From: Geffrey V. [MINAG] <gve...@mi...> - 2004-07-01 19:14:54

Hi Victor, and what is the difference with this?:

1. iptables -A FORWARD -m state --state ESTABLISHED,RELATED -p tcp --dport 25 -j QUEUE
2. iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
3. iptables -A FORWARD -p tcp --dport 25 -m state --state NEW -j QUEUE
4. iptables -A FORWARD -p tcp --dport 110 -m state --state NEW -j ACCEPT

Regards,
Geffrey Velásquez
Cel.: 9722-2705

---------- Original Message -----------
From: Victor Julien <vi...@nk...>
To: sno...@li...
Sent: Thu, 1 Jul 2004 19:53:28 +0200
Subject: [Snort-inline-users] using snort_inline for selected traffic only (was: help with setting up iptables for use with snort_inline)

> Hi list,
>
> I found the answer to my question (with the kind help of Antony Stone of the
> Netfilter list). I'd like to share it with you so others can use it as well.
> I've written it in the snort_inline FAQ format, so if you think it's useful
> please include it in your FAQ!
>
> Regards,
> Victor
>
> Question: I want to handle only selected traffic with snort_inline
>
> Answer: You can use the MARK target in iptables for this. Say you want only
> smtp traffic to be handled by snort_inline, but not pop3.
>
> 1. iptables -t mangle -A FORWARD -p tcp --dport 25 -j MARK --set-mark 0x1
>
> 2. iptables -A FORWARD -m state --state ESTABLISHED,RELATED -m mark --mark 0x1 -j QUEUE
> 3. iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> 4. iptables -A FORWARD -p tcp --dport 25 -m state --state NEW -j QUEUE
> 5. iptables -A FORWARD -p tcp --dport 110 -m state --state NEW -j ACCEPT
>
> Pop3 traffic is now first accepted in rule 5, and after that handled by rule 3.
>
> The smtp traffic is now first QUEUE'd by rule 4, after that marked in rule 1
> so it can be picked up by the 2nd rule.
>
> Question: I can now handle selected traffic, but I'm having trouble with
> protocols which use protocol handlers in iptables, like ftp.
>
> Answer: for this you need the 'helper' module. Say you want only ftp traffic
> to be handled by snort_inline, but not http.
>
> 1. iptables -t mangle -A FORWARD -p tcp --dport 21 -j MARK --set-mark 0x1
> 2. iptables -t mangle -A FORWARD -m helper --helper "ftp" -j MARK --set-mark 0x1
>
> 3. iptables -A FORWARD -m state --state ESTABLISHED,RELATED -m mark --mark 0x1 -j QUEUE
> 4. iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> 5. iptables -A FORWARD -p tcp --dport 21 -m state --state NEW -j QUEUE
> 6. iptables -A FORWARD -p tcp --dport 80 -m state --state NEW -j ACCEPT
>
> The difference here is the second rule which makes sure that the connections
> that are handled by the ftp conntrack helper are also sent to the queue.
>
> -------------------------------------------------------
> This SF.Net email sponsored by Black Hat Briefings & Training.
> Attend Black Hat Briefings & Training, Las Vegas July 24-29 -
> digital self defense, top technical experts, no vendor pitches,
> unmatched networking opportunities. Visit www.blackhat.com
> _______________________________________________
> Snort-inline-users mailing list
> Sno...@li...
> https://lists.sourceforge.net/lists/listinfo/snort-inline-users
------- End of Original Message -------
From: Victor J. <vi...@nk...> - 2004-07-01 19:00:16

Hi,

I'm testing snort_inline to filter my outgoing traffic. Http, ftp, pop3 work fine so far, however msn-messenger does not. I'm using Kopete (kde 3.2.2, debian-testing) with msn-plugin. The plugin just dies after some 5 minutes or so. This does not happen when msn works just with iptables.

Is there any known problem with msn and snort_inline?

Regards,
Victor
From: Victor J. <vi...@nk...> - 2004-07-01 17:53:43

Hi list,

I found the answer to my question (with the kind help of Antony Stone of the Netfilter list). I'd like to share it with you so others can use it as well. I've written it in the snort_inline FAQ format, so if you think it's useful please include it in your FAQ!

Regards,
Victor

Question: I want to handle only selected traffic with snort_inline

Answer: You can use the MARK target in iptables for this. Say you want only smtp traffic to be handled by snort_inline, but not pop3.

1. iptables -t mangle -A FORWARD -p tcp --dport 25 -j MARK --set-mark 0x1

2. iptables -A FORWARD -m state --state ESTABLISHED,RELATED -m mark --mark 0x1 -j QUEUE
3. iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

4. iptables -A FORWARD -p tcp --dport 25 -m state --state NEW -j QUEUE
5. iptables -A FORWARD -p tcp --dport 110 -m state --state NEW -j ACCEPT

Pop3 traffic is now first accepted in rule 5, and after that handled by rule 3.

The smtp traffic is now first QUEUE'd by rule 4, after that marked in rule 1 so it can be picked up by the 2nd rule.

Question: I can now handle selected traffic, but I'm having trouble with protocols which use protocol handlers in iptables, like ftp.

Answer: for this you need the 'helper' module. Say you want only ftp traffic to be handled by snort_inline, but not http.

1. iptables -t mangle -A FORWARD -p tcp --dport 21 -j MARK --set-mark 0x1
2. iptables -t mangle -A FORWARD -m helper --helper "ftp" -j MARK --set-mark 0x1

3. iptables -A FORWARD -m state --state ESTABLISHED,RELATED -m mark --mark 0x1 -j QUEUE
4. iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

5. iptables -A FORWARD -p tcp --dport 21 -m state --state NEW -j QUEUE
6. iptables -A FORWARD -p tcp --dport 80 -m state --state NEW -j ACCEPT

The difference here is the second rule which makes sure that the connections that are handled by the ftp conntrack helper are also sent to the queue.
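As an added example (not Victor's or the snort_inline project's own code), the two FAQ answers above and the original question further down the page generalised into a small POSIX sh generator: `emit_ruleset` takes a chain, a list of inspected ports (optionally with a conntrack helper, written `21:ftp`) and a list of pass-through ports, and emits the mangle MARK rules, the marked ESTABLISHED,RELATED QUEUE rule, the plain ACCEPT and the per-port NEW rules in the order the answer uses. The `IPTABLES` and `INSPECT_MARK` variables and the `port:helper` syntax are assumptions of this example; by default it only prints the commands.

```sh
#!/bin/sh
# Added example, not from the list post: generate the selective-QUEUE ruleset
# from the FAQ answer for any mix of inspected and pass-through TCP ports.
# Dry run by default; set IPTABLES=iptables to apply the rules for real.
IPTABLES="${IPTABLES:-echo iptables}"
# Packet mark that flags a flow for snort_inline (0x1 as in the post; made configurable here).
INSPECT_MARK="${INSPECT_MARK:-0x1}"

# emit_ruleset CHAIN INSPECT PASS
#   CHAIN   : chain to populate (FORWARD for a gateway, OUTPUT for local traffic)
#   INSPECT : space-separated "port" or "port:helper" entries to hand to snort_inline;
#             "port:helper" additionally marks connections the named conntrack helper expects
#   PASS    : space-separated ports iptables should accept without inspection
emit_ruleset() {
    chain=$1
    inspect=$2
    pass=$3

    # Step 1 (mangle table): mark every packet that belongs to an inspected flow.
    # mangle is traversed before filter, so the mark is visible to the rules below.
    for entry in $inspect; do
        port=${entry%%:*}
        helper=${entry#*:}
        if [ "$helper" = "$entry" ]; then
            helper=""
        fi
        $IPTABLES -t mangle -A "$chain" -p tcp --dport "$port" \
            -j MARK --set-mark "$INSPECT_MARK"
        if [ -n "$helper" ]; then
            # Data connections opened through a conntrack helper (e.g. ftp) arrive as
            # RELATED on unpredictable ports; match them by helper name, not by port.
            $IPTABLES -t mangle -A "$chain" -m helper --helper "$helper" \
                -j MARK --set-mark "$INSPECT_MARK"
        fi
    done

    # Step 2 (filter table): follow-up packets of marked flows go to snort_inline,
    # follow-up packets of every other flow are accepted by iptables alone.
    $IPTABLES -A "$chain" -m state --state ESTABLISHED,RELATED \
        -m mark --mark "$INSPECT_MARK" -j QUEUE
    $IPTABLES -A "$chain" -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Step 3 (filter table): the first packet of a connection decides its fate.
    for entry in $inspect; do
        $IPTABLES -A "$chain" -p tcp --dport "${entry%%:*}" -m state --state NEW -j QUEUE
    done
    for port in $pass; do
        $IPTABLES -A "$chain" -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done
}

# Both FAQ cases at once: smtp and ftp (with its helper) inspected, pop3 and http passed through.
emit_ruleset FORWARD "25 21:ftp" "110 80"
```

Because the mangle rule matches on --dport only, the per-packet mark is set on the client-to-server half of an inspected flow; the server's replies carry no mark and are accepted by the plain ESTABLISHED,RELATED rule, so snort_inline sees one direction of the established connection unless the mark is carried on the connection (CONNMARK) rather than on each packet.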
From: buzz <rei...@fh...> - 2004-07-01 15:03:19

On Thursday 01 July 2004 16:48, Brian Jameson wrote:
>
> What distribution would people advise me to move to for easy compiles of
> Snort_Inline and Libnet. I would also want to use the system for building a
> lfs project that interests me and Openoffice, which I would like to learn
> about.
>
> regards,
> Brian
>

hi brian,

maybe you want to have a look at CRUX. http://www.crux.nu. it's a small and easy to use distribution. the whole install iso is about 200mb. there is a bsd like init process and a bsd-ports like package system which at least includes libnet. i had no problem getting snort_inline running there.

buzz
From: Brian J. <te...@ja...> - 2004-07-01 14:48:44

Up until now I've used Redhat 7.3 for building my snort_inline. I'd like to use this box for another purpose and tried migrating snort_inline to a Fedora Core 1 system. I have been unable to get this to compile even after trying the suggestions in http://snort-inline.sourceforge.net/FAQ.html.

Also libnet-1.0.2a.tar.gz will not compile on Fedora Core 1 and gives the following message when doing the make:

gcc -O2 -funroll-loops -fomit-frame-pointer -Wall -DHAVE_CONFIG_H -c src/libnet_resolve.c -o src/libnet_resolve.o
In file included from src/libnet_resolve.c:36:
include/libnet.h:87:8: missing terminating " character
include/libnet.h:89:50: missing terminating " character
make: *** [src/libnet_resolve.o] Error 1

What distribution would people advise me to move to for easy compiles of Snort_Inline and Libnet? I would also want to use the system for building a lfs project that interests me and Openoffice, which I would like to learn about.

regards,
Brian
From: Geffrey V. [MINAG] <gve...@mi...> - 2004-07-01 00:06:04

Hi friends,

I'm new to snort_inline. I downloaded the current binary version of snort_inline, I'm using the configuration files included in the tarball, I converted the alert rules to drop rules using the convert.sh script, and I'm using the default snort_inline.conf.

I loaded the ip_queue module and configured a simple iptables rule:

iptables -A INPUT -j QUEUE

In the snort_inline host I have a test web server (apache) and I run a nessus scan against it. The snort logs show the attacks, but it seems they are not dropped because they are also present in the apache logs. What could be wrong? The rules files were changed to drop instead of alert and all the variables are configured as "any".

Another question: do I need to configure the host as a bridge? Is it necessary?

Regards,
Geffrey
From: Cliff M. <cl...@un...> - 2004-06-30 18:23:54

Thanks for the tip. When I try -j -QUEUE I receive the error "no such chain/rule by that name". I can see the module loaded using insmod. Do I need to set up a new rule for this?

On Jun 30, 2004, at 11:12 AM, William Metcalf wrote:

> Here is an e-mail I sent to the list a while ago regarding using
> snort_inline in NAT mode. There is an overabundance of QUEUE
> statements, but it will give you some idea of what to do.
>
> It shouldn't be all that difficult. If you already have a nat firewall,
> just change the target in your rules from -j ACCEPT to -j QUEUE. Using the
> QUEUE target snort-inline will look at the traffic. If it is good it will
> pass it, if it is bad it will drop it. Or let's assume that you have a
> linux box with two interfaces and you want it to be an ips router. Lets
> also assume that eth0 is int of the network you want to protect and eth1 is
> the interface you have plugged into an untrusted network (cable modem
> etc.....) Something like the iptables script below should suffice. I
> might have some redundant QUEUE targets, but I wrote and tested this in
> fifteen minutes. It was dropping bad traffic like a champ. I didn't
> include any icmp statements, so if you want ping you will have to add it
> yourself.
>
> iptables -F INPUT
> iptables -F FORWARD
> iptables -F OUTPUT
> iptables -t nat -F PREROUTING
> iptables -t nat -F POSTROUTING
> iptables -P INPUT DROP
> iptables -P FORWARD DROP
> iptables -P OUTPUT ACCEPT
> # Enable IP forwarding
> echo "1" > /proc/sys/net/ipv4/ip_forward
> echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
> echo "0" > /proc/sys/net/ipv4/conf/all/send_redirects
> echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
> echo "1" > /proc/sys/net/ipv4/tcp_syncookies
> #INPUT
> #Let firewall talk to itself
> iptables -A INPUT -i lo -m state --state NEW -j ACCEPT
> #Allow traffic initiated from this box back in and check for nastiness
> iptables -A INPUT -m state --state RELATED,ESTABLISHED -j QUEUE
> #Set up the FORWARD table for NAT
> iptables -A FORWARD -i eth0 -o eth1 -j QUEUE
> iptables -A FORWARD -i eth1 -m state --state RELATED,ESTABLISHED -j QUEUE
> #Setup the NAT rule
> iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
>
> Regards,
>
> Will
>
> Cliff Massey <cl...@un...>
> Sent by: sno...@li...
> 06/30/2004 01:04 PM
> To: Rob McMillen <ro...@ho...>
> cc: sno...@li...
> Subject: Re: [Snort-inline-users] Basic Questions
>
> I'm using Fedora Core 2. As far as sending packets to snort_inline,
> that I'm not quite sure how to do. I read the README, but it really
> doesn't explain the inline part too well.. What is the best way to do
> that? With a QUEUE chain?
>
> Cliff
>
> On Jun 30, 2004, at 5:18 AM, Rob McMillen wrote:
>
> > What linux distro are you using? How are you sending packets to
> > snort_inline?
> >
> > Rob
> >
> > On Wed, 30 Jun 2004, Cliff Massey wrote:
> >
> >> Date: Wed, 30 Jun 2004 00:35:51 -0700
> >> From: Cliff Massey <cl...@un...>
> >> To: sno...@li...
> >> Subject: [Snort-inline-users] Basic Questions
> >>
> >> Hi,
> >>
> >> I was wondering if it is possible to get snort_inline to work with my
> >> current configuration. I'm using the linux 2.6 kernel & iptables with a
> >> basic nat setup between two interfaces. I can pickup alerts when
> >> running it in sniffer mode, although I can't when running in ids mode.
> >> The ip_queue module is loading correctly as I don't receive an error
> >> when using the -Q option.
> >>
> >> Any help would be appreciated.
> >>
> >> Cliff Massey
From: Cliff M. <cl...@un...> - 2004-06-30 18:06:01

I'm using Fedora Core 2. As far as sending packets to snort_inline, that I'm not quite sure how to do. I read the README, but it really doesn't explain the inline part too well.. What is the best way to do that? With a QUEUE chain?

Cliff

On Jun 30, 2004, at 5:18 AM, Rob McMillen wrote:

> What linux distro are you using? How are you sending packets to
> snort_inline?
>
> Rob
>
> On Wed, 30 Jun 2004, Cliff Massey wrote:
>
>> Date: Wed, 30 Jun 2004 00:35:51 -0700
>> From: Cliff Massey <cl...@un...>
>> To: sno...@li...
>> Subject: [Snort-inline-users] Basic Questions
>>
>> Hi,
>>
>> I was wondering if it is possible to get snort_inline to work with my
>> current configuration. I'm using the linux 2.6 kernel & iptables with a
>> basic nat setup between two interfaces. I can pickup alerts when
>> running it in sniffer mode, although I can't when running in ids mode.
>> The ip_queue module is loading correctly as I don't receive an error
>> when using the -Q option.
>>
>> Any help would be appreciated.
>>
>> Cliff Massey
From: Rob M. <ro...@ho...> - 2004-06-30 11:30:29

What linux distro are you using? How are you sending packets to snort_inline?

Rob

On Wed, 30 Jun 2004, Cliff Massey wrote:

> Date: Wed, 30 Jun 2004 00:35:51 -0700
> From: Cliff Massey <cl...@un...>
> To: sno...@li...
> Subject: [Snort-inline-users] Basic Questions
>
> Hi,
>
> I was wondering if it is possible to get snort_inline to work with my
> current configuration. I'm using the linux 2.6 kernel & iptables with a
> basic nat setup between two interfaces. I can pickup alerts when
> running it in sniffer mode, although I can't when running in ids mode.
> The ip_queue module is loading correctly as I don't receive an error
> when using the -Q option.
>
> Any help would be appreciated.
>
> Cliff Massey
From: Cliff M. <cl...@un...> - 2004-06-30 07:36:14

Hi,

I was wondering if it is possible to get snort_inline to work with my current configuration. I'm using the linux 2.6 kernel & iptables with a basic nat setup between two interfaces. I can pickup alerts when running it in sniffer mode, although I can't when running in ids mode. The ip_queue module is loading correctly as I don't receive an error when using the -Q option.

Any help would be appreciated.

Cliff Massey
From: Victor J. <vi...@nk...> - 2004-06-28 20:13:06

Hi all,

I have a question about setting up iptables so I can send selected traffic to snort_inline. I'm writing a soon to be released (gpl) frontend to iptables. I'm adapting it now to support the QUEUE target for snort_inline. I want to give users the possibility to, for example, send only http traffic to snort_inline and let iptables handle the other traffic.

So normally my rules are like this (simplified):

iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT

So a connection is accepted by the second rule and after that handled by the first. Still with me?

Well now the problem. When I want to send packets to the QUEUE target the above setup does not work. Because I don't want all traffic to go to snort, I can't change the target of the established,related rule to queue.

I found a solution which works not entirely as I want. The following example will send http to snort, pop3 will be handled by iptables itself.

iptables -t mangle -A OUTPUT -p tcp --dport 80 -j MARK --set-mark 0x1
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -m mark --mark 0x1 -j QUEUE
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p tcp --dport 80 -m state --state NEW -j QUEUE
iptables -A OUTPUT -p tcp --dport 110 -m state --state NEW -j ACCEPT

Well this works... but not for ftp. Iptables has, as you know, a special helper module for ftp. I don't know how I can make ftp play well in this setup. Because the ftp connection opens other ports I can't use the mark stuff like this.

So... any ideas, suggestions?

Regards,
Victor
From: Victor J. <vi...@nk...> - 2004-06-27 19:00:04

On Sunday 27 June 2004 20:49, William Metcalf wrote:
> That's odd, it compiled ok for me. What version of gcc are you using?
>
> Regards,
>
> Will

debian:/home/victor# gcc --version
gcc (GCC) 3.3.4 (Debian)
Copyright (C) 2003 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Regards,
Victor
From: William M. <Wil...@kc...> - 2004-06-27 18:49:45

That's odd, it compiled ok for me. What version of gcc are you using?

Regards,

Will
From: Victor J. <vi...@nk...> - 2004-06-27 09:27:12

Hi Rob,

I tried to compile it, but it failed. This is the error message:

<snip>
gcc -DHAVE_CONFIG_H -I. -I. -I.. -I.. -I../src -I../src/sfutil -I/usr/include/pcap -I../src/output-plugins -I../src/detection-plugins -I../src/preprocessors -I../src/preprocessors/flow -I../src/preprocessors/portscan -I../src/preprocessors/flow/int-snort -I../src/preprocessors/HttpInspect/include -I/usr/include/libipq/ -I/usr/include -g -O2 -Wall -DGIDS -D_BSD_SOURCE -D__BSD_SOURCE -D__FAVOR_BSD -DHAVE_NET_ETHERNET_H -DLIBNET_LIL_ENDIAN -c parser.c
parser.c:3496:45: missing terminating " character
parser.c:3497:4: missing terminating " character
parser.c:3517:45: missing terminating " character
parser.c:3518:4: missing terminating " character
parser.c:3539:45: missing terminating " character
parser.c:3540:4: missing terminating " character
parser.c:3560:45: missing terminating " character
parser.c:3561:4: missing terminating " character
parser.c:3581:45: missing terminating " character
parser.c:3582:4: missing terminating " character
parser.c:4170:1: unterminated argument list invoking macro "DEBUG_WRAP"
parser.c: In function `ParseConfig':
parser.c:3496: error: `DEBUG_WRAP' undeclared (first use in this function)
parser.c:3496: error: (Each undeclared identifier is reported only once
parser.c:3496: error: for each function it appears in.)
parser.c:3496: error: parse error at end of input
make[3]: *** [parser.o] Error 1
make[3]: Leaving directory `/usr/src/snort_inline-2.1.3a/src'
make[2]: *** [all-recursive] Error 1
make[2]: Leaving directory `/usr/src/snort_inline-2.1.3a/src'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/usr/src/snort_inline-2.1.3a'
make: *** [all-recursive-am] Error 2
debian:/usr/src/snort_inline-2.1.3a#

It was easily fixed. It seems DEBUG_WRAP is not called right. On line 3496 I saw this:

DEBUG_WRAP(DebugMessage(DEBUG_INIT, "disabling the drop of tcpopt exprimental alert
s\n"););

There was a hard newline in the line inside the word 'alerts'. This error is on 6 lines or so. Removing the hard newline fixed the problem.

If I'm unclear or you need more info about my setup please let me know...

Regards,
Victor Julien

On Sunday 27 June 2004 05:17, Rob McMillen wrote:
> OK. snort_inline-2.1.3a is now available. Good catch.
>
> Rob
>
> On Sat, 26 Jun 2004, William Metcalf wrote:
> > Date: Sat, 26 Jun 2004 16:39:45 -0500
> > From: William Metcalf <Wil...@kc...>
> > To: Rob McMillen <ro...@ho...>
> > Cc: sno...@li..., sno...@li...
> > Subject: Re: [Snort-inline-users] release of snort_inline-2.1.3
> >
> > I'm currently working on getting resets to work with snort_inline via
> > physical device rather than a raw socket. The dev will be user specified
> > via the snort_inline.conf file. This is probably all that I will be
> > doing development wise for the next couple months due to the fact that
> > I'm going for my GCIH cert and I haven't yet started my research paper : - ).
> > Is there anything else that you guys want to see in snort_inline
> > that I can work on while I'm messing with InlineReject()?
> >
> > Regards,
> >
> > Will
> >
> > Rob McMillen <ro...@ho...>
> > Sent by: sno...@li...urceforge.net
> > 06/26/2004 01:57 PM
> > Please respond to Rob McMillen <ro...@ho...>
> > To: snort-inline-users-...@li...urceforge.net
> > Subject: [Snort-inline-users] release of snort_inline-2.1.3
> >
> > List,
> > I have uploaded snort_inline-2.1.3. Thanks to William Metcalf, we
> > now have a database output plugin that works in inline mode, a decoder
> > that can drop bad packets, and a working stream4 preprocessor.
> > It is currently only available in source. I will upload the statically
> > compiled binary and diff later today.
> >
> > As always, feedback, patches, and comments are welcome.
> >
> > You can find the source at http://snort-inline.sf.net/download.html
> >
> > Rob
From: Rob M. <ro...@ho...> - 2004-06-27 02:29:57

OK. snort_inline-2.1.3a is now available. Good catch.

Rob

On Sat, 26 Jun 2004, William Metcalf wrote:

> Date: Sat, 26 Jun 2004 16:39:45 -0500
> From: William Metcalf <Wil...@kc...>
> To: Rob McMillen <ro...@ho...>
> Cc: sno...@li..., sno...@li...
> Subject: Re: [Snort-inline-users] release of snort_inline-2.1.3
>
> I'm currently working on getting resets to work with snort_inline via
> physical device rather than a raw socket. The dev will be user specified
> via the snort_inline.conf file. This is probably all that I will be doing
> development wise for the next couple months due to the fact that I'm going
> for my GCIH cert and I haven't yet started my research paper : - ). Is
> there anything else that you guys want to see in snort_inline that I can
> work on while I'm messing with InlineReject()?
>
> Regards,
>
> Will
>
> Rob McMillen <ro...@ho...>
> Sent by: sno...@li...urceforge.net
> 06/26/2004 01:57 PM
> Please respond to Rob McMillen <ro...@ho...>
> To: snort-inline-users-...@li...urceforge.net
> Subject: [Snort-inline-users] release of snort_inline-2.1.3
>
> List,
> I have uploaded snort_inline-2.1.3. Thanks to William Metcalf, we now
> have a database output plugin that works in inline mode, a decoder that
> can drop bad packets, and a working stream4 preprocessor.
> It is currently only available in source. I will upload the statically
> compiled binary and diff later today.
>
> As always, feedback, patches, and comments are welcome.
>
> You can find the source at http://snort-inline.sf.net/download.html
>
> Rob
From: Rob M. <ro...@ho...> - 2004-06-26 18:09:34

List,

I have uploaded snort_inline-2.1.3. Thanks to William Metcalf, we now have a database output plugin that works in inline mode, a decoder that can drop bad packets, and a working stream4 preprocessor.

It is currently only available in source. I will upload the statically compiled binary and diff later today.

As always, feedback, patches, and comments are welcome.

You can find the source at http://snort-inline.sf.net/download.html

Rob
From: Federico P. <pe...@ac...> - 2004-06-26 06:08:21

Rob McMillen wrote:
> I will be including Williams patch in 2.1.3 which enables stream4 support.
>

That's great! When is 2.1.3 expected to be released?

Thanks again...

--
--
Federico Petronio
pe...@ac...
Linux User #129974
---
There are only 10 types of people in the world:
Those who understand binary and those who don't.
From: Matthew J. <ma...@in...> - 2004-06-25 23:04:13

I'm not really keeping up that closely on the snort-inline side. I'm planning to deploy it in the near future though. It does seem there isn't a ruleset custom built for snort-inline. If anyone has one, or wants to start one, I'd like to put the resources of www.bleedingsnort.com up for use. If you have a ruleset and want to maintain it there please email me off list and we'll get it set up.

Matt

Esler, Joel - Contractor wrote:
> I did look at it. Seems like too much work when someone could possibly
> just zip it up and send it to me...
>
> We'd like it for an example and to take a look at how the rules are
> structured..
>
> J
>
> -----Original Message-----
> From: sno...@li... [mailto:sno...@li...] On Behalf Of Rob McMillen
> Sent: Friday, June 25, 2004 4:12 PM
> To: sno...@li...
> Subject: Re: [Snort-inline-users] Snort-inline ruleset
>
> Take a look at snortconfig. This will allow you to modify the current
> snort ruleset to work with snort_inline.
>
> http://www.shmoo.com/~bmc/software/snortconfig/
>
> Rob
>
> On Fri, 25 Jun 2004, Esler, Joel - Contractor wrote:
>
>> Date: Fri, 25 Jun 2004 14:15:53 -0400
>> From: "Esler, Joel - Contractor" <joe...@rc...>
>> To: sno...@li...
>> Subject: [Snort-inline-users] Snort-inline ruleset
>>
>> Does anyone have a preconfigured Snort-inline ruleset for a honeynet?
>> It appears as if the rules included with Snort-inline are the regular
>> Snort alerts..
>>
>> J
>>

--
--------------------------------------------
Matthew Jonkman, CISSP
Senior Security Engineer
Infotex
765-429-0398 Direct Anytime
765-448-6847 Office
866-679-5177 24x7 NOC
my.infotex.com
www.offsitefilter.com
--------------------------------------------
From: Esler, J. - C. <joe...@rc...> - 2004-06-25 19:32:15
I did look at it. Seems like too much work when someone could possibly just zip it up and send it to me...

We'd like it for an example and to take a look at how the rules are structured..

J

-----Original Message-----
From: sno...@li... [mailto:sno...@li...] On Behalf Of Rob McMillen
Sent: Friday, June 25, 2004 4:12 PM
To: sno...@li...
Subject: Re: [Snort-inline-users] Snort-inline ruleset

Take a look at snortconfig. This will allow you to modify the current snort ruleset to work with snort_inline.

http://www.shmoo.com/~bmc/software/snortconfig/

Rob

On Fri, 25 Jun 2004, Esler, Joel - Contractor wrote:
> Date: Fri, 25 Jun 2004 14:15:53 -0400
> From: "Esler, Joel - Contractor" <joe...@rc...>
> To: sno...@li...
> Subject: [Snort-inline-users] Snort-inline ruleset
>
> Does anyone have a preconfigured Snort-inline ruleset for a honeynet?
> It appears as if the rules included with Snort-inline are the regular
> Snort alerts..
>
> J
From: Rob M. <ro...@ho...> - 2004-06-25 19:24:00
I will be including William's patch in 2.1.3 which enables stream4 support.

Rob

On Fri, 25 Jun 2004, Federico Petronio wrote:
> Date: Fri, 25 Jun 2004 15:39:20 -0300
> From: Federico Petronio <pe...@ac...>
> To: Sno...@li...
> Subject: [Snort-inline-users] Stream4 support status
>
> Hello all...
>
> I read about some issues in the stream4 preprocessor support in
> snort-inline, and I would like to know about the status of stream4 in
> current version (2.1.2). Is it supported? Is there any plan to include
> it in 2.1.3 or another release?
>
> Thank you.
> --
> Federico Petronio
> pe...@ac...
From: Rob M. <ro...@ho...> - 2004-06-25 19:23:18
Take a look at snortconfig. This will allow you to modify the current snort ruleset to work with snort_inline.

http://www.shmoo.com/~bmc/software/snortconfig/

Rob

On Fri, 25 Jun 2004, Esler, Joel - Contractor wrote:
> Date: Fri, 25 Jun 2004 14:15:53 -0400
> From: "Esler, Joel - Contractor" <joe...@rc...>
> To: sno...@li...
> Subject: [Snort-inline-users] Snort-inline ruleset
>
> Does anyone have a preconfigured Snort-inline ruleset for a honeynet?
> It appears as if the rules included with Snort-inline are the regular
> Snort alerts..
>
> J
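To illustrate the kind of rewrite the thread is asking for (stock Snort rules only alert; an inline sensor needs rules with a blocking action), here is a small Python converter. It is example code added for this page, not snortconfig's source or anything from the snort_inline project. It assumes the snort_inline rule actions drop, reject and sdrop, and it deliberately leaves alert rules that use the flow option unconverted by default, because, as the stream4 discussion in this thread shows, stream state was still being merged at the time and a drop rule that never matches is worse than an alert that does. The sample rules are constructed for the demonstration.

```python
import re

# snort_inline rule actions (assumption: drop/reject/sdrop; the thread only
# says the shipped rules are plain "alert" rules).
INLINE_ACTIONS = {"drop", "reject", "sdrop"}

# Snort 2.x rule header: action proto src sport dir dst dport (options)
RULE_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)
SID_RE = re.compile(r"(?:^|;)\s*sid\s*:\s*(\d+)\s*;")
# Heuristic: matches a flow option at the start of an option field. It would
# also match the literal text "; flow:" inside an msg string, which is rare.
FLOW_RE = re.compile(r"(?:^|;)\s*flow\s*:")

# Constructed sample ruleset for the demonstration (not a real ruleset).
SAMPLE_RULES = """\
# constructed sample rules
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"SMTP example"; content:"EXPN"; nocase; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"HTTP example"; flow:to_server,established; content:"/cgi-bin/"; sid:1000002; rev:1;)
alert icmp any any -> $HOME_NET any (msg:"ICMP example"; itype:8; sid:1000003; rev:1;)
pass tcp $HOME_NET any -> any any (msg:"already not an alert"; sid:1000004; rev:1;)
"""


def convert_rule(line, drop_sids=None, action="drop", convert_flow_rules=False):
    """Rewrite one alert rule to an inline action.

    Returns (new_line, status) where status is one of:
      'passthrough'   comment, blank line, or a rule that is not an alert
      'kept'          alert rule whose sid is not in drop_sids
      'needs-stream4' alert rule using flow:, left alone unless requested
      'converted'     action rewritten to `action`
    """
    if action not in INLINE_ACTIONS:
        raise ValueError("unknown inline action: %r" % action)
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return line, "passthrough"
    m = RULE_RE.match(stripped)
    if m is None or m.group("action") != "alert":
        return line, "passthrough"
    opts = m.group("opts")
    sid_m = SID_RE.search(opts)
    sid = int(sid_m.group(1)) if sid_m else None
    # An allowlist of sids lets an operator convert a few well-understood
    # rules first instead of turning the whole ruleset into drops at once.
    if drop_sids is not None and sid not in drop_sids:
        return line, "kept"
    if FLOW_RE.search(opts) and not convert_flow_rules:
        return line, "needs-stream4"
    # Only the action keyword changes; header and options stay byte-identical.
    return action + stripped[len("alert"):], "converted"


def convert_ruleset(text, drop_sids=None, action="drop", convert_flow_rules=False):
    """Convert a whole rules file; returns (new_text, per-status counts)."""
    out, stats = [], {}
    for line in text.splitlines():
        new_line, status = convert_rule(line, drop_sids, action, convert_flow_rules)
        out.append(new_line)
        stats[status] = stats.get(status, 0) + 1
    return "\n".join(out), stats


if __name__ == "__main__":
    converted, stats = convert_ruleset(SAMPLE_RULES)
    print(converted)
    print(stats)
```

Running it on the sample converts the SMTP and ICMP rules to drop, leaves the pass rule and the comment untouched, and reports the HTTP rule as needs-stream4 so the operator can decide whether to convert it once reassembly is in place (convert_flow_rules=True does that). Passing drop_sids restricts the rewrite to an explicit list of sids.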
From: Federico P. <pe...@ac...> - 2004-06-25 18:39:58
Hello all...

I read about some issues in the stream4 preprocessor support in snort-inline, and I would like to know about the status of stream4 in current version (2.1.2). Is it supported? Is there any plan to include it in 2.1.3 or another release?

Thank you.
--
Federico Petronio
pe...@ac...
From: Esler, J. - C. <joe...@rc...> - 2004-06-25 18:16:00
Does anyone have a preconfigured Snort-inline ruleset for a honeynet? It appears as if the rules included with Snort-inline are the regular Snort alerts..

J
From: William M. <Wil...@kc...> - 2004-06-22 22:03:57
I don't know if anyone attended the Sourcefire webinar today titled "Defending your Dissolving Network Perimeter". But Marty stated that they were coming out with an inline IPS product that will be based on snort_inline. He also stated that they were going to develop their own code base in-house for doing inline IPS that would be integrated into mainline snort. Just thought you guys would like to know.

Regards,
Will
From: Rob M. <ro...@ho...> - 2004-06-19 18:11:33
I am finally getting off my butt and merging all of William's hard work into snort_inline. I plan to merge his diff against snort-2.1.3 and the decoder drop patch. I am going to hold off on stream reassembly for a bit until I get some additional feedback and I get some time to play with it. It may be better to create a new preproc to handle inline stream reassembly.

Thoughts? Issues? Concerns?

Thanks in advance,
Rob