snort-inline-users — The goal of this list is to help users debug/use snort_inline

Re: [Snort-inline-users] Re: snort-inline Stream4 workaround

[Jason <sec...@br...>]

my .02

Rob McMillen wrote:

[...]

> 
> 
> I have a problem with an inline device sending resets onto the network.
> What happens if a "bad guy" figures out that your have an inline device
> that sends resets on certain packets?  How hard would it be to craft that
> packet that makes the inline device send a reset, but craft it with a
> spoofed source ip address?  This could potentially be used as a denial of
> service bot (I am sure there is a better term for this).
> 
> Am I just being too paranoid?

Other than advertising the presence of an inline device I do not think
that resets are a bad thing. There is no traffic amplification so it is 
a reflector at best. The attacker could simply craft the same packets 
and send them down the line. I can see where it might be possible to use 
the system as a reflector to reset internal connections however proper 
border filtering should make that a non issue. Even if the inline device 
used a "make state unusable" strategy and sent 3 or 4 bogus packets, 
they will be relatively small compared to the data being sent to the 
inline device so there would be a packet amplification but not data 
amplification case. This might open up other possible prediction attacks 
when using the system as a reflector but it is still an edge case and 
does not seem to have significant value. Time and motivation would 
ultimately test that one.

I can see where sending the reset to the attacker could highlight an 
opening for them to launch a DoS against the inline device through 
resource exhaustion but this problem is worse without the resets.

Perhaps a specific reset case where the stream is taken over by inline 
and the next few packets ( a small random number ) are acked while a 
reset is sent to the target immediately. The acked pkts can be silently 
dropped and never sent to the target. After a few acks the reset is sent 
to the attacker and the entire tracker flushed. This would help prevent 
easy identification of the inline device since predictability on a 
specific pattern or packet would not produce an observable repeating result.

> 
> Also, reject only works in nat mode (i.e. when the inline device has an
> interface with an ip address).  Why?  Because I have not gotten off my
> lazy butt to change the way libnet launches the packets.  It does not know
> how to send them out if the interface is not up.

Easy enough to solve, require a response port to run in this mode. Use a 
rule to drop any inbound pkts to the interface and set it as the default 
route for external networks. Use net routes on the management interface 
for local networks...

> 
> Just out of curiosity, would the list see the stream reassembly being used
> for certain ports or for all ports?  Wondering if it would be worth while
> to generate an inline stream reassembler..

I do not see any value in an inline device that does not reassemble all 
tcp traffic, for optimization purposes it could be tied to ports that 
have rules for them however one tcp any any style rule would mean 
reassemble everything.

> 
> Thanks in advance,
> 
> Rob
> 
> 
> 
> -------------------------------------------------------
> This SF.Net email is sponsored by: SourceForge.net Broadband
> Sign-up now for SourceForge Broadband and get the fastest
> 6.0/768 connection for only $19.95/mo for the first 3 months!
> http://ads.osdn.com/?ad_id=2562&alloc_id=6184&op=click
> _______________________________________________
> Snort-inline-users mailing list
> Sno...@li...
> https://lists.sourceforge.net/lists/listinfo/snort-inline-users
> 

[Snort-inline-users] snort_inline with high load

[Thomas P. <tho...@UG...>]

Hi,

When using snort inline to handle large amounts of traffic (100 MBit 
link). I get an error like this ( start snort with -q)

IpqLoop: : Failed to receive netlink message: No buffer space available

Some posts on the netfilter list say it's a bad idea to copy large 
amounts of data from/to userspace. Although there's no much of a 
workaround in this case.

Any ideas on how to handle this?

greets,
Thomas

[Snort-inline-users] Re: snort-inline Stream4 workaround

[Rob M. <ro...@ho...>]

> Alright, I think that I have found a pseudo work-around for this issue, and
> anybody is welcome to shoot holes in it if they wish.  If we set all of the
> rules to reject rather than drop, the packet is tracked correctly through
> the stream as it should be.  If we send out RST's due to an alert there is
> no retransmission from the client i.e. no Re-transmissions to continue to
> track and eventually prune due to pruning time-out.  Unlike normal flexresp
> which just listens on the network and sends resets if it see's nasty
> packets, Rob or Jed coded InlineReject() to drop the packet just like
> InlineDrop() and then send the reset.  I'm wondering why we don't make this
> default behavior of snort_inline, snort_inline wouldn't have to process the
> same packet over and over again i.e. no multiple alerts on the same packet.

I have a problem with an inline device sending resets onto the network.
What happens if a "bad guy" figures out that your have an inline device
that sends resets on certain packets?  How hard would it be to craft that
packet that makes the inline device send a reset, but craft it with a
spoofed source ip address?  This could potentially be used as a denial of
service bot (I am sure there is a better term for this).

Am I just being too paranoid?

Also, reject only works in nat mode (i.e. when the inline device has an
interface with an ip address).  Why?  Because I have not gotten off my
lazy butt to change the way libnet launches the packets.  It does not know
how to send them out if the interface is not up.

Just out of curiosity, would the list see the stream reassembly being used
for certain ports or for all ports?  Wondering if it would be worth while
to generate an inline stream reassembler..

Thanks in advance,

Rob

Re: [Snort-inline-users] Stream4 and snort_inline anybody have any ideas?

[Pieter C. <pie...@co...>]

>From a commercial point of view, getting stream4 to alert properly in
inline mode is already a good step forward.

        It stores the packet and loops it through StoreStreamPkt waiting
        for an ack from our server that "should" never answer. This
        would not be a problem if we could some how set an infinite
        PRUNE_QUANTA and STREAM4_TTL_LIMIT on packets that generated an
        alert. If this were possible we could just wait for the RST from
        the server in which case the session would be deleted from
        Stream4


Is it not possible to spoof the ack packet at the same time the drop is
called?
        
For some reason, even alerting when using snort with the -Q option
doesn't work properly.

        Is stream4 really worth all of the effort. Is there anything
        else you guy's want would rather see working in snort_inline?
> 

I think so. If you install fragroute and run it with the tcp
segmentation option, then you can completely circumvent the inline
device by breaking any attack into small tcp segments. Not that
commercially feasible because things go real slow, but doable. I have
not seen automated tools do this yet?

