From: Justin A. <JA...@ua...> - 2004-10-07 19:26:51

I purposely put snort_inline on an underpowered box to see how well it would scale to 100mbit (not very well as it turns out :-)). I was trying to work out ways to reduce the number of packets sent through snort. At first I came up with something like:

    iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -j QUEUE

which works to limit the packets going through snort, but will obviously cause snort to miss any attack that is broken up across many packets, or any attack that needs to establish a session first (like logging in to an anonymous ftp server).

In looking at the l7-filter stuff for linux, they have the following feature:

"""
By default, l7-filter looks at the first 8 packets or 2kB, whichever is smaller. You can alter the number of packets through /proc/net/layer7_numpackets, i.e. echo "12" > /proc/net/layer7_numpackets. You can alter the maximum data size by recompiling the kernel with a larger value for "Buffer size for application layer data" (CONFIG_IP_NF_MATCH_LAYER7_MAXDATALEN).
"""

I was wondering if snort_inline could be made to work the same way. I think all that is needed is a hacked up ip_queue module, but it might be more complicated than that. Does anyone have any thoughts on this idea?

--
Justin Azoff
Network Performance Analyst
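The two approaches sketched in this post (bypassing ESTABLISHED,RELATED traffic versus an l7-filter style first-N-packets budget) differ in exactly which packets snort_inline ever gets to see. The following is an added example, not code from the post or the snort_inline project: a Python model of both queueing policies run over two constructed flows, an anonymous-FTP login in which the marker appears only after authentication, and a bulk stream in which it appears late; the flow names, payloads and the b"EVIL" marker are constructed for illustration.

```python
"""Added example (not from the list post or the snort_inline project): a
small model of which packets in a flow each queueing policy hands to
snort_inline.  Policy A is the rule pair from the post (ACCEPT
ESTABLISHED,RELATED, then QUEUE); policy B is the l7-filter style budget the
post asks about.  Flow names, payloads and the b"EVIL" marker are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Packet:
    flow: str        # constructed flow id, e.g. "ftp-1"
    direction: str   # "c2s" (client to server) or "s2c"
    payload: bytes   # TCP payload; b"" for bare handshake segments


def state_policy(pkts: List[Packet]) -> List[int]:
    """Indices that reach QUEUE under
         iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
         iptables -A FORWARD -j QUEUE
    The state match calls a packet NEW only while its flow has seen no reply;
    the first reply and everything after it is ESTABLISHED and is ACCEPTed
    without ever reaching snort_inline.  RELATED flows (e.g. FTP data
    channels) are not modelled; they would bypass inspection as well."""
    origin: Dict[str, str] = {}    # flow -> direction of its first packet
    replied: Dict[str, bool] = {}  # flow -> has a reply been seen yet?
    queued: List[int] = []
    for i, p in enumerate(pkts):
        first = origin.setdefault(p.flow, p.direction)
        if replied.get(p.flow, False):
            continue                # ESTABLISHED -> ACCEPT, bypasses snort
        if p.direction != first:
            replied[p.flow] = True  # the reply itself is ESTABLISHED too
            continue
        queued.append(i)            # NEW -> QUEUE
    return queued


def budget_policy(pkts: List[Packet], max_packets: int = 8,
                  max_bytes: int = 2048) -> List[int]:
    """Indices that reach QUEUE under an l7-filter style per-flow budget: the
    first max_packets packets or max_bytes of payload, whichever is exhausted
    first (l7-filter's defaults are 8 packets / 2 kB).  After that the rest of
    the flow is ACCEPTed unseen."""
    count: Dict[str, int] = {}
    nbytes: Dict[str, int] = {}
    queued: List[int] = []
    for i, p in enumerate(pkts):
        c, b = count.get(p.flow, 0), nbytes.get(p.flow, 0)
        if c >= max_packets or b >= max_bytes:
            continue                # budget spent -> ACCEPT
        count[p.flow], nbytes[p.flow] = c + 1, b + len(p.payload)
        queued.append(i)
    return queued


def missed(pkts: List[Packet], queued: List[int],
           marker: bytes = b"EVIL") -> List[int]:
    """Packets carrying the marker that were never handed to snort_inline."""
    q = set(queued)
    return [i for i, p in enumerate(pkts) if marker in p.payload and i not in q]


def ftp_session() -> List[Packet]:
    """Constructed anonymous-FTP login where the marker only appears after
    login: the 'attack that needs to establish a session first' case."""
    f = "ftp-1"
    return [
        Packet(f, "c2s", b""),                                      # 0 SYN
        Packet(f, "s2c", b""),                                      # 1 SYN/ACK
        Packet(f, "c2s", b"USER anonymous\r\n"),                    # 2
        Packet(f, "s2c", b"331 Please specify the password.\r\n"),  # 3
        Packet(f, "c2s", b"PASS guest@\r\n"),                       # 4
        Packet(f, "s2c", b"230 Login successful.\r\n"),             # 5
        Packet(f, "c2s", b"CWD EVIL\r\n"),                          # 6 post-login
    ]


def long_stream() -> List[Packet]:
    """Constructed bulk transfer: handshake plus ten 300-byte segments with
    the marker in the last one, to show the packet and byte caps biting."""
    f = "stream-1"
    pkts = [Packet(f, "c2s", b""), Packet(f, "s2c", b"")]
    for n in range(10):
        body = b"EVIL" + b"x" * 296 if n == 9 else b"x" * 300
        pkts.append(Packet(f, "c2s" if n % 2 == 0 else "s2c", body))
    return pkts


def compare(pkts: List[Packet]) -> Dict[str, List[int]]:
    """Which packets each policy inspects and which marker packets slip by."""
    s, b = state_policy(pkts), budget_policy(pkts)
    return {"state_queued": s, "state_missed": missed(pkts, s),
            "budget_queued": b, "budget_missed": missed(pkts, b)}


if __name__ == "__main__":
    for name, flow in (("ftp", ftp_session()), ("stream", long_stream())):
        print(name, compare(flow))
```

With the defaults, the state-based rules inspect only the SYN of each flow and miss the post-login command, while the 8-packet budget catches it but still misses anything past packet 8 (or past 2 kB) of a longer stream.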
From: Brian J. <te...@ja...> - 2004-10-07 14:20:55

I have recently got around to upgrading my Snort_Inline from 2.0.6a to 2.2.0. I have made minimal changes to the default .conf file supplied with inline-2.2.0, only changing the HOME_NET and 'config checksum_mode: all log' (I have tacked on the log bit, hope it's right). The functionality is great, lots to learn! But it is very slow. Top reports minimal cpu load and loads of spare memory.

As part of this upgrade I moved snort_inline to a more powerful box. So to check that the problem was snort_inline-2.2.0 and not the rest of the system I rebuilt a 2.0.6a version and tried that. It required the commenting out of http_inspect preprocessor lines in the .conf file but other than that no changes. The 2.0.6a version runs much, much, much faster.

Can someone tell me how to find what in 2.2.0 is causing the chronic slowdown? Or suggestions on what to disable to try and get some zip back into the system. I have been running snort-2.2.0 proper as an IDS for some time and this reports no noticeable increase in dropped packets.

All suggestions and help much appreciated.

regards,
Brian
From: Lance S. <la...@ho...> - 2004-10-07 03:14:40

On Oct 6, 2004, at 16:29, Michael Penland wrote:
> All,
>
> snort and snort_inline.
>
> Should I run both?
> Is it true that snort catches things that inline doesn't and (vice versa).
> I see the HoneyNet project runs both.

Actually, we run three instances on the Honeywall CDROM :)

- We run snort-inline for the specific purpose of mitigating the risk of outbound connections from the honeypots.
- We run snort in IDS mode to alert on all inbound activity.
- We run snort in pcap mode to capture all network traffic. Snort has some additional security features that tcpdump does not have (specifically -u and -t). We did not want to enable IDS functionality with Snort for doing pcap, as the preprocessors modify the data you collect.

So, snort/snort-inline can do many things, no one is better than the other, it just depends on what you want to do :)

lance
From: Will M. <wil...@gm...> - 2004-10-07 03:06:24

Michael,

I wouldn't say that one is better than the other, or that one misses things that the other doesn't. snort_inline is essentially just a patch to mainline snort to allow us to leverage userspace queueing via iptables to analyze and perform IPS functionality using the snort detection engine and signature database. I think Rob said it best: "Think of this as an Intrusion Prevention System (IPS) that uses existing Intrusion Detection System (IDS) signatures to make decisions on packets that traverse snort_inline."

BTW snort_inline users, Victor and I are developing a sticky-drop preprocessor/detection plugin hybrid. When we are finished you will be able to use the preproc and the snort rule language to set up blocks for set periods of time. An example would be to drop all traffic from an attacker that has triggered a portscan alert for the next 10 minutes. Things of that nature. If there is anything else you guys want to see in snort_inline please let me know.

Regards,

Will

On Wed, 06 Oct 2004 17:29:43 -0400, Michael Penland <mpe...@ho...> wrote:
> All,
>
> snort and snort_inline.
>
> Should I run both?
> Is it true that snort catches things that inline doesn't and (vice versa).
> I see the HoneyNet project runs both.
> Just wanted to clear the discrepancy.
>
> Thanks,
> MGP
From: Michael P. <mpe...@ho...> - 2004-10-06 21:30:14

All,

snort and snort_inline.

Should I run both?
Is it true that snort catches things that inline doesn't and (vice versa).
I see the HoneyNet project runs both.
Just wanted to clear the discrepancy.

Thanks,
MGP
From: Will M. <wil...@gm...> - 2004-09-23 18:15:49

List,

I have posted the final version of snort_inline-2.2.0 in source form. The fpdetect patch has been applied, as has a modification to the default snort_inline.conf file. We have discovered that clamav must be initialized after stream4 and before http_inspect.

Is anybody out there still using the statically compiled binaries? I've had some issues with the statically compiled binaries in the past, as everything is statically linked except for the libc libraries, which tend to be different across distributions. I'll create them if there is still a demand for them.

Regards,

Will

http://snort-inline.sourceforge.net/download.html
From: Will M. <wil...@gm...> - 2004-09-21 23:55:24

List,

Attached below is a diff for the Threshold bug. We now have the illusion of thresholding, as we are sdropping the alert once it exceeds the threshold. This diff should work for snort_inline versions 2.1.0 - 2.2.0-RC1. Once again thanks to Jeremy Hewlett from Sourcefire for discovering this bug.

Regards,

Will

Patch can also be downloaded from http://sourceforge.net/tracker/index.php?func=detail&aid=1032249&group_id=78497&atid=553469

94bd7c0cae6b068bdf3dcdb1ec64d7a3 fpdetectfix.diff
From: Will M. <wil...@gm...> - 2004-09-21 20:17:53

List,

There is a bug that exists in all versions of snort_inline with thresholding/suppression support. When a rule is configured for "drop/sdrop" and thresholding/suppression is configured for the same rule, once the thresholding/suppression criteria have been met the offending packet is no longer dropped. A patch to fix this bug should be available later today. Until then disable any thresholding/suppression you have set up.

In addition, I have yet to receive any negative feedback about snort_inline-2.2.0-RC1. Last chance to send me any complaints/comments/suggestions before I post the final version later this week.

Thanks to Jeremy Hewlett of Sourcefire for discovering and reporting this bug.

Regards,

Will
From: Will M. <wil...@gm...> - 2004-09-18 02:27:50

Jason,

Sounds good to me, and sounds much more graceful than pflog0. Let me know if there is anything I can do to help.

Regards,

Will

On Fri, 17 Sep 2004 15:31:06 -0600, Jason Ish <ja...@co...> wrote:
> On Fri, Sep 17, 2004 at 02:10:41PM -0500, Will Metcalf wrote:
> > List,
> >
> > Any brilliant *BSD pf programmers out there have any bright ideas how
> > we can get pf traffic sent to user space? The only thing I can find
> > so far that looks somewhat useful is the pflog0 interface. From what
> > I can see we can block out traffic, grab it from pflog0, rewrite it in
> > user space and re-inject it via pcap or libnet. This is a really bad
> > solution, and I really don't want to write an interface for
> > snort_inline to use this. I'm taking suggestions......
>
> There exists a patch out there that adds a new rule 'pf-ask'. It
> logged the rule with pflog0 (I believe), you sniffed there and it came
> with an ID. You then ioctl()'d back on /dev/pf if you wanted to pass
> the packet, or just handle it in userland.
>
> Latency was really bad..
>
> I've very slowly been working on a 'pipe' option to 'pipe' out packets
> to userland and not retain the packet in an in-kernel queue. Not sure
> if this is any more graceful than the pflog option (but you can tell
> what's to be piped and what's just being dropped/logged). But the idea
> is to be able to pipe the packet back into pf for forwarding so all
> state data is retained. Not sure if this would be blessed by the
> proper pf people or not.
From: Jason I. <ja...@co...> - 2004-09-17 21:30:09

On Fri, Sep 17, 2004 at 02:10:41PM -0500, Will Metcalf wrote:
> List,
>
> Any brilliant *BSD pf programmers out there have any bright ideas how
> we can get pf traffic sent to user space? The only thing I can find
> so far that looks somewhat useful is the pflog0 interface. From what
> I can see we can block out traffic, grab it from pflog0, rewrite it in
> user space and re-inject it via pcap or libnet. This is a really bad
> solution, and I really don't want to write an interface for
> snort_inline to use this. I'm taking suggestions......

There exists a patch out there that adds a new rule 'pf-ask'. It logged the rule with pflog0 (I believe), you sniffed there and it came with an ID. You then ioctl()'d back on /dev/pf if you wanted to pass the packet, or just handle it in userland.

Latency was really bad..

I've very slowly been working on a 'pipe' option to 'pipe' out packets to userland and not retain the packet in an in-kernel queue. Not sure if this is any more graceful than the pflog option (but you can tell what's to be piped and what's just being dropped/logged). But the idea is to be able to pipe the packet back into pf for forwarding so all state data is retained. Not sure if this would be blessed by the proper pf people or not.
From: Will M. <wil...@gm...> - 2004-09-17 19:11:38

List,

Any brilliant *BSD pf programmers out there have any bright ideas how we can get pf traffic sent to user space? The only thing I can find so far that looks somewhat useful is the pflog0 interface. From what I can see we can block out traffic, grab it from pflog0, rewrite it in user space and re-inject it via pcap or libnet. This is a really bad solution, and I really don't want to write an interface for snort_inline to use this. I'm taking suggestions......

Regards,

Will
From: Nick R. <ni...@ro...> - 2004-09-14 20:27:56

On Tue, 14 Sep 2004, prabu wrote:
> Hi Nick,
> Thanks a lot for the good explanation. Now, my question is, what should I
> do so that I can compile snort-inline on HP-UX? You have killed even
> the little hope to compile snort-inline on HPUX. Is there any other way
> to do so?

Not unless you have a firewall running that supports it, i.e. iptables. I'm not sure iptables can be run on HP-UX. It would be nice to get PF+snort_inline working together. Until then, I think you're hosed! Sorry again :-)

> ----- Original Message -----
> From: "Nick Rogness" <ni...@ro...>
> To: "Victor Julien" <vi...@nk...>
> Cc: <sno...@li...>; "prabu" <pra...@ho...>
> Sent: Sunday, September 12, 2004 7:46 AM
> Subject: Re: [Snort-inline-users] snort_inline on Hp-ux? (was: Re: Snort-inline-users digest, Vol 1 #222 - 1 msg)
>
>> On Fri, 3 Sep 2004, Victor Julien wrote:
>>
>>> Hi Prabu,
>>>
>>> I don't know if it can work, but a quick search in Google tells me Hp-ux
>>> is using IPFW, which Snort_inline supports. So I would say, give it a go
>>> and post errors, problems or success stories to the snort_inline-users
>>> mailinglist. We will try to assist you where possible.
>>>
>>> Be sure to use ./configure --enable-ipfw when building...
>>>
>>> If someone knows that this can't work for some reason, please correct me!
>>
>> IPFW support in snort-inline is built specifically for FreeBSD.
>> The name ipfw is deceiving because it is short for ip firewall,
>> which is used as a generic name for several firewalls (including
>> one for HP-UX).
>>
>> Specifically, you need divert sockets in conjunction with IPFW for
>> anything to work right, which is a FreeBSD thing. The only OS I
>> know works with IPFW is FreeBSD, although other OSs with divert
>> socket support could work. IPFW is just the tool to send packets
>> to a divert socket (kernel->snort_inline), i.e. it is more
>> important that you have divert sockets support than IPFW.
>> In fact, you could write an app that sends packets from the BPF
>> (or the like) to a divert socket (snort_inline) and bypass IPFW
>> altogether...although it would defeat the purpose ;-)
>>
>> So I would take a guess that it won't work. Sorry.
>>
>> Nick Rogness <ni...@ro...>
>> -
>> How many people here have telekinetic powers? Raise my hand.
>> -Emo Philips

Nick Rogness <ni...@ro...>
-
How many people here have telekinetic powers? Raise my hand.
-Emo Philips
From: prabu <pra...@ho...> - 2004-09-14 10:36:38

Hi Nick,
Thanks a lot for the good explanation. Now, my question is, what should I do so that I can compile snort-inline on HP-UX? You have killed even the little hope to compile snort-inline on HPUX. Is there any other way to do so?

----- Original Message -----
From: "Nick Rogness" <ni...@ro...>
To: "Victor Julien" <vi...@nk...>
Cc: <sno...@li...>; "prabu" <pra...@ho...>
Sent: Sunday, September 12, 2004 7:46 AM
Subject: Re: [Snort-inline-users] snort_inline on Hp-ux? (was: Re: Snort-inline-users digest, Vol 1 #222 - 1 msg)

> On Fri, 3 Sep 2004, Victor Julien wrote:
>
>> Hi Prabu,
>>
>> I don't know if it can work, but a quick search in Google tells me Hp-ux
>> is using IPFW, which Snort_inline supports. So I would say, give it a go and
>> post errors, problems or success stories to the snort_inline-users
>> mailinglist. We will try to assist you where possible.
>>
>> Be sure to use ./configure --enable-ipfw when building...
>>
>> If someone knows that this can't work for some reason, please correct me!
>
> IPFW support in snort-inline is built specifically for FreeBSD.
> The name ipfw is deceiving because it is short for ip firewall,
> which is used as a generic name for several firewalls (including
> one for HP-UX).
>
> Specifically, you need divert sockets in conjunction with IPFW for
> anything to work right, which is a FreeBSD thing. The only OS I
> know works with IPFW is FreeBSD, although other OSs with divert
> socket support could work. IPFW is just the tool to send packets
> to a divert socket (kernel->snort_inline), i.e. it is more
> important that you have divert sockets support than IPFW.
> In fact, you could write an app that sends packets from the BPF
> (or the like) to a divert socket (snort_inline) and bypass IPFW
> altogether...although it would defeat the purpose ;-)
>
> So I would take a guess that it won't work. Sorry.
>
> Nick Rogness <ni...@ro...>
> -
> How many people here have telekinetic powers? Raise my hand.
> -Emo Philips
From: Will M. <wil...@gm...> - 2004-09-14 01:03:35

FYI

---------- Forwarded message ----------
From: Jeremy Hewlett <jh...@so...>
Date: Mon, 13 Sep 2004 17:16:59 -0400
Subject: [Snort-users] Snort 2.3 CVS branch, and new features
To: sno...@li...
Cc: sno...@li...

Hello!

The new features planned for Snort-2.3 have been checked into CVS under the SNORT_2_3 branch. We're pretty excited about the new features!

First on the list is Snort-Inline (woo!). This was a big accomplishment, and took the efforts of many people. A big thanks to the following people for their hard work and heading up the Snort-Inline project -

Jed Haile
Rob McMillen
William Metcalf
Victor Julien

Thanks to these guys and the Snort-Inline community for their continued efforts in making this into an excellent feature. Also, thanks to Dan Roelker of Sourcefire for integrating Snort-Inline into the official project and ironing out issues that popped up during the process.

The inline feature set includes only the core inline functionality. This means that DROP, SDROP, and REJECT rule-types are supported. A couple of new features were also added during the integration effort, which provide inline state and dropping packets with bad checksums. The Snort-Inline project will continue to develop new inline features, so for the latest advancements in inline functionality, please refer to the Snort-Inline project. Further documentation can be found in doc/README.INLINE and the Snort-Inline website at http://snort-inline.sf.net.

Next up is a new portscan detection engine - sfPortscan. This engine was developed to detect TCP/UDP/ICMP/IP protocol scans and sweeps. In addition to this, it detects decoy and distributed portscans, and can distinguish between filtered and unfiltered scans. When portscan alerts are generated, the details of the portscan are logged along with it. This information gives the analyst details on how many ports were scanned, ranges, number of ips scanned, ip ranges, and what ports were open on the target. For more information, please see doc/README.sfportscan. The design and implementation was headed up by Dan Roelker, and included Marc Norton and Jeremy Hewlett.

This release also includes various bug fixes; please refer to the ChangeLog for further information.

Also, please remember that this is not considered to be an official stable release or candidate. Standard CVS disclaimer applies. However, for those living on the bleeding-edge, we encourage you to check it out and give us feedback.

Lastly, we've updated the "Our Team" page at snort.org, check it out at http://www.snort.org/team.html

Thanks for your time, please let us know what you think!

Cheers,
The Snort Team
From: Gould, S. <sg...@go...> - 2004-09-13 20:43:32

Will, you beat me to it. Thanks again for all your help. FYI, my source for the libnet source code unfortunately slips my mind. If I think of it I will post.

Scott Gould
Gynecologic Oncology Group
Statistical & Data Center
716-845-5702

-----Original Message-----
From: sno...@li... [mailto:sno...@li...] On Behalf Of Will Metcalf
Sent: Monday, September 13, 2004 4:18 PM
To: sno...@li...
Subject: Re: [Snort-inline-users] Trouble compiling snort_inline-2.2.0-RC1

This turned out not to be a problem with snort_inline and the code in inline.c but rather Scott's libnet installation. It is working now; it compiled fine with RHES3.

Regards,

Will

On Fri, 10 Sep 2004 22:47:04 -0400, Gould, Scott <sg...@go...> wrote:
> Trouble with compiling on an RHEL Update 1 OS, kernel 2.4.21 smp w/ebtables brnf patch.
>
> Anyone else seeing this:
>
> gcc -DHAVE_CONFIG_H -I. -I. -I.. -I.. -I../src -I../src/sfutil -I/usr/include/pcap -I../src/output-plugins -I../src/detection-plugins -I../src/preprocessors -I../src/preprocessors/flow -I../src/preprocessors/portscan -I../src/preprocessors/flow/int-snort -I../src/preprocessors/HttpInspect/include -I/usr/local/include -DENABLE_RESPONSE -D_BSD_SOURCE -D__BSD_SOURCE -D__FAVOR_BSD -DLIBNET_LIL_ENDIAN -I/usr/local/include -I/sw/include -g -O2 -Wall -DUSE_SF_STATS -DLINUX_SMP -DGIDS -D_BSD_SOURCE -D__BSD_SOURCE -D__FAVOR_BSD -DLIBNET_LIL_ENDIAN -c `test -f 'inline.c' || echo './'`inline.c
> inline.c: In function `RejectLayer2':
> inline.c:554: dereferencing pointer to incomplete type
> make[3]: *** [inline.o] Error 1
> make[3]: Leaving directory `/downloads/snort_inline-2.2.0-RC1/src'
> make[2]: *** [all-recursive] Error 1
> make[2]: Leaving directory `/downloads/snort_inline-2.2.0-RC1/src'
> make[1]: *** [all-recursive] Error 1
> make[1]: Leaving directory `/downloads/snort_inline-2.2.0-RC1'
> make: *** [all] Error 2
>
> Not being much of a coder, I wouldn't really know what to be looking for in inline.c. I think I remember getting the same error when compiling from a source of snort_2.2.0 with the inline patches, if I included the latest patch that added the reset functionality.
>
> Any help is much appreciated
>
> Scott Gould
> Gynecologic Oncology Group
> Statistical & Data Center
> 716-845-5702
From: Will M. <wil...@gm...> - 2004-09-13 20:17:38

This turned out not to be a problem with snort_inline and the code in inline.c but rather Scott's libnet installation. It is working now; it compiled fine with RHES3.

Regards,

Will

On Fri, 10 Sep 2004 22:47:04 -0400, Gould, Scott <sg...@go...> wrote:
> Trouble with compiling on an RHEL Update 1 OS, kernel 2.4.21 smp w/ebtables brnf patch.
>
> Anyone else seeing this:
>
> gcc -DHAVE_CONFIG_H -I. -I. -I.. -I.. -I../src -I../src/sfutil -I/usr/include/pcap -I../src/output-plugins -I../src/detection-plugins -I../src/preprocessors -I../src/preprocessors/flow -I../src/preprocessors/portscan -I../src/preprocessors/flow/int-snort -I../src/preprocessors/HttpInspect/include -I/usr/local/include -DENABLE_RESPONSE -D_BSD_SOURCE -D__BSD_SOURCE -D__FAVOR_BSD -DLIBNET_LIL_ENDIAN -I/usr/local/include -I/sw/include -g -O2 -Wall -DUSE_SF_STATS -DLINUX_SMP -DGIDS -D_BSD_SOURCE -D__BSD_SOURCE -D__FAVOR_BSD -DLIBNET_LIL_ENDIAN -c `test -f 'inline.c' || echo './'`inline.c
> inline.c: In function `RejectLayer2':
> inline.c:554: dereferencing pointer to incomplete type
> make[3]: *** [inline.o] Error 1
> make[3]: Leaving directory `/downloads/snort_inline-2.2.0-RC1/src'
> make[2]: *** [all-recursive] Error 1
> make[2]: Leaving directory `/downloads/snort_inline-2.2.0-RC1/src'
> make[1]: *** [all-recursive] Error 1
> make[1]: Leaving directory `/downloads/snort_inline-2.2.0-RC1'
> make: *** [all] Error 2
>
> Not being much of a coder, I wouldn't really know what to be looking for in inline.c. I think I remember getting the same error when compiling from a source of snort_2.2.0 with the inline patches, if I included the latest patch that added the reset functionality.
>
> Any help is much appreciated
>
> Scott Gould
> Gynecologic Oncology Group
> Statistical & Data Center
> 716-845-5702
From: Will M. <wil...@gm...> - 2004-09-13 17:22:09

I develop snort_inline on debian linux. If I remember correctly there is a problem with the QUEUE target in RH 7.3 that was fixed with an iptables p-o-m. As far as a simple bridging script goes, you might be able to use something like this.

    #!/bin/sh
    # Bridge eth0 and eth1 into br0 and hand every forwarded packet to
    # snort_inline through the iptables QUEUE target (ip_queue).

    case "$1" in
    start)
        echo -n "starting bridge"
        # BRIDGE SETUP
        echo setting up bridge
        /usr/local/sbin/brctl addbr br0
        /usr/local/sbin/brctl addif br0 eth0
        /usr/local/sbin/brctl addif br0 eth1
        /usr/local/sbin/brctl stp br0 off
        # management address for the bridge interface itself
        /sbin/ifconfig br0 192.168.1.10 netmask 255.255.255.0 broadcast 192.168.1.255
        /sbin/route add default gw 192.168.1.1
        # stealth bridge (no IP on br0): uncomment the line below
        #/sbin/ifconfig br0 0.0.0.0
        /sbin/ifconfig br0 up
        sleep 10
        # SETUP IPTABLES RULES: everything crossing the bridge is queued to
        # snort_inline, which returns the accept/drop verdict per packet
        /usr/local/sbin/iptables -F FORWARD
        /usr/local/sbin/iptables -P FORWARD DROP
        /usr/local/sbin/iptables -A FORWARD -j QUEUE
        sleep 3
        echo
        ;;
    stop)
        echo -n "Stopping IPS STUFF: ("
        /usr/local/sbin/brctl delif br0 eth0
        /usr/local/sbin/brctl delif br0 eth1
        /sbin/ifconfig br0 down
        /usr/local/sbin/brctl delbr br0
        /usr/local/sbin/iptables -F FORWARD
        /usr/local/sbin/iptables -P FORWARD ACCEPT
        echo
        ;;
    restart)
        $0 stop
        $0 start
        ;;
    status)
        # 'status' is the helper defined in Red Hat's /etc/init.d/functions
        status bridge
        ;;
    *)
        echo "Usage: $0 {start|stop|restart|status}"
        exit 1
        ;;
    esac
    exit 0

On Mon, 13 Sep 2004 11:16:56 -0500, Eric Hines <eri...@ap...> wrote:
> List:
>
> I have several questions regarding Snort-Inline and hope someone may be
> able to answer a few, if not all:
>
> 1) Does anyone know of any newer operating system distros that have the
> ebtables/bridging firewall patch implemented into the default kernel
> other than Redhat 7.3 (e.g. Fedora or other Linux distros) that would
> not require additional patching of the kernel?
>
> 2) We are troubleshooting connectivity issues with a Redhat 7.3
> installation of the latest 2.1.3 Snort-Inline release. Can anyone
> provide a list of troubleshooting steps they take when connectivity
> becomes an issue? I'm using the RC.FIREWALL script provided on
> honeynet.org. If anyone can look at the below and let me know if they
> see anything I've missed, that would be great!:
>
> a) I've made sure ipqueue is loaded with lsmod
> b) I've made sure the rc.firewall script started with no errors
> c) I've made sure snort_inline was running with -Q
> d) I've made sure the 2 interfaces have been bridged and the right
> cat5 cables are plugged in to the appropriate NIC.
> e) I've modified the rc.firewall script to make everything that has
> DROP set, set to ALLOW.
>
> 3) In both customer and internal deployments of Snort-Inline, we
> continue to use the rc.firewall script from Honeynet even though all
> deployments have not been for honeynets, rather, just a perimeter IPS.
> The rc.firewall script is geared towards honeynet deployments. Does
> anyone know of a different rc script that has been made for non-honeynet
> deployments that is geared more towards just setting up a bridged
> snort-inline box that does not do any firewalling and simply passes the
> traffic straight through the IPS -- none of the fancy ipfilter rules,
> just ALLOW all rules? For the interim, an ugly hack we've done is to
> simply do a search/replace on the DROP keyword in the rc.firewall script
> to ALLOW. I'm sure there has got to be someone on this list that has done
> an Enterprise deployment of Snort-Inline and relied on their already
> deployed firewalls to handle firewalling and wanted the snort-inline
> bridge to simply pass all traffic in/out.
>
> Someone please advise on any one of these item #s.
>
> --
> Best Regards,
>
> Eric Hines, GCIA, CISSP
> CEO, President
> Applied Watch Technologies, Inc.
> 1134 N. Main St.
> Algonquin, IL 60102
> Direct: (877) 262-7593 x327
> http://www.appliedwatch.com
From: Eric H. <eri...@ap...> - 2004-09-13 16:29:26

List:

I have several questions regarding Snort-Inline and hope someone may be able to answer a few, if not all:

1) Does anyone know of any newer operating system distros that have the ebtables/bridging firewall patch implemented into the default kernel other than Redhat 7.3 (e.g. Fedora or other Linux distros) that would not require additional patching of the kernel?

2) We are troubleshooting connectivity issues with a Redhat 7.3 installation of the latest 2.1.3 Snort-Inline release. Can anyone provide a list of troubleshooting steps they take when connectivity becomes an issue? I'm using the RC.FIREWALL script provided on honeynet.org. If anyone can look at the below and let me know if they see anything I've missed, that would be great!:

a) I've made sure ipqueue is loaded with lsmod
b) I've made sure the rc.firewall script started with no errors
c) I've made sure snort_inline was running with -Q
d) I've made sure the 2 interfaces have been bridged and the right cat5 cables are plugged in to the appropriate NIC.
e) I've modified the rc.firewall script to make everything that has DROP set, set to ALLOW.

3) In both customer and internal deployments of Snort-Inline, we continue to use the rc.firewall script from Honeynet even though all deployments have not been for honeynets, rather, just a perimeter IPS. The rc.firewall script is geared towards honeynet deployments. Does anyone know of a different rc script that has been made for non-honeynet deployments that is geared more towards just setting up a bridged snort-inline box that does not do any firewalling and simply passes the traffic straight through the IPS -- none of the fancy ipfilter rules, just ALLOW all rules? For the interim, an ugly hack we've done is to simply do a search/replace on the DROP keyword in the rc.firewall script to ALLOW. I'm sure there has got to be someone on this list that has done an Enterprise deployment of Snort-Inline and relied on their already deployed firewalls to handle firewalling and wanted the snort-inline bridge to simply pass all traffic in/out.

Someone please advise on any one of these item #s.

--
Best Regards,

Eric Hines, GCIA, CISSP
CEO, President
Applied Watch Technologies, Inc.
1134 N. Main St.
Algonquin, IL 60102
Direct: (877) 262-7593 x327
http://www.appliedwatch.com
From: Victor J. <vi...@nk...> - 2004-09-13 15:43:43
|
Hello Luis,

On Monday 13 September 2004 15:02, Luis Hernán Otegui wrote:
> Hello, people, I've been brought here by a suggestion somebody at the
> mailing list of snort gave me.
> First of all, I must say that I'm a complete newbie at snort and any
> of its sons (such as this one). My approach to snort was motivated
> because I want to block peer to peer traffic coming in and out of the
> network I'm managing.
> So, to put it simple, I need some documentation (the one I couldn't
> find anywhere in the snort-inline site) about how to do this, working
> together with my existing iptables firewall.

The snort_inline part of snort basically comes down to making sure snort_inline
sees the traffic. This can be done by using the QUEUE target in iptables. For
more information on how to pass the traffic to snort_inline see the
documentation in the snort_inline distribution, in the map 'doc', esp.
README.INLINE.

I suggest you read the snort manual (http://www.snort.org/docs/snort_manual/)
and just load snort_inline with the rules set to alert so you can see what
happens...

> I've been reading the snort users and installation guides, my
> router-firewall came with snort 2.0.6 pre-installed (I'm using Ututo-R
> as a router-firewall), and I have three NICs, one that connects it
> with the internet gateway, and the other two that serve as gateways to
> two class B networks. These are the ones in which I would like to block
> peer to peer traffic.
> Thanks in advance,
>
> Luis

For blocking p2p you can also look at the layer7 filter project for iptables
(http://l7-filter.sourceforge.net/) and Ipp2p
(http://rnvs.informatik.uni-leipzig.de/ipp2p/docu_en.html).

Hope this helps,

Victor |
From: <lui...@gm...> - 2004-09-13 13:02:11
|
Hello, people, I've been brought here by a suggestion somebody at the
mailing list of snort gave me.
First of all, I must say that I'm a complete newbie at snort and any
of its sons (such as this one). My approach to snort was motivated
because I want to block peer to peer traffic coming in and out of the
network I'm managing.
So, to put it simple, I need some documentation (the one I couldn't
find anywhere in the snort-inline site) about how to do this, working
together with my existing iptables firewall.
I've been reading the snort users and installation guides, my
router-firewall came with snort 2.0.6 pre-installed (I'm using Ututo-R
as a router-firewall), and I have three NICs, one that connects it
with the internet gateway, and the other two that serve as gateways to
two class B networks. These are the ones in which I would like to block
peer to peer traffic.
Thanks in advance,

Luis

-- 
-------------------------------------------------
GNU-GPL: "May The Source Be With You...
------------------------------------------------- |
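The "just pass everything to snort_inline via QUEUE" setup that Victor's reply describes, written out for both Eric's bridged ALLOW-all box (item 3 above) and Luis's three-NIC router, as an added example that is not the honeynet.org rc.firewall script or anything from the snort_inline project. Interface names are assumptions, and nothing is executed unless the word "apply" is given.

```shell
#!/bin/sh
# Added example, not the honeynet.org rc.firewall script: the smallest
# iptables setup that hands forwarded traffic to snort_inline with the QUEUE
# target and does no filtering of its own ("ALLOW all", Eric's item 3), plus
# the variant for Luis's router with one Internet NIC and two inside NICs.
# Interface names are assumptions. Without the word "apply" nothing is run.
# Usage: sh passthrough.sh bridge|router [apply]

# Bridged box: two NICs in a bridge and a kernel with the bridge-nf/ebtables
# patch, so bridged frames traverse the FORWARD chain (as rc.firewall relies on).
bridge_rules() {
    cat <<'EOF'
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -F FORWARD
iptables -A FORWARD -j QUEUE
EOF
}

# Routing firewall: queue only what crosses the Internet-facing interface;
# traffic between the two inside networks is forwarded untouched. QUEUE is
# a terminating target, so these rules belong after the existing filter
# rules (but before any final catch-all DROP): what the firewall permits
# then reaches snort_inline, what it drops never does.
router_rules() {
    wan=${1:-eth0}
    cat <<EOF
iptables -A FORWARD -i $wan -j QUEUE
iptables -A FORWARD -o $wan -j QUEUE
EOF
}

# Guard: a pure pass-through rule set must queue and must never drop.
is_passthrough() {
    printf '%s\n' "$1" | grep -q -- '-j QUEUE' || return 1
    if printf '%s\n' "$1" | grep -q -E -- '-j (DROP|REJECT)'; then return 1; fi
    return 0
}

if [ -n "$1" ]; then
    case "$1" in
        bridge) rules=$(bridge_rules) ;;
        router) rules=$(router_rules eth0) ;;
        *) echo "usage: $0 bridge|router [apply]" >&2; exit 2 ;;
    esac
    is_passthrough "$rules" || { echo "refusing: not a pass-through rule set" >&2; exit 1; }
    if [ "$2" = apply ]; then
        # Order matters: load ip_queue and start snort_inline -Q before these
        # rules go in. Packets sent to QUEUE while nothing is attached to
        # ip_queue are dropped, so installing the rules early blackholes the box.
        modprobe ip_queue
        printf '%s\n' "$rules" | sh -ex
    else
        printf '%s\n' "$rules"
    fi
fi
```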
From: Victor J. <vi...@nk...> - 2004-09-12 14:06:35
|
You also can try to put the clamav preprocessor directly after the
stream4_reassemble preproc in your config. Detecting viruses didn't work for
me if i didn't...

Hope this helps,

Victor

On Sunday 12 September 2004 06:27, Will Metcalf wrote:
> Just to test, try to download the eicar test file from eicar.com
>
> http://www.eicar.org/download/eicar.com
>
> Let me know what the results are. Sorry if it takes me a little while
> to get back to you all this weekend. I'm swamped with work stuff.
>
> Regards,
>
> Will
>
> On Sun, 12 Sep 2004 06:06:06 +0200, Markus Koetter <mko...@gm...> wrote:
> > Hi,
> >
> > i'm running snort-inline 2.20rc1 on a debian unstable box,
> > box is up to date
> >
> > i installed clamav from apt
> > dpkg -l | grep clam
> > ii  clamav          0.75.1-4  Antivirus scanner for Unix
> > ii  clamav-base     0.75.1-4  Base package for clamav, an anti-virus utili
> > ii  clamav-freshcl  0.75.1-4  Downloads clamav virus databases from the In
> > ii  libclamav1      0.75.1-4  Virus scanner library
> > ii  libclamav1-dev  0.75.1-4  Clam Antivirus library development files
> >
> > and ran
> > ./configure --prefix=/opt/snort-inline/
> > --with-libipq-includes=/usr/include/libipq --enable-linux-smp-stats
> > --enable-flexresp --enable-inline --enable-clamav
> >
> > everything went fine
> >
> > i setup the config, etc etc etc
> > and wanted to use clamav
> >
> > preprocessor stream4_reassemble: both, ports default
> > preprocessor clamav: ports all, action-reset
> >
> > i mark packets
> > via
> >
> > iptables -t mangle -A OUTPUT -p tcp --syn -m state --state NEW --dport
> > 80 -j MARK --set-mark 1
> > iptables -t mangle -A INPUT -p tcp -m state --state ESTABLISHED
> > --sport 80 -j MARK --set-mark 2
> >
> > iptables -A OUTPUT -m mark --mark 1 -j QUEUE
> > iptables -A INPUT -m mark --mark 2 -j QUEUE
> >
> > now i download a malicious file i scratched from my mother's harddisk
> >
> > clamscan bad.exe
> > bad.exe: Exploit.DCOM.Gen FOUND
> >
> > ----------- SCAN SUMMARY -----------
> > Known viruses: 23865
> > Scanned directories: 0
> > Scanned files: 1
> > Infected files: 1
> > Data scanned: 0.31 MB
> > I/O buffer size: 131072 bytes
> > Time: 0.943 sec (0 m 0 s)
> >
> > i download it via http and expect something to happen
> > nothing happens, the file just gets down
> >
> > i tried wget and mozilla
> >
> > i start snort-inline
> > ./snort_inline -Qvdc ../etc/snort-inline/snort_inline.conf
> >
> > i can see
> > ....
> > ClamAV config:
> >     Ports: 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 ...
> >     Virus found action: RESET
> >     Virus definitions dir: '/var/lib/clamav/'
> > ....
> >
> > and i can see the stream
> > and the file is in the stream
> > ...........
> > 00 00 00 00 00 00 00 00 4E 42 31 30 00 00 00 00  ........NB10....
> > 9C 0C A0 40 36 00 00 00 43 3A 5C 44 6F 63 75 6D  ...@6...C:\Docum
> > 65 6E 74 73 20 61 6E 64 20 53 65 74 74 69 6E 67  ents and Setting
> > 73 5C 41 6C 6A 61 9E 5C 44 65 73 6B 74 6F 70 5C  s\Alja.\Desktop\
> > 50 72 65 6E 6F 73 69 5C 4D 65 54 61 4C 2D 53 63  Prenosi\MeTaL-Sc
> > 52 69 50 74 5C 72 78 62 30 37 37 53 61 73 73 5C  RiPt\rxb077Sass\
> > 72 78 42 6F 74 20 76 30 2E 37 2E 37 20 53 61 73  rxBot v0.7.7 Sas
> > 73 5C 44 65 62 75 67 5C 72 42 6F 74 2E 70 64 62  s\Debug\rBot.pdb
> > 00
> > .............
> >
> > i tried some other malicious files, nothing ever happened ...
> > to check my config i enabled the chat rules, joined an irc network, and
> > this event got logged.
> >
> > i'm really helpless, would be great if someone could give me a hint.
> >
> > Markus
> >
> > -------------------------------------------------------
> > This SF.Net email is sponsored by: YOU BE THE JUDGE. Be one of 170
> > Project Admins to receive an Apple iPod Mini FREE for your judgement on
> > who ports your project to Linux PPC the best. Sponsored by IBM.
> > Deadline: Sept. 13. Go here: http://sf.net/ppc_contest.php
> > _______________________________________________
> > Snort-inline-users mailing list
> > Sno...@li...
> > https://lists.sourceforge.net/lists/listinfo/snort-inline-users |
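Victor's ordering advice as a check rather than a rule of thumb: an added shell function, not from his post or the snort_inline project, that reads a snort_inline.conf and reports whether stream4 comes before stream4_reassemble and clamav comes after it. The sample configs in the test are constructed.

```shell
#!/bin/sh
# Added check, not from Victor's post or the snort_inline project: verify
# the preprocessor order he describes in a snort_inline.conf. snort wants
# stream4 before stream4_reassemble, and the clamav preprocessor must come
# after stream4_reassemble so it sees reassembled streams, not bare packets.
# Usage: sh preproc_order.sh /path/to/snort_inline.conf

# Line number of the first active (uncommented) "preprocessor <name>" line,
# empty if there is none. $1 = config text, $2 = preprocessor name.
preproc_line() {
    printf '%s\n' "$1" |
        grep -n -E "^[[:space:]]*preprocessor[[:space:]]+$2([[:space:]]|:|\$)" |
        head -1 | cut -d: -f1
}

# Exit status: 0 order is right, 1 clamav precedes stream4_reassemble,
# 2 stream4_reassemble or clamav missing (or commented out), 3 stream4
# missing or after stream4_reassemble.
preproc_order() {
    s4=$(preproc_line "$1" stream4)
    re=$(preproc_line "$1" stream4_reassemble)
    cl=$(preproc_line "$1" clamav)
    [ -n "$re" ] && [ -n "$cl" ] || return 2
    [ -n "$s4" ] && [ "$s4" -lt "$re" ] || return 3
    [ "$re" -lt "$cl" ] || return 1
    return 0
}

if [ -n "$1" ]; then
    conf=$(cat "$1")
    rc=0; preproc_order "$conf" || rc=$?
    case $rc in
        0) echo "ok: stream4 < stream4_reassemble < clamav" ;;
        1) echo "clamav is configured before stream4_reassemble; move it after" ;;
        2) echo "stream4_reassemble or clamav preprocessor line missing or commented out" ;;
        3) echo "stream4 must be configured before stream4_reassemble" ;;
    esac
    exit $rc
fi
```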
From: Will M. <wil...@gm...> - 2004-09-12 04:27:35
|
Just to test, try to download the eicar test file from eicar.com

http://www.eicar.org/download/eicar.com

Let me know what the results are. Sorry if it takes me a little while
to get back to you all this weekend. I'm swamped with work stuff.

Regards,

Will

On Sun, 12 Sep 2004 06:06:06 +0200, Markus Koetter <mko...@gm...> wrote:
> Hi,
>
> i'm running snort-inline 2.20rc1 on a debian unstable box,
> box is up to date
>
> i installed clamav from apt
> dpkg -l | grep clam
> ii  clamav          0.75.1-4  Antivirus scanner for Unix
> ii  clamav-base     0.75.1-4  Base package for clamav, an anti-virus utili
> ii  clamav-freshcl  0.75.1-4  Downloads clamav virus databases from the In
> ii  libclamav1      0.75.1-4  Virus scanner library
> ii  libclamav1-dev  0.75.1-4  Clam Antivirus library development files
>
> and ran
> ./configure --prefix=/opt/snort-inline/
> --with-libipq-includes=/usr/include/libipq --enable-linux-smp-stats
> --enable-flexresp --enable-inline --enable-clamav
>
> everything went fine
>
> i setup the config, etc etc etc
> and wanted to use clamav
>
> preprocessor stream4_reassemble: both, ports default
> preprocessor clamav: ports all, action-reset
>
> i mark packets
> via
>
> iptables -t mangle -A OUTPUT -p tcp --syn -m state --state NEW --dport
> 80 -j MARK --set-mark 1
> iptables -t mangle -A INPUT -p tcp -m state --state ESTABLISHED
> --sport 80 -j MARK --set-mark 2
>
> iptables -A OUTPUT -m mark --mark 1 -j QUEUE
> iptables -A INPUT -m mark --mark 2 -j QUEUE
>
> now i download a malicious file i scratched from my mother's harddisk
>
> clamscan bad.exe
> bad.exe: Exploit.DCOM.Gen FOUND
>
> ----------- SCAN SUMMARY -----------
> Known viruses: 23865
> Scanned directories: 0
> Scanned files: 1
> Infected files: 1
> Data scanned: 0.31 MB
> I/O buffer size: 131072 bytes
> Time: 0.943 sec (0 m 0 s)
>
> i download it via http and expect something to happen
> nothing happens, the file just gets down
>
> i tried wget and mozilla
>
> i start snort-inline
> ./snort_inline -Qvdc ../etc/snort-inline/snort_inline.conf
>
> i can see
> ....
> ClamAV config:
>     Ports: 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 ...
>     Virus found action: RESET
>     Virus definitions dir: '/var/lib/clamav/'
> ....
>
> and i can see the stream
> and the file is in the stream
> ...........
> 00 00 00 00 00 00 00 00 4E 42 31 30 00 00 00 00  ........NB10....
> 9C 0C A0 40 36 00 00 00 43 3A 5C 44 6F 63 75 6D  ...@6...C:\Docum
> 65 6E 74 73 20 61 6E 64 20 53 65 74 74 69 6E 67  ents and Setting
> 73 5C 41 6C 6A 61 9E 5C 44 65 73 6B 74 6F 70 5C  s\Alja.\Desktop\
> 50 72 65 6E 6F 73 69 5C 4D 65 54 61 4C 2D 53 63  Prenosi\MeTaL-Sc
> 52 69 50 74 5C 72 78 62 30 37 37 53 61 73 73 5C  RiPt\rxb077Sass\
> 72 78 42 6F 74 20 76 30 2E 37 2E 37 20 53 61 73  rxBot v0.7.7 Sas
> 73 5C 44 65 62 75 67 5C 72 42 6F 74 2E 70 64 62  s\Debug\rBot.pdb
> 00
> .............
>
> i tried some other malicious files, nothing ever happened ...
> to check my config i enabled the chat rules, joined an irc network, and
> this event got logged.
>
> i'm really helpless, would be great if someone could give me a hint.
>
> Markus |
From: Markus K. <mko...@gm...> - 2004-09-12 04:06:09
|
Hi,

i'm running snort-inline 2.20rc1 on a debian unstable box,
box is up to date

i installed clamav from apt
dpkg -l | grep clam
ii  clamav          0.75.1-4  Antivirus scanner for Unix
ii  clamav-base     0.75.1-4  Base package for clamav, an anti-virus utili
ii  clamav-freshcl  0.75.1-4  Downloads clamav virus databases from the In
ii  libclamav1      0.75.1-4  Virus scanner library
ii  libclamav1-dev  0.75.1-4  Clam Antivirus library development files

and ran
./configure --prefix=/opt/snort-inline/ --with-libipq-includes=/usr/include/libipq --enable-linux-smp-stats --enable-flexresp --enable-inline --enable-clamav

everything went fine

i setup the config, etc etc etc
and wanted to use clamav

preprocessor stream4_reassemble: both, ports default
preprocessor clamav: ports all, action-reset

i mark packets
via

iptables -t mangle -A OUTPUT -p tcp --syn -m state --state NEW --dport 80 -j MARK --set-mark 1
iptables -t mangle -A INPUT -p tcp -m state --state ESTABLISHED --sport 80 -j MARK --set-mark 2

iptables -A OUTPUT -m mark --mark 1 -j QUEUE
iptables -A INPUT -m mark --mark 2 -j QUEUE

now i download a malicious file i scratched from my mother's harddisk

clamscan bad.exe
bad.exe: Exploit.DCOM.Gen FOUND

----------- SCAN SUMMARY -----------
Known viruses: 23865
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.31 MB
I/O buffer size: 131072 bytes
Time: 0.943 sec (0 m 0 s)

i download it via http and expect something to happen
nothing happens, the file just gets down

i tried wget and mozilla

i start snort-inline
./snort_inline -Qvdc ../etc/snort-inline/snort_inline.conf

i can see
....
ClamAV config:
    Ports: 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 ...
    Virus found action: RESET
    Virus definitions dir: '/var/lib/clamav/'
....

and i can see the stream
and the file is in the stream
...........
00 00 00 00 00 00 00 00 4E 42 31 30 00 00 00 00  ........NB10....
9C 0C A0 40 36 00 00 00 43 3A 5C 44 6F 63 75 6D  ...@6...C:\Docum
65 6E 74 73 20 61 6E 64 20 53 65 74 74 69 6E 67  ents and Setting
73 5C 41 6C 6A 61 9E 5C 44 65 73 6B 74 6F 70 5C  s\Alja.\Desktop\
50 72 65 6E 6F 73 69 5C 4D 65 54 61 4C 2D 53 63  Prenosi\MeTaL-Sc
52 69 50 74 5C 72 78 62 30 37 37 53 61 73 73 5C  RiPt\rxb077Sass\
72 78 42 6F 74 20 76 30 2E 37 2E 37 20 53 61 73  rxBot v0.7.7 Sas
73 5C 44 65 62 75 67 5C 72 42 6F 74 2E 70 64 62  s\Debug\rBot.pdb
00
.............

i tried some other malicious files, nothing ever happened ...
to check my config i enabled the chat rules, joined an irc network, and
this event got logged.

i'm really helpless, would be great if someone could give me a hint.

Markus |
From: Nick R. <ni...@ro...> - 2004-09-12 02:18:39
|
On Fri, 3 Sep 2004, Victor Julien wrote:

> Hi Prabu,
>
> I don't know if it can work, but a quick search in Google tells me Hp-ux is
> using IPFW, which Snort_inline supports. So i would say, give it a go and
> post errors, problems or success stories to the snort_inline-users
> mailinglist. We will try to assist you where possible.
>
> Be sure to use ./configure --enable-ipfw when building...
>
> If someone knows that this can't work for some reason, please correct me!

IPFW support in snort-inline is built specifically for FreeBSD. The name
ipfw is deceiving because it is short for ip firewall, which is used as a
generic name for several firewalls (including one for HP-UX). Specifically,
you need divert sockets in conjunction with IPFW for anything to work right,
which is a FreeBSD thing.

The only OS I know works with IPFW is FreeBSD, although other OSs with divert
socket support could work. IPFW is just the tool to send packets to a divert
socket (kernel->snort_inline), i.e. it is more important that you have divert
sockets support than IPFW. In fact, you could write an app that sends packets
from the BPF (or the like) to a divert socket (snort_inline) and bypass IPFW
altogether...although it would defeat the purpose ;-)

So I would take a guess that it won't work. Sorry.

Nick Rogness <ni...@ro...>
- How many people here have telekinetic powers? Raise my hand. -Emo Philips |
From: Gould, S. <sg...@go...> - 2004-09-11 02:47:15
|
Trouble with compiling on an RHEL Update 1 OS. Kernel 2.4.21 smp w/ebtables brnf patch

Anyone else seeing this:

gcc -DHAVE_CONFIG_H -I. -I. -I.. -I.. -I../src -I../src/sfutil -I/usr/include/pcap -I../src/output-plugins -I../src/detection-plugins -I../src/preprocessors -I../src/preprocessors/flow -I../src/preprocessors/portscan -I../src/preprocessors/flow/int-snort -I../src/preprocessors/HttpInspect/include -I/usr/local/include -DENABLE_RESPONSE -D_BSD_SOURCE -D__BSD_SOURCE -D__FAVOR_BSD -DLIBNET_LIL_ENDIAN -I/usr/local/include -I/sw/include -g -O2 -Wall -DUSE_SF_STATS -DLINUX_SMP -DGIDS -D_BSD_SOURCE -D__BSD_SOURCE -D__FAVOR_BSD -DLIBNET_LIL_ENDIAN -c `test -f 'inline.c' || echo './'`inline.c
inline.c: In function `RejectLayer2':
inline.c:554: dereferencing pointer to incomplete type
make[3]: *** [inline.o] Error 1
make[3]: Leaving directory `/downloads/snort_inline-2.2.0-RC1/src'
make[2]: *** [all-recursive] Error 1
make[2]: Leaving directory `/downloads/snort_inline-2.2.0-RC1/src'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/downloads/snort_inline-2.2.0-RC1'
make: *** [all] Error 2

Not being much of a coder, I wouldn't really know what to be looking for in inline.c. I think I remember getting the same error when compiling from a source of snort_2.2.0 with the inline patches, if I included the latest patch that added the reset functionality.

Any help is much appreciated

Scott Gould
Gynecologic Oncology Group
Statistical & Data Center
716-845-5702 |