From: die t. <rei...@fh...> - 2004-06-17 15:11:37

On Thursday 17 June 2004 16:54, Maetzky, Steffen (Extern) wrote:
> Hi,
>
> I read an installation guide (Snort 2.0 Intrusion Detection, chapter 12) for
> RedHat8 (Kernel 2.4.18-14)
> which says that it is necessary to configure and recompile the kernel with
> the following options to get snort-inline to work properly:
>
> Code Maturity Level Options:
> -Prompt for Development and/or incomplete code/drivers
>
> Network Options:
> -Network packet filtering (replaces ipchains)
> -IP:Netfilter configuration:
> -All Options <---------------------------------------- really all???
> -802.1d Ethernet Bridging
> -Netfilter (firewalling) support

hi,

nope, you don't really need all. the one you need is:

networking options -> network packet filtering (replaces ipchains)

this option enables, a bit further down, another option:

ip netfilter configuration -> there you need all the normal modules for filtering... and at least for snort_inline you need the user space queueing module.

hth
buzz
From: Maetzky, S. (Extern) <Ste...@ge...> - 2004-06-17 14:55:13

Hi,

I read an installation guide (Snort 2.0 Intrusion Detection, chapter 12) for RedHat8 (Kernel 2.4.18-14) which says that it is necessary to configure and recompile the kernel with the following options to get snort-inline to work properly:

Code Maturity Level Options:
-Prompt for Development and/or incomplete code/drivers

Network Options:
-Network packet filtering (replaces ipchains)
-IP:Netfilter configuration:
-All Options <---------------------------------------- really all???
-802.1d Ethernet Bridging
-Netfilter (firewalling) support

My problem is that I can't find the option "Netfilter (firewalling) support". Does anyone know if this option is no longer needed for kernel 2.4.20-8 on RedHat9? Do I have to install a special lib or something else to get this option?

Thanks, in advance

Steffen
From: Rob M. <ro...@ho...> - 2004-06-16 19:16:37

Thought about it, but it seems like a very large project. I figured it could be similar to iptables. The rules portion lives in userspace and the functionality lives in kernel space. The user builds the rules, which are parsed in user land, and this data is passed to the kernel. However, I do all of this part time, and I haven't had much time as of late to think about this. Many people out there with time to move this to kernel space?

I will be integrating and posting William's patches and upgrades soon. Just got back from traveling and trying to take care of some personal dilemmas I am encountering.

Thanks William

Rob

On Wed, 16 Jun 2004, Cédric BLIN wrote:

> Date: 16 Jun 2004 16:47:54 +0200
> From: "Cédric BLIN" <ced...@ev...>
> To: sno...@li...
> Subject: [snort-inline-users] Kernel space
>
> Hello,
>
> I want to know if someone has already thought to migrate Snort into the
> kernel space?
>
> Thanks,
> Cedric
From: B. <ced...@ev...> - 2004-06-16 14:46:45

Hello,

I want to know if someone has already thought to migrate Snort into the kernel space?

Thanks,
Cedric
From: Josh B. <jos...@li...> - 2004-06-16 13:25:19

The problem is fixed if you use -N and don't log data to different directories. This also helps with performance and obviously conserves disk space. If snort_inline is logging elsewhere (Syslog, DB, etc), what is the usefulness of creating these logging folders?

> Yeah, we could use unified logging, the only problem is that you need
> something to deal with the binary unified logging format, such as barnyard. Let
> me also clarify something, this is a limitation of the host operating system,
> not of snort_inline. The exact same thing would happen with regular
> snort, the only difference is that if snort (not inline) dies we miss
> logging malicious traffic. If snort_inline dies and it is our gateway to
> another network, we are no longer able to access anything on the other side
> of the bridge.
>
> Regards,
>
> Will
>
> "Roland Turner (SourceForge)" <raz.fs.arg@countersnipe.com>
> Sent by: snort-inline-users-...@li...urceforge.net
> To: <sno...@li...urceforge.net>
> Subject: Re: [Snort-inline-users] DoS possible with stick attack
> 06/15/2004 02:30 AM
>
> Will wrote:
>
>> the attack originates from, with -sH stick generates random ip's. At
>> least on my box when I hit 32000 directories snort_inline dies, all
>> traffic being passed to queue space isn't ever inspected, and never
>> traverses the bridge i.e DoS. what do you guys think about tarring and
>> gzipping everything within /var/log/snort when we hit x number of
>
> Do you actually want your log data chopped up into hundreds (thousands) of
> files like that anyway? Surely unified is a more useful approach?
>
> - Raz

Thanks,

Josh Berry, CISSP
CTO, VP of Product Development
LinkNet-Solutions
469-831-8543
jos...@li...
From: Roland T. (SourceForge) <raz...@co...> - 2004-06-16 09:03:14

Will wrote:
> Yeah, we could use unified logging, the only problem is that you need
> something to deal with the binary unified logging format, such as barnyard.

Well, yes, but you need "something" to deal with 32000 files. Are you really monitoring your inline's activities purely by reading text log files? Presumably once you get into the tens/hundreds of thousands of alerts created by an adversary, just reading the text files is pointless anyway. What, exactly, do you want plaintext logs for?

- Raz
From: Ekblad, E. M <Ek...@bp...> - 2004-06-15 19:16:45

I am sorry to bug anyone with a newbie question....

Does anyone have a complete doc on how to install basic Snort inline on RHEL 3.0+ (the new version past 9.0)?

I have hit multiple emails, some saying combine with a snort install, others saying a complete snort install is with snort-inline.tar....

Also, if anyone recommends buying the new book, has anyone actually compiled it verbatim from the book instructions?

Thanks and again, my apologies.

e
From: B. <ced...@ev...> - 2004-06-15 15:39:49

hello,

I compile snort_inline like this:

cd snort_inline;\
rm aclocal.m4 configure config.h.in autom4te.cache/requests;\
find . -name "Makefile.in" -exec \rm {} \;;\
aclocal;\
autoheader;\
autoconf;\
automake -a;\
./configure --enable-inline;\
make

I have the WARNING too but it works fine ! ;)

Cedric

On Tue 15/06/2004 at 11:32, Steffen Maetzky (extern) wrote:
> Hi,
>
> I would like to try out snort-inline on a RedHat 9 system.
> But if I try to run make it fails.
>
> Can anyone help me out?
>
> I have already installed a snort sensor on it (nearly the same
> configuration described by Patrick Harper).
>
> I have added:
>
> libipq
> bridge-patch
> bridge-utils
>
> Actually, I try to install snort-inline with:
>
> ./configure --enable-inline (works)
> or ./configure --prefix=/DifferentFromInstalledSensor --enable-inline
> make (fails)
> make install
>
> I get the following output of make:
>
> cd . && autoheader
> WARNING: Using auxiliary files such as `acconfig.h', `config.h.bot'
> WARNING: and `config.h.top', to define templates for `config.h.in'
> WARNING: is deprecated and discouraged.
>
> WARNING: Using the third argument of `AC_DEFINE' and
> WARNING: `AC_DEFINE_UNQUOTED' allows to define a template without
> WARNING: `acconfig.h':
>
> WARNING: AC_DEFINE([NEED_MAIN], 1,
> WARNING: [Define if a function `main' is needed.])
>
> WARNING: More sophisticated templates can also be produced, see the
> WARNING: documentation.
> configure.in:843: error: `src/win32/WIN32-Includes/Makefile' is already
> registered with AC_CONFIG_FILES.
> autoconf/status.m4:844: AC_CONFIG_FILES is expanded from...
> configure.in:843: the top level
> autom4te: /usr/bin/m4 failed with exit status: 1
> autoheader: /usr/bin/autom4te failed with exit status: 1
> make: *** [stamp-h.in] Error 1
>
> Thanks, in advance
>
> Steffen
From: Steffen M. (extern) <es...@ge...> - 2004-06-15 09:31:55

Hi,

I would like to try out snort-inline on a RedHat 9 system. But if I try to run make it fails.

Can anyone help me out?

I have already installed a snort sensor on it (nearly the same configuration described by Patrick Harper).

I have added:

libipq
bridge-patch
bridge-utils

Actually, I try to install snort-inline with:

./configure --enable-inline (works)
or ./configure --prefix=/DifferentFromInstalledSensor --enable-inline
make (fails)
make install

I get the following output of make:

cd . && autoheader
WARNING: Using auxiliary files such as `acconfig.h', `config.h.bot'
WARNING: and `config.h.top', to define templates for `config.h.in'
WARNING: is deprecated and discouraged.

WARNING: Using the third argument of `AC_DEFINE' and
WARNING: `AC_DEFINE_UNQUOTED' allows to define a template without
WARNING: `acconfig.h':

WARNING: AC_DEFINE([NEED_MAIN], 1,
WARNING: [Define if a function `main' is needed.])

WARNING: More sophisticated templates can also be produced, see the
WARNING: documentation.
configure.in:843: error: `src/win32/WIN32-Includes/Makefile' is already registered with AC_CONFIG_FILES.
autoconf/status.m4:844: AC_CONFIG_FILES is expanded from...
configure.in:843: the top level
autom4te: /usr/bin/m4 failed with exit status: 1
autoheader: /usr/bin/autom4te failed with exit status: 1
make: *** [stamp-h.in] Error 1

Thanks, in advance

Steffen
From: Roland T. (SourceForge) <raz...@co...> - 2004-06-15 07:31:17

Will wrote:
> the attack originates from, with -sH stick generates random ip's. At
> least on my box when I hit 32000 directories snort_inline dies, all
> traffic being passed to queue space isn't ever inspected, and never
> traverses the bridge i.e DoS. what do you guys think about tarring and
> gzipping everything within /var/log/snort when we hit x number of

Do you actually want your log data chopped up into hundreds (thousands) of files like that anyway? Surely unified is a more useful approach?

- Raz
From: William M. <Wil...@kc...> - 2004-06-14 21:41:05

After running a stick attack against snort_inline in stateless mode for about an hour, snort_inline dies with the following error. The problem lies in that if you run stick against snort_inline like ./stick -dH 192.168.1.1 it generates a directory for every source IP address that the attack originates from; with -sH stick generates random IPs. At least on my box, when I hit 32000 directories snort_inline dies, all traffic being passed to queue space isn't ever inspected, and never traverses the bridge, i.e. DoS. What do you guys think about tarring and gzipping everything within /var/log/snort when we hit x number of directories? This will be a problem even with stream4 enabled, because we can't inspect state on a stateless protocol, UDP; if somebody crafted a stick attack with purely UDP traffic we would still have a DoS.

detect.c:852: CheckSrcIPEqual: detect.c:904: Mismatch on SIP
fpdetect.c:508: => Header check failed, checking next node
fpdetect.c:510: => returned from next node check
fpdetect.c:416: => Checking Option Node 1710
fpdetect.c:503: [*] Rule Head 142
detect.c:757: Checking bidirectional rule...
detect.c:424: CheckAddrPort: detect.c:431: SRC detect.c:468: addr 88ec740, port 49463
detect.c:522: , addresses accepted
detect.c:528: , any port match, packet accepted
detect.c:762: Src->Src check passed
detect.c:424: CheckAddrPort: detect.c:451: DST detect.c:468: addr 6401a8c0, port 80
detect.c:518: , no address match, packet rejected
detect.c:768: Dst->Dst check failed, checking inverse combination
detect.c:424: CheckAddrPort: detect.c:431: SRC detect.c:468: addr 88ec740, port 49463
detect.c:518: , no address match, packet rejected
detect.c:789: Inverse Dst->Src check failed, trying next rule
fpdetect.c:508: => Header check failed, checking next node
fpdetect.c:510: => returned from next node check
fpdetect.c:203: => Got rule match, rtn type = 14
detect.c:402: Triggering responses (nil)
detect.c:1453: <!!> Generating Alert and dropping! "WEB-MISC http directory traversal"
ERROR: OpenLogFile() => mkdir(/var/log/snort/64.199.142.8) log directory: Too many links
Fatal Error, Quitting..

Regards,

Will
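The failure mode in Will's message is that directory-per-source-IP logging lets a flood of spoofed sources exhaust the filesystem's per-directory link limit ("Too many links"), at which point the inline sensor exits and the bridge stops passing traffic. The following is an added example, not code from the thread or from snort_inline, of the safety valve Will proposes: once the number of per-IP directories under the log root crosses a threshold, archive them into a compressed tarball and remove them, so the sensor keeps running. The threshold value, the archive name, and the sample directory layout are assumptions made for this example.

```python
# Added example (not snort_inline code): count the per-source-IP directories
# that directory logging creates under the log root and, past a threshold,
# archive and remove them so the sensor never hits the filesystem's
# "Too many links" limit and exits. Threshold and archive naming are assumptions.
import os
import re
import shutil
import tarfile
import tempfile
import time

MAX_IP_DIRS = 1000                                     # constructed threshold; the thread only says "x"
IPV4_DIR = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")   # per-IP dirs look like 64.199.142.8


def ip_log_dirs(log_root):
    """Per-IP log directories under log_root; the alert and unified files are ignored."""
    return sorted(name for name in os.listdir(log_root)
                  if IPV4_DIR.match(name) and os.path.isdir(os.path.join(log_root, name)))


def rotate_ip_dirs(log_root, max_dirs=MAX_IP_DIRS, now=None):
    """Archive and remove the per-IP directories once there are more than max_dirs.

    Returns (number archived, archive path); (0, None) when under the threshold.
    """
    dirs = ip_log_dirs(log_root)
    if len(dirs) <= max_dirs:
        return 0, None
    stamp = time.strftime("%Y%m%d-%H%M%S", time.gmtime(now))
    archive = os.path.join(log_root, "ipdirs-%s.tar.gz" % stamp)
    with tarfile.open(archive, "w:gz") as tar:
        for name in dirs:
            tar.add(os.path.join(log_root, name), arcname=name)
    # Only delete after the archive is closed, so a failed write loses nothing.
    for name in dirs:
        shutil.rmtree(os.path.join(log_root, name))
    return len(dirs), archive


def demo(n_dirs=50, max_dirs=20):
    """Constructed log tree: an alert file plus n_dirs fake per-IP directories.

    Returns (archived count, dirs remaining, dirs inside the archive, alert file kept).
    """
    log_root = tempfile.mkdtemp(prefix="snortlog-")
    try:
        open(os.path.join(log_root, "alert"), "w").close()
        for i in range(n_dirs):
            ip_dir = os.path.join(log_root, "10.0.%d.%d" % (i // 256, i % 256))
            os.mkdir(ip_dir)
            with open(os.path.join(ip_dir, "TCP_49463-80"), "w") as fh:
                fh.write("constructed packet log\n")
        archived, archive = rotate_ip_dirs(log_root, max_dirs=max_dirs, now=0)
        remaining = len(ip_log_dirs(log_root))
        if archive is None:
            archived_dirs = 0
        else:
            with tarfile.open(archive) as tar:
                archived_dirs = sum(1 for m in tar.getmembers() if m.isdir())
        return archived, remaining, archived_dirs, os.path.exists(os.path.join(log_root, "alert"))
    finally:
        shutil.rmtree(log_root)


if __name__ == "__main__":
    print(demo())
```

In practice `rotate_ip_dirs` would run from cron or a wrapper script against the real log root, with `max_dirs` well below the filesystem's link limit so the sensor is never the process that hits it; note that it does nothing about the alternative the thread also raises, which is to avoid per-IP directories altogether with `-N` or unified logging.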
From: Eric H. <eri...@ap...> - 2004-06-05 07:01:00

All,

Applied Watch Technologies has created a whitepaper on deploying a Snort-Inline bridging firewall. Although the paper is based on installing it with the Applied Watch Command Center, it has been designed to be logically separated into separate chapters so those not using Applied Watch to manage and monitor their Snort-Inline sensors can still use it as a reference guide.

This paper is available at:

http://www.appliedwatch.com/guides/awcc-snort-inline.pdf

Best Regards,

Eric Hines, GCIA
CEO, President
Applied Watch Technologies, Inc.
4204 Commercial Way
Glenview, IL 60025
Direct: (877) 262-7593 x327
Fax: (877) 262-7593
http://www.appliedwatch.com
From: Rob M. <ro...@ho...> - 2004-06-04 14:12:18

> What about as a separate preprocessor? I tried adding a check for
> InlineMode() following GetSession(p), but it was costing too much at session
> initialization, i.e. latency. Maybe we add the check at the time of
> preprocessor initialization, and set a global variable based on
> InlineMode() that would call a separate GetSession(p). Anybody have any
> better suggestions?????

Great! When I get back, I'll take a few and look through the code. I like the idea of checking at preproc init. We can have different functions and the preproc init figures out which one to call (via function pointers).

Rob
From: Josh B. <jos...@li...> - 2004-06-04 03:50:38

I think that drop functionality should be implemented as a configuration option. Something that can be turned on or off.

> This is the diff for stream4 and 2.1.3. This has been working beautifully
> for me, I just changed my previous patch to deal with the addition of event
> queueing. What do you guys think of adding drops for bad traffic picked
> up by the decoder... snort doesn't look at it because it assumes that it is
> invalid traffic.... Should we add drop functionality to the decoder?
>
> Regards,
>
> Will
>
> (See attached file: spp_stream4-2.1.3.diff)

Thanks,

Josh Berry, CISSP
CTO, VP of Product Development
LinkNet-Solutions
469-831-8543
jos...@li...
From: Nick R. <ni...@ro...> - 2004-06-01 19:20:59

On Tue, 1 Jun 2004, Eric Hines wrote:
> All,
>
> Is anyone here familiar with any porting efforts or projects that have
> ported Snort-Inline to OpenBSD?

Not that I've heard of. It would be nice to get the author of PF to release some patch so we can port it.

--
Nick Rogness <ni...@ro...>
- How many people here have telekinetic powers? Raise my hand. -Emo Philips
From: Eric H. <eri...@ap...> - 2004-06-01 16:11:02

All,

Is anyone here familiar with any porting efforts or projects that have ported Snort-Inline to OpenBSD?

BRDS,

Eric Hines, GCIA
CEO, President, Chairman
Applied Watch Technologies, Inc.
http://www.appliedwatch.com
Direct: (877) 262-7593 x327
Fax: (877) 262-7593
From: Federico P. <pe...@ac...> - 2004-05-28 14:44:48

William Metcalf wrote:
> You will need this diff, Snort inline doesn't set an interface if it is
> reading traffic from ip_queue, we have to trick the output plug-in into
> thinking there is one..... to install it just go into the directory for
> snort_inline and patch -p1 < /pathtodiff/dbpatch.diff

Thank you very much, but I guess I will use snort-inline unified log and barnyard. This seems to be the better choice.

BTW... for now I prefer to log in both, the binary unified mode and the default mode (an alert file and a subdirectory for each IP payload). Is it possible to have more than one output plugin simultaneously? Which is the default plugin? In my old conf file there was none selected, but it did log in the way I told. Now I chose:

output unified_log, ....

but the alert file and the subdirectories are not created any more, just the unified_log file.

Thank you!

--
Federico Petronio
pe...@ac...
From: William M. <Wil...@kc...> - 2004-05-28 04:15:49

I know that the fnord preprocessor is deprecated, but has anybody tried a converted fnord preprocessor for snort-inline? Tools like ADmutate try to defeat IDS, and in this case IPS, by changing the NOP sled (typically 0x90) to something that is equivalent and then encrypting the payload. The NOP sled would still have to be unencrypted and we could alert and drop on this. What do you guys think? If I adapted it for snort-inline would you use it? Does anybody know if it causes high false positives?

Regards,

Will
From: Federico P. <pe...@ac...> - 2004-05-27 16:17:43

Hi all...

I am looking for MySQL support in snort-inline. Since the prebuilt binaries in the download section do not provide that feature, I will try to compile the binaries myself. The question is, what command line did the builders of those binaries use? I have snort-inline working perfectly and I just want to add the MySQL feature, so I would like to use exactly the same configure plus the --with-mysql parameter.

Thanks a lot!

--
Federico Petronio
pe...@ac...
From: Emilian U. <lo...@cl...> - 2004-05-23 09:00:06

http://snort-inline.sourceforge.net/FAQ.html

On Sun, 23 May 2004, Michael Boman wrote:
> Hi,
>
> I have some problems getting Snort-inline to compile on my Fedora Core 1
> system. Please advise how I can rectify this problem. Also please let me
> know if there is any additional information you require to troubleshoot
> the problem.
>
> Best regards
> Michael Boman
>
> Build host:
> Fedora Core 1 with all the updates
> libnet-1.0.2-2.rhfc1.dag
> pcre-devel-4.4-1
> gcc-3.3.2-1
> libpcap-0.7.2-8.fc1.1
> iptables-devel-1.2.9-1.0
> glibc-2.3.2-101.4
>
> Compilation steps:
> ./configure
> make
>
> Result:
> [...]
> Making all in output-plugins
> make[3]: Entering directory `/usr/src/redhat/BUILD/snort_inline-2.1.2/src/output-plugins'
> gcc -DHAVE_CONFIG_H -I. -I. -I../.. -I../.. -I../../src
> -I../../src/sfutil -I/usr/include/pcap -I../../src/output-plugins
> -I../../src/detection-plugins -I../../src/preprocessors
> -I../../src/preprocessors/flow -I../../src/preprocessors/portscan
> -I../../src/preprocessors/flow/int-snort
> -I../../src/preprocessors/HttpInspect/include -I/usr/include/pcre
> -I/usr/include -g -O2 -Wall -DGIDS -D_BSD_SOURCE -D__BSD_SOURCE
> -D__FAVOR_BSD -DHAVE_NET_ETHERNET_H -DLIBNET_LIL_ENDIAN -c `test -f
> 'spo_alert_fast.c' || echo './'`spo_alert_fast.c
> In file included from /usr/include/linux/netfilter_ipv4/ip_queue.h:10,
> from /usr/include/libipq.h:37,
> from ../../src/inline.h:8,
> from ../../src/snort.h:38,
> from spo_alert_fast.c:51:
> /usr/include/linux/if.h:59: error: redefinition of `struct ifmap'
> /usr/include/linux/if.h:77: error: redefinition of `struct ifreq'
> /usr/include/linux/if.h:126: error: redefinition of `struct ifconf'
> make[3]: *** [spo_alert_fast.o] Error 1
> make[3]: Leaving directory `/usr/src/redhat/BUILD/snort_inline-2.1.2/src/output-plugins'
> make[2]: *** [all-recursive] Error 1
> make[2]: Leaving directory `/usr/src/redhat/BUILD/snort_inline-2.1.2/src'
> make[1]: *** [all-recursive] Error 1
> make[1]: Leaving directory `/usr/src/redhat/BUILD/snort_inline-2.1.2'
> make: *** [all] Error 2
>
> --
> Michael Boman
From: Michael B. <mi...@ay...> - 2004-05-23 07:33:19

Hi,

I have some problems getting Snort-inline to compile on my Fedora Core 1 system. Please advise how I can rectify this problem. Also please let me know if there is any additional information you require to troubleshoot the problem.

Best regards
Michael Boman

Build host:
Fedora Core 1 with all the updates
libnet-1.0.2-2.rhfc1.dag
pcre-devel-4.4-1
gcc-3.3.2-1
libpcap-0.7.2-8.fc1.1
iptables-devel-1.2.9-1.0
glibc-2.3.2-101.4

Compilation steps:
./configure
make

Result:
[...]
Making all in output-plugins
make[3]: Entering directory `/usr/src/redhat/BUILD/snort_inline-2.1.2/src/output-plugins'
gcc -DHAVE_CONFIG_H -I. -I. -I../.. -I../.. -I../../src -I../../src/sfutil -I/usr/include/pcap -I../../src/output-plugins -I../../src/detection-plugins -I../../src/preprocessors -I../../src/preprocessors/flow -I../../src/preprocessors/portscan -I../../src/preprocessors/flow/int-snort -I../../src/preprocessors/HttpInspect/include -I/usr/include/pcre -I/usr/include -g -O2 -Wall -DGIDS -D_BSD_SOURCE -D__BSD_SOURCE -D__FAVOR_BSD -DHAVE_NET_ETHERNET_H -DLIBNET_LIL_ENDIAN -c `test -f 'spo_alert_fast.c' || echo './'`spo_alert_fast.c
In file included from /usr/include/linux/netfilter_ipv4/ip_queue.h:10,
from /usr/include/libipq.h:37,
from ../../src/inline.h:8,
from ../../src/snort.h:38,
from spo_alert_fast.c:51:
/usr/include/linux/if.h:59: error: redefinition of `struct ifmap'
/usr/include/linux/if.h:77: error: redefinition of `struct ifreq'
/usr/include/linux/if.h:126: error: redefinition of `struct ifconf'
make[3]: *** [spo_alert_fast.o] Error 1
make[3]: Leaving directory `/usr/src/redhat/BUILD/snort_inline-2.1.2/src/output-plugins'
make[2]: *** [all-recursive] Error 1
make[2]: Leaving directory `/usr/src/redhat/BUILD/snort_inline-2.1.2/src'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/usr/src/redhat/BUILD/snort_inline-2.1.2'
make: *** [all] Error 2

--
Michael Boman
From: William M. <Wil...@kc...> - 2004-05-21 06:47:16

Looking through my past e-mails, I missed a question that Ben Jsh asked, which was how to run snort_inline in stateless mode. If you use the default patch, you are running stateless mode. If you are running your own .conf file, comment out:

preprocessor stream4: disable_evasion_alerts
preprocessor stream4_reassemble

In addition you should probably comment out anything that has to do with flow and frag2.

Regards,

Will
From: William M. <Wil...@kc...> - 2004-05-21 06:19:59

I was going through the past e-mails that I sent to the list regarding stream4 and snort_inline, and I realized that most of them were not very clear regarding the problem. In addition I wanted to get the list's input on some ideas I had for dealing with the problem.

Each time stream4 sees a packet it checks to see if there is a session to which the packet belongs; if it can't find an associated session it calls CreateNewSession. The problem is that since we are dropping packets, if an alert is generated the attacking computer believes that packet never made it to the server and retransmits. When a new session is initiated a counter is started against the value set in PRUNE_QUANTA. This counter times out before the attacking computer is done retransmitting ACK|PUSH packets and prunes the session. After the session is pruned CallNewSession is called. This is where the problem arises: when the next ACK|PUSH packet is sent from the previous session, if the stream is not established and it is caught by stream4 midstream, fpdetect does not do detection on the packet (snot/stick protection) and the packet makes it through.

Here is my thought: what if we put a check into stream4 that, after determining that it does not have a session for the packet, checks the flags before calling CreateNewSession. If the packet is anything other than syn we drop it and don't call CreateNewSession. My other thought is that we figure out a way to flag sessions that have generated alerts, and would tell PruneCheck not to prune them. The problem with the second scenario is that I think it would be fairly trivial to defeat; the other thing we will have to worry about is hitting the stream4 memory cap. Right now if stream4 runs out of memory, and it can't prune sessions due to time, it prunes 5 random sessions.

Either way, below is a test patch for spp_stream4.c to check flags. I've been running it for three days and it seems to work fine. If anybody is brave enough to try it, tweak the memory settings to fit your machine. Eventually there will be a check for InlineMode(); I just thought you guys might want to test it : -)

Regards,

Will

--- snort-2.1.2/src/preprocessors/spp_stream4.c Tue Jan 27 11:21:23 200= 4 +++ snort-inline-2.1.2/src/preprocessors/spp_stream4.c Thu May 20 18:3= 6:19 2004 @@ -81,7 +81,7 @@ #include "perf.h" #include "timersub.h" #include "ubi_SplayTree.h" - +#include "inline.h" #include "snort.h" /* D E F I N E S **************************************************/= @@ -123,8 +123,8 @@ #define FROM_SERVER 0 #define FROM_CLIENT 1 -#define PRUNE_QUANTA 30 /* seconds to timeout a session */ -#define STREAM4_MEMORY_CAP 8388608 /* 8MB */ +#define PRUNE_QUANTA 30 /* seconds to timeout a session */ +#define STREAM4_MEMORY_CAP 33554432 /* 32MB */ #define STREAM4_TTL_LIMIT 5 /* default for TTL Limit */ #define STATS_HUMAN_READABLE 1 @@ -1752,7 +1752,13 @@ /* see if we have a stream for this packet */ ssn =3D GetSession(p); - + if(ssn =3D=3D NULL && ((p->tcph->th_flags) !=3D TH_SYN)) + { + InlineDrop(); + DEBUG_WRAP(DebugMessage(DEBUG_STREAM, + "Lets drop this its not a synner\n"););= + return; + } if(ssn =3D=3D NULL) { DEBUG_WRAP(DebugMessage(DEBUG_STREAM,"Calling CreateNewSession()\n");); =
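Review bot: the `@@ -123,8 +123,8 @@` hunk bundles an unrelated default change into the SYN-check patch: `STREAM4_MEMORY_CAP` goes from 8388608 (8MB) to 33554432 (32MB), and `PRUNE_QUANTA 30` is removed and re-added with the same value, which is whitespace-only churn that will make the real change harder to spot in later diffs. Since the covering message already tells testers to "tweak the memory settings to fit your machine", the cap belongs in the stream4 preprocessor's run-time memcap setting, not in a compile-time constant changed alongside a logic fix; drop the two `PRUNE_QUANTA` lines and either leave the cap alone or submit the new default as its own patch with its reasoning.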
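Review bot: in the `@@ -1752,7 +1752,13 @@` hunk the new condition `if(ssn =3D=3D NULL && ((p->tcph->th_flags) !=3D TH_SYN))` compares the whole flag byte for equality with `TH_SYN`, so any session-less packet whose flags are not exactly SYN is dropped: that includes a SYN carrying the ECN setup bits, and, more importantly for a bridge, every connection that was already established when snort_inline starts or restarts, which is silently dropped until the client reconnects; the message should state that restart behaviour, and a mask such as `(p->tcph->th_flags & (TH_SYN|TH_ACK)) == TH_SYN` would at least keep ECN-capable handshakes working. The `InlineDrop(); ... return;` path also runs unconditionally, before any `InlineMode()` check (the message says one is still to come), so the same build in passive mode would call `InlineDrop()` and skip `CreateNewSession()`; gate the whole block on `InlineMode()` in this hunk rather than later, so the patch is safe to apply as posted.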
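The race Will describes above (a malicious PSH|ACK is dropped, the client keeps retransmitting with growing gaps, the session is pruned after PRUNE_QUANTA, and the next retransmission is picked up midstream without detection) is easier to see in a small executable model. The following is an added example, not code from the thread or from snort_inline: a Python model of a stream4-style session table, with and without the proposed "no session and not a SYN means drop" check. It assumes idle-time pruning, a 4-tuple session key, and a constructed retransmission timeline with doubling backoff; the flag values and the 30-second PRUNE_QUANTA come from the patch.

```python
# Added example (not snort_inline code): a model of the stream4 session handling
# Will describes, with and without the proposed "drop if no session and not a SYN"
# check. Timing values and the retransmission backoff are constructed.
from dataclasses import dataclass

PRUNE_QUANTA = 30                              # seconds before an idle session is pruned (from the patch)
TH_SYN, TH_PUSH, TH_ACK = 0x02, 0x08, 0x10     # TCP flag bits


@dataclass
class Packet:
    key: tuple                # (src, sport, dst, dport)
    flags: int                # TCP flag byte
    t: float                  # arrival time, seconds
    malicious: bool = False   # would a rule alert (and, inline, drop) on it?


class Stream4Model:
    """Session table keyed by 4-tuple, pruned on idle time like PRUNE_QUANTA."""

    def __init__(self, syn_gate):
        self.syn_gate = syn_gate   # True models the patched behaviour
        self.sessions = {}         # key -> time last seen

    def prune(self, now):
        for key in [k for k, seen in self.sessions.items() if now - seen > PRUNE_QUANTA]:
            del self.sessions[key]

    def handle(self, pkt):
        """Return what happens to pkt: 'inspected', 'drop' or 'pass-uninspected'."""
        self.prune(pkt.t)
        if pkt.key not in self.sessions:
            if pkt.flags != TH_SYN:
                if self.syn_gate:
                    return "drop"               # InlineDrop() before CreateNewSession()
                # Unpatched: the session is picked up midstream and fpdetect skips
                # detection on it (the snot/stick protection), so the packet goes through.
                self.sessions[pkt.key] = pkt.t
                return "pass-uninspected"
            self.sessions[pkt.key] = pkt.t      # CreateNewSession() on a SYN
            return "inspected"
        self.sessions[pkt.key] = pkt.t
        return "drop" if pkt.malicious else "inspected"


def retransmit_scenario(syn_gate):
    """Handshake, then a malicious PSH|ACK that is dropped and retransmitted
    with doubling backoff (constructed timeline: 1, 2, 4, 8, 16, 32, 64 s)."""
    key = ("10.0.0.5", 49463, "192.168.1.10", 80)
    pkts = [Packet(key, TH_SYN, 0.0), Packet(key, TH_ACK, 0.1)]
    t = 1.0
    for gap in (0, 1, 2, 4, 8, 16, 32):
        t += gap
        pkts.append(Packet(key, TH_PUSH | TH_ACK, t, malicious=True))
    model = Stream4Model(syn_gate)
    return [model.handle(p) for p in pkts]


if __name__ == "__main__":
    for gate in (False, True):
        print("syn_gate=%s: %s" % (gate, retransmit_scenario(gate)))
```

Unpatched, the retransmission that arrives 32 seconds after the previous one finds the session pruned and is passed without inspection; with the gate it is dropped. The same model also shows the cost of the check that the patch does not mention: any non-SYN packet with no session, including the first packet of a connection that predates a sensor restart, is dropped until the client opens a fresh connection.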
From: Josh B. <jos...@li...> - 2004-05-19 23:44:08

When running menuconfig it should be under:

Networking Options/Netfilter Configuration/Userspace Queueing via NETLINK

> Here's how I got it working. I manually modified the .config file and added
> the line: CONFIG_IP_NF_QUEUE=y. This built the ip_queue modules. I could
> find nowhere in the menuconfig/netfilter options where it would generate
> this message. Everything seems to be working on. I want to go back today
> and try Will's idea of checking the Code Maturity level options. I'll let
> everyone know what happens, but the other change worked! Thanks!
>
> Kathy
From: Kathy S. <kat...@ho...> - 2004-05-19 11:03:36

Here's how I got it working. I manually modified the .config file and added the line: CONFIG_IP_NF_QUEUE=y. This built the ip_queue modules. I could find nowhere in the menuconfig/netfilter options where it would generate this message. Everything seems to be working on. I want to go back today and try Will's idea of checking the Code Maturity level options. I'll let everyone know what happens, but the other change worked! Thanks!

Kathy
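Several messages in this archive (the kernel-option question from Steffen and buzz's answer, Josh's menuconfig location, and Kathy's hand edit of .config) come down to the same check: does the kernel .config enable netfilter, the ip_queue userspace-queueing path that libipq needs, and bridging. The following is an added example, not code from the thread or from snort_inline, that parses a .config and reports which of those options are missing. The only symbol the thread names is CONFIG_IP_NF_QUEUE; the mapping of the other menuconfig labels to CONFIG_ symbols, and the sample .config fragments, are this example's assumptions.

```python
# Added example (not from the thread or snort_inline): parse a kernel .config and
# report which options the thread says snort_inline needs are missing. The
# symbol-to-menu mapping is this example's assumption, except CONFIG_IP_NF_QUEUE=y,
# which is the line Kathy added by hand.
import re

REQUIRED = {
    "CONFIG_NETFILTER": "Networking options -> Network packet filtering (replaces ipchains)",
    "CONFIG_IP_NF_IPTABLES": "IP: Netfilter Configuration -> IP tables support",
    "CONFIG_IP_NF_FILTER": "IP: Netfilter Configuration -> Packet filtering",
    "CONFIG_IP_NF_QUEUE": "IP: Netfilter Configuration -> Userspace queueing via NETLINK",
    "CONFIG_BRIDGE": "Networking options -> 802.1d Ethernet Bridging",
}
SET_LINE = re.compile(r"^(CONFIG_\w+)=(.+)$")
UNSET_LINE = re.compile(r"^# (CONFIG_\w+) is not set$")


def parse_config(text):
    """Map CONFIG_ symbols to their value; 'is not set' comments map to 'n'."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = SET_LINE.match(line)
        if m:
            opts[m.group(1)] = m.group(2).strip()
            continue
        m = UNSET_LINE.match(line)
        if m:
            opts[m.group(1)] = "n"
    return opts


def missing_options(text, required=REQUIRED):
    """Required symbols that are neither built in (y) nor built as a module (m)."""
    opts = parse_config(text)
    return sorted(sym for sym in required if opts.get(sym) not in ("y", "m"))


def report(text):
    """Missing options with the menuconfig location where each one lives."""
    return ["%s (%s)" % (sym, REQUIRED[sym]) for sym in missing_options(text)]


# Constructed .config fragments: before and after the manual CONFIG_IP_NF_QUEUE edit.
CONFIG_BEFORE = """\
CONFIG_EXPERIMENTAL=y
CONFIG_NETFILTER=y
CONFIG_BRIDGE=m
CONFIG_IP_NF_IPTABLES=m
# CONFIG_IP_NF_QUEUE is not set
CONFIG_IP_NF_FILTER=m
"""
CONFIG_AFTER = CONFIG_BEFORE.replace("# CONFIG_IP_NF_QUEUE is not set", "CONFIG_IP_NF_QUEUE=y")


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path).read() if path else CONFIG_BEFORE
    for line in report(text) or ["all required options present"]:
        print(line)
```

Run it against the kernel tree's .config before building; a module (=m) is accepted as well as built-in (=y), since ip_queue is commonly built as the ip_queue module that libipq then talks to. The check says nothing about whether the running kernel matches that .config, so it complements rather than replaces looking at the loaded modules after boot.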