Pieter

On Fri, 2004-05-14 at 08:57, William Metcalf wrote:
> Alright so here is what I have found so far regarding snort_inline and
> the stream4 preprocessor. From what I can tell when an alert is
> detected in traffic being reassembled in stream4. InlineDrop(); Is
> called and the packet is properly dropped. I believe the problem is in
> the way that Stream4 handles an un-acked packet, It stores the packet
> and loops it through StoreStreamPkt waiting for an ack from our server
> that "should" never answer. This would not be a problem if we could
> some how set an infinite PRUNE_QUANTA and STREAM4_TTL_LIMIT on packets
> that generated an alert. If this were possible we could just wait for
> the RST from the server in which case the session would be deleted
> from Stream4. Otherwise we hit our TTL and PRUNE limits and the stream
> gets dropped from stream4 prematurely. I changed these values globally
> in my spp_stream4.c file, and everything I have been throwing at
> snort_inline seems to get dropped correctly. The only thing I'm
> worried about is that on a busy network we would hit our memory limit
> for Stream4 and start pruning sessions because of it. The default is
> 8mb, If you up these values I would also suggest that up the amount of
> memory you are using for stream4. This method kind of stinks, Does
> anybody have a better Idea of how to do this without completely
> rewriting stream4? Is stream4 really worth all of the effort. Is there
> anything else you guy's want would rather see working in snort_inline?
> 
> Regards,
> 
> Will
-- 
Pieter Claassen <pie...@co...>

Re: [Snort-inline-users] Stream4 and snort_inline anybody have any ideas?

[Stephan S. <ss...@as...>]

Hi Will,

great to hear that you are making progress on this issue.
Did you notice that Marty has rewritten the stream4 preprocessor, which AFAIK
has not made it into stable Snort releases? Maybe this will improve some things.
Here's the mail Marty sent to snort-devel 2 months ago:

> Hi everyone,
> 
> We checked some code into CVS a few days ago that make a couple pretty big changes as to how the stream reassembler works and I'm soliciting feedback as to how the changes work.  The biggest change is that I replaced the state machine in stream4 for TCP state tracking and changed the way that state transitions are handled.  Basically, the state machine has been reduced from ~650 lines of code down to about ~230 or so, I removed the different state trees that paid attention to state differently based on whether or not you were the client or server and I added a state queuing mechanism into the engine so that we can defer state transitions until we see the side being transitioned indicate that it has seen the transition itself.  Session teardown state transitions are modeled more correctly in the new code as well and it seems to work a lot more efficiently in general.
> 
> Another change that was made was to the unified output plugin (one that should be translated across all the logging plugins in the not too distant future I hope).  One of the big annoyances with the way we do stream reassembly is the "pseudo-packet" that we generate to analyze the reassembled stream segments.  A lot has been written on the pros and  cons of doing it this way, but one of the side effects of this method and the way that Snort's engine works is that if there was a detection event on a reassembled pseudo-packet, the pseudo-packet got logged.
> 
> I made a change to the way that the unified output module works so that it can get access to the packets that are queued (fully) in the stream4 StreamTrackers and log them instead of logging the pseudo packet.  The way it works is to generate the event on the first packet in the reassembled stream and log all subsequent packets in the stream as tagged packets referencing the original event.  The upside of this method is that it logs the actual packets instead of the pseudo-packet so you can look for signs of hand crafting and such, not to mention that you now have the set of unmodified packets for legal/whatever purposes you might need them for.
> 
> Anyway, this code is in CVS now and if people could give it a test and report if they see any weirdness, I'd appreciate it.  If  you want to keep tabs on the stream state transitions specifically I added in a new SNORT_DEBUG value (8388608) to track those independent of other debug statements in Snort.  The new stream logging stuff only works if you're using log_unified as an output type, but it should work with Barnyard (including the latest builds) just fine.
> 
>      -Marty

Regards,
Stephan

-- 
Stephan Scholz <ss...@as...> | Development
Astaro AG | www.astaro.com | Phone +49-721-490069-0 | Fax -55

Awards for ASL:
- Nätverk & Kommunikation Magazine, Sweden: "Five Stars" - October 2003
- Linux Enterprise Readers' Choice Award: Best Firewall - October 2003
- LinuxWorld Product Excellence Award: Best Security Solution - August 2003
- "Excellent" Infoworld Magazine - August 2003

Re: [Snort-inline-users] Stream4 and snort_inline anybody have any ideas?

[pieter c. <pi...@co...>]

>From a commercial point of view, getting stream4 to alert properly in
inline mode is already a good step forward.

        It stores the packet and loops it through StoreStreamPkt waiting
        for an ack from our server that "should" never answer. This
        would not be a problem if we could some how set an infinite
        PRUNE_QUANTA and STREAM4_TTL_LIMIT on packets that generated an
        alert. If this were possible we could just wait for the RST from
        the server in which case the session would be deleted from
        Stream4


Is it not possible to spoof the ack packet at the same time the drop is
called?
        
For some reason, even alerting when using snort with the -Q option
doesn't work properly.

        Is stream4 really worth all of the effort. Is there anything
        else you guy's want would rather see working in snort_inline?
> 

I think so. If you install fragroute and run it with the tcp
segmentation option, then you can completely circumvent the inline
device by breaking any attack into small tcp segments. Not that
commercially feasible because things go real slow, but doable. I have
not seen automated tools do this yet.

Pieter

On Fri, 2004-05-14 at 08:57, William Metcalf wrote:
> Alright so here is what I have found so far regarding snort_inline and
> the stream4 preprocessor. From what I can tell when an alert is
> detected in traffic being reassembled in stream4. InlineDrop(); Is
> called and the packet is properly dropped. I believe the problem is in
> the way that Stream4 handles an un-acked packet, It stores the packet
> and loops it through StoreStreamPkt waiting for an ack from our server
> that "should" never answer. This would not be a problem if we could
> some how set an infinite PRUNE_QUANTA and STREAM4_TTL_LIMIT on packets
> that generated an alert. If this were possible we could just wait for
> the RST from the server in which case the session would be deleted
> from Stream4. Otherwise we hit our TTL and PRUNE limits and the stream
> gets dropped from stream4 prematurely. I changed these values globally
> in my spp_stream4.c file, and everything I have been throwing at
> snort_inline seems to get dropped correctly. The only thing I'm
> worried about is that on a busy network we would hit our memory limit
> for Stream4 and start pruning sessions because of it. The default is
> 8mb, If you up these values I would also suggest that up the amount of
> memory you are using for stream4. This method kind of stinks, Does
> anybody have a better Idea of how to do this without completely
> rewriting stream4? Is stream4 really worth all of the effort. Is there
> anything else you guy's want would rather see working in snort_inline?
> 
> Regards,
> 
> Will

[Snort-inline-users] Stream4 and snort_inline anybody have any ideas?

[William M. <Wil...@kc...>]

Alright so here is what I have found so far regarding snort_inline and =
the
stream4 preprocessor.  From what I can tell when an alert is detected i=
n
traffic being reassembled in stream4.  InlineDrop();  Is called and the=

packet is properly dropped.  I believe the problem is in the way that
Stream4 handles an un-acked packet,  It stores the packet and loops it
through StoreStreamPkt waiting for an ack from our server that "should"=

never answer.  This would not be a problem if we could some how set an
infinite PRUNE_QUANTA and   STREAM4_TTL_LIMIT on packets that generated=
 an
alert. If this were possible we could just wait for the RST from the se=
rver
in which case the session would be deleted from Stream4.  Otherwise we =
hit
our TTL and PRUNE limits and the stream gets dropped from stream4
prematurely.  I changed these values globally in my spp_stream4.c file,=
 and
everything I have been throwing at snort_inline seems to get dropped
correctly. The only thing I'm worried about is that on a busy network w=
e
would hit our memory limit for Stream4 and start pruning sessions becau=
se
of it.  The default is 8mb, If you up these values I would also suggest=

that up the amount of memory you are using for stream4. This method kin=
d of
stinks, Does anybody have a better Idea of how to do this without
completely rewriting stream4? Is stream4 really worth all of the effort=
.
Is there anything else you guy's want would rather see working in
snort_inline?

