From: Peter K. L. <sa...@co...> - 2004-08-02 21:07:20

I want to find out whether I'm doing something wrong, or it's just broken... Here's the setup: kernel 2.6.7, iptables 1.2.11, snort_inline 2.1.3b NOT running in bridge mode. The box is a NAT router/firewall.

The system has been verified to be functional via the following test:

iptables -t filter -A INPUT -i eth0 -p tcp --dport 1234 -j QUEUE

on the box: 'nc -l -p 1234'
snort_inline running with 1 snort signature set to 'alert' incoming connection to port 1234.
from external box: 'telnet xxx.xxx.xxx.xxx 1234'

I'm able to communicate with the 'nc server' process on the box and have it go through iptables, snort_inline, etc. with all the proper logging details.

HOWEVER, let's say that I change the iptables rule to be this:

iptables -t filter -A INPUT -i eth0 -j QUEUE

where I want ALL input requests to go to snort_inline. If 'external box' makes an incoming request, it works fine (as shown above), but when I'm on the box itself, and I make an outbound connection (let's say to google), then:

TO PATH looks okay. Google gets the packet and sends a response.
RETURN PATH is NOT okay. Google -> my box -> iptables -> INPUT -> QUEUE -> snort_inline -> ???

iptables sees it, snort_inline sees it, and then the requesting application never receives the packet. It gets lost somewhere between snort_inline and the application. It's completely bizarre.

It also happens when I put the snort_inline between the FORWARD CHAIN, like this:

iptables -t filter -A FORWARD -i eth1 -o eth0 -j QUEUE

iptables sees it, snort_inline sees it, and then the packet disappears.

Am I doing something wrong? Where does the packet go after snort_inline takes a look at the data from the QUEUE???

Thanks,
-Peter
From: Victor J. <vi...@nk...> - 2004-08-02 19:42:10

Hi Nate,

On Monday 02 August 2004 18:41, Nathaniel Haggard wrote:
> When snort-inline gets a packet that matches a drop rule does it drop
> that packet or does the whole TCP connection drop for a certain amount
> of time.

As far as I know, only the packet. If the dropped packet is a TCP packet with the SYN flag set (for setting up a connection) the connection will not be established.

> While trying snort-inline with irssi I noticed that I would appear to
> stay connected while the lag went up to 255+ and then I would rejoin
> all the channels I used to be in.
>
> Where is the code that does this?

Inside Snort_inline. Snort_inline uses the QUEUE target which allows iptables to send packets to user-space programs.

> What new rules does snort-inline add
> to iptables? iptables -L -n showed no new rules.

It doesn't add rules. By using an iptables rule with the QUEUE target iptables sends the packet to Snort_inline. When Snort_inline thinks the packet should be dropped, it will notify iptables of this so iptables will then drop the packet.

If you want to drop a connection I suggest you try reject instead of drop.

Hope this helps,

Regards,
Victor

> Nate
From: Nathaniel H. <nat...@gm...> - 2004-08-02 16:41:42

When snort-inline gets a packet that matches a drop rule does it drop that packet or does the whole TCP connection drop for a certain amount of time?

While trying snort-inline with irssi I noticed that I would appear to stay connected while the lag went up to 255+ and then I would rejoin all the channels I used to be in.

Where is the code that does this? What new rules does snort-inline add to iptables? iptables -L -n showed no new rules.

Nate
From: Geffrey V. [MINAG] <gve...@mi...> - 2004-07-26 18:17:32

The binary version is OK. But for RH systems we should create an RPM and SRPM. Hum... maybe in a week I could do an RPM.. too much work for now.

Regards,
Geffrey Velásquez

---------- Original Message -----------
From: Rob McMillen <ro...@ho...>
To: sno...@li...
Sent: Fri, 23 Jul 2004 21:19:46 -0500 (EST)
Subject: Re: [Snort-inline-users] Segmentation fault running 2.1.3b

> My bad. For the longest time, I was compiling the binary on a
> RedHat system. When they decided to stop giving away their product,
> I had to go after a free OS. I chose gentoo. Looks like your
> systems do not like my static compilation on a gentoo system.
>
> I'll probably have to stop providing the static binary and document
> how to compile from source.
>
> Thoughts?
>
> Rob
>
> On Fri, 23 Jul 2004, Geffrey Velasquez [MINAG] wrote:
>
> > Date: Fri, 23 Jul 2004 11:12:22 -0400
> > From: "Geffrey Velasquez [MINAG]" <gve...@mi...>
> > To: Scotte Zinn <sz...@ro...>, sno...@li...
> > Subject: Re: [Snort-inline-users] Segmentation fault running 2.1.3b
> >
> > You must recompile from the tarball. The binary version works well in Debian.
> >
> > Regards,
> > Geffrey Velásquez
> >
> > ---------- Original Message -----------
> > From: "Scotte Zinn" <sz...@ro...>
> > To: sno...@li...
> > Sent: Fri, 23 Jul 2004 09:24:50 -0400
> > Subject: [Snort-inline-users] Segmentation fault running 2.1.3b
> >
> > > I got 2.1.3b (standard version) and when I run it without any
> > > parameters or with -V, I get a segmentation fault. I'm using Redhat
> > > 9 Linux.
> > >
> > > Any ideas?
> > >
> > > -- Scotte
> > ------- End of Original Message -------
------- End of Original Message -------
From: Victor J. <vi...@nk...> - 2004-07-26 16:40:41

On Monday 26 July 2004 14:15, William Metcalf wrote:
> http://sourceforge.net/mailarchive/forum.php?thread_id=4033359&forum_id=32933
>
> You have to run snort_inline as root, due to the way that it interacts with
> iptables.
>
> Regards,
>
> Will

Hi Rob,

Please apply this little patch. It will prevent this confusion in the future.

Regards,
Victor
From: Isaac C. <ic...@ho...> - 2004-07-26 15:26:50

I see - I had originally thought that chrooting was broken in snort inline, as that was what I had initially tried to do before trying to have it run unprivileged, and chrooting failed with the exact same problem.

Though, upon further investigation, the problem was simply that I had grsecurity's chroot capability restrictions on - so if anyone is having the same problem with snort inline's chrooting and grsecurity, that's probably the problem.

And thanks for the help.
From: William M. <Wil...@kc...> - 2004-07-26 12:16:09

http://sourceforge.net/mailarchive/forum.php?thread_id=4033359&forum_id=32933

You have to run snort_inline as root, due to the way that it interacts with iptables.

Regards,

Will
From: Isaac C. <ic...@ho...> - 2004-07-26 06:31:59

Hello all,

I'm having some problems with getting snort inline to let any packets through. I'm using it just on one computer that is hooked right to the internet, and am trying to deploy it as an IPS (for that one computer). Anyways, while it is running every packet sent to QUEUE by iptables is just dropped regardless of whether it matches a rule or not. The one workaround to this that I found was to stop snort inline from switching from root (removing the -u and -g from the command line when it's run), which causes snort inline to work (mostly) as anticipated. (It still drops some packets without creating log entries, but most things work.)

When I have it run not as root all packets that don't match any rule are dropped (and not logged), but if a packet does match a rule it is logged (and obviously dropped) so it can't be a problem with the packets getting to snort inline. Also, the firewall couldn't be the problem (if QUEUEs are changed to ACCEPTs everything works fine).

Anyways, I thought that this was probably a configuration error, and so tried changing everything in my snort.conf file - tried running snort inline with no rules, or just one rule, or all the rules I wanted; tried changing preprocessors and variables - same result for everything. Next I tried updating (2.1.1 had been the most recent gentoo ebuild) to 2.1.3b which also had no effect on the problem.

So, my question is, what do I do to get snort inline to work, or is the only option to have snort inline run as root the entire time? If any more information is needed to figure out what's wrong just ask, that's all I could think of.

Thanks
From: Victor J. <vi...@nk...> - 2004-07-24 17:46:17

On Saturday 24 July 2004 19:16, Victor Julien wrote:
> Victor Julien wrote:
> > Hi Will, List,
> >
> > I was thinking about the approach and I think I've made a little mistake.
> > The patch assumes only NEW connections can start a tcp-connection and
> > ESTABLISHED and RELATED don't. However, if I'm not mistaken, RELATED
> > connections can also set up connections. This is because RELATED takes
> > care of the ftp-data connection for example, which is of course a normal
> > tcp connection. After the setting up of this RELATED connection, it
> > becomes ESTABLISHED (I assume, correct me if I'm wrong). So basically what
> > I'm saying is that we should mark NEW,RELATED 0x10 and ESTABLISHED 0x11.
> >
> > I will try to test this asap.
>
> Well, my assumption was correct. Stream4 is about tcp connections, and a
> RELATED packet is always a packet to set up a new connection. After this
> RELATED/syn packet, the connection becomes ESTABLISHED in netfilter. So
> basically, I think we can handle NEW and RELATED exactly in the same way,
> or does anyone think that it would be useful to make a distinction
> between NEW, ESTABLISHED _and_ RELATED?
>
> I'll post the updated patch later today.

As promised, the updated patch. Have fun.

Victor

> Regards,
> Victor
>
> > Regards,
> > Victor
From: Victor J. <vi...@nk...> - 2004-07-24 17:17:04

Victor Julien wrote:
> Hi Will, List,
>
> I was thinking about the approach and I think I've made a little mistake.
> The patch assumes only NEW connections can start a tcp-connection and
> ESTABLISHED and RELATED don't. However, if I'm not mistaken, RELATED
> connections can also set up connections. This is because RELATED takes
> care of the ftp-data connection for example, which is of course a normal
> tcp connection. After the setting up of this RELATED connection, it
> becomes ESTABLISHED (I assume, correct me if I'm wrong). So basically what
> I'm saying is that we should mark NEW,RELATED 0x10 and ESTABLISHED 0x11.
>
> I will try to test this asap.

Well, my assumption was correct. Stream4 is about tcp connections, and a RELATED packet is always a packet to set up a new connection. After this RELATED/syn packet, the connection becomes ESTABLISHED in netfilter. So basically, I think we can handle NEW and RELATED exactly in the same way, or does anyone think that it would be useful to make a distinction between NEW, ESTABLISHED _and_ RELATED?

I'll post the updated patch later today.

Regards,
Victor

> Regards,
> Victor
From: Rob M. <ro...@ho...> - 2004-07-24 02:13:16

My bad. For the longest time, I was compiling the binary on a RedHat system. When they decided to stop giving away their product, I had to go after a free OS. I chose gentoo. Looks like your systems do not like my static compilation on a gentoo system.

I'll probably have to stop providing the static binary and document how to compile from source.

Thoughts?

Rob

On Fri, 23 Jul 2004, Geffrey Velasquez [MINAG] wrote:

> Date: Fri, 23 Jul 2004 11:12:22 -0400
> From: "Geffrey Velasquez [MINAG]" <gve...@mi...>
> To: Scotte Zinn <sz...@ro...>, sno...@li...urceforge.net
> Subject: Re: [Snort-inline-users] Segmentation fault running 2.1.3b
>
> You must recompile from the tarball. The binary version works well in Debian.
>
> Regards,
> Geffrey Velásquez
>
>
> ---------- Original Message -----------
> From: "Scotte Zinn" <sz...@ro...>
> To: sno...@li...
> Sent: Fri, 23 Jul 2004 09:24:50 -0400
> Subject: [Snort-inline-users] Segmentation fault running 2.1.3b
>
> > I got 2.1.3b (standard version) and when I run it without any
> > parameters or with -V, I get a segmentation fault. I'm using Redhat
> > 9 Linux.
> >
> > Any ideas?
> >
> > -- Scotte
> ------- End of Original Message -------
From: Rob M. <ro...@ho...> - 2004-07-24 02:11:13

Source or static binary?

Rob

On Fri, 23 Jul 2004, Scotte Zinn wrote:

> Date: Fri, 23 Jul 2004 09:24:50 -0400
> From: Scotte Zinn <sz...@ro...>
> To: sno...@li...
> Subject: [Snort-inline-users] Segmentation fault running 2.1.3b
>
> I got 2.1.3b (standard version) and when I run it without any parameters or with -V, I get a segmentation fault. I'm using Redhat 9 Linux.
>
> Any ideas?
>
> -- Scotte
From: Lance S. <la...@ho...> - 2004-07-23 19:00:48

> So, I figure that the 'snort_inline.conf' is the one I want, but doing a
> diff with the 'snort.conf' shows that there are some xxx.rules files
> commented out on snort_inline.conf vs. snort.conf and vice versa.
>
> Is there any particular reason for this difference?

Most likely the snort_inline.conf file only includes rulesets that are actual attacks (things you want to block). Informational things, such as ICMP, DNS queries, etc. you most likely do not want to be modified or blocked.

> Also, is there a maintained database of snort_inline signature ruleset
> much like the snort signature ruleset database? Or are they one and the
> same?

One and the same. The Honeynet Project actually looked at maintaining a snort-inline ruleset, but it quickly became obvious that was a logistical nightmare. Instead, Brian Caswell has developed an excellent solution, 'snortconfig'. It takes a current snort rulebase and converts the rules to snortinline, allowing you to convert to a 'drop/reject/replace'. This way you can easily keep your snort-inline ruleset current. Learn more at http://www.shmoo.com/~bmc/software/snortconfig/.

lance
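As an added example (not snortconfig and not the project's own code), here is the 'alert' to drop/sdrop/reject rewrite that Lance describes, applied to a constructed ruleset: comment lines, var lines and rules that already carry another action are copied unchanged, and an action snort_inline does not know is refused. Function names and the sample rules are this example's own.

```c
#include <stdio.h>
#include <string.h>

/* Actions snort_inline understands: the stock Snort ones plus the inline
 * additions drop, sdrop and reject. */
static int valid_action(const char *a)
{
    static const char *const known[] = { "alert", "log", "pass", "drop", "sdrop", "reject" };
    size_t i;
    for (i = 0; i < sizeof known / sizeof known[0]; i++)
        if (strcmp(a, known[i]) == 0)
            return 1;
    return 0;
}

/* Rewrite the action keyword of one rule line.  Returns 1 if the line was an
 * "alert" rule and was rewritten, 0 if it was copied unchanged (comments,
 * blank lines, var/include lines, rules already using another action), -1 if
 * out is too small.  Leading whitespace is preserved. */
int convert_action(const char *line, const char *action, char *out, size_t outlen)
{
    const char *p = line;
    int n;
    while (*p == ' ' || *p == '\t')
        p++;
    if (strncmp(p, "alert", 5) == 0 && (p[5] == ' ' || p[5] == '\t')) {
        n = snprintf(out, outlen, "%.*s%s%s", (int)(p - line), line, action, p + 5);
        return (n >= 0 && (size_t)n < outlen) ? 1 : -1;
    }
    n = snprintf(out, outlen, "%s", line);
    return (n >= 0 && (size_t)n < outlen) ? 0 : -1;
}

/* Convert a whole ruleset held in memory.  Returns the number of rules
 * rewritten, or -1 on an unknown action or a buffer that is too small. */
int convert_ruleset(const char *rules, const char *action, char *out, size_t outlen)
{
    char line[1024], conv[1024];
    const char *start = rules;
    size_t used = 0;
    int converted = 0;

    if (outlen == 0 || !valid_action(action))
        return -1;
    while (*start) {
        const char *nl = strchr(start, '\n');
        size_t len = nl ? (size_t)(nl - start) : strlen(start);
        size_t clen;
        int r;
        if (len >= sizeof line)
            return -1;
        memcpy(line, start, len);
        line[len] = '\0';
        r = convert_action(line, action, conv, sizeof conv);
        if (r < 0)
            return -1;
        converted += r;
        clen = strlen(conv);
        if (used + clen + 2 > outlen)   /* room for the line, '\n' and NUL */
            return -1;
        memcpy(out + used, conv, clen);
        used += clen;
        out[used++] = '\n';
        start = nl ? nl + 1 : start + len;
    }
    out[used] = '\0';
    return converted;
}

/* Constructed sample ruleset (sids in the local range, not distributed rules). */
const char SAMPLE_RULES[] =
    "# constructed sample, not a distributed ruleset\n"
    "var HOME_NET any\n"
    "alert tcp any any -> $HOME_NET 1234 (msg:\"test connection\"; sid:1000001;)\n"
    "# alert tcp any any -> any any (msg:\"disabled rule\"; sid:1000002;)\n"
    "drop tcp any any -> $HOME_NET 23 (msg:\"already inline\"; sid:1000003;)\n"
    "  alert icmp any any -> $HOME_NET any (msg:\"indented rule\"; sid:1000004;)\n";

int main(void)
{
    char out[2048];
    int n = convert_ruleset(SAMPLE_RULES, "drop", out, sizeof out);
    printf("%d rules converted:\n%s", n, out);
    return n < 0;
}
```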
From: <sa...@co...> - 2004-07-23 18:05:55

Hi,

I'm new to Snort-Inline. I have a system working happily, and wanted to inquire about the two configuration files in the 'etc' directory of the snort_inline source tree.

So, I figure that the 'snort_inline.conf' is the one I want, but doing a diff with the 'snort.conf' shows that there are some xxx.rules files commented out on snort_inline.conf vs. snort.conf and vice versa.

Is there any particular reason for this difference?

Also, is there a maintained database of snort_inline signature ruleset much like the snort signature ruleset database? Or are they one and the same?

Would setting all references to 'alert' to (drop|sdrop|reject) just do the trick, or has someone gone through the rules to selectively elect the best responses when looking at the original snort IDS based action signatures?

Also, it may be just me or by design, but doing 'make install' in the 2.1.3b tree ignored all the configuration related files.

Thanks in advance,
Peter
From: Geffrey V. [MINAG] <gve...@mi...> - 2004-07-23 15:12:36

You must recompile from the tarball. The binary version works well in Debian.

Regards,
Geffrey Velásquez

---------- Original Message -----------
From: "Scotte Zinn" <sz...@ro...>
To: sno...@li...
Sent: Fri, 23 Jul 2004 09:24:50 -0400
Subject: [Snort-inline-users] Segmentation fault running 2.1.3b

> I got 2.1.3b (standard version) and when I run it without any
> parameters or with -V, I get a segmentation fault. I'm using Redhat
> 9 Linux.
>
> Any ideas?
>
> -- Scotte
------- End of Original Message -------
From: Scotte Z. <sz...@ro...> - 2004-07-23 13:24:51

I got 2.1.3b (standard version) and when I run it without any parameters or with -V, I get a segmentation fault. I'm using Redhat 9 Linux.

Any ideas?

-- Scotte
From: Victor J. <vi...@nk...> - 2004-07-22 09:57:04

Hi Will, List,

I was thinking about the approach and I think I've made a little mistake. The patch assumes only NEW connections can start a tcp-connection and ESTABLISHED and RELATED don't. However, if I'm not mistaken, RELATED connections can also set up connections. This is because RELATED takes care of the ftp-data connection for example, which is of course a normal tcp connection. After the setting up of this RELATED connection, it becomes ESTABLISHED (I assume, correct me if I'm wrong). So basically what I'm saying is that we should mark NEW,RELATED 0x10 and ESTABLISHED 0x11.

I will try to test this asap.

Regards,
Victor
From: Ben J. <be...@ma...> - 2004-07-20 10:39:15

Hi all,

Having a hot summer?

I am running a simple inline setup where I need to redirect all incoming port 80 and port 8080 traffic to a third-party port. Anyone have experience with this that knows if this is best to do with iptables or snort-inline itself? I already tried with iptables but it fails to do it on my eth0 and eth1 running br0 that has no ip address.

Cheers
Ben
From: Kamal A. <kam...@ya...> - 2004-07-14 01:28:04

Hi Snort Gurus,

I would like to know, what tools do you use to test snort, e.g. stick, mucus.... etc.

Hints welcomed.

-Kamal.
From: Victor J. <vi...@nk...> - 2004-07-11 05:49:55

Following up on myself again, sorry guys... Just a few thoughts:

- I would like to make this an option for stream4
- the mark-values would be options in the snort_inline.conf
- should the iptables states 'related' and 'established' be handled in a different way?
- the mark-values will be ranges, so you can still use the marks for other means: e.g. NEW 0x1-0x1000000, EST/REL 0x1000001-0x2000000. So if you use traffic shaping with marks, you can still use them.

I will work this out further when I return from my holiday, so see you guys all in two weeks!

Regards,
Victor

Victor Julien wrote:
> On Friday 09 July 2004 16:14, William Metcalf wrote:
>
>> Dude if you can get state information to pass from iptables to ipqueue, to
>> snort_inline, to the stream4 preproc go for it. If you take this route,
>> you will still have to change the way that stream4 deals with mid-stream
>> sessions. It waits to see both sides of the communication until it marks a
>> stream as established i.e. if we are dropping packets and the client is
>> retransmitting the same packet over and over and the session gets nuked due
>> to timeout in stream4 the next packet in will be a retransmission of the
>> attack and will make it through because snort does not look at a yet
>> unestablished streams packets with stream4 enabled.
>
> Hey Will, other Guys,
>
> Okay, here goes nothing. Attached are two files: one patch and one script with
> example rule for iptables (NAT mode). This is proof of concept quality, and
> needs a lot of work!
>
> What I do here is the following:
>
> Before queueing the packets to snort_inline I mark them in iptables:
> 0x10: NEW
> 0x11: ESTABLISHED,RELATED
>
> I read this in TranslateToPcap() into iv.mark.
>
> When ReassembleStream4 can't find a session for the packet, it now first
> checks if the packet mark is 0x10. If so, it requires a SYN flag. If this
> succeeds, a session is created.
>
> If the mark is 0x10 but there is no SYN, we drop.
>
> If the 0x10 mark is not set, it checks if the 0x11 mark exists. If so it lets the
> packet continue, and the session will be created midstream.
>
> If no mark is set, it falls back to default behaviour.
>
> Advantages of this approach:
> - timeout can be 30 sec even for ssh-sessions, because iptables takes care of
> the connection tracking.
> - So we save memory.
>
> Disadvantages:
> - no idea if this can work in bridge mode
> - is this really secure? I think it is, because we can trust iptables?
> - this is where you guys come in.
>
> Regards,
> Victor
>
> BTW: with this patch and the sighup patch I sent yesterday, you can reload
> snort_inline, without losing your connections : - )
>
>> Regards,
>>
>> Will
>>
>> Victor Julien <vi...@nk...>, 07/09/2004 05:55 AM
>> To: sno...@li...urceforge.net
>> cc: William Metcalf <Wil...@kc...>
>> Subject: Re: [Snort-inline-users] [PATCH] fix restart function called after a SigHUP
>>
>> On Friday 09 July 2004 09:45, Victor Julien wrote:
>>
>>> On Friday 09 July 2004 03:04, William Metcalf wrote:
>>>
>>>>> I'm no snort expert, nor a snort_inline expert, nor a expert programmer, but
>>>>> my question is: what would you gain by writing your own preproc? Can you
>>>>> point problems in the current one that are so big they can't be fixed?
>>>>
>>>> The way that stream4 deals with data now is not really ideal for an
>>>> inline device. We could cut a lot of fat out stream4 with the checks for
>>>> picking up sessions midstream as this shouldn't ever happen except during
>>>> the initialization of the plug-in. In addition separating out the
>>>> session time-out and storing of packets in memory will be difficult while
>>>> keeping the stream4 preproc working while not in inline mode. Rob has
>>>> amazingly been able to do this up to this point : -)
>>>
>>> I have several ideas. Since snort_inline is dependant on Netfilter, can't
>>> we in some way use the Netfilter connection-tracking? Maybe with some
>>> extension of conntrack or a modification of libipq? We don't have to
>>> re-invent the wheel, right?
>>
>> Sorry to follow up on myself, but if in iptables you mark NEW connections 0x1
>> and ESTABLISHED/RELATED connections 0x2, and manage to in some way
>> communicate this through the QUEUE target to snort_inline (not sure if this is
>> possible), then you can use the iptables conntrack, right?
>>
>> Then it would be possible to pick up sessions midstream because iptables tells
>> you they are valid (by setting the mark to 0x2)... and then the timeout of 30
>> sec to 2 minutes would make sense again, because we can pick up sessions
>> midstream again.
>>
>> Iptables would then send NEW connections with mark 0x1 so in snort_inline we
>> can then inspect the packet. See if it is a synner... this way we can still
>> detect portscans.
>>
>> So a new connection with MARK 0x1 would have the syn-flag, otherwise it's
>> a scan or something. A packet which enters midstream would contain the 0x2
>> mark (set by iptables), so we know it is not a scan, and we can accept it and
>> create a session for it again!
>>
>> How does this sound to you guys?
>>
>> Regards,
>> Victor
>>
>>> Maybe we want (yes we, I would like to help you ;-) the same timeout values
>>> netfilter uses. They make sense in normal use. This would present a
>>> challenge because of the much larger memory use of stream4. But maybe we
>>> can store the data of sessions that are inactive for a few minutes on disk?
>>>
>>> Can we think of something to write the state table to disk so it can
>>> survive a sighup (for applying new settings) or even a program restart
>>> (they seem to be identical right now (see below)). If you are in a
>>> corporate environment, you can't afford to lose sessions of your users if
>>> you apply a new rule or a configuration change.
>>>
>>> <snip>
>>>
>>>> Don't quote me on this, as I'm not sure if snort still reacts the same
>>>> way to a kill -HUP, but in the past it didn't just re-read the config
>>>> files, it used exec argv which completely tore down snort and restarted.
>>>
>>> You're right, I just didn't look right! I was really tired yesterday (in a
>>> few days I'm going on my holiday, I really deserved it! ;-)
>>>
>>> Regards,
>>> Victor
>>>
>>>> Regards,
>>>>
>>>> Will
>>>>
>>>> Victor Julien <vi...@nk...>, 07/08/2004 07:13 PM
>>>> To: William Metcalf <Wil...@kc...>
>>>> cc: sno...@li...urceforge.net, sno...@li...urceforge.net
>>>> Subject: Re: [Snort-inline-users] [PATCH] fix restart function called after a SigHUP
>>>>
>>>> On Friday 09 July 2004 01:59, William Metcalf wrote:
>>>>
>>>>> The more requests that come in, it's getting conceptually harder to
>>>>> meet them modding the stream4 that comes with vanilla snort. I guess I've
>>>>> found my research project for my cert, I'll start rewriting stream4 as a
>>>>> separate preproc for snort_inline. What do you guys think about this?
>>>>
>>>> I'm no snort expert, nor a snort_inline expert, nor a expert programmer, but
>>>> my question is: what would you gain by writing your own preproc? Can you
>>>> point problems in the current one that are so big they can't be fixed?
>>>>
>>>>> If this is cool with everyone, just send me what you would like to see. As
>>>>> far as reassembly goes how long do you think we should store packets in
>>>>> memory from the stream? What is a good length to keep state?
>>>>
>>>> I would like to be able to walk away from my ssh session for a few hours, and
>>>> still not lose my session (and I really know people that act this way! =)
>>>>
>>>> But Will, can you explain me something? When snort_inline receives a sighup
>>>> the Restart() function is called, which in its turn runs through the
>>>> PluginRestartList to execute the restart function of the specific
>>>> preproc, right? If I'm not mistaken, for stream4 this is the
>>>> Stream4RestartFunction(). However in that function (starting on line 3509
>>>> of spp_stream4.c) I can find no reason for the state table to flush... so
>>>> where is it flushed (if at all)?
>>>>
>>>>> Rob, would you be
>>>>> alright with this?
>>>>>
>>>>> Regards,
>>>>>
>>>>> Will
>>>>
>>>> Regards,
>>>> Victor
>>>>
>>>> PS. what kind of cert is that?
From: Cliff M. <cl...@un...> - 2004-07-09 20:46:09
It compiles fine, but when I run snort_inline -Q -c /etc/snort_inline.conf
and include the mysql statement in the config file I receive a segfault.

Cliff

On Jul 9, 2004, at 12:50 AM, William Metcalf wrote:
> I forgot that you are trying to do NAT mode... The error comes out of
> plugbase.c why it thinks you have yet to specify an interface i'm not
> sure. Just for grins try changing line 357 in spo_database.c from
>
> if (InlineMode())
>
> to
>
> if((InlineMode()) && (pv.interface = NULL))
>
> I'm not sure what difference this will make as via the command line
> switches you sent you are specifying an interface and the original if
> statement is only called if escapedinterface can't be filled by what
> you specified on the command line but give it a shot anyway.
>
> Regards,
>
> Will
From: Victor J. <vi...@nk...> - 2004-07-09 20:08:23
On Friday 09 July 2004 16:14, William Metcalf wrote:
> Dude if you can get state information to pass from iptables to ipqueue, to
> snort_inline, to the stream4 preproc go for it. If you take this route,
> you will still have to change the way that stream4 deals with mid-stream
> sessions. It waits to see both sides of the communication until it marks a
> stream as established i.e. if we are dropping packets and the client is
> retransmitting the same packet over and over and the session gets nuked due
> to timeout in stream4 the next packet in will be a retransmission of the
> attack and will make it through because snort does not look at a yet
> unestablished stream's packets with stream4 enabled.

Hey Will, other Guys,

Okay, here goes nothing. Attached are two files: one patch and one script
with an example rule for iptables (NAT mode). This is proof of concept
quality, and needs a lot of work!

What i do here is the following:

Before queueing the packets to snort_inline i mark them in iptables:
0x10: NEW
0x11: ESTABLISHED,RELATED

I read this in TranslateToPcap() into iv.mark.

When ReassembleStream4 can't find a session for the packet, it now first
checks if the packet mark is 0x10. If so, it requires a SYN flag. If this
succeeds, a session is created. If the mark is 0x10 but there is no SYN, we
drop.

If the 0x10 mark is not set, it checks if the 0x11 mark exists. If so it
lets the packet continue, and the session will be created midstream.

If no mark is set, it falls back to default behaviour.

Advantage of this approach:
- timeout can be 30 sec even for ssh-sessions, because iptables takes care
  of the connection tracking.
- So we save memory.

Disadvantages:
- no idea if this can work in bridge mode
- is this really secure? i think it is, because we can trust iptables? -
  this is where you guys come in.

Regards,
Victor

BTW: with this patch and the sighup patch i sent yesterday, you can reload
snort_inline without losing your connections : - )

> Regards,
>
> Will
>
> Victor Julien <vi...@nk...>
> 07/09/2004 05:55 AM
> To: sno...@li...urceforge.net
> cc: William Metcalf <Wil...@kc...>
> Subject: Re: [Snort-inline-users] [PATCH] fix restart function called
> after a SigHUP
>
> On Friday 09 July 2004 09:45, Victor Julien wrote:
> > On Friday 09 July 2004 03:04, William Metcalf wrote:
> > > > I'm no snort expert, nor a snort_inline expert, nor an expert
> > > > programmer, but my question is: what would you gain by writing your
> > > > own preproc? Can you point problems in the current one that are so
> > > > big they can't be fixed?
> > >
> > > The way that stream4 deals with data now is not really ideal for an
> > > inline device. We could cut a lot of fat out of stream4 with the
> > > checks for picking up sessions midstream as this shouldn't ever
> > > happen except during the initialization of the plug-in. In addition
> > > separating out the session time-out and storing of packets in memory
> > > will be difficult while keeping the stream4 preproc working while not
> > > in inline mode. Rob has amazingly been able to do this up to this
> > > point : -)
> >
> > I have several ideas. Since snort_inline is dependent on Netfilter,
> > can't we in some way use the Netfilter connection-tracking? Maybe with
> > some extension of conntrack or a modification of libipq? We don't have
> > to re-invent the wheel, right?
>
> Sorry to follow up on myself, but if in iptables you mark NEW connections
> 0x1 and ESTABLISHED/RELATED connections 0x2, and manage to in some way
> communicate this through the QUEUE target to snort_inline (not sure if
> this is possible), then you can use the iptables conntrack, right?
>
> Then it would be possible to pick up sessions midstream because iptables
> tells you they are valid (by setting the mark to 0x2)... and then the
> timeout of 30 sec to 2 minutes would make sense again, because we can
> pick up sessions midstream again.
>
> Iptables would then send NEW connections with mark 0x1 so in snort_inline
> we can then inspect the packet. See if it is a synner... this way we can
> still detect portscans.
>
> So a new connection with MARK 0x1 would have the syn-flag, otherwise it's
> a scan or something. A packet which enters midstream would contain the
> 0x2 mark (set by iptables), so we know it is not a scan, and we can accept
> it and create a session for it again!
>
> How does this sound to you guys?
>
> Regards,
> Victor
>
> > Maybe we want (yes we, i would like to help you ;-) the same timeout
> > values netfilter uses. They make sense in normal use. This would
> > present a challenge because of the much larger memory use of stream4.
> > But maybe we can store the data of sessions that are inactive for a few
> > minutes on disk?
> >
> > Can we think of something to write the state table to disk so it can
> > survive a sighup (for applying new settings) or even a program restart
> > (they seem to be identical right now (see below)). If you are in a
> > corporate environment, you can't afford to lose sessions of your users
> > if you apply a new rule or a configuration change.
> >
> > <snip>
> >
> > > Don't quote me on this, as I'm not sure if snort still reacts the
> > > same way to a kill -HUP, but in the past it didn't just re-read the
> > > config files, it used exec argv which completely tore down snort and
> > > restarted.
> >
> > You're right, I just didn't look right! I was really tired yesterday
> > (in a few days i'm going on my holiday, i really deserved it! ;-)
> >
> > Regards,
> > Victor
> >
> > > Regards,
> > >
> > > Will
> > >
> > > Victor Julien <vi...@nk...>
> > > 07/08/2004 07:13 PM
> > > To: William Metcalf <Wil...@kc...>
> > > cc: sno...@li...urceforge.net, sno...@li...urceforge.net
> > > Subject: Re: [Snort-inline-users] [PATCH] fix restart function called
> > > after a SigHUP
> > >
> > > On Friday 09 July 2004 01:59, William Metcalf wrote:
> > > > The more requests that come in, it's getting conceptually harder to
> > > > meet them modding the stream4 that comes with vanilla snort. I
> > > > guess I've found my research project for my cert, I'll start
> > > > rewriting stream4 as a separate preproc for snort_inline. What do
> > > > you guys think about this?
> > >
> > > I'm no snort expert, nor a snort_inline expert, nor an expert
> > > programmer, but my question is: what would you gain by writing your
> > > own preproc? Can you point problems in the current one that are so
> > > big they can't be fixed?
> > >
> > > > If this is cool with everyone, just send me what you would like to
> > > > see. As far as reassembly goes how long do you think we should
> > > > store packets in memory from the stream? What is a good length to
> > > > keep state?
> > >
> > > I would like to be able to walk away from my ssh session for a few
> > > hours, and still not lose my session (and i really know people that
> > > act this way! =)
> > >
> > > But Will, can you explain something to me? When snort_inline receives
> > > a sighup the Restart() function is called, which in its turn runs
> > > through the PluginRestartList to execute the restart function of the
> > > specific preproc, right? If i'm not mistaken, for stream4 this is the
> > > Stream4RestartFunction(). However in that function (starting on line
> > > 3509 of spp_stream4.c) i can find no reason for the state table to
> > > flush... so where is it flushed (if at all)?
> > >
> > > > Rob, would you be alright with this?
> > > >
> > > > Regards,
> > > >
> > > > Will
> > >
> > > Regards,
> > > Victor
> > >
> > > PS. what kind of cert is that?
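The admission rule Victor describes above, written out as a stand-alone C model so it can be read and run without the attached patch (which is not reproduced on this page). This is an added example, not Victor's patch or any snort_inline code: the packet struct, the enum and the function names are assumptions for illustration, and the iptables lines in the header comment are one way to set the two marks he names (his attached script is not shown). The only real API referenced is libipq's ipq_packet_msg_t, which does carry the nfmark in its mark field.

```c
/*
 * Added example, not from snort_inline or the attached patch: models the
 * check ReassembleStream4 would make for a TCP packet that matches no
 * existing session, driven by the netfilter mark set before QUEUE.
 *
 * Assumed rule set producing the marks named in the mail (NAT/router box,
 * the attached script is not shown):
 *
 *   iptables -t mangle -A PREROUTING -p tcp -m state --state NEW \
 *            -j MARK --set-mark 0x10
 *   iptables -t mangle -A PREROUTING -p tcp -m state --state ESTABLISHED,RELATED \
 *            -j MARK --set-mark 0x11
 *   iptables -A FORWARD -p tcp -j QUEUE
 *
 * In snort_inline the mark arrives in libipq's ipq_packet_msg_t.mark and is
 * copied into iv.mark; here it is a field of a constructed packet struct.
 */
#include <stdint.h>
#include <stdio.h>

#define TH_SYN 0x02
#define TH_ACK 0x10

#define MARK_NEW          0x10u   /* conntrack state NEW */
#define MARK_ESTABLISHED  0x11u   /* conntrack state ESTABLISHED or RELATED */

/* What to do with a packet that matched no stream4 session (names assumed). */
enum admit {
    ADMIT_NEW_SESSION,   /* mark NEW and SYN set: create the session */
    ADMIT_MIDSTREAM,     /* mark ESTABLISHED: conntrack vouches, pick up midstream */
    ADMIT_DEFAULT,       /* no mark: fall back to stream4's normal behaviour */
    ADMIT_DROP           /* mark NEW without SYN: scan or spoof, drop */
};

/* Constructed packet: only the two fields the check needs. */
struct pkt {
    uint32_t mark;       /* nfmark copied from the queue message */
    uint8_t  tcp_flags;  /* TCP header flags */
};

enum admit admit_unknown_session(const struct pkt *p)
{
    if (p->mark == MARK_NEW) {
        /* First packet of a flow according to conntrack: it must carry SYN. */
        return (p->tcp_flags & TH_SYN) ? ADMIT_NEW_SESSION : ADMIT_DROP;
    }
    if (p->mark == MARK_ESTABLISHED) {
        /* conntrack already saw the handshake, or snort_inline was reloaded
         * and lost its table: trust the firewall and resume midstream. */
        return ADMIT_MIDSTREAM;
    }
    /* No mark: the rule set did not classify this packet, so behave as
     * stock stream4 would. */
    return ADMIT_DEFAULT;
}

static const char *admit_name(enum admit a)
{
    static const char *names[] = { "new session", "midstream", "default", "drop" };
    return names[a];
}

int main(void)
{
    /* Constructed sample packets, one per branch. */
    struct pkt samples[] = {
        { MARK_NEW,         TH_SYN },   /* normal handshake start */
        { MARK_NEW,         TH_ACK },   /* ACK scan or spoofed packet */
        { MARK_ESTABLISHED, TH_ACK },   /* data on a flow conntrack already knows */
        { 0,                TH_ACK },   /* reached QUEUE without a MARK rule */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("mark=0x%02x flags=0x%02x -> %s\n",
               (unsigned)samples[i].mark, (unsigned)samples[i].tcp_flags,
               admit_name(admit_unknown_session(&samples[i])));
    return 0;
}
```

Two things to check before trusting the marks in production: every path into QUEUE must pass the MARK rules first, because anything that arrives unmarked lands in the default branch and gets none of the benefit; and the check as described only tests that SYN is set, so a SYN+ACK with the NEW mark is still admitted, which you may want to tighten to SYN-without-ACK if the goal is to see only genuine handshake starts.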
From: Cliff M. <cl...@un...> - 2004-07-09 20:08:23
I FINALLY got it to work! I ended up setting the FORWARD rule to the alias IP
instead of eth0. However, there is a trade off, by specifying the interface
when starting snort (-i eth0 -I), it doesn't log incoming packets :( I'm
going to try changing plugbase.c and see what happens.

On Jul 9, 2004, at 11:30 AM, William Metcalf wrote:
> oops! you're right, it was 2:30 in the morning and well...... : - ).
> Have yet to hear from cliff today, I made a couple of other suggestions
> over irc.
>
> Regards,
>
> Will
>
> Earl <uno...@ya...>
> Sent by: sno...@li...
> 07/09/2004 01:22 PM
> To: Victor Julien <vi...@nk...>, William Metcalf <Wil...@kc...>
> cc: Cliff Massey <cl...@un...>, sno...@li...
> Subject: Re: [Snort-inline-users] Basic Questions
>
> Isn't "=" for assignment and "==" for comparison?
>
> If so then (pv.interface = NULL) is true for all
> non-zero values of "NULL", right?
>
> Earl
>
> PS: I didn't actually see "=" being used as a
> comparison operator in the actual code...
>
> --- Victor Julien <vi...@nk...> wrote:
> > On Friday 09 July 2004 15:30, William Metcalf wrote:
> > > Yep that's how i wrote it : - ).
> >
> > Okay, but what is the difference between:
> >
> > if (InlineMode())
> >
> > and
> >
> > if((InlineMode()) && (pv.interface = NULL))
> >
> > if you are already sure pv.interface is NULL??
> >
> > Please enlighten me : - )
> >
> > Victor
> >
> > > Regards,
> > >
> > > Will
> > >
> > > Victor Julien <vi...@nk...>
> > > Sent by: snort-inline-users-...@li...urceforge.net
> > > 07/09/2004 03:54 AM
> > > To: sno...@li...urceforge.net
> > > cc: William Metcalf <Wil...@kc...>, Cliff Massey <cl...@un...>
> > > Subject: Re: [Snort-inline-users] Basic Questions
> > >
> > > If i see it correct, the code on line 357 can only be reached if
> > > pv.interface is already NULL...
> > >
> > > On Friday 09 July 2004 09:50, William Metcalf wrote:
> > > > I forgot that you are trying to do NAT mode... The error comes out
> > > > of plugbase.c why it thinks you have yet to specify an interface
> > > > i'm not sure.
> > > >
> > > > Just for grins try changing line 357 in spo_database.c from
> > > >
> > > > if (InlineMode())
> > > >
> > > > to
> > > >
> > > > if((InlineMode()) && (pv.interface = NULL))
> > > >
> > > > I'm not sure what difference this will make as via the command line
> > > > switches you sent you are specifying an interface and the original
> > > > if statement is only called if escapedinterface can't be filled by
> > > > what you specified on the command line but give it a shot anyway.
> > > >
> > > > Regards,
> > > >
> > > > Will
From: Earl <uno...@ya...> - 2004-07-09 18:22:27
Isn't "=" for assignment and "==" for comparison?

If so then (pv.interface = NULL) is true for all
non-zero values of "NULL", right?

Earl

PS: I didn't actually see "=" being used as a
comparison operator in the actual code...

--- Victor Julien <vi...@nk...> wrote:
> On Friday 09 July 2004 15:30, William Metcalf wrote:
> > Yep that's how i wrote it : - ).
>
> Okay, but what is the difference between:
>
> if (InlineMode())
>
> and
>
> if((InlineMode()) && (pv.interface = NULL))
>
> if you are already sure pv.interface is NULL??
>
> Please enlighten me : - )
>
> Victor
>
> > Regards,
> >
> > Will
> >
> > Victor Julien <vi...@nk...>
> > Sent by: snort-inline-users-...@li...urceforge.net
> > 07/09/2004 03:54 AM
> > To: sno...@li...urceforge.net
> > cc: William Metcalf <Wil...@kc...>, Cliff Massey <cl...@un...>
> > Subject: Re: [Snort-inline-users] Basic Questions
> >
> > If i see it correct, the code on line 357 can only be reached if
> > pv.interface is already NULL...
> >
> > On Friday 09 July 2004 09:50, William Metcalf wrote:
> > > I forgot that you are trying to do NAT mode... The error comes out of
> > > plugbase.c why it thinks you have yet to specify an interface i'm not
> > > sure.
> > >
> > > Just for grins try changing line 357 in spo_database.c from
> > >
> > > if (InlineMode())
> > >
> > > to
> > >
> > > if((InlineMode()) && (pv.interface = NULL))
> > >
> > > I'm not sure what difference this will make as via the command line
> > > switches you sent you are specifying an interface and the original if
> > > statement is only called if escapedinterface can't be filled by what
> > > you specified on the command line but give it a shot anyway.
> > >
> > > Regards,
> > >
> > > Will

__________________________________
Do you Yahoo!?
Yahoo! Mail - 50x more storage than other providers!
http://promotions.yahoo.com/new_mail
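The point Earl raises, shown in runnable C so the two behaviours can be compared. This is an added example, not code from spo_database.c or from any patch on this list: the packet_vars struct stands in for snort's pv (an assumption about its shape), and the two functions exist only to contrast the suggested line with the comparison that was meant. Since NULL is the null pointer constant (zero), the suggested expression always evaluates to false and, as a side effect, overwrites the interface pointer.

```c
/* Added example, not from spo_database.c: `=` versus `==` inside the
 * condition suggested on this thread. The struct below is a stand-in for
 * snort's pv, assumed to hold the interface name as a pointer. */
#include <stddef.h>
#include <stdio.h>

struct packet_vars {
    char *interface;          /* assumed stand-in for pv.interface */
};

/* The suggested line. `pv->interface = NULL` assigns NULL and yields the
 * assigned value, which is 0, so the branch is never taken and the
 * interface name is destroyed on the way. */
int suggested_check(struct packet_vars *pv, int inline_mode)
{
    return inline_mode && (pv->interface = NULL);
}

/* What was meant: compare against NULL without modifying anything. */
int intended_check(const struct packet_vars *pv, int inline_mode)
{
    return inline_mode && (pv->interface == NULL);
}

/* Run each form once on a fresh pv carrying "eth0" and report whether the
 * interface pointer survived (1) or was wiped (0). */
int interface_survives_suggested(void)
{
    struct packet_vars pv = { "eth0" };       /* constructed input */
    (void)suggested_check(&pv, 1);
    return pv.interface != NULL;
}

int interface_survives_intended(void)
{
    struct packet_vars pv = { "eth0" };       /* constructed input */
    (void)intended_check(&pv, 1);
    return pv.interface != NULL;
}

int main(void)
{
    struct packet_vars pv = { "eth0" };
    printf("suggested: taken=%d, interface afterwards: %s\n",
           suggested_check(&pv, 1), pv.interface ? pv.interface : "(null)");

    struct packet_vars pv2 = { "eth0" };
    printf("intended:  taken=%d, interface afterwards: %s\n",
           intended_check(&pv2, 1), pv2.interface ? pv2.interface : "(null)");

    struct packet_vars pv3 = { NULL };
    printf("intended on NULL interface: taken=%d\n", intended_check(&pv3, 1));
    return 0;
}
```

Compilers will not flag the suggested form because the assignment is already wrapped in its own parentheses, which is exactly the idiom used to silence the "assignment used as truth value" warning; reading the condition with `==` in mind, as Earl did, is the only way to catch it.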
From: Victor J. <vi...@nk...> - 2004-07-09 15:20:07
On Friday 09 July 2004 15:30, William Metcalf wrote:
> Yep that's how i wrote it : - ).

Okay, but what is the difference between:

if (InlineMode())

and

if((InlineMode()) && (pv.interface = NULL))

if you are already sure pv.interface is NULL??

Please enlighten me : - )

Victor

> Regards,
>
> Will
>
> Victor Julien <vi...@nk...>
> Sent by: snort-inline-users-...@li...urceforge.net
> 07/09/2004 03:54 AM
> To: sno...@li...urceforge.net
> cc: William Metcalf <Wil...@kc...>, Cliff Massey <cl...@un...>
> Subject: Re: [Snort-inline-users] Basic Questions
>
> If i see it correct, the code on line 357 can only be reached if
> pv.interface is already NULL...
>
> On Friday 09 July 2004 09:50, William Metcalf wrote:
> > I forgot that you are trying to do NAT mode... The error comes out of
> > plugbase.c why it thinks you have yet to specify an interface i'm not
> > sure.
> >
> > Just for grins try changing line 357 in spo_database.c from
> >
> > if (InlineMode())
> >
> > to
> >
> > if((InlineMode()) && (pv.interface = NULL))
> >
> > I'm not sure what difference this will make as via the command line
> > switches you sent you are specifying an interface and the original if
> > statement is only called if escapedinterface can't be filled by what you
> > specified on the command line but give it a shot anyway.
> >
> > Regards,
> >
> > Will