From: Ixion <ix...@cf...> - 2003-12-26 16:28:33

While you're at it, how does an ebuild for Gentoo sound? ;) I know someone who actually wrote an ebuild, I will try to put him in contact with you.

Have a terrific holiday everyone!

> This is a very good question, and I am open to suggestions. At this time,
> the only way to keep it up to date is to constantly visit
> snort-inline.sf.net to look for updates or monitor this list for release
> messages.
>
> I am thinking about making a debian package so debian users can use the
> apt-get update/upgrade to keep their snort-inline package up to date.
>
> Rob
>
> On Fri, 26 Dec 2003, Bill Warren wrote:
>
>> I just got my Snort-Inline box up and going. It is blocking all sorts of
>> junk. What are some good ways to keep it up to date?
From: Lance S. <la...@ho...> - 2003-12-26 15:50:20

On Fri, 26 Dec 2003, Bill Warren wrote:

> I just got my Snort-Inline box up and going. It is blocking all sorts of
> junk. What are some good ways to keep it up to date?

If you mean the snort-inline rulebase, snortconf developed by Brian Caswell (maintainer of the Snort rulebase) should help you. This tool is designed to take a current Snort rulebase, then convert it for snort-inline use, including reject, replace, and drop rulesets. It's pretty flexible, allowing you to modify rules based on SID, rule file, and classification. Brian is maintaining it at

http://www.shmoo.com/~bmc/software/snortconfig/

So, use the same tools/process you normally do to keep your Snort sensors' rulebases current, then add this tool to convert those current rules. This should be able to work out of crond, but I have not tried that.

lance
From: <Wil...@kc...> - 2003-12-26 15:41:43

If you are talking about just your signatures you can use oinkmaster-0.9. Add the following line under the SIDs to modify section:

modifysid * "^alert" | "drop"

Schedule a cron job to run

oinkmaster.pl -o /snortrulesdir

and then have it stop and start the snort daemon.

I always leave these SIDs disabled due to false positives or personal preference.

disablesid 534, 533, 2174, 2175, 1448, 466, 1841, 538, 532, 537, 536, 535, 1201, 485, 620, 2087, 663, 882, 884, 1002, 1243, 1852, 1857, 1150, 1456, 1653, 1200, 1288, 1549, 1448, 1042, 2201, 895

Regards,
Will

Bill Warren <bw...@op...>
Sent by: sno...@li...
12/26/2003 09:27 AM
To: Sno...@li...
Subject: [Snort-inline-users] Keeping the Pig up to date

> I just got my Snort-Inline box up and going. It is blocking all sorts of
> junk. What are some good ways to keep it up to date?
From: Rob M. <rv...@ca...> - 2003-12-26 15:36:04

This is a very good question, and I am open to suggestions. At this time, the only way to keep it up to date is to constantly visit snort-inline.sf.net to look for updates or monitor this list for release messages.

I am thinking about making a debian package so debian users can use the apt-get update/upgrade to keep their snort-inline package up to date.

Rob

On Fri, 26 Dec 2003, Bill Warren wrote:

> I just got my Snort-Inline box up and going. It is blocking all sorts of
> junk. What are some good ways to keep it up to date?
From: Bill W. <bw...@op...> - 2003-12-26 15:27:47

I just got my Snort-Inline box up and going. It is blocking all sorts of junk. What are some good ways to keep it up to date?

--
Bill Warren
Optivel, Inc.
E-mail: bw...@op...
Voice: 317.275.2305
Fax: 317.275.2301
Web: http://www.optivel.com
From: pieter c. <pi...@co...> - 2003-12-15 08:33:33

Can you verify that your rules actually have drop/sdrop/reject targets?

Pieter

On Mon, 2003-12-15 at 04:32, Brent Deterding wrote:

> I have the problem in this thread
> http://sourceforge.net/mailarchive/forum.php?thread_id=3303416&forum_id=32933
> that everything is being passed through unless it hits up against a limit.
> ip_queue is loaded but is unused.
>
> RedHat 9 with 2.4.22 patched with ebtables-brnf-3-vs-2.4.22
> I am using the snort_inline toolkit for 2.05 and iptables 1.2.9 (removed the
> rpm version)
> bridge-utils is the latest and compiled from source
>
> Snort_inline will create entries in /var/log but they are never alerts -
> just packet dumps. I am only using test.rules
>
> Any help is most appreciated - I can provide more information if necessary.
>
> -- Brent
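Will's oinkmaster line (modifysid * "^alert" | "drop", plus a disablesid list) and Pieter's question here come down to the same check: every active rule must carry an inline action. The script below is an added example, not oinkmaster, snortconfig or any poster's code; it converts a ruleset the same way, comments out disabled SIDs, and reports rules that still carry a non-inline action. The sample rules in the test are constructed.

```shell
#!/bin/sh
# Convert a stock Snort ruleset for snort_inline: alert -> drop, skipping a
# disablesid list, then verify nothing with a non-inline action slipped through.

# convert_rules <in.rules> <out.rules> "<sid sid ...>"
# Every "alert" rule whose sid is not in the disabled list becomes "drop".
# Disabled rules are commented out so they stay visible in the output file.
# All other lines (comments, pass rules, blanks) are copied unchanged.
convert_rules() {
    awk -v dis="$3" '
    BEGIN {
        n = split(dis, a, /[ ,]+/)
        for (i = 1; i <= n; i++) if (a[i] != "") skip[a[i]] = 1
    }
    /^alert[ \t]/ {
        sid = ""
        if (match($0, /sid:[ \t]*[0-9]+/)) {
            sid = substr($0, RSTART + 4, RLENGTH - 4)   # strip the "sid:" prefix
            gsub(/[ \t]/, "", sid)
        }
        if (sid != "" && (sid in skip)) { print "# disablesid " sid ": " $0; next }
        sub(/^alert/, "drop")
    }
    { print }' "$1" > "$2"
}

# non_inline_rules <rules>: print every active rule whose action is still one of
# alert/log/activate/dynamic. These match traffic but never block it, which is the
# mistake behind "everything is being passed through". pass rules are intentional.
non_inline_rules() {
    grep -E '^[[:space:]]*(alert|log|activate|dynamic)[[:space:]]' "$1" || true
}
```

Run non_inline_rules over the converted file from cron after oinkmaster and refuse to restart snort_inline when it prints anything.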
From: Brent D. <br...@de...> - 2003-12-15 06:59:29

Ended up being that I didn't create /var/log/snort - so the proper log file was not present and it defaulted to just logging packet dumps. I didn't notice it because I was running snort_inline from the command line in the foreground. I started using snort_inline.sh and saw the error msg there.

Incidentally - my ip_queue is still unused but it doesn't seem to matter.

-- Brent
From: Brent D. <br...@de...> - 2003-12-15 04:32:26

I have the problem in this thread
http://sourceforge.net/mailarchive/forum.php?thread_id=3303416&forum_id=32933
that everything is being passed through unless it hits up against a limit. ip_queue is loaded but is unused.

RedHat 9 with 2.4.22 patched with ebtables-brnf-3-vs-2.4.22
I am using the snort_inline toolkit for 2.05 and iptables 1.2.9 (removed the rpm version)
bridge-utils is the latest and compiled from source

Snort_inline will create entries in /var/log but they are never alerts - just packet dumps. I am only using test.rules

Any help is most appreciated - I can provide more information if necessary.

-- Brent
From: Brent D. <br...@de...> - 2003-12-15 04:28:25

I ran into this and realized I had a snort_inline process running in daemon mode still. Don't know if that helps or not.

-- Brent

-----Original Message-----
From: sno...@li... On Behalf Of Thomas Pollet
Sent: Tuesday, November 25, 2003 10:54 AM
To: sno...@li...
Subject: Re: [Snort-inline-users] snort inline hangs

Hi,

I'm trying to set up snort inline. But after initialization it errors with code 16. Seems to be an ipq problem (the sample program from libipq manual gave same error). I guess I missed something during setup, but can't find out exactly what. I'd highly appreciate any help.

thanks in advance,
Thomas Pollet

This problem is quite similar to the one discussed in
http://sourceforge.net/mailarchive/forum.php?thread_id=3303416&forum_id=32933
although nobody posted a solution.

for the record, I am using slackware 9, kernel 2.4.22, iptables-1.2.9 and my lsmod looks like

Module                  Size  Used by    Not tainted
iptable_filter          1644   1  (autoclean)
ip_conntrack_irc        2992   0  (unused)
ip_conntrack_ftp        3888   0  (unused)
ip_conntrack           18016   2  [ip_conntrack_irc ip_conntrack_ftp]
ipt_LOG                 3384   0  (unused)
ip_tables              11768   2  [iptable_filter ipt_LOG]
pcmcia_core            38112   0
ip_queue                5420   0  (unused)
ide-scsi                8048   0
3c59x                  26736   1
nls_cp850               3580   1  (autoclean)
nls_iso8859-15          3356   2  (autoclean)
ntfs                   51040   2  (autoclean)
From: Brian J. <bja...@ci...> - 2003-12-12 10:51:02

Josh,

Yeah, ip_queue loaded and snort_inline apparently working OK, dropping packets etc. The message just came up in what appeared to be a normal run. Any more thoughts?

Brian

> Do you have the ip_queue module loaded? Check with a lsmod | grep
> ip_queue, if it is not loaded try loading it with an insmod ip_queue.
>
>> I have received the following from snort-inline-2.0.5, 'IpqLoop: : Failed
>> to receive netlink message: No buffer space available'. This message is
>> displayed on the console as I am currently running inline in non-daemon
>> mode. Can anyone enlighten me as to what it means and how I can prevent it
>> in the future?
>> It's just struck me that this test box only has 64meg of RAM and I have not
>> enabled the snort low-memory option, would this help?
>> regards,
>> Brian
>
> Thanks,
> Josh Berry, CTO
> LinkNet-Solutions
> 469-831-8543
> jos...@li...
From: Dale L. H. <dh...@ni...> - 2003-12-11 06:33:11

I was playing with this the other day as well. I found a page (it's late, due to brain damage I can't find it tonight) that suggests setting the following values to 1 Megabyte:

/proc/sys/net/core/rmem_default
/proc/sys/net/core/rmem_max

I believe you'll find by inspecting those values, you'll see they are set to something like 65535. The page I found said to set them to 1048576.

I found the following link that may help (it is not the one I was working off the other day):
http://www.lip.pt/computing/cg-services/other-changes.htm

Brian Jameson wrote:

> I have received the following from snort-inline-2.0.5, 'IpqLoop: : Failed
> to receive netlink message: No buffer space available'. This message is
> displayed on the console as I am currently running inline in non-daemon
> mode. Can anyone enlighten me as to what it means and how I can prevent it
> in the future?
> It's just struck me that this test box only has 64meg of RAM and I have not
> enabled the snort low-memory option, would this help?
> regards,
> Brian

--
"The trouble with doing something right the first time is that nobody appreciates how difficult it was."
--
Dale L. Handy, P.E.
dh...@ni...
http://www.nitrodata.com
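The tuning Dale describes, as an added script that is not from Dale, the page he cites, or snort_inline: it raises rmem_default and rmem_max to 1 MiB only where they are lower, never lowers a value an admin already raised, and emits the sysctl.conf lines that keep the change across a reboot. The proc-root argument is an assumption added so the function can be exercised against a scratch directory instead of the live /proc.

```shell
#!/bin/sh
# Grow the kernel socket receive buffers so ip_queue's netlink socket stops
# failing with ENOBUFS ("Failed to receive netlink message: No buffer space
# available") when snort_inline falls behind the packet rate.

WANT=1048576   # 1 MiB, the value recommended in the thread over the 65535 default

# raise_rmem [proc-root]
# For rmem_max and rmem_default (max first, so default never exceeds it): raise
# to $WANT if lower, leave alone if already larger. Prints "key old new" per
# key on stdout; returns 1 if any key could not be read, parsed or written.
raise_rmem() {
    root="${1:-/proc}"
    rc=0
    for key in rmem_max rmem_default; do
        f="$root/sys/net/core/$key"
        cur=$(cat "$f" 2>/dev/null) || { echo "$key: cannot read $f" >&2; rc=1; continue; }
        case "$cur" in
            ''|*[!0-9]*) echo "$key: not a number: '$cur'" >&2; rc=1; continue ;;
        esac
        if [ "$cur" -lt "$WANT" ]; then
            echo "$WANT" > "$f" || { echo "$key: cannot write $f" >&2; rc=1; continue; }
            echo "$key $cur $WANT"
        else
            echo "$key $cur $cur"   # already large enough, not lowered
        fi
    done
    return $rc
}

# sysctl_lines: the /etc/sysctl.conf entries that make the change persistent.
sysctl_lines() {
    printf 'net.core.rmem_max = %s\nnet.core.rmem_default = %s\n' "$WANT" "$WANT"
}
```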
From: Josh B. <jos...@li...> - 2003-12-10 14:58:08

Do you have the ip_queue module loaded? Check with a lsmod | grep ip_queue, if it is not loaded try loading it with an insmod ip_queue.

> I have received the following from snort-inline-2.0.5, 'IpqLoop: : Failed
> to receive netlink message: No buffer space available'. This message is
> displayed on the console as I am currently running inline in non-daemon
> mode. Can anyone enlighten me as to what it means and how I can prevent it
> in the future?
> It's just struck me that this test box only has 64meg of RAM and I have not
> enabled the snort low-memory option, would this help?
> regards,
> Brian

Thanks,
Josh Berry, CTO
LinkNet-Solutions
469-831-8543
jos...@li...
From: Brian J. <bja...@ci...> - 2003-12-10 11:54:35

I have received the following from snort-inline-2.0.5, 'IpqLoop: : Failed to receive netlink message: No buffer space available'. This message is displayed on the console as I am currently running inline in non-daemon mode. Can anyone enlighten me as to what it means and how I can prevent it in the future?

It's just struck me that this test box only has 64meg of RAM and I have not enabled the snort low-memory option, would this help?

regards,
Brian
From: Pieter C. <pie...@co...> - 2003-12-09 11:01:49

I have just released a new version of the snort-reports package.

http://countersnipe.com/downloads/snort_reports/0.1-6

Improvements include:

* Better configuration options
* Better support for debian release (bug with stow resolved)
* A number of installer and implementation bug fixes.

Thanks to those who provided input.

Pieter

--
Pieter Claassen <pie...@co...>
From: Lance S. <la...@ho...> - 2003-12-05 23:29:14

On Tue, 2 Dec 2003, Rob McMillen wrote:

> I've finally gotten off my butt and updated snort_inline to the latest and
> greatest snort version 2.0.5. You can get it at:
>
> http://sourceforge.net/projects/snort-inline/

Following Rob's footsteps, I have gotten off my lazy derriere and updated the Snort_inline Linux Toolkit. This is a collection of tools designed to make running snort_inline faster and simpler on your Linux gateway. It includes

- Static, precompiled snort_inline binary for Linux (version 2.0.5)
- Snort_inline.sh startup script (note, it appears that snort_inline runs nicely in chroot'd mode, but does not work running as an unprivileged user).
- snortconfig: Brian Caswell's new tool for converting a current snort ruleset to snort_inline (drop, sdrop, reject, replace). This is how you can keep your snort_inline rules current.
- rc.firewall: used to deploy Data Control on Honeynets
- test.rules: ruleset used to test your snort_inline deployment

If you have any tools or goodies you would like added, please let me know (including for FreeBSD).

http://www.honeynet.org/tools/snort_inline.tgz

Thanks!

lance
From: Josh B. <jos...@li...> - 2003-12-05 06:02:59

Sorry that was a typo, I replaced #include <net/if.h> with #include <linux/if.h>

> Thanks for this information, the only workaround that I could find was
> replacing all instances of #include <net/if.h> with #include <net/linux.h>
> in the linux source. I figured that it would cause issues down the road,
> this will help a lot.

Thanks,
Josh Berry, CTO
LinkNet-Solutions
469-831-8543
jos...@li...
From: Josh B. <jos...@li...> - 2003-12-05 02:48:59

Thanks for this information, the only workaround that I could find was replacing all instances of #include <net/if.h> with #include <net/linux.h> in the linux source. I figured that it would cause issues down the road, this will help a lot.

Thanks,
Josh Berry, CTO
LinkNet-Solutions
469-831-8543
jos...@li...
From: Rob M. <rv...@ca...> - 2003-12-04 23:54:31

Matthew,

Thanks for this solution. I should be able to add this to the configure script, and it is a much easier solution than the one I sent earlier :)

Rob

On Thu, 4 Dec 2003, Matthew Callaway wrote:

> Regarding my earlier email. This fixes it.
>
> cd /usr/include
> mv linux linux.glibc
> ln -s ~/src/BUILD/kernel-2.4.21/linux/include linux
>
> make
>
> That is, point to a set of "real" kernel includes instead of RH's
> glibc-kernheaders package.
>
> Note that the above 2.4.21 kernel tree is Red Hat's EL3 kernel, not a
> stock vanilla kernel. That is, the problem isn't with RH kernel
> headers, but RH glibc kernel headers.
>
> A solution to this would be to add a ./configure flag to specify kernel
> includes, in the same fashion you can specify lipq and pcap includes.
>
> Thanks!
>
> Matt
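The header swap Matt describes (and steps 3 to 5 of Rob's procedure in his earlier mail in this thread) as an added shell script, not from snort_inline or any poster: it checks that the kernel tree really carries the headers snort_inline needs before touching anything, backs up the glibc-kernheaders directory once (to linux.orig, as in Rob's steps), replaces a stale link on a second run, and can undo itself. The include-dir parameter is an assumption added so the functions can be exercised in a scratch directory instead of /usr/include.

```shell
#!/bin/sh
# Point <include-dir>/linux at a real kernel tree's include/linux so libipq's
# ip_queue.h is compiled against kernel headers instead of glibc-kernheaders.

# use_kernel_headers <kernel-source-dir> [<include-dir>]   (default /usr/include)
use_kernel_headers() {
    ksrc="$1"
    incdir="${2:-/usr/include}"
    target="$ksrc/include/linux"

    # Refuse a tree that lacks the two headers this build actually trips over.
    [ -f "$target/if.h" ] ||
        { echo "no $target/if.h: unpack/build the kernel source first" >&2; return 1; }
    [ -f "$target/netfilter_ipv4/ip_queue.h" ] ||
        { echo "no $target/netfilter_ipv4/ip_queue.h in that tree" >&2; return 1; }

    if [ -L "$incdir/linux" ]; then
        # A previous run left a symlink: replace it, keep the original backup.
        rm "$incdir/linux"
    elif [ -d "$incdir/linux" ]; then
        # First run: keep the distribution headers so the change can be undone.
        [ -e "$incdir/linux.orig" ] &&
            { echo "$incdir/linux.orig already exists, not overwriting it" >&2; return 1; }
        mv "$incdir/linux" "$incdir/linux.orig"
    fi
    ln -s "$target" "$incdir/linux"
}

# restore_headers [<include-dir>]: put the saved distribution headers back.
restore_headers() {
    incdir="${1:-/usr/include}"
    [ -L "$incdir/linux" ] && [ -d "$incdir/linux.orig" ] || return 1
    rm "$incdir/linux" && mv "$incdir/linux.orig" "$incdir/linux"
}
```

Run it before building iptables and snort_inline, and run restore_headers before upgrading glibc-kernheaders so the package manager finds the directory it expects.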
From: Rob M. <rv...@ca...> - 2003-12-04 23:52:20
|
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Not sure what RedHat has done with its kernel headers. I actually had to do the following in order to get snort_inline to compile in RedHat 9.0 with the default kernel and kernel headers:

1. Download the kernel source (best to get stable latest and greatest from www.kernel.org).
2. Build kernel from scratch (feel free to use RedHat's .config file).
3. mv /usr/include/linux /usr/include/linux.orig
4. cd /usr/include
5. ln -s /usr/src/linux<new kernel source>/include/linux linux
   (on my box: ln -s /usr/src/linux-2.4.22/include/linux linux)

   Why do we do this? We are doing this to use the new kernel headers vice the older ones installed on your default RedHat install located in /usr/include/linux.

6. Download the iptables source (www.iptables.org).
7. Build iptables
   a. make KERNEL_DIR=/usr/src/<new source>
   b. make install KERNEL_DIR=/usr/src/<new source>
   c. make install-devel

   **** CONSIDER REMOVING OLDER VERSIONS OF IPTABLES OFF SYSTEM. DEFAULT SRC INSTALLS IPTABLES IN /usr/local/sbin and /usr/local/lib vice /usr/sbin and /lib

8. Build snort_inline

I really need to get off my butt and develop the snort_inline home page so I can have a repository for documentation and FAQ.

Rob

On Thu, 4 Dec 2003, Matthew Callaway wrote:

> Greetings,
>
> Is there a known problem building snort_inline (up to 2.0.5) against the
> glibc-kernheaders that come with Red Hat Enterprise Linux 3?
>
> The Error:
>
> gcc -DHAVE_CONFIG_H -I. -I. -I../.. -I../.. -I../../src
> -I/usr/include/pcap -I../../src/output-plugins
> -I../../src/detection-plugins -I../../src/preprocessors -I/usr/include
> -g -O2 -Wall -DGIDS -D_BSD_SOURCE -D__BSD_SOURCE -D__FAVOR_BSD
> -DHAVE_NET_ETHERNET_H -DLIBNET_LIL_ENDIAN -c `test -f 'spo_alert_fast.c'
> || echo './'`spo_alert_fast.c
> In file included from /usr/include/linux/netfilter_ipv4/ip_queue.h:10,
>                  from /usr/include/libipq.h:37,
>                  from ../../src/inline.h:8,
>                  from ../../src/snort.h:38,
>                  from spo_alert_fast.c:51:
> /usr/include/linux/if.h:59: redefinition of `struct ifmap'
> /usr/include/linux/if.h:77: redefinition of `struct ifreq'
> /usr/include/linux/if.h:126: redefinition of `struct ifconf'
> make[3]: *** [spo_alert_fast.o] Error 1
> make[3]: Leaving directory
> `/home/matt/src/BUILD/snort-2.0.5/src/output-plugins'
> make[2]: *** [all-recursive] Error 1
> make[2]: Leaving directory `/home/matt/src/BUILD/snort-2.0.5/src'
> make[1]: *** [all-recursive] Error 1
> make[1]: Leaving directory `/home/matt/src/BUILD/snort-2.0.5'
> make: *** [all] Error 2
>
>
> [matt@obelisk SPECS]$ rpm -qf
> /usr/include/linux/netfilter_ipv4/ip_queue.h
> glibc-kernheaders-2.4-8.34
>
>
> Some Googling finds:
>
> http://groups.google.com/groups?hl=en&lr=lang_en&ie=UTF-8&oe=UTF-8&safe=off&threadm=vmk8c6.6f4.ln%40batty&rnum=9&prev=/groups%3Fnum%3D100%26hl%3Den%26lr%3Dlang_en%26ie%3DUTF-8%26oe%3DUTF-8%26safe%3Doff%26q%3Dredefinition%2Bof%2B%2560struct%2Bifmap%27%26btnG%3DGoogle%2BSearch
>
> "Glibc has its own definitions that often conflict with those in
> /usr/include/linux (the kernel). Programs that #include these kernel
> includes must be modified so that these includes are taken out and only
> the explicit kernel definitions that are needed are included. You can
> either attempt this yourself or wait =)."
>
>
> Do you favor <linux/if.h> or <net/if.h>?
>
> Can you add a ./configure switch to specify the path to alternate kernel
> includes via an environment variable?
> > I note the difference between the glibc package and the kernel package: > > diff -u <kernel version> <glibc version> > diff -u linux/include/linux/netfilter_ipv4/ip_queue.h /usr/include/linux/netfilter_ipv4/ip_queue.h > --- > /home/matt/src/BUILD/kernel-2.4.21/linux/include/linux/netfilter_ipv4/ip_queue.h > 2000-08-10 14:35:15.000000000 -0500 > +++ /usr/include/linux/netfilter_ipv4/ip_queue.h 2003-01-30 > 12:03:23.000000000 -0600 > @@ -7,15 +7,7 @@ > #ifndef _IP_QUEUE_H > #define _IP_QUEUE_H > > -#ifdef __KERNEL__ > -#ifdef DEBUG_IPQ > -#define QDEBUG(x...) printk(KERN_DEBUG ## x) > -#else > -#define QDEBUG(x...) > -#endif /* DEBUG_IPQ */ > -#else > -#include <net/if.h> > -#endif /* ! __KERNEL__ */ > +#include <linux/if.h> > > /* Messages sent from kernel */ > typedef struct ipq_packet_msg { > > > > Thanks, > > Matt > > > -----BEGIN PGP SIGNATURE----- Version: PGP 6.5.8 Comment: Made with pgp4pine 1.76 iQA/AwUBP8/NGPnAyY+9KLjdEQJDkACgzmFlwCXeSHU7m7apZlLpEJ31UvMAmwf6 WVoOFIZDWWHQ+KO6uZ4xinD3 =Tw6F -----END PGP SIGNATURE----- |
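Review bot: the one-line replacement in the glibc-kernheaders hunk, which drops the `#ifdef __KERNEL__` / `#else` `#include <net/if.h>` block in favour of an unconditional `#include <linux/if.h>`, is the cause of the three `redefinition of struct ifmap/ifreq/ifconf` errors in the build log above. ip_queue.h is reached from userspace through libipq.h, and `<linux/if.h>` then redefines structs that glibc's `<net/if.h>` has already declared in the same translation unit; the original `#else` branch avoided exactly that by giving non-kernel code `<net/if.h>`. The removed `QDEBUG` macros are kernel-only, so losing them costs userspace nothing, but the header should keep `<net/if.h>` (or guard the kernel include) for the `!__KERNEL__` case. Until the package is corrected, the workarounds already in this thread, pointing /usr/include/linux at a real kernel tree or adding a configure flag for alternate kernel includes, are the practical route.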
From: Rob M. <rv...@ca...> - 2003-12-03 01:22:20
I've finally gotten off my butt and updated snort_inline to the latest and greatest snort version 2.0.5. You can get it at:

http://sourceforge.net/projects/snort-inline/

In addition,

1. I've incorporated some beta code to support running snort_inline with ipfw on FreeBSD. Nick <ni...@ro...> was kind enough to provide this patch. I call it beta because I've gotten it to compile in FreeBSD, but I haven't had the time to really put it to the test. Any volunteers willing to provide comments/feedback? Anyone care to create an rc.firewall-like script to work with ipfw?

2. I've added a few rules for testing purposes (rules/test.rules) provided by Lance Spitzner <la...@ho...>, that will enable you to quickly test your snort_inline configuration.

3. I've added Brian Caswell's snort rule configuration program (contrib/Net-Snort-Parser-1.9.tar.gz) that allows you to quickly modify snort rules and convert them to drop, sdrop, reject, or replace. It also allows you to convert snort rules for use in a Honeynet. For more information on this tool, to include several example configuration files, go to:

http://www.shmoo.com/~bmc/software/snortconfig/

I am still working on making the portscan and arpspoof preprocessors "drop". This will be on the street very soon. I've just been caught up in my day job and another project.

Rob
From: Josh B. <jos...@li...> - 2003-12-02 17:53:17
When I compile Snort-Inline normally it works fine (./configure <options> && make), but when I compile Snort-Inline statically (editing: snort_inline_LDFLAGS = -static, in /src/Makefile) I get complaints:

....
....
/usr/lib/libssl.a(kssl.o)(.text+0x1d0f): In function `kssl_validate_times`:
: undefined reference to `krb5_timeofday`
/usr/lib/libssl.a(kssl.o)(.text+0x1d23): In function `kssl_validate_times`:
: undefined reference to `krb5_free_context`
Collect2: ld returned 1 exit status
make[3]: *** [snort_inline] Error 1
make[3]: Leaving directory `/usr/local/snort/src`
make[2]: *** [all-recursive] Error 1
make[2]: Leaving directory `/usr/local/snort/src`
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/usr/local/snort`
make: *** [all] Error 2

I am using Snort-2.0.2. I applied the SnortSNMP 2.0.2 Patch to the Snort-2.0.2 source, and then applied the Snort-Inline-2.0.2 Patch to the Snort-2.0.2 source. I ran configure with this:

./configure --with-enable --with-mysql --with-snmp --with-openssl

(I have to use --with-openssl in order to get Snort to compile with snmp support; I don't know if it is something I am doing wrong or what.) Then I just type make.

This is on a Redhat 9.0 box running a custom 2.4.21 kernel with the NSA SELinux patch (along with many netfilter patches).

Thanks,
Josh
From: Hess, B. <ben...@te...> - 2003-12-02 16:24:00
I have tried it with routing both on and off and I have set up all of the interfaces correctly, however I am still getting non-icmp traffic filtered. My iptables are showing everything set for accept and have actually been turned off. So what I can do is I can ping the host behind the bridge, and the arp tables are passing fine, but traffic is being filtered. Any other ideas?

-----Original Message-----
From: Ixion [mailto:ix...@cf...]
Sent: Tuesday, December 02, 2003 8:41 AM
To: Hess, Ben
Cc: 'sno...@li...'
Subject: Re: [Snort-inline-users] Bridging filtering traffic

I'm going out on a limb here, so please be gracious in your flaming. What does 'cat /proc/sys/net/ipv4/ip_forward' on the bridge machine return? It should return a '1'. If it returns '0', then add this to the beginning of your firewall script:

/bin/echo "1" > /proc/sys/net/ipv4/ip_forward

I hope this helps

> Hello,
> I have been attempting to get snort-inline running on a RedHat
> 9.0 in a passive state. The issue that I am running into is setting up the
> bridging. It says everything is running fine, I can get IPTables running on
> it and everything, however I can not get traffic through the bridge. I can
> get icmp traffic through, but all tcp and udp is being filtered. I attempted
> to shutdown all IPTables and tested just the bridging and I am still getting
> all tcp and udp filtered. If I move the host out from behind the bridge
> everything works fine. Any hints or clues as to what I am missing would be
> much appreciated. Below are the commands I am using to create the bridge:
>
> insmod bridge
> brctl addbr mybridge0
> brctl addif mybridge0 eth0
> brctl addif mybridge0 eth1
> ifconfig mybridge0 up
>
> I appreciate any and all help on this matter,
> Ben Hess
From: Ixion <ix...@cf...> - 2003-12-02 15:43:19
I'm going out on a limb here, so please be gracious in your flaming. What does 'cat /proc/sys/net/ipv4/ip_forward' on the bridge machine return? It should return a '1'. If it returns '0', then add this to the beginning of your firewall script:

/bin/echo "1" > /proc/sys/net/ipv4/ip_forward

I hope this helps

> Hello,
> I have been attempting to get snort-inline running on a RedHat
> 9.0 in a passive state. The issue that I am running into is setting up the
> bridging. It says everything is running fine, I can get IPTables running on
> it and everything, however I can not get traffic through the bridge. I can
> get icmp traffic through, but all tcp and udp is being filtered. I attempted
> to shutdown all IPTables and tested just the bridging and I am still getting
> all tcp and udp filtered. If I move the host out from behind the bridge
> everything works fine. Any hints or clues as to what I am missing would be
> much appreciated. Below are the commands I am using to create the bridge:
>
> insmod bridge
> brctl addbr mybridge0
> brctl addif mybridge0 eth0
> brctl addif mybridge0 eth1
> ifconfig mybridge0 up
>
> I appreciate any and all help on this matter,
> Ben Hess
From: Stephan S. <ss...@as...> - 2003-12-02 12:08:22
Hi Ben,

it has been a while since I tested it. But here are the commands I used:

brctl addbr br0
brctl addif br0 eth1
brctl addif br0 eth2
ip link set eth1 up
ip link set eth2 up
ip link set br0 up
brctl stp br0 off

Note that you need the bridge netfilter patch for your kernel, so that the packets actually go into netfilter. It can be found at http://bridge.sourceforge.net/devel/bridge-nf/bridge-nf-0.0.7-against-2.4.19.diff (for kernel 2.4.19).

Stephan

Hess, Ben wrote:
> I have been attempting to get snort-inline running on a
> RedHat 9.0 in a passive state. The issue that I am running into is
> setting up the bridging. It says everything is running fine, I can get
> IPTables running on it and everything, however I can not get traffic
> through the bridge. I can get icmp traffic through, but all tcp and udp
> is being filtered. I attempted to shutdown all IPTables and tested just
> the bridging and I am still getting all tcp and udp filtered. If I move
> the host out from behind the bridge everything works fine. Any hints or
> clues as to what I am missing would be much appreciated. Below are the
> commands I am using to create the bridge:

--
Stephan Scholz <ss...@as...> | Development
Astaro AG | www.astaro.com | Phone +49-721-490069-0 | Fax -55

Awards for ASL:
- Nätverk & Kommunikation Magazine, Sweden: "Five Stars" - October 2003
- Linux Enterprise Readers' Choice Award: Best Firewall - October 2003
- LinuxWorld Product Excellence Award: Best Security Solution - August 2003
- "Excellent" Infoworld Magazine - August 2003
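An added check, not from anyone in this thread, for the two things the bridging exchange turns on: whether the kernel hands bridged frames to iptables at all (the bridge-nf sysctl that the 2.4 bridge-nf patch Stephan points to, or the br_netfilter module on current kernels, provides; without it the bridge bypasses netfilter and snort_inline can neither see nor drop bridged traffic) and the ip_forward value Ixion asked about. The function name and the optional root-directory argument are my assumptions; the root argument exists so the check can be run against a constructed /proc tree.

```shell
#!/bin/sh
# Added example (not from the thread). check_bridge_nf [ROOT] reports whether
# bridged frames are passed to iptables and whether ip_forward is on.
# ROOT is an assumption for testing: it is prefixed to the /proc paths so the
# check can be run against a constructed tree instead of the live kernel.
check_bridge_nf() {
    root="${1:-}"
    bridge_nf="$root/proc/sys/net/bridge/bridge-nf-call-iptables"
    ip_fwd="$root/proc/sys/net/ipv4/ip_forward"
    status=0

    # Without the bridge-nf patch (2.4) or the br_netfilter module (current
    # kernels) this sysctl does not exist and the bridge bypasses netfilter:
    # iptables, and therefore snort_inline, never sees the bridged frames.
    if [ ! -r "$bridge_nf" ]; then
        echo "bridge-nf: sysctl missing; bridged traffic bypasses iptables (fail-open)"
        status=1
    elif [ "$(cat "$bridge_nf")" != "1" ]; then
        echo "bridge-nf: bridge-nf-call-iptables is 0; bridged traffic bypasses iptables"
        status=1
    else
        echo "bridge-nf: ok, bridged frames are handed to iptables"
    fi

    # ip_forward matters only when the box routes; a pure bridge works at
    # layer 2, so this line is informational.
    if [ -r "$ip_fwd" ] && [ "$(cat "$ip_fwd")" = "1" ]; then
        echo "ip_forward: 1"
    else
        echo "ip_forward: 0 or unset"
    fi
    return "$status"
}

# Live use on the bridge box: run check_bridge_nf with no argument.
```

The exit status is non-zero whenever bridged traffic would bypass iptables, so the function can gate a firewall script before snort_inline is started.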
From: Rob M. <rv...@ca...> - 2003-12-02 11:58:37
Josh,

I would simply add a call to InlineDrop() right before the call to CallAlertFuncs(). InlineDrop() does not take any arguments. I've highlighted the insertion below with 3 asterisks (***). This will drop the packet and continue to alert or log as required.

The Inline functions do not do any alerting or logging. They simply tell iptables to drop the packet. Therefore, we still require the use of snort Alert and Log functions.

Rob

On Mon, 1 Dec 2003, Josh Berry wrote:

> Sorry I am not much of a developer, So for this piece of code:
>
>
>         if((runMode == MODE_IDS) &&
>            pv.decoder_flags.decode_alerts)
>         {
>             SetEvent(&event, GENERATOR_SNORT_DECODE,
>                      DECODE_BAD_80211_ETHLLC, 1, DECODE_CLASS,
>                      5, 0);
/***/         InlineDrop();
>             CallAlertFuncs(p, DECODE_BAD_80211_ETHLLC_STR,
>                            NULL, &event);
>             CallLogFuncs(p, DECODE_BAD_80211_ETHLLC_STR, NULL,
>                          &event);
>         }
>
>         return;
>     }
>
> Would I just replace the CallAlertFuncs with InlineDrop();? Do I need to
> pass anything to InlineDrop?