Regards,

Will=

[Snort-inline-users] snort-inline on 2.4.26 kernel

[Kathy S. <kat...@ho...>]

I am trying to run snort-inline on a new 2.4.26 kernel, patched with the 
proper ebtables patch.  In the kernel config I build all Ehernet bridging 
into kernel (vice doing modules) and choose all iptables options as 
built-in.   Problem in when I start snort-inline in the Q mode, it tells me 
:

   InitInline:  Failed to send netlink message:  Connection refused

which according to others means I don't have ip_queue loaded.  Problem is, I 
don't see the ip_queue option as a module in the 2.4.26!  Am I just missing 
it somewhere?  Or do I build everything (ethernet bridging, iptables stuff) 
as modules?

Thanks for any help.

Re: [Snort-inline-users] snort_inline segfault

[Ben J. <be...@ma...>]

Dear All,
Anyone running snort Inline 2.1.2, Postgresql, Barnyard 0.2.0?

When I Load it and it parses the snort.log file i get with gdb:
and it says util.c line 524
timet = tv->tv_sec;
anyone running with success?
I already changed my snort.conf to log_unified and when i connect to my db normally with snort it works.
So it must be a barnyard issue?

Regards,
Ben

[Snort-inline-users] Flow-portscan

[Jochen V. <jv...@it...>]

Hi,

Im using snortinline-2.1.0 and try to get portscan messages.
If i use as output msg i get nothing
If i use as output pktkludge i get an unattravtive output
If i use as output pktkludge with barnyard i get an unattravtive output with
wrong Ips.

Any comments?
Thx for help
jo


---snort------------------
snort -c snort.conf -i br0 -Q -de -A none

---portscan-config----------
preprocessor flow-portscan: server-watchnet [192.168.0.0/24] tcp-penalties
on server-learning-time 3600 server-scanner-limit 50 alert-mode all
output-mode msg

----output-mode-msg---------------
If i use msg as output-mode i get nothing

----output-mode-pktkludge---------------
If i us pktkludge as output-mode a get a file PROTO255
With following content
 
[**] Portscan detected from 192.168.0.40 Talker(fixed: 15 sliding: 15)
Scanner(fixed: 0 sliding: 0) [**]
05/11-14:12:51.000000 192.168.0.40 -> 192.168.0.143 PROTO255 TTL:0 TOS:0x10
ID:0 IpLen:20 DgmLen:507
41 64 64 72 65 73 73 3A 20 31 39 32 2E 31 36 38  Address: 192.168
2E 30 2E 34 30 0A 41 54 5F 53 43 4F 52 45 3A 20  .0.40.AT_SCORE: 
31 35 0A 53 54 5F 53 43 4F 52 45 3A 20 31 35 0A  15.ST_SCORE: 15.
41 53 5F 53 43 4F 52 45 3A 20 30 0A 53 53 5F 53  AS_SCORE: 0.SS_S
43 4F 52 45 3A 20 30 0A 54 6F 74 61 6C 20 43 6F  CORE: 0.Total Co
6E 6E 65 63 74 69 6F 6E 73 3A 20 31 35 0A 53 63  nnections: 15.Sc
61 6E 46 6C 61 67 73 3A 20 30 78 31 0A 41 54 5F  anFlags: 0x1.AT_
53 54 41 52 54 45 4E 44 3A 20 31 30 38 34 32 37  STARTEND: 108427
37 35 37 31 20 31 30 38 34 32 37 37 36 30 31 0A  7571 1084277601.
53 54 5F 53 54 41 52 54 45 4E 44 3A 20 31 30 38  ST_STARTEND: 108
34 32 37 37 35 37 31 20 31 30 38 34 32 37 37 36  4277571 10842776
30 31 0A 41 53 5F 53 54 41 52 54 45 4E 44 3A 20  01.AS_STARTEND: 
31 30 38 34 32 37 37 35 37 31 20 31 30 38 34 32  1084277571 10842
37 37 35 38 36 0A 53 53 5F 53 54 41 52 54 45 4E  77586.SS_STARTEN
44 3A 20 31 30 38 34 32 37 37 35 37 31 20 31 30  D: 1084277571 10
38 34 32 37 37 35 39 31 0A 52 45 46 5F 53 45 43  84277591.REF_SEC
3A 20 20 20 30 0A 52 45 46 5F 45 56 45 4E 54 3A  :   0.REF_EVENT:
20 30 0A 43 6F 6E 6E 49 6E 66 6F 3A 20 28 36 3A   0.ConnInfo: (6:
31 39 32 2E 31 36 38 2E 30 2E 31 34 33 3A 32 33  192.168.0.143:23
30 31 20 46 6C 61 67 73 3A 20 32 29 0A 43 6F 6E  01 Flags: 2).Con
6E 49 6E 66 6F 3A 20 28 36 3A 31 39 32 2E 31 36  nInfo: (6:192.16
38 2E 30 2E 31 34 33 3A 33 30 38 32 31 20 46 6C  8.0.143:30821 Fl
61 67 73 3A 20 32 29 0A 43 6F 6E 6E 49 6E 66 6F  ags: 2).ConnInfo
3A 20 28 36 3A 31 39 32 2E 31 36 38 2E 30 2E 31  : (6:192.168.0.1
34 33 3A 34 36 35 20 46 6C 61 67 73 3A 20 32 29  43:465 Flags: 2)
0A 43 6F 6E 6E 49 6E 66 6F 3A 20 28 36 3A 31 39  .ConnInfo: (6:19
32 2E 31 36 38 2E 30 2E 31 34 33 3A 32 30 30 33  2.168.0.143:2003
34 20 46 6C 61 67 73 3A 20 32 29 0A 43 6F 6E 6E  4 Flags: 2).Conn
49 6E 66 6F 3A 20 28 36 3A 31 39 32 2E 31 36 38  Info: (6:192.168
2E 30 2E 31 34 33 3A 31 30 30 30 30 20 46 6C 61  .0.143:10000 Fla
67 73 3A 20 32 29 0A                             gs: 2).


