.
> Can anybody help me in getting snort_inline rules and how to use them?
>
> Thank You.
>
> Thanks and Regards,
> Vishal Kotalwar,
> Software Engineer,
> Aricent,
> Chennai-35.
> 09884074047. |
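Will's advice above (modify ordinary Snort rules to use inline actions such as drop or reject) and Matt's follow-up (which rules to block is an organizational decision nobody can make for you) can be combined in a small rewrite script. The following is an added example written for this archive; it is not code from the list thread, from oinkmaster or from snort_inline. It rewrites the action word of selected alert rules and leaves everything else (comments, pass rules, unselected alerts) untouched, so the operator's blocking policy is expressed as an explicit sid or classtype selection rather than a blanket search-and-replace. The sample rules, their sids (local range) and the selection policy are constructed for the example; the classtype names are standard Snort classtypes, but the rules themselves are not real VRT or ET signatures.

```python
import re
from typing import Dict, Optional, Set

# Added example (not code from the list thread, oinkmaster or snort_inline).
# Rewrites the action word of selected Snort "alert" rules to an inline action
# such as drop or reject, leaving every other line untouched. Which rules to
# convert is the operator's own policy; the sid/classtype filters below are
# one way to express it.

INLINE_ACTIONS = {"drop", "reject", "sdrop"}  # inline-specific rule actions

# Leading action word of an uncommented rule line; the rest is kept verbatim.
_RULE_RE = re.compile(
    r"^(?P<action>alert|log|pass|drop|reject|sdrop|activate|dynamic)\s+(?P<rest>.*)$"
)
_SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
_CLASSTYPE_RE = re.compile(r"\bclasstype\s*:\s*([\w-]+)\s*;")


def rule_sid(line: str) -> Optional[int]:
    """Return the rule's sid, or None if the line carries none."""
    m = _SID_RE.search(line)
    return int(m.group(1)) if m else None


def rule_classtype(line: str) -> Optional[str]:
    """Return the rule's classtype, or None if the line carries none."""
    m = _CLASSTYPE_RE.search(line)
    return m.group(1) if m else None


def convert_rule(line: str, new_action: str = "drop",
                 sids: Optional[Set[int]] = None,
                 classtypes: Optional[Set[str]] = None) -> str:
    """Rewrite one rule line.

    Only uncommented 'alert' rules are candidates. With neither filter given,
    every alert rule is converted; otherwise a rule is converted when its sid
    is in `sids` or its classtype is in `classtypes`.
    """
    if new_action not in INLINE_ACTIONS:
        raise ValueError(f"not an inline action: {new_action}")
    stripped = line.strip()
    m = _RULE_RE.match(stripped)
    if not m or m.group("action") != "alert":
        return line  # comment, blank line, or a rule that is not an alert
    if sids is None and classtypes is None:
        selected = True
    else:
        selected = ((sids is not None and rule_sid(stripped) in sids) or
                    (classtypes is not None and rule_classtype(stripped) in classtypes))
    return f"{new_action} {m.group('rest')}" if selected else line


def convert_ruleset(text: str, new_action: str = "drop",
                    sids: Optional[Set[int]] = None,
                    classtypes: Optional[Set[str]] = None) -> str:
    """Apply convert_rule to every line of a rules file's contents."""
    return "\n".join(convert_rule(l, new_action, sids, classtypes)
                     for l in text.splitlines())


def action_counts(text: str) -> Dict[str, int]:
    """Count rules per action so the blocking footprint can be reviewed before deployment."""
    counts: Dict[str, int] = {}
    for line in text.splitlines():
        m = _RULE_RE.match(line.strip())
        if m:
            counts[m.group("action")] = counts.get(m.group("action"), 0) + 1
    return counts


# Constructed sample rules (local sid range; not real VRT/ET signatures).
SAMPLE_RULES = """\
# constructed sample ruleset
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"CONSTRUCTED web attack"; classtype:web-application-attack; sid:1000001; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"CONSTRUCTED trojan beacon"; classtype:trojan-activity; sid:1000002; rev:1;)
pass tcp $HOME_NET any -> $HOME_NET 22 (msg:"CONSTRUCTED admin ssh"; sid:1000003; rev:1;)
# alert tcp any any -> any any (msg:"CONSTRUCTED disabled rule"; sid:1000004; rev:1;)
"""

if __name__ == "__main__":
    # Policy for this example: block only trojan-activity detections, keep alerting on the rest.
    converted = convert_ruleset(SAMPLE_RULES, "drop", classtypes={"trojan-activity"})
    print(converted)
    print(action_counts(converted))
```

Run it on a real rules file by reading the file into `convert_ruleset` and writing the result to the rules directory snort_inline loads; `action_counts` on the output shows how many rules will now drop traffic, which is worth checking before the new file goes live. For bulk changes oinkmaster's own `modifysid` directive (in oinkmaster.conf, for example `modifysid 1000002 "^alert" | "drop"`) does the same substitution during rule updates, which is the route Will points to.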