From: unor <uno...@ya...> - 2004-01-30 17:03:38

Yes. Here are the basic requirements I have set:

- Able to actively stop "malicious" traffic
- Rich ruleset
- Management via ssh
- Quickly deployable
- Inline, no routing (no network changes)
- Undecided on fail open or closed... I prefer to have a choice
- Free

Basic operation: Completely open Bridge_FW with Snort_inline making decisions on what to drop.

This is not being designed as a long term solution... more like an "If all else fails" backup to have on hand for temporary situations if they arise. A potential deployment scenario would be to have these running (or ready to go) at various choke points with an "empty ruleset" until the next "Insert_Malicious_Activity" happens. Quickly craft a rule (assuming it is possible) and deploy it to provide protection until (Insert_Vendor) updates a signature or whatever. I'm sure there are a million other ways to do this and I'm not by any means claiming to have a "New" or "Better" idea... The technology is free, runs on cheap hardware and it seems to work.

I have not done any load testing (yet) and have heard that there is a performance hit with respect to the trip down to user space, which is why I plan on starting out with a solution that is more of a single purpose temporary fix for when nothing else works.

For now, I only have what Will suggested earlier...

iptables -A FORWARD -j QUEUE
iptables -A FORWARD -j ACCEPT

I believe this is all I need for now because this is not meant to be a firewall... it's a purpose built IPS. I'll borrow some of the iptables stuff from rc.firewall (and learn more myself) to help lock down the management interface when I get there.

I feel that snort_inline fits well. I have something working (more or less) but am open to input if you have suggestions. Thanks for participating.

The sourceforge page looks great... Clean and to the point. I don't know C and hate HTML but I can script a bit and can write reasonably well provided a spell checker is available <grin>. Let me know if I can help.

Earl Sammons

--- Rob McMillen <rv...@ca...> wrote:
> Is your intent to let all traffic flow via
> snort_inline? Both outbound and inbound?
>
> Rob
>
> On Fri, 23 Jan 2004, unor wrote:
>
> > I'm looking for a "simple" version of the infamous
> > rc.firewall from the honeynet project.
> >
> > I want to do a bridged inline IPS with
> > snort_inline and therefore don't need the outbound
> > blocking / rate limiting and other various parts of
> > the existing rc.firewall script. Is there anything
> > like this out there?
> >
> > I'm trying to hack up a version of rc.firewall myself
> > but... If I get it working I'll post it.
> >
> > Earl
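The following is an added example, written for this page and not taken from the snort_inline project, from rc.firewall or from anyone in the thread. It is the cut-down rc.firewall Earl describes: two NICs bridged with no IP address so nothing is routed, every frame crossing the bridge handed to snort_inline through ip_queue, and only ssh from an admin network on a separate management NIC allowed into the box. The interface names (eth0/eth1 bridged as br0, eth2 for management), the 10.0.0.0/24 admin network and the /sbin paths are assumptions. It also makes the fail-open/fail-closed choice explicit: with ip_queue, packets that hit a QUEUE rule while no userspace reader is attached are dropped, so a dead snort_inline means a dead link unless the QUEUE rule is removed. Note too that an ACCEPT verdict returned from userspace resumes at the next netfilter hook, not at the next rule in the FORWARD chain, so the trailing ACCEPT rule from Will's pair is only reached when the QUEUE rule is absent. DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not part of snort_inline or rc.firewall: a minimal bridged
# IPS setup. Interface names, the admin network and tool paths are assumptions.
set -e

IPTABLES=${IPTABLES:-/sbin/iptables}
BRCTL=${BRCTL:-/sbin/brctl}
IN_IF=${IN_IF:-eth0}                 # assumed: the two bridged ports
OUT_IF=${OUT_IF:-eth1}
BRIDGE=${BRIDGE:-br0}
MGMT_IF=${MGMT_IF:-eth2}             # assumed: out-of-band management NIC
MGMT_NET=${MGMT_NET:-10.0.0.0/24}    # assumed: where the admins sit
DRY_RUN=${DRY_RUN:-0}                # DRY_RUN=1 prints commands instead

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Bridge the sniffing ports without addresses: nothing to route, nothing
# to connect to on the inline side (the "no network changes" requirement).
bridge_up() {
    run modprobe bridge
    run modprobe ip_queue
    run "$BRCTL" addbr "$BRIDGE"
    run "$BRCTL" addif "$BRIDGE" "$IN_IF"
    run "$BRCTL" addif "$BRIDGE" "$OUT_IF"
    run ifconfig "$IN_IF" 0.0.0.0 promisc up
    run ifconfig "$OUT_IF" 0.0.0.0 promisc up
    run ifconfig "$BRIDGE" up
}

# Filter rules. $1 is the failure mode of the inline path:
#   closed - FORWARD -j QUEUE; ip_queue drops packets queued while no
#            userspace reader is attached, so no snort_inline = no traffic.
#   open   - no QUEUE rule; traffic is bridged uninspected.
# A userspace ACCEPT verdict resumes at the next netfilter hook, not at the
# next rule of this chain, so the final ACCEPT is only hit in open mode.
ips_rules() {
    mode=${1:-closed}
    run "$IPTABLES" -F
    run "$IPTABLES" -P INPUT DROP
    run "$IPTABLES" -P OUTPUT DROP
    run "$IPTABLES" -P FORWARD DROP
    run "$IPTABLES" -A INPUT -i lo -j ACCEPT
    run "$IPTABLES" -A OUTPUT -o lo -j ACCEPT
    # management: ssh only, from the admin network, on the management NIC
    run "$IPTABLES" -A INPUT -i "$MGMT_IF" -p tcp -s "$MGMT_NET" --dport 22 -j ACCEPT
    run "$IPTABLES" -A OUTPUT -o "$MGMT_IF" -p tcp -d "$MGMT_NET" --sport 22 -j ACCEPT
    if [ "$mode" = closed ]; then
        run "$IPTABLES" -A FORWARD -j QUEUE
    fi
    run "$IPTABLES" -A FORWARD -j ACCEPT
}

# Watchdog hook for cron: while snort_inline runs, inspect; when it is gone,
# apply the configured failure mode (FAIL_MODE=open or closed).
check_ips() {
    if pidof snort_inline >/dev/null 2>&1; then
        ips_rules closed
    else
        ips_rules "${FAIL_MODE:-closed}"
    fi
}

case ${1:-} in
    start) bridge_up; ips_rules "${FAIL_MODE:-closed}" ;;
    check) check_ips ;;
esac
```

Run it as `sh rc.ips start` on the sensor (as root) and `sh rc.ips check` from cron; `DRY_RUN=1 sh rc.ips start` shows what would be executed. Stateful tracking is deliberately left out: every forwarded packet goes to snort_inline regardless of connection state, which is the behaviour the thread asks for.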
From: Carmelo Z. <czu...@op...> - 2004-01-28 09:31:43

I would like to know where I can obtain information on snort-inline+freebsd.

Regards.
Carmelo Zubeldia
From: Nick R. <ni...@ro...> - 2004-01-28 09:02:57

> I was wondering if anyone had any idea about the following error when
> running snort-inline on Freebsd?
> IpfwLoop: can't create divert socket: Protocol not supported

This is because you didn't build your kernel with:

options IPDIVERT

The default (GENERIC) kernel doesn't support divert sockets. You MUST build a new kernel. See the FreeBSD handbook for more information on building a kernel. In fact, to use snort-inline with FreeBSD you should build a kernel with (at minimum):

options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPDIVERT

The version of snort-inline which this was designed for was the 4.X branch of FreeBSD. Because of the drastic changes in the 5.X branch, much more testing is needed. Also for you FreeBSD folks, I have not tested this with IPFW2. Everything should work but it's not tested. I will try to do more testing and patching (if needed) sometime in the near future, including submitting this to the ports collection.

On another note, has anyone asked the PF and IPF authors if there are similar methods in their firewalls to get packets out of firewall hooks? An interface API or equivalent?

> Thank you for your assistance in this matter

Can you CC me directly in regard to this matter. I only get the digest messages which are kludgey to respond to. Thanks.

--
Nick Rogness <ni...@ro...>
- How many people here have telekinetic powers? Raise my hand.
  -Emo Philips
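Rob asked earlier in the thread for a script that sets up the ipfw side for snort_inline. The following is an added example written for this page, not the project's own script and not something anyone in the thread posted. It assumes a FreeBSD 4.x kernel built with the options Nick lists (IPFIREWALL, IPFIREWALL_VERBOSE, IPDIVERT), one inspected interface (fxp0) and a free divert port (8000); the interface, port, config path and log directory are assumptions. There is no sysctl that reveals IPDIVERT, so the script can only check that ipfw itself is present; a kernel without IPDIVERT shows up as the "can't create divert socket: Protocol not supported" error from the thread when snort_inline starts. One ipfw detail worth knowing: a packet that snort_inline writes back to the divert socket re-enters the ruleset at the rule after the divert rule, so with a default-deny kernel (no IPFIREWALL_DEFAULT_TO_ACCEPT) an explicit allow rule after the divert rule is what lets accepted traffic through. DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not from the snort_inline project: ipfw divert setup for a
# FreeBSD 4.x snort_inline sensor. Interface, port and paths are assumptions.
set -e

IF=${IF:-fxp0}                       # assumed: the inspected interface
DIVERT_PORT=${DIVERT_PORT:-8000}     # assumed: any free divert port
SNORT_CONF=${SNORT_CONF:-/usr/local/etc/snort_inline/snort_inline.conf}
LOG_DIR=${LOG_DIR:-/var/log/snort_inline}
DRY_RUN=${DRY_RUN:-0}                # DRY_RUN=1 prints commands instead

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# net.inet.ip.fw.enable only exists when ipfw is in the kernel (or loaded).
# IPDIVERT cannot be probed this way; without it snort_inline fails with
# "IpfwLoop: can't create divert socket: Protocol not supported".
check_ipfw() {
    if ! sysctl -n net.inet.ip.fw.enable >/dev/null 2>&1; then
        echo "ipfw not in kernel: rebuild with options IPFIREWALL IPDIVERT" >&2
        return 1
    fi
}

# Divert all IP traffic on IF to the divert port. Packets reinjected by
# snort_inline continue at the rule after 100, so rule 65000 is the path
# for accepted traffic when the kernel's default policy is deny.
divert_rules() {
    run ipfw -f flush
    run ipfw add 100 divert "$DIVERT_PORT" ip from any to any via "$IF"
    run ipfw add 65000 allow ip from any to any
}

# -J <port>: read packets from the ipfw divert socket instead of libpcap.
start_snort() {
    run snort_inline -J "$DIVERT_PORT" -c "$SNORT_CONF" -l "$LOG_DIR"
}

case ${1:-} in
    start) check_ipfw; divert_rules; start_snort ;;
esac
```

Run as `sh ipfw-inline.sh start` on the sensor, or `DRY_RUN=1 sh ipfw-inline.sh start` to see the commands. Since the divert rule sits at rule 100 and the allow at 65000, any site rules (management access, logging) can be added in between without touching the inline path.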
From: Rob M. <rv...@ca...> - 2004-01-28 05:49:38

> I am trying to compile 2.1.0a and I get errors when running make..
>
> I get the following:
>
> Make[3]: *** [spo_alert_fast.o] Error 1
> Leaving directory '/root/snort_inline-2.1.0a/src/output-plugins'
> Make[2]: *** [all-recursive] Error 1
> Leaving directory /root/snort_inline/src
> Make[1]: *** [all-recursive] Error 1
> Leaving directory /root/snort_inline
> Make: *** [all] Error 2
>
> I had run ./configure --enable-inline prior to make..
>
> I am running on the 2.6.1 kernel, iptables 1.2.9, Libnet-latest...
>
> Any ideas??

Can you send more of the make output? What distro are you using? You need to ensure you are using libnet 1.0.x vice the newest 1.1.x.

Rob
From: Charles T. <ct...@gu...> - 2004-01-28 04:42:06

I am trying to compile 2.1.0a and I get errors when running make..

I get the following:

Make[3]: *** [spo_alert_fast.o] Error 1
Leaving directory '/root/snort_inline-2.1.0a/src/output-plugins'
Make[2]: *** [all-recursive] Error 1
Leaving directory /root/snort_inline/src
Make[1]: *** [all-recursive] Error 1
Leaving directory /root/snort_inline
Make: *** [all] Error 2

I had run ./configure --enable-inline prior to make..

I am running on the 2.6.1 kernel, iptables 1.2.9, Libnet-latest...

Any ideas??

Thanks,
Charles

Charles Tholen, GSEC
Sr. Security Engineer
ct...@gu...

-----Original Message-----
From: Rob McMillen [mailto:rv...@ca...]
Sent: Tuesday, January 27, 2004 2:23 PM
To: sno...@li...
Subject: Re: [Snort-inline-users] problem with 2.1.x

This is because the configuration file is different for snort-2.0.x and snort-2.1.x. You will have to ensure you have the newer configuration file that comes with snort_inline-2.1.0a which should be located in etc of the source distro.

Rob

On Tue, 27 Jan 2004, unor wrote:

> Running RedHat 8.0 with kernel 2.6.1 compiled from
> scratch.
>
> If I compile/Run snort_inline 2.0.5 all's well...
>
> If I compile/Run 2.1.x (2.1.0 and 2.1.0a) I get the
> following:
>
> Starting snort_inline: Reading from iptables
> Running in IDS mode
> Log directory = /var/log/snort_inline/200401
> Initializing Inline mode
>
> --== Initializing Snort ==--
> Initializing Output Plugins!
> Setting the Packet Processor to decode packets from
> iptables
> Initializing Preprocessors!
> Initializing Plug-ins!
> Parsing Rules file /etc/snort_inline/snort_inline.conf
>
> +++++++++++++++++++++++++++++++++++++++++++++++++++
> Initializing rule chains...
> ERROR: unknown preprocessor "??_decode"
> Fatal Error, Quitting..
>
> Any ideas?
> Thanks.
>
> Earl
From: Rob M. <rv...@ca...> - 2004-01-27 19:53:54

This is because the configuration file is different for snort-2.0.x and snort-2.1.x. You will have to ensure you have the newer configuration file that comes with snort_inline-2.1.0a which should be located in etc of the source distro.

Rob

On Tue, 27 Jan 2004, unor wrote:

> Running RedHat 8.0 with kernel 2.6.1 compiled from
> scratch.
>
> If I compile/Run snort_inline 2.0.5 all's well...
>
> If I compile/Run 2.1.x (2.1.0 and 2.1.0a) I get the
> following:
>
> Starting snort_inline: Reading from iptables
> Running in IDS mode
> Log directory = /var/log/snort_inline/200401
> Initializing Inline mode
>
> --== Initializing Snort ==--
> Initializing Output Plugins!
> Setting the Packet Processor to decode packets from
> iptables
> Initializing Preprocessors!
> Initializing Plug-ins!
> Parsing Rules file /etc/snort_inline/snort_inline.conf
>
> +++++++++++++++++++++++++++++++++++++++++++++++++++
> Initializing rule chains...
> ERROR: unknown preprocessor "??_decode"
> Fatal Error, Quitting..
>
> Any ideas?
> Thanks.
>
> Earl
From: unor <uno...@ya...> - 2004-01-27 19:28:16

problem solved... I was using an old conf file hacked up from std snort... here is the diff in case anyone else ever comes across this... I'm sure those in the know can point out the offending line:

(test=my broken conf file, src=conf from snort_inline src tree)

diff test src
> preprocessor stream4: disable_evasion_alerts
> preprocessor stream4_reassemble
< preprocessor http_decode: 80 unicode iis_alt_unicode double_encode iis_flip_slash full_whitespace
< preprocessor conversation: allowed_ip_protocols all, timeout 60, max_conversations 32000
> preprocessor bo
< preprocessor bo: -nobrute

Earl

--- unor <uno...@ya...> wrote:
> Running RedHat 8.0 with kernel 2.6.1 compiled from
> scratch.
>
> If I compile/Run snort_inline 2.0.5 all's well...
>
> If I compile/Run 2.1.x (2.1.0 and 2.1.0a) I get the
> following:
>
> Starting snort_inline: Reading from iptables
> Running in IDS mode
> Log directory = /var/log/snort_inline/200401
> Initializing Inline mode
>
> --== Initializing Snort ==--
> Initializing Output Plugins!
> Setting the Packet Processor to decode packets from
> iptables
> Initializing Preprocessors!
> Initializing Plug-ins!
> Parsing Rules file
> /etc/snort_inline/snort_inline.conf
>
> +++++++++++++++++++++++++++++++++++++++++++++++++++
> Initializing rule chains...
> ERROR: unknown preprocessor "??_decode"
> Fatal Error, Quitting..
>
> Any ideas?
> Thanks.
>
> Earl
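Review bot: the offending line in the diff above is `< preprocessor http_decode: 80 unicode iis_alt_unicode double_encode iis_flip_slash full_whitespace`: it is the only `_decode` preprocessor in the output, it appears only on the `<` side (the hacked-up 2.0 conf, not the file from the 2.1.0a tree), and it matches the `unknown preprocessor "??_decode"` error in the quoted log. The other two `<`-only lines, `preprocessor conversation: ...` and `preprocessor bo: -nobrute`, are likewise absent from the shipped file, so dropping http_decode on its own would still leave a conf that differs from what 2.1.0a was tested with; the safer fix is the one Rob gave, start from etc/snort_inline.conf in the 2.1.0a source tree and re-apply local changes to it.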
From: unor <uno...@ya...> - 2004-01-27 18:46:23

Running RedHat 8.0 with kernel 2.6.1 compiled from scratch.

If I compile/Run snort_inline 2.0.5 all's well...

If I compile/Run 2.1.x (2.1.0 and 2.1.0a) I get the following:

Starting snort_inline: Reading from iptables
Running in IDS mode
Log directory = /var/log/snort_inline/200401
Initializing Inline mode

--== Initializing Snort ==--
Initializing Output Plugins!
Setting the Packet Processor to decode packets from iptables
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file /etc/snort_inline/snort_inline.conf

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
ERROR: unknown preprocessor "??_decode"
Fatal Error, Quitting..

Any ideas?
Thanks.

Earl
From: Rob M. <rv...@ca...> - 2004-01-27 16:37:13

List,

I've updated snort_inline to include the following changes:

**********
* 2.1.0a *
**********

2004-01-26 Rob McMillen <ro...@ho...>

    * Updated snort_inline to 2.1.0a. All future development will be in this branch.

**********
* 2.0.6a *
**********

2004-01-24 Rob McMillen <ro...@ho...>

    * Started separate snort_inline ChangeLog
    * Fixed bug with handling multiple content/replace pairs within the same rule (sp_patternmatch.c).
    * Added icmp checksum for icmp payload replacement (sp_patternmatch.c).

I've also started a homepage for snort_inline which is located at: snort-inline.sf.net. The old homepage simply redirected you to the sourceforge project page. I hope to start populating this new page and actually make it useful by starting a FAQ and HOWTO. Let me know what you think.

Rob
From: Stephan S. <ss...@as...> - 2004-01-27 09:09:44

Does anybody have an idea how much effort it would be to adapt the stream4 preprocessor to inline mode? Maybe there is something I can do about it. I haven't had time to dig into the code though.

Stephan

> Keep in mind that SNIL does not support the stream4 preprocessor which
> means that if you are trying to match a packet where the signature ends
> up spanning two TCP datagrams, then it will fail (no half matching of
> signatures!). Something like this can easily happen with long signatures
> and small TCP datagram sizes and is also influenced by the location of
> the signature in the data being packetised.
>
> Note that it is not an IP fragmentation issue but a question of TCP data
> spanning more than one packet.
>
> There is unfortunately currently not a cure in the OSS community for
> this problem and unless we get TCP reassembly support going, will be
> with us for a while.

--
Stephan Scholz <ss...@as...> | Development
Astaro AG | www.astaro.com | Phone +49-721-490069-0 | Fax -55

Awards for ASL:
- Nätverk & Kommunikation Magazine, Sweden: "Five Stars" - October 2003
- Linux Enterprise Readers' Choice Award: Best Firewall - October 2003
- LinuxWorld Product Excellence Award: Best Security Solution - August 2003
- "Excellent" Infoworld Magazine - August 2003
From: Josh B. <jos...@li...> - 2004-01-26 16:35:30

I am currently working on a project (pending at SourceForge) for developing a web based framework for Security Information Management and Correlation. The system will run on Linux and is called Secure React (Reporter for Event Analysis Correlation and Tracking). I need all the help I can get as the system is intended to be a centralized portal for systems such as IDS, IPS, VA, Web Monitoring, etc (think something like A.C.I.D. for all of these systems). Right now I am mutilating the ACID code to extend it for the capabilities I need, and looking at Nessus' DB format, Vigilante's DB format and SurfControl's DB format. I would like to be able to search all of these systems from one console, and generate reports, etc. I am new to PHP/MySQL development and would appreciate help from anyone willing to lend it.

Other capabilities that I want to add:

1) Correlation/Trend Creation for IP's and DNS names
2) Capability of marking false-positives within all the modules of the system
3) Capability of assigning resources to valid security events and creating incident response tickets
4) Capability of being able to easily add new modules to the system (similar to how Squirrelmail works)

Please respond if you are interested.
From: Rob M. <rv...@ca...> - 2004-01-26 11:28:38

Is your intent to let all traffic flow via snort_inline? Both outbound and inbound?

Rob

On Fri, 23 Jan 2004, unor wrote:

> I'm looking for a "simple" version of the infamous
> rc.firewall from the honeynet project.
>
> I want to do a bridged inline IPS with
> snort_inline and therefore don't need the outbound
> blocking / rate limiting and other various parts of
> the existing rc.firewall script. Is there anything
> like this out there?
>
> I'm trying to hack up a version of rc.firewall myself
> but... If I get it working I'll post it.
>
> Earl
From: <Wil...@kc...> - 2004-01-23 15:22:15

If you are just trying to do IPS filtering, the only two rules you really need are two rules in the forward chain.

iptables -A FORWARD -j QUEUE
iptables -A FORWARD -j ACCEPT

Regards,
Will

unor <uno...@ya...>
Sent by: sno...@li...
01/23/2004 09:09 AM
To: sno...@li...
Subject: [Snort-inline-users] simple rc.firewall

I'm looking for a "simple" version of the infamous rc.firewall from the honeynet project.

I want to do a bridged inline IPS with snort_inline and therefore don't need the outbound blocking / rate limiting and other various parts of the existing rc.firewall script. Is there anything like this out there?

I'm trying to hack up a version of rc.firewall myself but... If I get it working I'll post it.

Earl
From: unor <uno...@ya...> - 2004-01-23 15:09:31

I'm looking for a "simple" version of the infamous rc.firewall from the honeynet project.

I want to do a bridged inline IPS with snort_inline and therefore don't need the outbound blocking / rate limiting and other various parts of the existing rc.firewall script. Is there anything like this out there?

I'm trying to hack up a version of rc.firewall myself but... If I get it working I'll post it.

Earl
From: Hess, B. <ben...@te...> - 2004-01-22 18:32:16

I was wondering if anyone had any idea about the following error when running snort-inline on Freebsd?

IpfwLoop: can't create divert socket: Protocol not supported

Thank you for your assistance in this matter

Benjamin Hess
Sr. Systems Engineer
Technology Alliance Group
(480)778-2400

*************************************************************
This e-mail and any files transmitted with it may contain confidential and/or proprietary information. It is intended solely for the use of the individual or entity who is the intended recipient. Unauthorized use of this information is prohibited. If you have received this in error, please contact the sender by replying to this message and delete this material from any system it may be on.
*************************************************************

-----Original Message-----
From: Hess, Ben
Sent: Tuesday, January 13, 2004 12:44 PM
To: 'Rob McMillen'; sno...@li...
Subject: RE: [Snort-inline-users] Snort Inline on FreeBSD

I have the ipfw setup with a divert command that seems to be working properly but when I attempt to initiate snort_inline it comes back with:

IpfwLoop: can't create divert socket: Protocol not supported

As soon as I can get a working product I will copy a rc.firewall file to the list for others to use.

Benjamin Hess
Sr. Systems Engineer
Technology Alliance Group
(480)778-2400

-----Original Message-----
From: Rob McMillen [mailto:rv...@ca...]
Sent: Monday, January 12, 2004 7:02 PM
To: sno...@li...
Subject: Re: [Snort-inline-users] Snort Inline on FreeBSD

Great! A volunteer to test out beta code. I've actually included some code that was provided to work on freebsd with ipfw and divert. If you know how to set up a divert socket and rules, you can use snort_inline.

Warning!!! This has not been tested before. You would be the first, and feedback would be great!!

You can compile it as follows:

./configure --enable-ipfw --with-mysql
make
make install

The -J <port> uses ipfw divert socket <port> to listen on vice libpcap (FreeBSD only).

If you have the time, a script to automatically setup the ipfw firewall for use with snort_inline would be great!

Rob

On Mon, 12 Jan 2004, Hess, Ben wrote:

> Hello,
> I am attempting to get snort-inline compiled and running on
> freebsd. I was wondering if I am able to use the built in ipfw or if I have
> to install IPTables? Also if I can use ipfw then what switch do I need to
> add to the configure command to make it work? For when I run ./configure
> -enable-inline -enable-mysql it errors out saying that the libipq.h is
> missing.
>
> Thank you for all of your help,
>
> Benjamin Hess
> Sr. Systems Engineer
> Technology Alliance Group
> (480)778-2400
From: Brian <bm...@sh...> - 2004-01-22 17:38:17

On Fri, 9 Jan 2004, Christopher Joyce wrote:

> Hello,
>
> I am having problems using snortconfig to convert my snort rules. I have
> setup a basic test to convert one file (x11.rules) and the file that is
> created in the directory specified below is blank.
>
> Here is what I have tried:
>
> snortconfig -inline -file test.conf -config honeynet.conf -directory
> snortconfig-rules

Using the latest release of snortconfig, your exact config works as expected for me. What version of snortconfig are you using? You can find this out by doing:

ident `which snortconfig`

Also, what version of the perl modules are you using? You can find this out by doing:

perl -MNet::Snort::Parser::Rule -e 'print $Net::Snort::Parser::Rule::VERSION."\n";'

Thanks,
Brian
From: Obi O. <obi...@ya...> - 2004-01-22 16:43:21

I am not a guru or anything and I'm not sure if this will help, but here's my list of iptables modules and my iptables config that I used initially to get up and running. Once I got a very *simple* working model, I then went in and tweaked my iptables rules and made them stronger. I'm running on Debian 'woody' w/ 2.4.20 kernel, and what really got me over the hump was carefully reading the (very helpful!) book "Snort 2.0 Intrusion Detection" at http://www.snort.org/docs/#snort_books.

Module                  Size  Used by    Not tainted
ipt_multiport            640   0  (autoclean)
ipt_limit                960   3  (autoclean)
bridge                 19140   1  (autoclean)
ip_conntrack_irc        3040   0  (unused)
ip_conntrack_ftp        3776   0  (unused)
ip_queue                5004   0
ipt_LOG                 3296   0  (unused)
iptable_mangle          2208   0  (autoclean) (unused)
iptable_nat            14324   0  (autoclean) (unused)
ip_conntrack           16812   3  (autoclean) [ip_conntrack_irc ip_conntrack_ftp iptable_nat]
iptable_filter          1728   1  (autoclean)
ip_tables              10688   8  [ipt_multiport ipt_limit ipt_LOG iptable_mangle iptable_nat iptable_filter]
ext3                   56704   5  (autoclean)
jbd                    35976   5  (autoclean) [ext3]
8139too                16160   3
mii

### Support for connection tracking of FTP and IRC.
modprobe ip_conntrack_ftp
modprobe ip_conntrack_irc

### Enable ip_forward
echo "1" > /proc/sys/net/ipv4/ip_forward

iptables -A FORWARD -j QUEUE
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
From: Stephan S. <ss...@as...> - 2004-01-21 18:21:42

I experienced the same problem on some systems, and not on others. It seems like a kernel-related issue. Maybe the ip_queue interface suffers from a timing problem?! I couldn't really reproduce it, which makes debugging a pain :-(

Anybody else got this?

Stephan

> Hello,
> I am currently trying to run the snort_inline on one of our systems. The
> problem is that the whole system "hangs" after about one day.
> I have about 50 drop rules loaded to test the system.

--
Stephan Scholz <ss...@as...> | Development
Astaro AG | www.astaro.com | Phone +49-721-490069-0 | Fax -55
From: James A. P. <ja...@pc...> - 2004-01-21 16:34:55

Matthias Haas wrote:
> Hello,
> I am currently trying to run the snort_inline on one of our systems. The
> problem is that the whole system "hangs" after about one day.
> I have about 50 drop rules loaded to test the system.
> <snip>
> - my iptables rules used to feed the queue module
> iptables -t mangle -A PREROUTING -i eth1 -j QUEUE
> iptables -t mangle -A POSTROUTING -o eth1 -j QUEUE

Shouldn't you also do stateful matching and push those through the QUEUE? That's what I've had to do to get all packets analysed.

> Is there anything wrong with my setup or does anyone have similar problems.

I've had similar issues where logrotation doesn't properly restart snort-inline and so traffic doesn't flow, but the box doesn't hang tight. Of course the client doesn't check snort-inline and just reboots the box, but running monit and monitoring snort-inline has caught this condition and rectified it, as long as monit is able to start on startup (something with the bridge not being all the way up and dns not resolving, had to put a sleep 30 in :( ).

--
James A. Pattie
ja...@pc...
Linux SysAdmin / Systems Programmer
From: Brian J. <bja...@ci...> - 2004-01-21 11:45:08
Bill,

Have a look at snortsnarf at http://www.silicondefense.com/software/snortsnarf/. I find this useful and, being written in perl, not too bad to tailor if you have to.

regards,
Brian

>All,
>
>Now that I have my snort and snort-inline box up and going I would like
>to get a report of what the worst items are. That way my boss can see
>that in a week we get hit with the SQL worm X number of times or John with
>IP x.x.x.x is sending out X number of bad whatever. Anybody know of
>something that can do this?
>
>Thanks,
>Bill
>
>--
>
>**********************************
>Bill Warren
>Optivel, Inc.
>E-mail: bw...@op...
>Voice: 317.275.2305
>Fax: 317.275.2301
>Web: http://www.optivel.com
>**********************************
From: pieter c. <pie...@co...> - 2004-01-20 22:47:21
Hi Federico,

Keep in mind that SNIL does not support the stream4 preprocessor, which means that if you are trying to match a packet where the signature ends up spanning two TCP datagrams, then it will fail (no half matching of signatures!). Something like this can easily happen with long signatures and small TCP datagram sizes and is also influenced by the location of the signature in the data being packetised. Note that it is not an IP fragmentation issue but a question of TCP data spanning more than one packet. There is unfortunately currently not a cure in the OSS community for this problem and, unless we get TCP reassembly support going, it will be with us for a while.

Regards,
Pieter

On Tue, 2004-01-20 at 17:47, Federico Petronio wrote:
> Some days ago I posted to the bug section from SF.net the following, but I
> can't realise if that's a snort-inline bug, a misconfiguration or what.
> Any help would be welcome.
>
> ----
> I found that snort-inline is letting pass in packets that it shouldn't.
> For instance:
>
> I have snort-inline 2.0.1 installed. I change the rule 2077 action to drop.
>
> Then I try to access, using Mozilla 1.5 and IE6.0, the URL:
> http://server_name/admin/fileman/upload.php?dir=
>
> the snort-inline log starts showing lines like this:
>
> [**] [1:2077:2] WEB-PHP Mambo upload.php access [**]
> [Classification: access to a potentially vulnerable web application]
> [Priority: 2]
> 01/13-18:31:06.944124 200.43.81.205:1586 -> 10.2.0.10:80 TCP TTL:117
> TOS:0x0 ID:3095 IpLen:20 DgmLen:578 DF
> ***AP*** Seq: 0x45A19C2C Ack: 0x425899A4 Win: 0xFFFF TcpLen: 20
> [Xref => http://www.securityfocus.com/bid/6572]
>
>
> but after 5 minutes of that, the webserver finally got the query and
> answered. That means that snort-inline let pass through the packet that it
> should drop. Can anyone check that? I tried several times and got the same
> result.
>
> Thanks...
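Pieter's point is easiest to see with a toy matcher. The block below is an added example, not code from snort_inline: the "rule" is a plain substring search for the URI path that the sid 2077 alert on this page was triggered by, the HTTP request around it is constructed, and the per-packet and stream inspection paths are simplified models of what an engine does with and without TCP reassembly. Per-packet inspection looks at each segment's payload on its own; stream inspection orders the segments by sequence number (so out-of-order delivery and retransmitted overlaps are handled) and searches the reassembled bytes.

```python
"""Content match with and without TCP stream reassembly.

Added example, not snort_inline code. PATTERN is the path from the sid 2077
alert quoted on this page; REQUEST and the segment sizes are constructed.
"""
from collections import namedtuple

Segment = namedtuple("Segment", "seq payload")

PATTERN = b"/admin/fileman/upload.php"

# Constructed request; the pattern starts at byte 4 and ends at byte 29.
REQUEST = b"GET /admin/fileman/upload.php?dir= HTTP/1.1\r\nHost: server_name\r\n\r\n"


def split_request(data, start_seq, sizes):
    """Cut one request into TCP segments whose payloads have the given sizes;
    whatever is left after the last size goes into a final segment."""
    segs, off, seq = [], 0, start_seq
    for n in sizes:
        chunk = data[off:off + n]
        if not chunk:
            break
        segs.append(Segment(seq, chunk))
        off += n
        seq += len(chunk)
    if off < len(data):
        segs.append(Segment(seq, data[off:]))
    return segs


def per_packet_match(segments, pattern=PATTERN):
    """Inspect every segment by itself (no stream4): a pattern that straddles
    two segments is never seen whole."""
    return any(pattern in s.payload for s in segments)


def reassemble(segments):
    """Order segments by sequence number and concatenate their payloads,
    trimming retransmitted overlaps. Raises on a hole in the stream."""
    stream, expected = b"", None
    for s in sorted(segments, key=lambda s: s.seq):
        if expected is None:
            expected = s.seq
        if s.seq > expected:
            raise ValueError("hole in stream at seq %d" % expected)
        data = s.payload[expected - s.seq:]   # drop bytes already delivered
        stream += data
        expected += len(data)
    return stream


def stream_match(segments, pattern=PATTERN):
    """Inspect the reassembled stream, as an engine with TCP reassembly would."""
    return pattern in reassemble(segments)


if __name__ == "__main__":
    one_segment = split_request(REQUEST, 0x45A19C2C, [1460])
    straddling = split_request(REQUEST, 0x45A19C2C, [12])   # cut inside the pattern
    print("one segment : per-packet=%s stream=%s"
          % (per_packet_match(one_segment), stream_match(one_segment)))
    print("split at 12 : per-packet=%s stream=%s"
          % (per_packet_match(straddling), stream_match(straddling)))
```

The same request is caught when it arrives in one segment and missed when the client's segment boundary falls inside the pattern; where the boundary falls depends on the sender's MSS and on what precedes the pattern in the stream, which is why the miss looks intermittent.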
From: <Wil...@kc...> - 2004-01-20 19:25:41
You should be able to compile snort_inline with MySQL support if you want to log to a MySQL database and an ACID server. As far as a document for the setup of MySQL and ACID, refer to http://www.superhac.com/docs/snort_enterprise.pdf

Compile snort with the --with-mysql option.

If you are going to be sending this data across an unsecured link I would look at using stunnel to protect the MySQL traffic. http://www.stunnel.org/examples/mysql.html

There is probably a better way to do this.... Just an idea.....

Regards,
Will

Bill Warren <bw...@op...>
Sent by: sno...@li...
01/20/2004 12:22 PM

To: Sno...@li...
cc:
Subject: [Snort-inline-users] Looking for Weekly summary of Problems

All,

Now that I have my snort and snort-inline box up and going I would like to get a report of what the worst items are. That way my boss can see that in a week we get hit with the SQL worm X number of times or John with IP x.x.x.x is sending out X number of bad whatever. Anybody know of something that can do this?

Thanks,
Bill

--

**********************************
Bill Warren
Optivel, Inc.
E-mail: bw...@op...
Voice: 317.275.2305
Fax: 317.275.2301
Web: http://www.optivel.com
**********************************
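Both answers to Bill's question point at external tooling (snortsnarf, or MySQL plus ACID). For the two counts he actually asks for, how often each signature fired and which addresses are responsible, the full-format alert file that snort_inline already writes is enough. The block below is an added example, not part of the thread, snortsnarf or snort_inline: it parses the multi-line alert records (the sid 2077 record quoted on this page is the model) and prints a "worst offenders" report. The additional alerts in the sample are constructed for the demonstration.

```python
"""'Worst offenders' summary from a Snort full-format alert file.

Added example, not code from the thread, snortsnarf or snort_inline.
Parses [**] ... [**] records as snort 2.x writes them and counts alerts
per signature, per source and per destination. The first sample record is
the one quoted on this page; the others are constructed.
"""
import re
from collections import Counter, namedtuple

Alert = namedtuple("Alert", "sid rev msg priority ts src sport dst dport proto")

_HDR = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]$")
_PRIO = re.compile(r"\[Priority: (\d+)\]")
_PKT = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) (\S+) -> (\S+) (\w+)")


def _endpoint(s):
    """Split 'host:port'; the port is absent for ICMP and other portless protocols."""
    host, sep, port = s.rpartition(":")
    return (host, int(port)) if sep else (s, None)


def parse_alerts(text):
    """Return one Alert per record; a record is complete once its packet header line is seen."""
    alerts, cur = [], None
    for line in text.splitlines():
        m = _HDR.match(line)
        if m:
            cur = {"sid": int(m.group(2)), "rev": int(m.group(3)),
                   "msg": m.group(4), "priority": None}
            continue
        if cur is None:
            continue
        p = _PRIO.search(line)
        if p:
            cur["priority"] = int(p.group(1))
            continue
        k = _PKT.match(line)
        if k:
            src, sport = _endpoint(k.group(2))
            dst, dport = _endpoint(k.group(3))
            alerts.append(Alert(cur["sid"], cur["rev"], cur["msg"], cur["priority"],
                                k.group(1), src, sport, dst, dport, k.group(4)))
            cur = None
    return alerts


def summarize(alerts, top=5):
    """Top-N counts by signature, source address and destination address."""
    by_sig = Counter((a.sid, a.msg) for a in alerts)
    by_src = Counter(a.src for a in alerts)
    by_dst = Counter(a.dst for a in alerts)
    return {"signatures": by_sig.most_common(top),
            "sources": by_src.most_common(top),
            "targets": by_dst.most_common(top)}


def report(alerts, top=5):
    s = summarize(alerts, top)
    lines = ["%d alerts" % len(alerts), "", "Top signatures:"]
    lines += ["  %6d  [%d] %s" % (n, sid, msg) for (sid, msg), n in s["signatures"]]
    lines += ["", "Top sources:"]
    lines += ["  %6d  %s" % (n, ip) for ip, n in s["sources"]]
    lines += ["", "Top targets:"]
    lines += ["  %6d  %s" % (n, ip) for ip, n in s["targets"]]
    return "\n".join(lines)


# Constructed sample: the page's sid 2077 record plus three made-up UDP records.
SAMPLE_ALERTS = """\
[**] [1:2077:2] WEB-PHP Mambo upload.php access [**]
[Classification: access to a potentially vulnerable web application] [Priority: 2]
01/13-18:31:06.944124 200.43.81.205:1586 -> 10.2.0.10:80 TCP TTL:117 TOS:0x0 ID:3095 IpLen:20 DgmLen:578 DF
***AP*** Seq: 0x45A19C2C Ack: 0x425899A4 Win: 0xFFFF TcpLen: 20
[Xref => http://www.securityfocus.com/bid/6572]

[**] [1:2003:2] MS-SQL Worm propagation attempt [**]
[Classification: Misc Attack] [Priority: 2]
01/14-02:11:40.100000 192.0.2.77:1049 -> 10.2.0.20:1434 UDP TTL:110 TOS:0x0 ID:101 IpLen:20 DgmLen:404
Len: 376

[**] [1:2003:2] MS-SQL Worm propagation attempt [**]
[Classification: Misc Attack] [Priority: 2]
01/14-02:11:41.100000 192.0.2.77:1049 -> 10.2.0.21:1434 UDP TTL:110 TOS:0x0 ID:102 IpLen:20 DgmLen:404
Len: 376

[**] [1:2003:2] MS-SQL Worm propagation attempt [**]
[Classification: Misc Attack] [Priority: 2]
01/15-09:00:03.500000 198.51.100.9:2048 -> 10.2.0.20:1434 UDP TTL:120 TOS:0x0 ID:7 IpLen:20 DgmLen:404
Len: 376
"""

if __name__ == "__main__":
    print(report(parse_alerts(SAMPLE_ALERTS)))
```

Point it at the rotated alert files for the week (`parse_alerts(open(path).read())` per file, concatenating the lists) and the report gives the "hit with the SQL worm X times" and "John at x.x.x.x sending out X bad things" lines directly; the Snort timestamp carries no year, so grouping by week has to come from the file rotation rather than from the records.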
From: Bill W. <bw...@op...> - 2004-01-20 18:22:23
All,

Now that I have my snort and snort-inline box up and going I would like to get a report of what the worst items are. That way my boss can see that in a week we get hit with the SQL worm X number of times or John with IP x.x.x.x is sending out X number of bad whatever. Anybody know of something that can do this?

Thanks,
Bill

--

**********************************
Bill Warren
Optivel, Inc.
E-mail: bw...@op...
Voice: 317.275.2305
Fax: 317.275.2301
Web: http://www.optivel.com
**********************************
From: Federico P. <pe...@ac...> - 2004-01-20 17:56:31
Some days ago I posted to the bug section from SF.net the following, but I can't realise if that's a snort-inline bug, a misconfiguration or what. Any help would be welcome.

----
I found that snort-inline is letting pass in packets that it shouldn't. For instance:

I have snort-inline 2.0.1 installed. I change the rule 2077 action to drop.

Then I try to access, using Mozilla 1.5 and IE6.0, the URL:
http://server_name/admin/fileman/upload.php?dir=

the snort-inline log starts showing lines like this:

[**] [1:2077:2] WEB-PHP Mambo upload.php access [**]
[Classification: access to a potentially vulnerable web application] [Priority: 2]
01/13-18:31:06.944124 200.43.81.205:1586 -> 10.2.0.10:80 TCP TTL:117 TOS:0x0 ID:3095 IpLen:20 DgmLen:578 DF
***AP*** Seq: 0x45A19C2C Ack: 0x425899A4 Win: 0xFFFF TcpLen: 20
[Xref => http://www.securityfocus.com/bid/6572]

but after 5 minutes of that, the webserver finally got the query and answered. That means that snort-inline let pass through the packet that it should drop. Can anyone check that? I tried several times and got the same result.

Thanks...

--
Federico Petronio
pe...@ac...
From: Matthias H. <ha...@li...> - 2004-01-20 08:38:24
Hello,

I am currently trying to run the snort_inline on one of our systems. The problem is that the whole system "hangs" after about one day. I have about 50 drop rules loaded to test the system.

My system setup is:
- the latest 2.1.0 snort_inline.
- iptables is 1.2.8 with patch-o-matic-20030912 installed.
- vanilla 2.4.22 kernel
- my currently used modules are:

Module                  Size  Used by
ipsec                 267648   2
8139too                13648   1 (autoclean)
crc32                   2848   0 (autoclean) [8139too]
af_packet               8304   2 (autoclean)
eepro100               18048   1 (autoclean)
mii                     2320   0 (autoclean) [8139too eepro100]
ip_conntrack_irc        3136   1 (autoclean)
ip_nat_irc              2400   0 (unused)
ip_conntrack_ftp        3872   1 (autoclean)
ip_nat_ftp              3040   0 (unused)
ipt_mark                 448   6 (autoclean)
ipt_ttl                  608   1 (autoclean)
ipt_MARK                 784   2 (autoclean)
ipt_state                592 127 (autoclean)
ipt_REJECT              3184  14 (autoclean)
ipt_LOG                 3296  96 (autoclean)
ipt_limit                944  96 (autoclean)
iptable_nat            15936   3 (autoclean) [ip_nat_irc ip_nat_ftp]
ip_queue                5040   0 (unused)
iptable_mangle          2192   1 (autoclean)
iptable_filter          1712   1 (autoclean)

- my iptables rules used to feed the queue module
iptables -t mangle -A PREROUTING -i eth1 -j QUEUE
iptables -t mangle -A POSTROUTING -o eth1 -j QUEUE

Is there anything wrong with my setup or does anyone have similar problems?

Kind regards
Matthias

--
Matthias Haas
Linogate GmbH
Alter Postweg 101
86159 Augsburg
Germany
http://www.linogate.com
ha...@li...