----pktkludge-barnyard-------------------------------------------
If i use pktkludge as output-mode and use barnyard i get

[**] [121:3:1] <span class="prep_text">&nbsp;prep&nbsp;</span>
flow-portscan: Fixed Scale Talker Limit Exceed
ed [**]
[Classification: Not Suspicious Traffic] [Priority: 2]
Event ID: 9     Event Reference: 9
05/19/18-12:12:19.1161512052 8.0.69.16 -> 1.250.0.0
PROTO068 TTL:67 TOS:0x41 ID:16708 IpLen:52 DgmLen:17220 RB DF
IP Options (1) => EOL 
Frag Offset: 0xD41   Frag Size: 0x1D4
2E 34 30 0A 41 54 5F 53 43 4F 52 45 3A 20 31 35  .40.AT_SCORE: 15
0A 53 54 5F 53 43 4F 52 45 3A 20 31 35 0A 41 53  .ST_SCORE: 15.AS
5F 53 43 4F 52 45 3A 20 30 0A 53 53 5F 53 43 4F  _SCORE: 0.SS_SCO
52 45 3A 20 30 0A 54 6F 74 61 6C 20 43 6F 6E 6E  RE: 0.Total Conn
65 63 74 69 6F 6E 73 3A 20 31 35 0A 53 63 61 6E  ections: 15.Scan
46 6C 61 67 73 3A 20 30 78 31 0A 41 54 5F 53 54  Flags: 0x1.AT_ST
41 52 54 45 4E 44 3A 20 31 30 38 34 32 37 38 33  ARTEND: 10842783
39 31 20 31 30 38 34 32 37 38 34 32 31 0A 53 54  91 1084278421.ST
5F 53 54 41 52 54 45 4E 44 3A 20 31 30 38 34 32  _STARTEND: 10842
37 38 33 39 31 20 31 30 38 34 32 37 38 34 32 31  78391 1084278421
0A 41 53 5F 53 54 41 52 54 45 4E 44 3A 20 31 30  .AS_STARTEND: 10
38 34 32 37 38 33 39 31 20 31 30 38 34 32 37 38  84278391 1084278
34 30 36 0A 53 53 5F 53 54 41 52 54 45 4E 44 3A  406.SS_STARTEND:
20 31 30 38 34 32 37 38 33 39 31 20 31 30 38 34   1084278391 1084
32 37 38 34 31 31 0A 52 45 46 5F 53 45 43 3A 20  278411.REF_SEC: 
20 20 30 0A 52 45 46 5F 45 56 45 4E 54 3A 20 30    0.REF_EVENT: 0
0A 43 6F 6E 6E 49 6E 66 6F 3A 20 28 36 3A 31 39  .ConnInfo: (6:19
32 2E 31 36 38 2E 30 2E 31 34 33 3A 34 33 32 31  2.168.0.143:4321
20 46 6C 61 67 73 3A 20 32 29 0A 43 6F 6E 6E 49   Flags: 2).ConnI
6E 66 6F 3A 20 28 36 3A 31 39 32 2E 31 36 38 2E  nfo: (6:192.168.
30 2E 31 34 33 3A 37 30 37 30 20 46 6C 61 67 73  0.143:7070 Flags
3A 20 32 29 0A 43 6F 6E 6E 49 6E 66 6F 3A 20 28  : 2).ConnInfo: (
36 3A 31 39 32 2E 31 36 38 2E 30 2E 31 34 33 3A  6:192.168.0.143:
33 32 37 36 38 20 46 6C 61 67 73 3A 20 32 29 0A  32768 Flags: 2).
43 6F 6E 6E 49 6E 66 6F 3A 20 28 36 3A 31 39 32  ConnInfo: (6:192
2E 31 36 38 2E 30 2E 31 34 33 3A 36 36 36 36 20  .168.0.143:6666 
46 6C 61 67 73 3A 20 32 29 0A 43 6F 6E 6E 49 6E  Flags: 2).ConnIn
66 6F 3A 20 28 36 3A 31 39 32 2E 31 36 38 2E 30  fo: (6:192.168.0
2E 31 34 33 3A 31 30 38 30 20 46 6C 61 67 73 3A  .143:1080 Flags:
20 32 29 0A                                       2).

Re: [Snort-inline-users] snort_inline segfault

[die t. <rei...@fh...>]

Am Dienstag, 11. Mai 2004 02:10 schrieb William Metcalf:
> calling all users with sql problems what are your nic and bridge
> configurations?   Are you running bridging without an ip stack or with an
> ip stack?  Are you using this for management???  Are you using a third card
> for management?  Trying to find some sort of common thread with all of
> these problems.
>
> Regards,
>
> Will

hi will,

im running snort_inline 2.1.2. i have my firewall in bridged mode, without an 
ip address, using a third interface for admin tasks.
this is the commandline which works now including -i

/usr/local/bin/snort_inline -D -Q -U -y -R -I -u snort -g snort \ 
-t /var/snort_inline -l /var/snort_inline/log \ 
-c /var/snort_inline/etc/rules/snort.conf -i br0 \

i tested without -u -g and -t (and -i) parameter because i guessed the chroot 
or privdrop breaks things, but didn't helped.
i guess its because i have no ip on my bridge. eth0 as my admin interface has 
an ip.

any more info needed?

sebastian

[Snort-inline-users] =?iso-8859-1?Q?Content_doesn=B4t_work?=

[Jochen V. <jv...@it...>]

Hi,

If i test the inline function with http://x.x.x.x/../../etc/passwd i get no
log.

If i change content with uricontent it works.

Whats the problem?

Thx for help 

---Version---
Version 2.1.0 (Build 9)

---Config---
preprocessor flow: stats_interval 0 hash 2
preprocessor http_inspect: global iis_unicode_map unicode.map 1252
preprocessor bo
preprocessor flow-portscan: scoreboard-rows-talker 30000
scoreboard-rows-scanner 30000 scanner-fixed-threshold 15
scanner-sliding-threshold 40 scanner-fixed-window 15 scanner-sliding-window
20 scanner-sliding-scale-factor 0.50 talker-fixed-threshold 30
talker-sliding-threshold 30 talker-fixed-window 30 talker-sliding-window 20
talker-sliding-scale-factor 0.50 server-rows 65535 server-watchnet
[10.2.0.0/30] src-ignore-net [192.168.1.1/32,192.168.0.0/24] dst-ignore-net
[10.0.0.0/30] tcp-penalties on server-learning-time 14400
server-ignore-limit 200 server-scanner-limit 4 alert-mode once output-mode
msg
preprocessor frag2: timeout 60,memcap 4194304
preprocessor http_inspect_server: server default profile all ports { 80 8080
} flow_depth 250 inspect_uri_only oversize_dir_length 300
preprocessor rpc_decode:  111 32771
preprocessor stream4: disable_evasion_alerts,memcap 8388608,timeout
30,detect_scans
preprocessor stream4_reassemble: ports [21 23 25 53 80 143 110 111 513],
both
preprocessor telnet_decode

---Rule---
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC
/etc/passwd"; flow:to_server,established; content:"/etc/passwd"; nocase;
classtype:attempted-recon; sid:1122; rev:4;)

[Snort-inline-users] snort_inline segfault

[sebastian <rei...@fh...>]

hi, 
after a weekend trying to get snort_inline to work (finally it works now :) i 
stumbled across a problem which took me a lot of time to figure out because 
of a not existent error message, maybe in the next version???
here it comes:

i used snort without the database plugin and without the -i <iface> parameter 
which worked well. after that i tried to use the database output plugin and 
it segfaults without giving me any reason.
as the problem only occurs if the database plugin is enabled, i think the 
problem resides in src/output-plugins/spo_database.c in line 350. if i omit 
the -i parameter PRINT_INTERFACE(pv.interface) returns NULL.

sth. like that would be nice:
if (PRINT_INTERFACE(pv.interface) == NULL) {
	fprintf(stderr, "ERROR: please specify parameter -i <iface>\n");
	exit(1);
}

sebastian

Re: [Snort-inline-users] Question: about the snort_inline

[520 j. <jac...@ho...>]

Dear Willian:

             Thanks for your spport.

             I set all enviromental variable that will be used in system 
path.
             and do

             ./configure --with-mysql=/usr/local/mysql

             make

             make install

             and now, It my test enviroment:

              PC1: eth0: IP 192.192.192.1 --->LAN
                   eth1: IP 172.19.100.69 -->WAN
                         DGW 172.19.1.254
                         DNS 168.95.1.1

              PC2: eth0: IP 192.192.192.10--->LAN PC
                        DGW 192.192.192.1
                        DNS 168.95.1.1

              the PC1 eth0 and PC2 eth0 connected by ip sharing.
              the PC1 eth1 can connect to internet.
              and I echo 1 > /proc/sys/net/ipv4/ip_forward  to be the 
forward mode.


              The drop-rule only used the test.rules and modify two rules:

              drop tcp any any <> any any (msg: "hell stream"; content: 
"yahoo"; nocase;)
              drop udp any any <> any any (msg: "hell stream"; content: 
"yahoo"; nocase;)

            and do

              ./snort_inline -c ./snort_inline.conf -l /var/log -Q

              [root@jackie69 snort]# ./snort_inline -c ./snort_inline.conf 
-l /var/log
-Q
Reading from iptables
Running in IDS mode
Log directory = /var/log
Initializing Inline mode

        --== Initializing Snort ==--
Initializing Output Plugins!
Setting the Packet Processor to decode packets from iptables
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file ./snort_inline.conf

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
rpc_decode arguments:
    Ports to decode RPC on: 111 32771
    alert_fragments: INACTIVE
    alert_large_fragments: ACTIVE
    alert_incomplete: ACTIVE
    alert_multiple_requests: ACTIVE
telnet_decode arguments:
    Ports to decode telnet on: 21 23 25 119
2 Snort rules read...
2 Option Chains linked into 2 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++


+-----------------------[thresholding-config]----------------------------------

| memory-cap : 1048576 bytes
+-----------------------[thresholding-global]----------------------------------

| none
+-----------------------[thresholding-local]-----------------------------------

| none
+-----------------------[suppression]------------------------------------------

| none
-------------------------------------------------------------------------------

Rule application
order: ->activation->dynamic->drop->sdrop->reject->alert->pass->log
        --== Initialization Complete ==--

*******************
snort_inline-2.1.2
*******************
a modification of ...

-*> Snort! <*-
Version 2.1.2 (Build 25)
By Martin Roesch (ro...@so..., www.snort.org)
            

               But why the PC2 still can connect to internet?

               Does it set drop in tables when it init. ?

               Could you please tell me what's wrong with it?


Best Regard.

                               Jackie 

---Original---------------------------------------------------------
>
>Like Rob said,
>just do
>
>make clean
>./configure --with-mysql
>make
>make install
>
>That is if your libraries are in your path statement otherwise include
>everything you did below minus the line
>
>--enable-ipfw --with-libipq-includes=/usr/local/include
>
>You probably don't need flexresp either
>
>If you want to get really crazy try
>
>./configure --with-mysql=/usr/local/mysql --enable-inline
>--with-libipq-includes=/usr/local/include
>--with-libipq-libraries=/usr/local/lib
>make
>make install
>
>Regards,
>
>Will
>
>
>
>
>
>              "520 jackie"
>              <jackie520520@hot
>              mail.com>                                                  
To
>                                        Wil...@kc...
>              05/03/2004 09:32                                           
cc
>              PM
>                                                                    
Subject
>                                        Re: [Snort-inline-users] Question:
>                                        about the snort_inline
>
>
>
>
>
>
>
>
>
>
>Dear Willian:
>              Thanks for your reply.
>./configure
>
>./configure --with-mysql=/usr/local/mysql --enable-flexresp
>--with-libnet-includes=/usr/include --with-libnet-libraries=/usr/lib
>--enable-ipfw --with-libipq-includes=/usr/local/include
>--with-libipq-libraries=/usr/local/lib
>
>Output(It the second times configure output):
>
>checking for a BSD-compatible install... /usr/bin/install -c
>checking whether build environment is sane... yes
>checking for gawk... gawk
>checking whether make sets $(MAKE)... yes
>checking for style of include used by make... GNU
>checking for gcc... gcc
>checking for C compiler default output... a.out
>checking whether the C compiler works... yes
>checking whether we are cross compiling... no
>checking for suffix of executables...
>checking for suffix of object files... o
>checking whether we are using the GNU C compiler... yes
>checking whether gcc accepts -g... yes
>checking for gcc option to accept ANSI C... none needed
>checking dependency style of gcc... gcc
>checking for gcc option to accept ANSI C... none needed
>checking for ranlib... ranlib
>checking for gcc... (cached) gcc
>checking whether we are using the GNU C compiler... (cached) yes
>checking whether gcc accepts -g... (cached) yes
>checking for gcc option to accept ANSI C... (cached) none needed
>checking dependency style of gcc... (cached) gcc
>checking build system type... i586-pc-linux-gnu
>checking host system type... i586-pc-linux-gnu
>checking whether byte ordering is bigendian... no
>checking for sparc alignment... no
>checking how to run the C preprocessor... gcc -E
>checking for egrep... grep -E
>checking for ANSI C header files... yes
>checking for sys/types.h... yes
>checking for sys/stat.h... yes
>checking for stdlib.h... yes
>checking for string.h... yes
>checking for memory.h... yes
>checking for strings.h... yes
>checking for inttypes.h... yes
>checking for stdint.h... yes
>checking for unistd.h... yes
>checking for strings.h... (cached) yes
>checking for string.h... (cached) yes
>checking for stdlib.h... (cached) yes
>checking for unistd.h... (cached) yes
>checking sys/sockio.h usability... no
>checking sys/sockio.h presence... no
>checking for sys/sockio.h... no
>checking paths.h usability... yes
>checking paths.h presence... yes
>checking for paths.h... yes
>checking for inet_ntoa in -lnsl... yes
>checking for socket in -lsocket... no
>checking whether printf must be declared... no
>checking whether fprintf must be declared... no
>checking whether syslog must be declared... no
>checking whether puts must be declared... no
>checking whether fputs must be declared... no
>checking whether fputc must be declared... no
>checking whether fopen must be declared... no
>checking whether fclose must be declared... no
>checking whether fwrite must be declared... no
>checking whether fflush must be declared... no
>checking whether getopt must be declared... no
>checking whether bzero must be declared... no
>checking whether bcopy must be declared... no
>checking whether memset must be declared... no
>checking whether strtol must be declared... no
>checking whether strcasecmp must be declared... no
>checking whether strncasecmp must be declared... no
>checking whether strerror must be declared... no
>checking whether perror must be declared... no
>checking whether socket must be declared... no
>checking whether sendto must be declared... no
>checking whether vsnprintf must be declared... no
>checking whether snprintf must be declared... no
>checking whether strtoul must be declared... no
>checking for snprintf... yes
>checking for strlcpy... no
>checking for strlcat... no
>checking for strerror... yes
>checking for __FUNCTION__... yes
>checking for floor in -lm... yes
>checking for pcap_datalink in -lpcap... yes
>checking pcre.h usability... yes
>checking pcre.h presence... yes
>checking for pcre.h... yes
>checking for pcre_compile in -lpcre... yes
>checking for mysql... yes
>checking for compress in -lz... yes
>checking "for libnet.h version 1.0.x"... /usr/local/include
>checking libnet.h usability... yes
>checking libnet.h presence... yes
>checking for libnet.h... yes
>checking for libnet version 1.0.2a... yes
>checking for libnet_build_ip in -lnet... yes
>checking for u_int8_t... yes
>checking for u_int16_t... yes
>checking for u_int32_t... yes
>checking for a BSD-compatible install... /usr/bin/install -c
>configure: creating ./config.status
>config.status: creating Makefile
>config.status: creating src/Makefile
>config.status: creating src/sfutil/Makefile
>config.status: creating src/detection-plugins/Makefile
>config.status: creating src/output-plugins/Makefile
>config.status: creating src/preprocessors/Makefile
>config.status: creating src/preprocessors/HttpInspect/Makefile
>config.status: creating src/preprocessors/HttpInspect/include/Makefile
>config.status: creating src/preprocessors/HttpInspect/utils/Makefile
>config.status: creating
>src/preprocessors/HttpInspect/anomaly_detection/Makefile
>config.status: creating src/preprocessors/HttpInspect/client/Makefile
>config.status: creating 
src/preprocessors/HttpInspect/event_output/Makefile
>config.status: creating
>src/preprocessors/HttpInspect/mode_inspection/Makefile
>config.status: creating
>src/preprocessors/HttpInspect/normalization/Makefile
>config.status: creating src/preprocessors/HttpInspect/server/Makefile
>config.status: creating
>src/preprocessors/HttpInspect/session_inspection/Makefile
>config.status: creating
>src/preprocessors/HttpInspect/user_interface/Makefile
>config.status: creating src/preprocessors/flow/Makefile
>config.status: creating src/preprocessors/flow/int-snort/Makefile
>config.status: creating src/preprocessors/flow/portscan/Makefile
>config.status: creating src/parser/Makefile
>config.status: creating doc/Makefile
>config.status: creating contrib/Makefile
>config.status: creating etc/Makefile
>config.status: creating rules/Makefile
>config.status: creating templates/Makefile
>config.status: creating src/win32/Makefile
>config.status: creating config.h
>config.status: config.h is unchanged
>config.status: executing depfiles commands
>
>And I modify the config.h and add smoe define var:
>(Beacuse I found the Redhat 6.2 this var. is called __func__, and the 
newer
>
>version is called __FUNCTION__)
>
>#ifndef __FUNCTION__
>#undef __FUNCTION__
>#define ____FUNCTION__ __func__
>#endif
>
>#ifdef __func__
>#define __func__ __FUNCTION__
>#endif
>
>
>Next,
>
>make
>
>URCE -D__FAVOR_BSD -DHAVE_NET_ETHERNET_H -DLIBNET_LIL_ENDIAN -c `test -f
>'inline.c' || echo './'`inline.c
>In file included from /usr/include/libnet.h:51,
>                  from inline.c:8:
>/usr/include/netinet/ip.h:224: warning: `IPOPT_EOL' redefined
>decode.h:436: warning: this is the location of the previous definition
>/usr/include/netinet/ip.h:226: warning: `IPOPT_NOP' redefined
>decode.h:440: warning: this is the location of the previous definition
>/usr/include/netinet/ip.h:229: warning: `IPOPT_RR' redefined
>decode.h:444: warning: this is the location of the previous definition
>/usr/include/netinet/ip.h:230: warning: `IPOPT_TS' redefined
>decode.h:452: warning: this is the location of the previous definition
>/usr/include/netinet/ip.h:232: warning: `IPOPT_SECURITY' redefined
>decode.h:456: warning: this is the location of the previous definition
>decode.h:456: warning: this is the location of the previous definition
>/usr/include/netinet/ip.h:234: warning: `IPOPT_LSRR' redefined
>decode.h:460: warning: this is the location of the previous definition
>/usr/include/netinet/ip.h:235: warning: `IPOPT_SATID' redefined
>decode.h:468: warning: this is the location of the previous definition
>/usr/include/netinet/ip.h:237: warning: `IPOPT_SSRR' redefined
>decode.h:472: warning: this is the location of the previous definition
>inline.c: In function `InitInline':
>inline.c:155: warning: implicit declaration of function `pcap_open_dead'
>inline.c:155: warning: assignment makes pointer from integer without a
>cast
>inline.c:88: warning: unused variable `status'
>inline.c: In function `IpfwLoop':
>inline.c:231: `IPPROTO_DIVERT' undeclared (first use in this function)
>inline.c:231: (Each undeclared identifier is reported only once
>inline.c:231: for each function it appears in.)
>inline.c: In function `HandlePacket':
>inline.c:309: warning: unused variable `status'
>make[3]: *** [inline.o] Error 1
>make[3]: Leaving directory `/backup/IDS/snort_inline-2.1.2/src'
>make[2]: *** [all-recursive] Error 1
>make[2]: Leaving directory `/backup/IDS/snort_inline-2.1.2/src'
>make[1]: *** [all-recursive] Error 1
>make[1]: Leaving directory `/backup/IDS/snort_inline-2.1.2'
>make: *** [all] Error 2
>
>and I found the function Ipfwloop in inline.c is only for FreeBSD.
>
>Could you please tell me how to do? Does It have another solutions for
>other linux systems?
>
>
>Best Regards.
>                                                                  Jackie
>
>---Original
>Mail---------------------------------------------------------------
> >what is the output from your ./configure, make, and make install?
> >
> >Regards,
> >
> >Will
> >
> >
> >
> >              "HOT-Jackie"
> >              <jackie520520@hot
> >              mail.com>
>To
> >              Sent by:
><sno...@li...urcefor
> >              snort-inline-user         ge.net>
> >              s-...@li...u
>cc
> >              rceforge.net
> >
>Subject
> >                                        [Snort-inline-users] Question:
> >              05/03/2004 11:44          about the snort_inline
> >              AM
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >Dear All,
> >                  I am the snort_inline new user.
> >             And I have some problems when I compiler the snort_inline
> >v2.12.
> >             The function IpfwLoop only support FreeBSD, But my
>environment
> >is Redhat: v6.2, Kernel: v2.4.20  iptables: v1.2.9.
> >             Could anyone tell me how to do? Or it have another 
solutions?
> >Thx all!!
> >
> >Best Regards.
> >
> >Jackie
>
>_________________________________________________________________
>謅鬖葞 MSN 磟棎紵ㄩ謅鉌葞抰拶蜪椳橏ㄛ?迼鰬葯欒鎏?筈
>http://members.msn.com?pgmarket=zh-tw
>

_________________________________________________________________
免費試聽 MSN 英語學習：和真人老師線上學英文 http://www.msn.com.tw/english/ 

[Snort-inline-users] stream4 preproc v2

[William M. <Wil...@kc...>]

I think that I might have found the root of our problem regarding strea=
m4.
After doing some debugging, it appears as if stream4 resets the stream
after an alert, due to the way we drop traffic I always see multiple
alerts, which I assume means that the attacking computer tries to
retransmit the same packet over and over again.  I sent an e-mail to th=
e
snort-devel mailing list to see if they knew how to disable the flushin=
g of
the stream due to an alert.  Notice the line that reads

 spp_stream4.c:4078: Flusing stream due to an alert!

If we can fix this, I bet stream4 will work for us.

Regards,

Will



spp_stream4.c:1720: pcount stream packet 31
spp_stream4.c:1746: Got Packet 0x6401A8C0:2948 ->  0x6501A8C0:80
***AP***spp_stream4.c:1751: pkt_seq: 2241703975, pkt_ack: 1212128272
spp_stream4.c:3432: Trying to get session...
spp_stream4.c:3440: Looking for sip: 0x6401A8C0 sp: 2948  cip: 0x6501A8=
C0
cp: 80 flags: ***AP***
spp_stream4.c:3447: GetSession forward didn't work, trying backwards...=

spp_stream4.c:3455: Looking for sip: 0x6501A8C0 sp: 80  cip: 0x6401A8C0=
 cp:
2948 flags: ***AP***
spp_stream4.c:3465: Found session
spp_stream4.c:1874: [i] Tracked Bytes: (client: 0, server: 0)
spp_stream4.c:1886: client packet: ***AP***
spp_stream4.c:2409: Server state: ESTABLISHED
spp_stream4.c:3608: Storing client packet (426 bytes)
spp_stream4.c:3655: EVASIVE RETRANS: pkt seq: 0x859DB027 stream->last_a=
ck:
0x859DB1A9
spp_stream4.c:4655: server.base_seq(1212128272) server.last_ack(1212128=
272)
server.next_seq(0)
spp_stream4.c:1958: Stream is established!,ssnflags =3D 0x7
spp_stream4.c:1999: Marking stream as established
spp_stream4.c:2004: pkt is from client
spp_stream4.c:3498: 1 streams active, 992 bytes in use
spp_stream4.c:1674: Prune time quanta exceeded, pruning stream cache
spp_stream4.c:1685: Pruned for timeouts, 1 sessions active, 992 bytes i=
n
use
spp_stream4.c:1685: Stream4 memory cap hit 0 times
spp_stream4.c:4078: Flusing stream due to an alert!
spp_stream4.c:4103: [AFS] Bytes Tracked: 386
spp_stream4.c:4106: [AFS] Bytes Tracked: 0
spp_stream4.c:4115: Moved the base_seq to 2241704361!=

Re: [Snort-inline-users] snort_inline segfault with enabled database output plugin

[Rob M. <ro...@ho...>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Do you have gdb on your system?  If so, can you run this and send the
output to the list?

gdb snort_inline

at the prompt,

run -v -Q -U -y -t /var/snort_inline -l /var/snort_inline/log -c
/var/snort_inline/etc/rules/snort.conf

once you get the segfault,

bt

This will help me figure out what is causing the problem.

Thanks,

Rob

On Mon, 3 May 2004, Joe Hickory wrote:

> hi list,
>
> i can't find an answer anywhere, maybe i have the wrong keywords...
> i'm using snort_inline 2.1.2. everything works fine, without database output
>  plugin enabled.
> i started snort_inline with the following command:
> /usr/local/bin/snort_inline -v -D -Q -U -y -t /var/snort_inline -l
> /var/snort_inline/log -c /var/snort_inline/etc/rules/snort.conf
>
> i don't think the chroot is the problem because without chroot, snort_inline
> segfaults also.
>
> this is the end of the output i get when i start snort manually without -D :
>
> telnet_decode arguments:
>     Ports to decode telnet on: 21 23 25 119
> database: compiled support for ( mysql )
> database: configured to use mysql
> database:          user = acid
> database: password is set
> database: database name = acid
> database:          host = localhost
> database:   sensor name = honeyhost
> Segmentation fault
>
> this is the database plugin line within my configfile:
> output database: alert, mysql user=acid password=password dbname=acid
> host=localhost sensor_name=honeyhost
>
> i used the create_mysql script in the contrib subdir to create the database.
> mysql> select * from schema;
> +------+---------------------+
> | vseq | ctime               |
> +------+---------------------+
> |  106 | 2004-05-03 11:50:53 |
> +------+---------------------+
> 1 row in set (0.00 sec)
>
> hope that's enough info. would be great to get a hint.
>
> thanks
> joe
>
>
> --
> "Sie haben neue Mails!" - Die GMX Toolbar informiert Sie beim Surfen!
> Jetzt aktivieren unter http://www.gmx.net/info
>
>
>
> -------------------------------------------------------
> This SF.Net email is sponsored by: Oracle 10g
> Get certified on the hottest thing ever to hit the market... Oracle 10g.
> Take an Oracle 10g class now, and we'll give you the exam FREE.
> http://ads.osdn.com/?ad_id=3149&alloc_id=8166&op=click
> _______________________________________________
> Snort-inline-users mailing list
> Sno...@li...
> https://lists.sourceforge.net/lists/listinfo/snort-inline-users
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
Comment: Made with pgp4pine 1.76

iD8DBQFAlvk4+cDJj70ouN0RAhtEAJwKBWVUrKBFwGM+X0H07YIUTVlZ5gCg1R67
HlCtPQUEpM5C1G01Vdpqx/8=
=a2RX
-----END PGP SIGNATURE-----

[Snort-inline-users] stream4 reassembly and snort-inline

[William M. <Wil...@kc...>]

Regarding stream4 reassembly and snort_inline, Is the problem that we a=
re
taking traffic out of libipq i.e. iptables instead of libpcap, and tryi=
ng
to reassemble traffic that snort_inline does not understand?  I know th=
at
iptables is only meant to be a packet filter, but has anybody heard of
anything possibly in the patch-o-matic that will handle stream reassemb=
ly
before it gets to snort_inline?

Regards,

Will=

Re: [Snort-inline-users] Question: about the snort_inline

[Rob M. <ro...@ho...>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

>                  I am the snort_inline new user.
>             And I have some problems when I compiler the snort_inline v2.12.
>             The function IpfwLoop only support FreeBSD, But my environment is Redhat: v6.2, Kernel: v2.4.20  iptables: v1.2.9.
>             Could anyone tell me how to do? Or it have another solutions? Thx all!!


How are you trying to configure it?  Are you trying to compile from the
source?  Did you patch a version of snort?

If you are compiling from source, you should be able to simply:

./configure
make
make install

Hope this helps,

Rob
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
Comment: Made with pgp4pine 1.76

iD4DBQFAlvFd+cDJj70ouN0RAr7lAJY/nHV17RZaiNS1bmhxx4Yv1YkzAJ9jHItt
WjBP6HWDm9LnJ+HgvpLOeQ==
=Vn6P
-----END PGP SIGNATURE-----

[Snort-inline-users] Question: about the snort_inline

[HOT-Jackie <jac...@ho...>]

Dear All,
                 I am the snort_inline new user.
            And I have some problems when I compiler the snort_inline =
v2.12.
            The function IpfwLoop only support FreeBSD, But my =
environment is Redhat: v6.2, Kernel: v2.4.20  iptables: v1.2.9.
            Could anyone tell me how to do? Or it have another =
solutions? Thx all!!

Best Regards.

                                                                         =
                                                       Jackie

[Snort-inline-users] snort_inline segfault with enabled database output plugin

[Joe H. <J.H...@gm...>]

hi list,

i can't find an answer anywhere, maybe i have the wrong keywords...
i'm using snort_inline 2.1.2. everything works fine, without database output
 plugin enabled.
i started snort_inline with the following command: 
/usr/local/bin/snort_inline -v -D -Q -U -y -t /var/snort_inline -l
/var/snort_inline/log -c /var/snort_inline/etc/rules/snort.conf

i don't think the chroot is the problem because without chroot, snort_inline
segfaults also.

this is the end of the output i get when i start snort manually without -D :

telnet_decode arguments:
    Ports to decode telnet on: 21 23 25 119 
database: compiled support for ( mysql )
database: configured to use mysql
database:          user = acid
database: password is set
database: database name = acid
database:          host = localhost
database:   sensor name = honeyhost
Segmentation fault

this is the database plugin line within my configfile:
output database: alert, mysql user=acid password=password dbname=acid
host=localhost sensor_name=honeyhost

i used the create_mysql script in the contrib subdir to create the database.
mysql> select * from schema;
+------+---------------------+
| vseq | ctime               |
+------+---------------------+
|  106 | 2004-05-03 11:50:53 |
+------+---------------------+
1 row in set (0.00 sec)

hope that's enough info. would be great to get a hint.

thanks
joe


-- 
"Sie haben neue Mails!" - Die GMX Toolbar informiert Sie beim Surfen!
Jetzt aktivieren unter http://www.gmx.net/info

Re: Fw: [Snort-inline-users] snort_inline-2.1.2 released

[Federico P. <pe...@ac...>]

William Metcalf wrote:

> Anybody that needs a quick fix just remove the line in your 
> snort_inline.conf that reads
> 
> preprocessor stream4_reassemble: ports 3443, both
> 
> and replace with
> 
> preprocessor stream4_reassemble: both
> 
> preprocessor http_inspect: global \
> iis_unicode_map unicode.map 1252
> 
> preprocessor http_inspect_server: server default \
> profile all ports { 80 8080 8180 } oversize_dir_length 500

Hi all.

I'll like to ask two question about this:

- I don't understand exactly this thread... currently I am running
snort-inline 2.1.1 with a conf file and works ok. Is there any change in
2.1.2 that could make snort-inline stop working if I user the same conf
for 2.1.2?

- Some time ago, I found that, if I enable stream4, some packets that
actually should not pass snort-inle (because of drop rule hits) after a
lot a tries finally pass. After asking about this in the list, Pieter
Claassen told me that:

...
The core code is the same for SNIL and Snort but the preprocessors is
another story. The basic problem with stream4 is that it creates an
"uber" packet that it then re-injects into the analysis stream so that
attacks that normally would not be picked up because of boundary splits
then get picked up. Stream4 normally reassembles about 4 Meg of data per
stream if I remember correctly.

In inline mode the basic problem is that the data already passed through
the device by the time that the traditional stream4 approach picks the
anomaly up. So how do you drop data that is already through?
...


Is the stream4 problem solved? the only workaround that I found to that
was to comment out all the stream4 preprocessor lines in the conf.


Thank for...
-- 
                                         Federico Petronio
                                         pe...@ac...

[Snort-inline-users] preprocessors

[Jochen V. <jv...@it...>]

Hi,
Is there any detailed information how the preprocessors work in snort_inline
in qonjunction with iptables?
Thx for infos
jo

[Snort-inline-users] snort configuration on a dual homed ethernet host

[Kamal A. <kam...@ya...>]

Hi,

I would like to know if there is any document available to configure snort
on a dual homed ethernet host.
one port would be in promiscous mode, sniffing all the packets, and the
other port would send out filtered messages based on the rules.

Thanks in advance for any information.

-Kamal.

[Snort-inline-users] Patches for snort-inline+barnyard

[Roland T. <raz...@co...>]

Hi Rob.

Attached please find patches to snort_inline-2.1.2 and barnyard-0.1.0 to 
allow them to work together in inline mode. The approach is this:

- A new magic number INLINE_MAGIC is defined which is used for unified 
logs in inline mode. (In tap/IDS mode, LOG_MAGIC is still used for 
unified logs. In both modes, ALERT_MAGIC is still used for unified alerts.)

- In inline mode, IP datagrams are passed through libipq, and it is 
therefore these which hit the unified logs.

- Barnyard is caused to use DecodeIP instead of DecodeEthPkt when it 
sees INLINE_MAGIC.

Credit for this goes to my colleague Jon Mann.

Enjoy.

- Raz

Re: [Snort-inline-users] snort_inline-2.1.2 released

[Rob M. <ro...@ho...>]

> Was there any reason why the http_inspect preprocessor stuff was not added
> into the snort_inline.conf in version 2.1.2?  I'm thinking that uricontent
> matching is going to be broken without it.

Yes.  I forgot. :(  I'll ping the list for any additional changes prior to
2.1.3.

Thanks for the reminder.

Rob