From: Matt J. <jo...@jo...> - 2007-12-27 01:54:29

--
Matthew Jonkman
Emerging Threats
US Phone 765-429-0398
US Fax 312-264-0205
AUS Fax 61-29-4750-026
http://www.emergingthreats.net
PGP: http://www.jonkmans.com/mattjonkman.asc
From: <ch...@os...> - 2007-10-18 06:44:27

Dear Will Metcalf,

Perfect, it works! Your svn code works correctly! The svn code appears to have no problem both without nfnetlink_queue and with nfnetlink_queue. I will continue to use your svn code; if there is a problem I will promptly let you know! :-*

Best Regards
ChunXin

2007/10/18 Will Metcalf wrote:
> it is svn so don't forget to ./autojunk.sh ;-)
>
> On 10/17/07, ChunXin <ch...@os...> wrote:
>> thanks a lot ! i will try it
>>
>> Will Metcalf wrote:
>>> I have made some changes to the svn version of snort_inline that
>>> should resolve your issue. [...]
From: ChunXin <ch...@os...> - 2007-10-18 06:43:18

Dear Will Metcalf,

Perfect, it works! Your svn code works correctly! The svn code appears to have no problem both without nfnetlink_queue and with nfnetlink_queue. I will continue to use your svn code; if there is a problem I will promptly let you know! :-*

Best Regards
ChunXin

2007/10/18 Will Metcalf wrote:
> it is svn so don't forget to ./autojunk.sh ;-)
>
> On 10/17/07, ChunXin <ch...@os...> wrote:
>> thanks a lot ! i will try it
>>
>> Will Metcalf wrote:
>>> I have made some changes to the svn version of snort_inline that
>>> should resolve your issue. [...]
From: Will M. <wil...@gm...> - 2007-10-18 04:06:52

It is svn, so don't forget to ./autojunk.sh ;-)

On 10/17/07, ChunXin <ch...@os...> wrote:
> thanks a lot ! i will try it
>
> Will Metcalf wrote:
>> I have made some changes to the svn version of snort_inline that
>> should resolve your issue. I also added fixes for a potential DoS
>> issue when the splay tree fills up submitted by Marcus Sundberg
>> at Ingate, thanx dude ;-).... You can check out the latest devel
>> version from svn as always with the following command...
>>
>> svn co https://snort-inline.svn.sourceforge.net/svnroot/snort-inline/trunk
>>
>> On 10/16/07, Victor Julien <li...@in...> wrote:
>>> Where did you install the libnetfilter_queue library? If you didn't
>>> install it in /usr please try that...
>>> [...]
From: ChunXin <ch...@os...> - 2007-10-18 03:55:06

Thanks a lot! I will try it.

Will Metcalf wrote:
> I have made some changes to the svn version of snort_inline that
> should resolve your issue. I also added fixes for a potential DoS
> issue when the splay tree fills up submitted by Marcus Sundberg
> at Ingate, thanx dude ;-).... You can check out the latest devel
> version from svn as always with the following command...
>
> svn co https://snort-inline.svn.sourceforge.net/svnroot/snort-inline/trunk
>
> On 10/16/07, Victor Julien <li...@in...> wrote:
>> Where did you install the libnetfilter_queue library? If you didn't
>> install it in /usr please try that...
>>
>> Cheers,
>> Victor
>>
>> ch...@os... wrote:
>>> Yeah , Can you help me ?
>>>
>>>> do you even need multiple queue support?
>>>>
>>>> On 10/16/07, ch...@os... <ch...@os...> wrote:
>>>>> I encountered such a problem when i configure snort_inline-2.6.1.5 with
>>>>> "--enable-nfnetlink" option [...]
From: Will M. <wil...@gm...> - 2007-10-17 20:33:50

I have made some changes to the svn version of snort_inline that should resolve your issue. I also added fixes for a potential DoS issue when the splay tree fills up, submitted by Marcus Sundberg at Ingate, thanx dude ;-).... You can check out the latest devel version from svn as always with the following command...

svn co https://snort-inline.svn.sourceforge.net/svnroot/snort-inline/trunk

On 10/16/07, Victor Julien <li...@in...> wrote:
> Where did you install the libnetfilter_queue library? If you didn't
> install it in /usr please try that...
>
> Cheers,
> Victor
>
> ch...@os... wrote:
>> Yeah , Can you help me ?
>>
>>> do you even need multiple queue support?
>>>
>>> On 10/16/07, ch...@os... <ch...@os...> wrote:
>>>> I encountered such a problem when i configure snort_inline-2.6.1.5 with
>>>> "--enable-nfnetlink" option, description of the issue as follows:
>>>> [...]
>>>> I am using libnetfilter_queue-0.0.12 and libnfnetlink-0.0.16 , The
>>>> installation process both are "./configure && make && make install"
>>>> [...]
>>>> what wrong with my installation? and how can i debug it ?
>>>> I think my previous question (Segmentation fault and snort_inline stop
>>>> when using nmap ) may be related to the issue
>>>> [...]
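Will's message above mentions a fix for a potential DoS when a splay tree fills up; elsewhere in the thread ChunXin reports a crash that appears only with stickydrop and stickydrop-timeouts enabled during an nmap scan. The page does not say whether the two are related, and it gives no details of the fix. The following is an added illustration of the general failure mode behind "the tree fills up" (per-source state that a scanner can grow without limit by cycling through source addresses) and of the usual mitigation: a hard capacity, timeout-based reclaim of stale entries, and refusal rather than growth once the cap is reached. It is constructed example code, not snort_inline's splay tree or its stickydrop implementation; the names, the linear-scan table, the use of 0.0.0.0 as the empty marker and the capacity of 4 are assumptions chosen to keep the behaviour visible.

```c
/* Bounded "sticky drop" table: a constructed illustration of per-source
 * state under a port scan. Not snort_inline's own data structure.
 * Each entry records a source IPv4 address that should be dropped until
 * an absolute expiry time. The table never grows past STICKY_CAPACITY:
 * when full, expired slots are reclaimed first; if none is expired the
 * insert is refused, so an attacker cycling through sources cannot
 * exhaust memory. Time is passed in explicitly to keep it deterministic. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define STICKY_CAPACITY 4   /* assumption: tiny so the cap is easy to see */

enum sticky_result {
    STICKY_ADDED,      /* new source recorded in a free slot */
    STICKY_REFRESHED,  /* source already present, expiry extended */
    STICKY_RECLAIMED,  /* an expired slot was reused for the new source */
    STICKY_FULL        /* no free or expired slot: refused, not grown */
};

struct sticky_entry {
    uint32_t ip;       /* host-order IPv4; 0 (0.0.0.0) marks an empty slot */
    uint32_t expires;  /* absolute time in seconds; valid while now < expires */
};

struct sticky_table {
    struct sticky_entry slot[STICKY_CAPACITY];
};

void sticky_init(struct sticky_table *t)
{
    memset(t, 0, sizeof *t);
}

/* Slot index holding ip, or -1. A linear scan keeps the example short;
 * a real sensor would use a tree or hash keyed on the address. */
static int sticky_find(const struct sticky_table *t, uint32_t ip)
{
    if (ip == 0)
        return -1;
    for (int i = 0; i < STICKY_CAPACITY; i++)
        if (t->slot[i].ip == ip)
            return i;
    return -1;
}

/* Is ip still inside its drop window at time now? */
int sticky_should_drop(const struct sticky_table *t, uint32_t ip, uint32_t now)
{
    int i = sticky_find(t, ip);
    return i >= 0 && now < t->slot[i].expires;
}

/* Record ip for `timeout` seconds from now, bounded by STICKY_CAPACITY. */
enum sticky_result sticky_add(struct sticky_table *t, uint32_t ip,
                              uint32_t now, uint32_t timeout)
{
    if (ip == 0)                       /* reserved as the empty marker */
        return STICKY_FULL;
    int i = sticky_find(t, ip);
    if (i >= 0) {                      /* already tracked: extend the window */
        t->slot[i].expires = now + timeout;
        return STICKY_REFRESHED;
    }
    for (int j = 0; j < STICKY_CAPACITY; j++) {   /* free slot first */
        if (t->slot[j].ip == 0) {
            t->slot[j].ip = ip;
            t->slot[j].expires = now + timeout;
            return STICKY_ADDED;
        }
    }
    for (int j = 0; j < STICKY_CAPACITY; j++) {   /* then an expired one */
        if (now >= t->slot[j].expires) {
            t->slot[j].ip = ip;
            t->slot[j].expires = now + timeout;
            return STICKY_RECLAIMED;
        }
    }
    return STICKY_FULL;  /* bounded memory beats an unbounded tree */
}

/* Simulate a scanner presenting n distinct sources within one second
 * (constructed input: 10.0.0.1, 10.0.0.2, ...). Returns how many were
 * refused by the cap; with an unbounded table this would always be 0. */
unsigned simulate_scan(unsigned n, uint32_t now, uint32_t timeout)
{
    struct sticky_table t;
    unsigned refused = 0;
    sticky_init(&t);
    for (unsigned k = 1; k <= n; k++)
        if (sticky_add(&t, 0x0a000000u + k, now, timeout) == STICKY_FULL)
            refused++;
    return refused;
}

int main(void)
{
    printf("refused %u of 10 sources at capacity %d\n",
           simulate_scan(10, 100, 30), STICKY_CAPACITY);
    return 0;
}
```

The design point is that the bound is enforced at insert time and the reclaim policy is explicit: a refused insert means one more scanner source goes un-dropped for a while, which is a much smaller failure than the sensor itself running out of memory or crashing and, for an inline device, taking the link with it.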
From: Victor J. <li...@in...> - 2007-10-16 21:11:35

Where did you install the libnetfilter_queue library? If you didn't install it in /usr, please try that...

Cheers,
Victor

ch...@os... wrote:
> Yeah , Can you help me ?
>
>> do you even need multiple queue support?
>>
>> On 10/16/07, ch...@os... <ch...@os...> wrote:
>>> I encountered such a problem when i configure snort_inline-2.6.1.5 with
>>> "--enable-nfnetlink" option, description of the issue as follows:
>>> [...]
>>> checking for nfqnl_open in -lnetfilter_queue... no
>>> checking for nfq_set_queue_maxlen in -lnetfilter_queue... no
>>> [...]
>>> I am using libnetfilter_queue-0.0.12 and libnfnetlink-0.0.16 , The
>>> installation process both are "./configure && make && make install"
>>> [...]
From: <ch...@os...> - 2007-10-16 15:55:15

Yeah, can you help me?

> do you even need multiple queue support?
>
> On 10/16/07, ch...@os... <ch...@os...> wrote:
>> I encountered such a problem when i configure snort_inline-2.6.1.5 with
>> "--enable-nfnetlink" option, description of the issue as follows:
>> [...]
From: Will M. <wil...@gm...> - 2007-10-16 13:35:24

Do you even need multiple queue support?

On 10/16/07, ch...@os... <ch...@os...> wrote:
> I encountered such a problem when i configure snort_inline-2.6.1.5 with
> "--enable-nfnetlink" option, description of the issue as follows:
> [...]
From: <ch...@os...> - 2007-10-16 13:20:46

I encountered such a problem when I configure snort_inline-2.6.1.5 with the "--enable-nfnetlink" option; a description of the issue follows:

--------------------------------------
.......................
checking linux/netfilter/nfnetlink_queue.h usability... no
checking linux/netfilter/nfnetlink_queue.h presence... yes
configure: WARNING: linux/netfilter/nfnetlink_queue.h: present but cannot be compiled
configure: WARNING: linux/netfilter/nfnetlink_queue.h: check for missing prerequisite headers?
configure: WARNING: linux/netfilter/nfnetlink_queue.h: see the Autoconf documentation
configure: WARNING: linux/netfilter/nfnetlink_queue.h: section "Present But Cannot Be Compiled"
configure: WARNING: linux/netfilter/nfnetlink_queue.h: proceeding with the preprocessor's result
configure: WARNING: linux/netfilter/nfnetlink_queue.h: in the future, the compiler will take precedence
configure: WARNING: ## ------------------------------------------ ##
configure: WARNING: ## Report this to the AC_PACKAGE_NAME lists. ##
configure: WARNING: ## ------------------------------------------ ##
checking for linux/netfilter/nfnetlink_queue.h... yes
checking libnetfilter_queue/libnetfilter_queue.h usability... yes
checking libnetfilter_queue/libnetfilter_queue.h presence... yes
checking for libnetfilter_queue/libnetfilter_queue.h... yes
checking for nfqnl_open in -lnetfilter_queue... no
checking for nfq_set_queue_maxlen in -lnetfilter_queue... no
.................................
---------------------------------------------------------------------

I am using libnetfilter_queue-0.0.12 and libnfnetlink-0.0.16; the installation process for both was "./configure && make && make install". I did not have to recompile the kernel, because I see that the kernel already supports the nfnetlink_queue feature (in /boot/config-2.6.20-15: CONFIG_NETFILTER_NETLINK_QUEUE=m).

What is wrong with my installation, and how can I debug it?
I think my previous question (Segmentation fault and snort_inline stop when using nmap) may be related to this issue.

Best Regards

ChunXin
From: Victor J. <li...@in...> - 2007-10-16 08:18:31

ChunXin wrote:
> I scan my web server with "nmap -sS -O -P0 192.168.1.20",
>
> When i disable stickydrop and stickydrop-timeouts feature there will be
> no problem
> but i would like to use sticky function !
> How to do that?

Can you produce a gdb backtrace output? To do so, please make sure core dumps are enabled:

ulimit -c unlimited

Next, when you have a core file, run:

gdb /path/to/your/snort_inline /path/to/the/core

Then type 'bt', press enter, and copy and paste the entire output.

Thanks!
Victor
From: ChunXin <ch...@os...> - 2007-10-16 07:29:12
|
I scan my web server with "nmap -sS -O -P0 192.168.1.20".
When I disable the stickydrop and stickydrop-timeouts feature there will be no problem, but I would like to use the sticky function! How to do that?

Will Metcalf wrote:
> how are you running your nmap scan? I can't seem to reproduce your issue...
>
> Regards,
>
> Will
>
> On 10/15/07, ChunXin <ch...@os...> wrote:
>
>> I tried this method: iptables -A FORWARD -j NFQUEUE && snort_inline -Q -c
>> snort_inline.conf
>> but the problem still exists
>> :( Are there other good suggestions? Thanks a lot!
>>
>> ChunXin
>>
>> sno...@li... wrote:
>> Send Snort-inline-users mailing list submissions to
>> sno...@li...
>>
>> To subscribe or unsubscribe via the World Wide Web, visit
>> https://lists.sourceforge.net/lists/listinfo/snort-inline-users
>> or, via email, send a message with subject or body 'help' to
>> sno...@li...
>>
>> You can reach the person managing the list at
>> sno...@li...
>>
>> When replying, please edit your Subject line so it is more specific
>> than "Re: Contents of Snort-inline-users digest..."
>>
>>
>> Today's Topics:
>>
>>    1. Re: snort_inline-2.6.1.5 problems, please help me ! (Victor Julien)
>>    2. snort_inline-2.6.1.5 problems, please help me ! (ChunXin)
>>    3. Re: [Snort-inline-users] snort_inline-2.6.1.5 problems, please help me ! (Victor Julien)
>>
>>
>> ----------------------------------------------------------------------
>>
>> Message: 1
>> Date: Fri, 12 Oct 2007 10:16:13 +0200
>> From: Victor Julien <li...@in...>
>> Subject: Re: [Snort-inline-users] snort_inline-2.6.1.5 problems, please help me !
>> To: sno...@li...
>> Message-ID: <470...@in...>
>> Content-Type: text/plain; charset=UTF-8
>>
>> Hi
>>
>> I see you are both using ip_queue
>>
>> > 2, And i started my snort_inline by this way : "iptables -A FORWARD -j
>> > QUEUE && snort_inline -Q -c snort_inline.conf ",
>>
>> and compiling for nfqueue.
>>
>> > --enable-react --enable-nfnetlink --enable-clamav
>>
>> I have no idea what the results of this are. So please try removing
>> '--enable-nfnetlink' or use 'iptables -A FORWARD -j NFQUEUE' and try
>> again...
>>
>> Cheers,
>> Victor
>>
>>
>>
>> ------------------------------
>>
>> Message: 2
>> Date: Mon, 15 Oct 2007 19:35:43 +0800
>> From: ChunXin <ch...@os...>
>> Subject: [Snort-inline-users] snort_inline-2.6.1.5 problems, please help me !
>> To: sno...@li..., wil...@gm...
>> Message-ID: <471...@os...>
>> Content-Type: text/plain; charset="gb2312"
>>
>> I am using snort_inline-2.6.1.5, but I encountered many problems.
>>
>> 1, my network topology is as follows:
>>
>> {Client (192.168.9.2) nmap}<--->{ snort_inline-2.6.1.5 }<--->{ Server 192.168.1.2 (web) }
>>
>> 2, And I started my snort_inline this way: "iptables -A FORWARD -j QUEUE && snort_inline -Q -c snort_inline.conf",
>> When I use nmap to scan the web server, snort_inline always stops and the screen shows "Segmentation fault".
>>
>> I used "strace" to check its running status (strace -f -p 5668, 5668 is the pid of snort_inline); when snort_inline stopped, the screen showed:
>> --------------------------------------------------------------------------------------------------
>> gettimeofday({1192126318, 360095}, NULL) = 0
>> write(5, "[**] [122:1:0] (portscan) TCP Po"..., 44) = 44
>> write(5, "10/12-02:11:58.360095 192.168.9."..., 49) = 49
>> write(5, "PROTO255 TTL:0 TOS:0x0 ID:0 IpLe"..., 51) = 51
>> write(5, "\n", 1) = 1
>> write(6, "10/12-02:11:58.360095 [**] [122"..., 105) = 105
>> write(3, "ng\16G\237~\5\0\256\0\0\0\256\0\0\0MACDADMACDAD\10\0E\0"..., 190) = 190
>> --- SIGSEGV (Segmentation fault) @ 0 (0) ---
>> -----------------------------------------------------------------------------------------------------
>>
>> I traced it several times; every time the information looks like this, and
>> the "(portscan)" word never changed!
>> Is it a bug of sfportscan!? Or have I not done it right?
>>
>>
>> 3, my snort_inline-2.6.1.5 configure options are as follows:
>> ./configure --prefix=/usr/local/snort_inline --enable-pthread
>> --enable-stream4udp --enable-dynamicplugin --enable-timestats
>> --enable-perfprofiling --enable-linux-smp-stats --enable-flexresp2
>> --enable-react --enable-nfnetlink --enable-clamav
>> --with-mysql=/usr/local/mysql
>> --with-libpcap-includes=/usr/local/libpcap/include
>> --with-libpcap-libraries=/usr/local/libpcap/lib
>> --with-clamav-includes=/usr/local/clamav/include
>> --with-clamav-defdir=/usr/local/clamav/share/clamav
>>
>> 4, and I want to know, what's the best kernel version for snort_inline-2.6.1.5?
>>
>>
>> my snort_inline.conf is as follows:
>> -------------------------------------------------------------------
>>
>> ### Network variables
>> var HOME_NET any
>> var HONEYNET any
>> var EXTERNAL_NET any
>> var SMTP_SERVERS any
>> var TELNET_SERVERS any
>> var HTTP_SERVERS any
>> var SQL_SERVERS any
>> var DNS_SERVERS any
>>
>> # Ports you run web servers on
>> ## include somefile.rules
>> var HTTP_PORTS 80
>>
>> # Ports you want to look for SHELLCODE on.
>> var SHELLCODE_PORTS !80
>>
>> # Ports you do oracle attacks on
>> var ORACLE_PORTS 1521
>>
>> #ports you want to look for SSH on
>> var SSH_PORTS 22
>>
>> # AIM servers. AOL has a habit of adding new AIM servers, so instead of
>> # modifying the signatures when they do, we add them to this list of
>> # servers.
>> var AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
>>
>> ### As of snort_inline 2.2.0 we drop
>> ### packets with bad checksums. We can
>> config checksum_mode: all
>>
>> # Path to your rules files (this can be a relative path)
>> var RULE_PATH /usr/local/snort_inline/etc/snort_rules
>>
>> #
>> config layer2resets: 00:06:76:DD:5F:E3
>>
>> #
>> # Load all dynamic preprocessors from the install path
>> # (same as command line option --dynamic-preprocessor-lib-dir)
>> #
>> dynamicpreprocessor directory /usr/local/snort_inline/lib/snort_dynamicpreprocessor/
>> #
>> # Load a dynamic engine from the install path
>> # (same as command line option --dynamic-engine-lib)
>> #
>> dynamicengine /usr/local/snort_inline/lib/snort_dynamicengine/libsf_engine.so
>> # dynamicdetection file /usr/local/lib/snort_dynamicrule/libdynamicexamplerule.so
>> #
>>
>> ### Preprocessors
>> #
>> # The third line tells which sources to never drop, it is very, very
>> # important to add your home net
>> # and your dns servers to this list.
>> #
>> #example:
>> preprocessor stickydrop: max_entries 3000,log
>> preprocessor stickydrop-timeouts: sfportscan 3000 , clamav 3000
>> #preprocessor stickydrop-ignorehosts: 192.168.0.0/24 192.168.1.12 192.168.1.13
>> # and your dns servers to this list.
>> #
>> #example:
>> #preprocessor bait-and-switch: max_entries 200,log,insert_before
>> #preprocessor bait-and-switch-ignorehosts: 192.168.1.0/24
>>
>> # Done by IPTables. Iptables assembles fragments when we use connection
>> # tracking; therefore, we don't have to use frag2
>> # preprocessor frag2
>>
>> preprocessor flow: stats_interval 0 hash 2
>> preprocessor frag3_global: max_frags 655360
>> #preprocessor frag3_global: max_frags 65536
>> preprocessor frag3_engine: policy first detect_anomalies
>> #
>>
>> #Stream4 with inline support example
>>
>> preprocessor stream4: disable_evasion_alerts,stream4inline,enforce_state,midstream_drop_alerts
>> #preprocessor stream4: disable_evasion_alerts,stream4inline,enforce_state,midstream_drop_alerts, max_sessions 32768, memcap 36700160
>> #
>> #preprocessor stream4: disable_evasion_alerts, \
>> #                      stream4inline, \
>> #                      enforce_state drop, \
>> #                      memcap 134217728, \
>> #                      timeout 3600, \
>> #                      truncate, \
>> #                      window_size 3000
>>
>> #
>> #preprocessor stream4_reassemble: both, favor_new
>> preprocessor stream4_reassemble
>> #
>> # Example:
>> preprocessor clamav: ports all !22 !443, toclientonly, dbdir /usr/local/clamav/share/clamav, dbreload-time 43200
>> #
>> #clamav: ports all !22 !443, toclientonly, dbdir /usr/share/clamav, dbreload-time 43200
>>
>> preprocessor http_inspect: global \
>>     iis_unicode_map unicode.map 1252
>>
>> preprocessor http_inspect_server: server default \
>>     profile all ports { 80 8080 8180 } oversize_dir_length 500
>>
>> #    sizes exceed the current packet size
>> #    no_alert_incomplete - don't alert when a single segment
>> #    exceeds the current packet size
>>
>> preprocessor rpc_decode: 111 32771
>>
>> # SID     Event description
>> # -----   -------------------
>> #   1     Back Orifice traffic detected
>>
>> preprocessor bo
>>
>> # --dynamic-preprocessor-lib <full path to libsf_ftptelnet_preproc.so>
>>
>> preprocessor ftp_telnet: global \
>>    encrypted_traffic yes \
>>    inspection_type stateful
>>
>> preprocessor ftp_telnet_protocol: telnet \
>>    normalize \
>>    ayt_attack_thresh 200
>>
>> # Check nDTM commands that set modification time on the file.
>> preprocessor ftp_telnet_protocol: ftp server default \
>>    def_max_param_len 100 \
>>    alt_max_param_len 200 { CWD } \
>>    cmd_validity MODE < char ASBCZ > \
>>    cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \
>>    chk_str_fmt { USER PASS RNFR RNTO SITE MKD } \
>>    telnet_cmds yes \
>>    data_chan
>>
>> preprocessor ftp_telnet_protocol: ftp client default \
>>    max_resp_len 256 \
>>    bounce yes \
>>    telnet_cmds yes
>>
>> # --dynamic-preprocessor-lib <full path to libsf_smtp_preproc.so>
>>
>> preprocessor smtp: \
>>   ports { 25 } \
>>   inspection_type stateful \
>>   normalize cmds \
>>   normalize_cmds { EXPN VRFY RCPT } \
>>   alt_max_command_line_len 260 { MAIL } \
>>   alt_max_command_line_len 300 { RCPT } \
>>   alt_max_command_line_len 500 { HELP HELO ETRN } \
>>   alt_max_command_line_len 255 { EXPN VRFY }
>>
>>
>> #
>> preprocessor sfportscan: proto { all } \
>>                          memcap { 10000000 } \
>>                          sense_level { low }
>>
>> # --dynamic-preprocessor-lib <full path to libsf_dcerpc_preproc.so>
>>
>> preprocessor dcerpc: \
>>     autodetect \
>>     max_frag_size 3000 \
>>     memcap 100000
>>
>> # --dynamic-preprocessor-lib <full path to libsf_dns_preproc.so>
>>
>> preprocessor dns: \
>>     ports { 53 } \
>>     enable_rdata_overflow
>>
>>
>> ### Logging alerts of outbound attacks
>> output alert_full: snort_inline-full
>> output alert_fast: snort_inline-fast
>>
>> ### If you want to log the contents of the dropped packets, remove comment
>> #output log_tcpdump: tcpdump.log
>>
>> # Include classification & priority settings
>> include $RULE_PATH/classification.config
>> include $RULE_PATH/reference.config
>>
>> ### The Drop Rules
>> # Enabled
>> include $RULE_PATH/exploit.rules
>> include $RULE_PATH/finger.rules
>> include $RULE_PATH/ftp.rules
>> include $RULE_PATH/telnet.rules
>> include $RULE_PATH/rpc.rules
>> include $RULE_PATH/rservices.rules
>> include $RULE_PATH/dos.rules
>> include $RULE_PATH/ddos.rules
>> include $RULE_PATH/dns.rules
>> include $RULE_PATH/tftp.rules
>> include $RULE_PATH/web-cgi.rules
>> include $RULE_PATH/web-coldfusion.rules
>> include $RULE_PATH/web-iis.rules
>> include $RULE_PATH/web-frontpage.rules
>> include $RULE_PATH/web-misc.rules
>> #include $RULE_PATH/web-client.rules
>> include $RULE_PATH/web-php.rules
>> include $RULE_PATH/sql.rules
>> include $RULE_PATH/x11.rules
>> include $RULE_PATH/icmp.rules
>> include $RULE_PATH/netbios.rules
>> include $RULE_PATH/oracle.rules
>> include $RULE_PATH/mysql.rules
>> include $RULE_PATH/snmp.rules
>> include $RULE_PATH/smtp.rules
>> include $RULE_PATH/imap.rules
>> include $RULE_PATH/pop3.rules
>> include $RULE_PATH/pop2.rules
>> include $RULE_PATH/web-attacks.rules
>> include $RULE_PATH/virus.rules
>> include $RULE_PATH/nntp.rules
>> -------------------------------------------------------------------
>>
>> Best Regards
>>
>> ChunXin
>>
>> -------------- next part --------------
>> An HTML attachment was scrubbed...
>>
>> ------------------------------
>>
>> Message: 3
>> Date: Mon, 15 Oct 2007 14:11:44 +0200
>> From: Victor Julien <li...@in...>
>> Subject: [Snort-inline-users] Re: [Snort-inline-users] snort_inline-2.6.1.5 problems, please help me !
>> To: sno...@li...
>> Message-ID: <471...@in...>
>> Content-Type: text/plain; charset=GB2312
>>
>> Instead of resending your mail, why don't you try my suggestion from a
>> few days ago and report back on it?
>>
>> ChunXin wrote:
>> [...]
>>
>> ------------------------------------------------------------------------
>> Snort-inline-users mailing list
>> Sno...@li...
>> https://lists.sourceforge.net/lists/listinfo/snort-inline-users
>>
>>
>> End of Snort-inline-users Digest, Vol 16, Issue 4
>> *************************************************
>>
|
From: ChunXin <ch...@os...> - 2007-10-16 07:23:22
|
When I disable stickydrop and stickydrop-timeouts feature , there will be no problem , But I would like to use this sticky function ! How to do that? Will Metcalf 写道: > how are you running your nmap scan? I can't seem to reproduce your issue... > > Regards, > > Will > > On 10/15/07, ChunXin <ch...@os...> wrote: > >> I tried this method $B!'(B iptables -A FORWARD -j NFQUEUE && sonrt_inline -Q -c >> snort_inline.conf >> but the problem still exists >> : ( There are other good suggestions? Thanks a lot ! >> >> ChunXin >> >> sno...@li... $B<LF;(B: >> Send Snort-inline-users mailing list submissions to >> sno...@li... >> >> To subscribe or unsubscribe via the World Wide Web, visit >> https://lists.sourceforge.net/lists/listinfo/snort-inline-users >> or, via email, send a message with subject or body 'help' to >> sno...@li... >> >> You can reach the person managing the list at >> sno...@li... >> >> When replying, please edit your Subject line so it is more specific >> than "Re: Contents of Snort-inline-users digest..." >> >> >> Today's Topics: >> >> 1. Re: snort_inline-2.6.1.5 problems ?please help me ! >> (Victor Julien) >> 2. snort_inline-2.6.1.5 problems >> =?GB2312?B?o6xwbGVhc2UgaGVscCBtZSAh?= (ChunXin) >> 3. >> =?GB2312?B?UmU6IFtTbm9ydC1pbmxpbmUtdXNlcnNdIHNub3J0X2lubGluZS0yLg==?= >> =?GB2312?B?Ni4xLjUgcHJvYmxlbXMgo6xwbGVhc2UgaGVscCBtZSAh?= >> (Victor Julien) >> >> >> ---------------------------------------------------------------------- >> >> Message: 1 >> Date: Fri, 12 Oct 2007 10:16:13 +0200 >> From: Victor Julien <li...@in...> >> Subject: Re: [Snort-inline-users] snort_inline-2.6.1.5 problems >> ?please help me ! >> To: sno...@li... >> Message-ID: <470...@in...> >> Content-Type: text/plain; charset=UTF-8 >> >> Hi >> >> I see you are both using ip_queue >> >> >> 2, And i started my snort_inline by this way : "iptables -A FORWARD -j >> QUEUE && sonrt_inline -Q -c snort_inline.conf ", >> >> >> >> and compiling for nfqueue. 
>> >> >> >> --enable-react --enable-nfnetlink --enable-clamav >> >> >> I have no idea what the results of this are. So please try removing >> '--enable-nfnetlink' or use 'iptables -A FORWARD -j NFQUEUE' and try >> again... >> >> Cheers, >> Victor >> >> >> >> ------------------------------ >> >> Message: 2 >> Date: Mon, 15 Oct 2007 19:35:43 +0800 >> From: ChunXin <ch...@os...> >> Subject: [Snort-inline-users] snort_inline-2.6.1.5 problems >> =?GB2312?B?o6xwbGVhc2UgaGVscCBtZSAh?= >> To: sno...@li..., >> wil...@gm... >> Message-ID: <471...@os...> >> Content-Type: text/plain; charset="gb2312" >> >> I am using snort_inline-2.6.1.5??but I encountered many problems >> >> 1, my network topological graph as follow : >> >> >> {Client (192.168.9.2) nmap}<--->{ snort_inline-2.6.1.5 }<--->{ Server >> 192.168.1.2 (web) } >> >> >> 2, And i started my snort_inline by this way : "iptables -A FORWARD -j >> QUEUE && sonrt_inline -Q -c snort_inline.conf ", >> When I use nmap scan web server , The snort_inline always stop and on >> the screen showed "Segmentation fault" >> >> I use "strace" check his running status (strace -f -p 5668 ,5668 is pid >> of snort_inline), when snort_inline stoped,the screen >> showed : >> -------------------------------------------------------------------------------------------------- >> gettimeofday({1192126318, 360095}, NULL) = 0 >> write(5, "[**] [122:1:0] (portscan) TCP Po"..., 44) = 44 >> write(5, "10/12-02:11:58.360095 192.168.9."..., 49) = 49 >> write(5, "PROTO255 TTL:0 TOS:0x0 ID:0 IpLe"..., 51) = 51 >> write(5, "\n", 1) = 1 >> write(6, "10/12-02:11:58.360095 [**] [122"..., 105) = 105 >> write(3, >> "ng\16G\237~\5\0\256\0\0\0\256\0\0\0MACDADMACDAD\10\0E\0"..., >> 190) = 190 >> --- SIGSEGV (Segmentation fault) @ 0 (0) --- >> >> ----------------------------------------------------------------------------------------------------- >> >> I tracked several times ??every time that like this information , and >> the "(portscan)" word never changed! 
>> It's a bug of sfportscan !? or I have not done right? >> >> >> 3, my snort_inline-2.6.1.5 configure options as follow : >> ./configure --prefix=/usr/local/snort_inline >> --enable-pthread >> --enable-stream4udp --enable-dynamicplugin --enable-timestats >> --enable-perfprofiling --enable-linux-smp-stats --enable-flexresp2 >> --enable-react --enable-nfnetlink --enable-clamav >> --with-mysql=/usr/local/mysql >> --with-libpcap-includes=/usr/local/libpcap/include >> --with-libpcap-libraries=/usr/local/libpcap/lib >> --with-clamav-includes=/usr/local/clamav/include >> --with-clamav-defdir=/usr/local/clamav/share/clamav >> >> 4 , and i wanna know ,what's the best kernel version for >> snort_inline-2.6.1.5 ? >> >> >> >> >> my snort_inline.conf as follow : >> ------------------------------------------------------------------- >> >> ### Network variables >> var HOME_NET any >> var HONEYNET any >> var EXTERNAL_NET any >> var SMTP_SERVERS any >> var TELNET_SERVERS any >> var HTTP_SERVERS any >> var SQL_SERVERS any >> var DNS_SERVERS any >> >> # Ports you run web servers on >> ## include somefile.rules >> var HTTP_PORTS 80 >> >> # Ports you want to look for SHELLCODE on. >> var SHELLCODE_PORTS !80 >> >> # Ports you do oracle attacks on >> var ORACLE_PORTS 1521 >> >> #ports you want to look for SSH on >> var SSH_PORTS 22 >> >> # AIM servers. AOL has a habit of adding new AIM servers, so instead of >> # modifying the signatures when they do, we add them to this list of >> servers. >> var AIM_SERVERS >> [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24] >> >> ### As of snort_inline 2.2.0 we drop >> ### packets with bad checksums. 
We can >> config checksum_mode: all >> >> # Path to your rules files (this can be a relative path) >> var RULE_PATH /usr/local/snort_inline/etc/snort_rules >> >> # >> config layer2resets: 00:06:76:DD:5F:E3 >> >> # >> # Load all dynamic preprocessors from the install path >> # (same as command line option --dynamic-preprocessor-lib-dir) >> # >> dynamicpreprocessor directory >> /usr/local/snort_inline/lib/snort_dynamicpreprocessor/ >> # >> # Load a dynamic engine from the install path >> # (same as command line option --dynamic-engine-lib) >> # >> dynamicengine >> /usr/local/snort_inline/lib/snort_dynamicengine/libsf_engine.so >> # dynamicdetection file >> /usr/local/lib/snort_dynamicrule/libdynamicexamplerule.so >> # >> >> ### Preprocessors >> # >> # The third line tells which sources to never drop, it is very, very >> important to add your home net >> # and you dns servers to this list. >> # >> #example: >> preprocessor stickydrop: max_entries 3000,log >> preprocessor stickydrop-timeouts: sfportscan 3000 , clamav 3000 >> #preprocessor stickydrop-ignorehosts: 192.168.0.0/24 192.168.1.12 >> 192.168.1.13 >> # and you dns servers to this list. >> # >> #example: >> #preprocessor bait-and-switch: max_entries 200,log,insert_before >> #preprocessor bait-and-switch-ignorehosts: 192.168.1.0/24 >> >> # Done by IPTables. 
Iptables assembles fragments when we use connection >> # tracking; therefore, we don't have to use frag2 >> # preprocessor frag2 >> >> preprocessor flow: stats_interval 0 hash 2 >> preprocessor frag3_global: max_frags 655360 >> #preprocessor frag3_global: max_frags 65536 >> preprocessor frag3_engine: policy first detect_anomalies >> # >> >> #Stream4 with inline support example >> >> >> preprocessor stream4: >> disable_evasion_alerts,stream4inline,enforce_state,midstream_drop_alerts >> #preprocessor stream4: >> disable_evasion_alerts,stream4inline,enforce_state,midstream_drop_alerts >> , max_sessions 32768, memcap 36700160 >> # >> #preprocessor stream4: disable_evasion_alerts, \ >> # stream4inline, \ >> # enforce_state drop, \ >> # memcap 134217728, \ >> # timeout 3600, \ >> # truncate, \ >> # window_size 3000 >> >> # >> #preprocessor stream4_reassemble: both, favor_new >> preprocessor stream4_reassemble >> # >> # Example: >> preprocessor clamav: ports all !22 !443, toclientonly, dbdir >> /usr/local/clamav/share/clamav, dbreload-time 43200 >> # >> #clamav: ports all !22 !443, toclientonly, dbdir /usr/share/clamav, >> dbreload-time 43200 >> >> preprocessor http_inspect: global \ >> iis_unicode_map unicode.map 1252 >> >> preprocessor http_inspect_server: server default \ >> profile all ports { 80 8080 8180 } oversize_dir_length 500 >> >> # sizes exceed the current packet size >> # no_alert_incomplete - don't alert when a single segment >> # exceeds the current packet size >> >> preprocessor rpc_decode: 111 32771 >> >> # SID Event description >> # ----- ------------------- >> # 1 Back Orifice traffic detected >> >> preprocessor bo >> >> # --dynamic-preprocessor-lib <full path to libsf_ftptelnet_preproc.so> >> >> preprocessor ftp_telnet: global \ >> encrypted_traffic yes \ >> inspection_type stateful >> >> preprocessor ftp_telnet_protocol: telnet \ >> normalize \ >> ayt_attack_thresh 200 >> >> # Check nDTM commands that set modification time on the file. 
>> preprocessor ftp_telnet_protocol: ftp server default \ >> def_max_param_len 100 \ >> alt_max_param_len 200 { CWD } \ >> cmd_validity MODE < char ASBCZ > \ >> cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \ >> chk_str_fmt { USER PASS RNFR RNTO SITE MKD } \ >> telnet_cmds yes \ >> data_chan >> >> preprocessor ftp_telnet_protocol: ftp client default \ >> max_resp_len 256 \ >> bounce yes \ >> telnet_cmds yes >> >> # --dynamic-preprocessor-lib <full path to libsf_smtp_preproc.so> >> >> preprocessor smtp: \ >> ports { 25 } \ >> inspection_type stateful \ >> normalize cmds \ >> normalize_cmds { EXPN VRFY RCPT } \ >> alt_max_command_line_len 260 { MAIL } \ >> alt_max_command_line_len 300 { RCPT } \ >> alt_max_command_line_len 500 { HELP HELO ETRN } \ >> alt_max_command_line_len 255 { EXPN VRFY } >> >> >> # >> preprocessor sfportscan: proto { all } \ >> memcap { 10000000 } \ >> sense_level { low } >> >> # --dynamic-preprocessor-lib <full path to libsf_dcerpc_preproc.so> >> >> preprocessor dcerpc: \ >> autodetect \ >> max_frag_size 3000 \ >> memcap 100000 >> >> # --dynamic-preprocessor-lib <full path to libsf_dns_preproc.so> >> >> preprocessor dns: \ >> ports { 53 } \ >> enable_rdata_overflow >> >> >> ### Logging alerts of outbound attacks >> output alert_full: snort_inline-full >> output alert_fast: snort_inline-fast >> >> ### If you want to log the contents of the dropped packets, remove comment >> #output log_tcpdump: tcpdump.log >> >> # Include classification & priority settings >> include $RULE_PATH/classification.config >> include $RULE_PATH/reference.config >> >> ### The Drop Rules >> # Enabled >> include $RULE_PATH/exploit.rules >> include $RULE_PATH/finger.rules >> include $RULE_PATH/ftp.rules >> include $RULE_PATH/telnet.rules >> include $RULE_PATH/rpc.rules >> include $RULE_PATH/rservices.rules >> include $RULE_PATH/dos.rules >> include $RULE_PATH/ddos.rules >> include $RULE_PATH/dns.rules >> include $RULE_PATH/tftp.rules >> include 
$RULE_PATH/web-cgi.rules >> include $RULE_PATH/web-coldfusion.rules >> include $RULE_PATH/web-iis.rules >> include $RULE_PATH/web-frontpage.rules >> include $RULE_PATH/web-misc.rules >> #include $RULE_PATH/web-client.rules >> include $RULE_PATH/web-php.rules >> include $RULE_PATH/sql.rules >> include $RULE_PATH/x11.rules >> include $RULE_PATH/icmp.rules >> include $RULE_PATH/netbios.rules >> include $RULE_PATH/oracle.rules >> include $RULE_PATH/mysql.rules >> include $RULE_PATH/snmp.rules >> include $RULE_PATH/smtp.rules >> include $RULE_PATH/imap.rules >> include $RULE_PATH/pop3.rules >> include $RULE_PATH/pop2.rules >> include $RULE_PATH/web-attacks.rules >> include $RULE_PATH/virus.rules >> include $RULE_PATH/nntp.rules >> ------------------------------------------------------------------- >> >> Best Regards >> >> ChunXin >> >> -------------- next part -------------- >> An HTML attachment was scrubbed... >> >> ------------------------------ >> >> Message: 3 >> Date: Mon, 15 Oct 2007 14:11:44 +0200 >> From: Victor Julien <li...@in...> >> Subject: [Snort-inline-users] >> =?GB2312?B?UmU6IFtTbm9ydC1pbmxpbmUtdXNlcnNdIHNub3J0X2lubGluZS0yLg==?= >> =?GB2312?B?Ni4xLjUgcHJvYmxlbXMgo6xwbGVhc2UgaGVscCBtZSAh?= >> To: sno...@li... >> Message-ID: <471...@in...> >> Content-Type: text/plain; charset=GB2312 >> >> Instead of resending your mail, why don't you try my suggestion from a >> few days ago and report back on it? 
|
From: ChunXin <ch...@os...> - 2007-10-16 01:09:13
|
I scan my web server with "nmap -sS -O -P0 192.168.1.20".

Will Metcalf wrote:
> how are you running your nmap scan? I can't seem to reproduce your issue...
>
> Regards,
>
> Will
>
> On 10/15/07, ChunXin <ch...@os...> wrote:
>
>> I tried this method: iptables -A FORWARD -j NFQUEUE && snort_inline -Q -c
>> snort_inline.conf
>> but the problem still exists
>> :( Are there other good suggestions? Thanks a lot!
>>
>> ChunXin
>>
>> sno...@li... wrote:
>>
>> ----------------------------------------------------------------------
>>
>> Message: 1
>> Date: Fri, 12 Oct 2007 10:16:13 +0200
>> From: Victor Julien <li...@in...>
>> Subject: Re: [Snort-inline-users] snort_inline-2.6.1.5 problems, please help me !
>> To: sno...@li...
>> Message-ID: <470...@in...>
>> Content-Type: text/plain; charset=UTF-8
>>
>> Hi
>>
>> I see you are both using ip_queue
>>
>>> 2, And i started my snort_inline by this way : "iptables -A FORWARD -j
>>> QUEUE && snort_inline -Q -c snort_inline.conf ",
>>
>> and compiling for nfqueue.
>>
>>> --enable-react --enable-nfnetlink --enable-clamav
>>
>> I have no idea what the results of this are.
>> So please try removing
>> '--enable-nfnetlink' or use 'iptables -A FORWARD -j NFQUEUE' and try
>> again...
>>
>> Cheers,
>> Victor
>>
>> ------------------------------
>>
>> Message: 2
>> Date: Mon, 15 Oct 2007 19:35:43 +0800
>> From: ChunXin <ch...@os...>
>> Subject: [Snort-inline-users] snort_inline-2.6.1.5 problems, please help me !
>> To: sno...@li..., wil...@gm...
>> Message-ID: <471...@os...>
>> Content-Type: text/plain; charset="gb2312"
>>
>> I am using snort_inline-2.6.1.5, but I have encountered many problems.
>>
>> 1. My network topology is as follows:
>>
>> {Client (192.168.9.2) nmap}<--->{ snort_inline-2.6.1.5 }<--->{ Server 192.168.1.2 (web) }
>>
>> 2. And I started my snort_inline this way: "iptables -A FORWARD -j
>> QUEUE && snort_inline -Q -c snort_inline.conf ".
>> When I use nmap to scan the web server, snort_inline always stops and the
>> screen shows "Segmentation fault".
>>
>> I used strace to check its running status (strace -f -p 5668; 5668 is the pid
>> of snort_inline). When snort_inline stopped, the screen showed:
>> --------------------------------------------------------------------------------------------------
>> gettimeofday({1192126318, 360095}, NULL) = 0
>> write(5, "[**] [122:1:0] (portscan) TCP Po"..., 44) = 44
>> write(5, "10/12-02:11:58.360095 192.168.9."..., 49) = 49
>> write(5, "PROTO255 TTL:0 TOS:0x0 ID:0 IpLe"..., 51) = 51
>> write(5, "\n", 1) = 1
>> write(6, "10/12-02:11:58.360095 [**] [122"..., 105) = 105
>> write(3, "ng\16G\237~\5\0\256\0\0\0\256\0\0\0MACDADMACDAD\10\0E\0"..., 190) = 190
>> --- SIGSEGV (Segmentation fault) @ 0 (0) ---
>> -----------------------------------------------------------------------------------------------------
>>
>> I traced it several times, and every time the information was like this, and
>> the "(portscan)" word never changed!
>> Is it a bug in sfportscan, or have I not done it right?
>>
>> 3. My snort_inline-2.6.1.5 configure options are as follows:
>> ./configure --prefix=/usr/local/snort_inline \
>>   --enable-pthread \
>>   --enable-stream4udp --enable-dynamicplugin --enable-timestats \
>>   --enable-perfprofiling --enable-linux-smp-stats --enable-flexresp2 \
>>   --enable-react --enable-nfnetlink --enable-clamav \
>>   --with-mysql=/usr/local/mysql \
>>   --with-libpcap-includes=/usr/local/libpcap/include \
>>   --with-libpcap-libraries=/usr/local/libpcap/lib \
>>   --with-clamav-includes=/usr/local/clamav/include \
>>   --with-clamav-defdir=/usr/local/clamav/share/clamav
>>
>> 4. And I want to know, what is the best kernel version for
>> snort_inline-2.6.1.5?
>>
>> My snort_inline.conf is as follows:
>> -------------------------------------------------------------------
>>
>> ### Network variables
>> var HOME_NET any
>> var HONEYNET any
>> var EXTERNAL_NET any
>> var SMTP_SERVERS any
>> var TELNET_SERVERS any
>> var HTTP_SERVERS any
>> var SQL_SERVERS any
>> var DNS_SERVERS any
>>
>> # Ports you run web servers on
>> ## include somefile.rules
>> var HTTP_PORTS 80
>>
>> # Ports you want to look for SHELLCODE on.
>> var SHELLCODE_PORTS !80
>>
>> # Ports you do oracle attacks on
>> var ORACLE_PORTS 1521
>>
>> #ports you want to look for SSH on
>> var SSH_PORTS 22
>>
>> # AIM servers. AOL has a habit of adding new AIM servers, so instead of
>> # modifying the signatures when they do, we add them to this list of
>> # servers.
>> var AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
>>
>> ### As of snort_inline 2.2.0 we drop
>> ### packets with bad checksums. We can
>> config checksum_mode: all
>>
>> # Path to your rules files (this can be a relative path)
>> var RULE_PATH /usr/local/snort_inline/etc/snort_rules
>>
>> #
>> config layer2resets: 00:06:76:DD:5F:E3
>>
>> #
>> # Load all dynamic preprocessors from the install path
>> # (same as command line option --dynamic-preprocessor-lib-dir)
>> #
>> dynamicpreprocessor directory /usr/local/snort_inline/lib/snort_dynamicpreprocessor/
>> #
>> # Load a dynamic engine from the install path
>> # (same as command line option --dynamic-engine-lib)
>> #
>> dynamicengine /usr/local/snort_inline/lib/snort_dynamicengine/libsf_engine.so
>> # dynamicdetection file /usr/local/lib/snort_dynamicrule/libdynamicexamplerule.so
>> #
>>
>> ### Preprocessors
>> #
>> # The third line tells which sources to never drop, it is very, very
>> # important to add your home net
>> # and you dns servers to this list.
>> #
>> #example:
>> preprocessor stickydrop: max_entries 3000,log
>> preprocessor stickydrop-timeouts: sfportscan 3000 , clamav 3000
>> #preprocessor stickydrop-ignorehosts: 192.168.0.0/24 192.168.1.12 192.168.1.13
>> # and you dns servers to this list.
>> #
>> #example:
>> #preprocessor bait-and-switch: max_entries 200,log,insert_before
>> #preprocessor bait-and-switch-ignorehosts: 192.168.1.0/24
>>
>> # Done by IPTables. Iptables assembles fragments when we use connection
>> # tracking; therefore, we don't have to use frag2
>> # preprocessor frag2
>>
>> preprocessor flow: stats_interval 0 hash 2
>> preprocessor frag3_global: max_frags 655360
>> #preprocessor frag3_global: max_frags 65536
>> preprocessor frag3_engine: policy first detect_anomalies
>> #
>>
>> #Stream4 with inline support example
>>
>> preprocessor stream4: disable_evasion_alerts,stream4inline,enforce_state,midstream_drop_alerts
>> #preprocessor stream4: disable_evasion_alerts,stream4inline,enforce_state,midstream_drop_alerts, max_sessions 32768, memcap 36700160
>> #
>> #preprocessor stream4: disable_evasion_alerts, \
>> #                      stream4inline, \
>> #                      enforce_state drop, \
>> #                      memcap 134217728, \
>> #                      timeout 3600, \
>> #                      truncate, \
>> #                      window_size 3000
>>
>> #
>> #preprocessor stream4_reassemble: both, favor_new
>> preprocessor stream4_reassemble
>> #
>> # Example:
>> preprocessor clamav: ports all !22 !443, toclientonly, dbdir /usr/local/clamav/share/clamav, dbreload-time 43200
>> #
>> #clamav: ports all !22 !443, toclientonly, dbdir /usr/share/clamav, dbreload-time 43200
>>
>> preprocessor http_inspect: global \
>>     iis_unicode_map unicode.map 1252
>>
>> preprocessor http_inspect_server: server default \
>>     profile all ports { 80 8080 8180 } oversize_dir_length 500
>>
>> # sizes exceed the current packet size
>> # no_alert_incomplete - don't alert when a single segment
>> # exceeds the current packet size
>>
>> preprocessor rpc_decode: 111 32771
>>
>> # SID Event description
>> # ----- -------------------
>> # 1 Back Orifice traffic detected
>>
>> preprocessor bo
>>
>> # --dynamic-preprocessor-lib <full path to libsf_ftptelnet_preproc.so>
>>
>> preprocessor ftp_telnet: global \
>>     encrypted_traffic yes \
>>     inspection_type stateful
>>
>> preprocessor ftp_telnet_protocol: telnet \
>>     normalize \
>>     ayt_attack_thresh 200
>>
>> # Check nDTM commands that set modification time on the file.
>> preprocessor ftp_telnet_protocol: ftp server default \
>>     def_max_param_len 100 \
>>     alt_max_param_len 200 { CWD } \
>>     cmd_validity MODE < char ASBCZ > \
>>     cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \
>>     chk_str_fmt { USER PASS RNFR RNTO SITE MKD } \
>>     telnet_cmds yes \
>>     data_chan
>>
>> preprocessor ftp_telnet_protocol: ftp client default \
>>     max_resp_len 256 \
>>     bounce yes \
>>     telnet_cmds yes
>>
>> # --dynamic-preprocessor-lib <full path to libsf_smtp_preproc.so>
>>
>> preprocessor smtp: \
>>     ports { 25 } \
>>     inspection_type stateful \
>>     normalize cmds \
>>     normalize_cmds { EXPN VRFY RCPT } \
>>     alt_max_command_line_len 260 { MAIL } \
>>     alt_max_command_line_len 300 { RCPT } \
>>     alt_max_command_line_len 500 { HELP HELO ETRN } \
>>     alt_max_command_line_len 255 { EXPN VRFY }
>>
>> #
>> preprocessor sfportscan: proto { all } \
>>     memcap { 10000000 } \
>>     sense_level { low }
>>
>> # --dynamic-preprocessor-lib <full path to libsf_dcerpc_preproc.so>
>>
>> preprocessor dcerpc: \
>>     autodetect \
>>     max_frag_size 3000 \
>>     memcap 100000
>>
>> # --dynamic-preprocessor-lib <full path to libsf_dns_preproc.so>
>>
>> preprocessor dns: \
>>     ports { 53 } \
>>     enable_rdata_overflow
>>
>> ### Logging alerts of outbound attacks
>> output alert_full: snort_inline-full
>> output alert_fast: snort_inline-fast
>>
>> ### If you want to log the contents of the dropped packets, remove comment
>> #output log_tcpdump: tcpdump.log
>>
>> # Include classification & priority settings
>> include $RULE_PATH/classification.config
>> include $RULE_PATH/reference.config
>>
>> ### The Drop Rules
>> # Enabled
>> include $RULE_PATH/exploit.rules
>> include $RULE_PATH/finger.rules
>> include $RULE_PATH/ftp.rules
>> include $RULE_PATH/telnet.rules
>> include $RULE_PATH/rpc.rules
>> include $RULE_PATH/rservices.rules
>> include $RULE_PATH/dos.rules
>> include $RULE_PATH/ddos.rules
>> include $RULE_PATH/dns.rules
>> include $RULE_PATH/tftp.rules
>> include $RULE_PATH/web-cgi.rules
>> include $RULE_PATH/web-coldfusion.rules
>> include $RULE_PATH/web-iis.rules
>> include $RULE_PATH/web-frontpage.rules
>> include $RULE_PATH/web-misc.rules
>> #include $RULE_PATH/web-client.rules
>> include $RULE_PATH/web-php.rules
>> include $RULE_PATH/sql.rules
>> include $RULE_PATH/x11.rules
>> include $RULE_PATH/icmp.rules
>> include $RULE_PATH/netbios.rules
>> include $RULE_PATH/oracle.rules
>> include $RULE_PATH/mysql.rules
>> include $RULE_PATH/snmp.rules
>> include $RULE_PATH/smtp.rules
>> include $RULE_PATH/imap.rules
>> include $RULE_PATH/pop3.rules
>> include $RULE_PATH/pop2.rules
>> include $RULE_PATH/web-attacks.rules
>> include $RULE_PATH/virus.rules
>> include $RULE_PATH/nntp.rules
>> -------------------------------------------------------------------
>>
>> Best Regards
>>
>> ChunXin
>>
>> ------------------------------
>>
>> Message: 3
>> Date: Mon, 15 Oct 2007 14:11:44 +0200
>> From: Victor Julien <li...@in...>
>> Subject: Re: [Snort-inline-users] snort_inline-2.6.1.5 problems, please help me !
>> To: sno...@li...
>> Message-ID: <471...@in...>
>> Content-Type: text/plain; charset=GB2312
>>
>> Instead of resending your mail, why don't you try my suggestion from a
>> few days ago and report back on it?
>>
>> End of Snort-inline-users Digest, Vol 16, Issue 4
>> *************************************************
|
From: Mike P. <mg...@us...> - 2007-10-15 17:41:38
I will be out of the office starting 10/15/2007 and will not return until 10/22/2007. I will respond to your message when I return.
From: Will M. <wil...@gm...> - 2007-10-15 16:18:04
how are you running your nmap scan? I can't seem to reproduce your issue...

Regards,
Will

On 10/15/07, ChunXin <ch...@os...> wrote:
>
> I tried this method: iptables -A FORWARD -j NFQUEUE && snort_inline -Q -c snort_inline.conf
> but the problem still exists :( Are there other good suggestions? Thanks a lot!
>
> ChunXin
>
> sno...@li... wrote:
> Send Snort-inline-users mailing list submissions to
>         sno...@li...
>
> To subscribe or unsubscribe via the World Wide Web, visit
>         https://lists.sourceforge.net/lists/listinfo/snort-inline-users
> or, via email, send a message with subject or body 'help' to
>         sno...@li...
>
> You can reach the person managing the list at
>         sno...@li...
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Snort-inline-users digest..."
>
>
> Today's Topics:
>
>    1. Re: snort_inline-2.6.1.5 problems, please help me! (Victor Julien)
>    2. snort_inline-2.6.1.5 problems, please help me! (ChunXin)
>    3. Re: [Snort-inline-users] snort_inline-2.6.1.5 problems, please help me! (Victor Julien)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Fri, 12 Oct 2007 10:16:13 +0200
> From: Victor Julien <li...@in...>
> Subject: Re: [Snort-inline-users] snort_inline-2.6.1.5 problems, please help me!
> To: sno...@li...
> Message-ID: <470...@in...>
> Content-Type: text/plain; charset=UTF-8
>
> Hi
>
> I see you are both using ip_queue
>
> > 2, And i started my snort_inline by this way : "iptables -A FORWARD -j
> > QUEUE && snort_inline -Q -c snort_inline.conf ",
>
> and compiling for nfqueue.
>
> > --enable-react --enable-nfnetlink --enable-clamav
>
> I have no idea what the results of this are. So please try removing
> '--enable-nfnetlink' or use 'iptables -A FORWARD -j NFQUEUE' and try
> again...
>
> Cheers,
> Victor
>
>
> ------------------------------
>
> Message: 2
> Date: Mon, 15 Oct 2007 19:35:43 +0800
> From: ChunXin <ch...@os...>
> Subject: [Snort-inline-users] snort_inline-2.6.1.5 problems, please help me!
> To: sno...@li..., wil...@gm...
> Message-ID: <471...@os...>
> Content-Type: text/plain; charset="gb2312"
>
> I am using snort_inline-2.6.1.5, but I encountered many problems.
>
> 1. My network topology is as follows:
>
>    {Client (192.168.9.2) nmap}<--->{ snort_inline-2.6.1.5 }<--->{ Server 192.168.1.2 (web) }
>
> 2. And I started my snort_inline this way: "iptables -A FORWARD -j QUEUE && snort_inline -Q -c snort_inline.conf".
>    When I use nmap to scan the web server, snort_inline always stops and the screen shows "Segmentation fault".
>
>    I used strace to check its running status (strace -f -p 5668; 5668 is the pid of snort_inline). When snort_inline stopped, the screen showed:
>    --------------------------------------------------------------------------------------------------
>    gettimeofday({1192126318, 360095}, NULL) = 0
>    write(5, "[**] [122:1:0] (portscan) TCP Po"..., 44) = 44
>    write(5, "10/12-02:11:58.360095 192.168.9."..., 49) = 49
>    write(5, "PROTO255 TTL:0 TOS:0x0 ID:0 IpLe"..., 51) = 51
>    write(5, "\n", 1) = 1
>    write(6, "10/12-02:11:58.360095 [**] [122"..., 105) = 105
>    write(3, "ng\16G\237~\5\0\256\0\0\0\256\0\0\0MACDADMACDAD\10\0E\0"..., 190) = 190
>    --- SIGSEGV (Segmentation fault) @ 0 (0) ---
>    -----------------------------------------------------------------------------------------------------
>
>    I traced it several times; every time the information was like this, and the "(portscan)" word never changed!
>    Is it a bug in sfportscan!? Or have I not done it right?
>
> 3. My snort_inline-2.6.1.5 configure options are as follows:
>    ./configure --prefix=/usr/local/snort_inline --enable-pthread \
>        --enable-stream4udp --enable-dynamicplugin --enable-timestats \
>        --enable-perfprofiling --enable-linux-smp-stats --enable-flexresp2 \
>        --enable-react --enable-nfnetlink --enable-clamav \
>        --with-mysql=/usr/local/mysql \
>        --with-libpcap-includes=/usr/local/libpcap/include \
>        --with-libpcap-libraries=/usr/local/libpcap/lib \
>        --with-clamav-includes=/usr/local/clamav/include \
>        --with-clamav-defdir=/usr/local/clamav/share/clamav
>
> 4. And I want to know, what's the best kernel version for snort_inline-2.6.1.5?
>
> Best Regards
>
> ChunXin
>
> ------------------------------
>
> Message: 3
> Date: Mon, 15 Oct 2007 14:11:44 +0200
> From: Victor Julien <li...@in...>
> Subject: [Snort-inline-users] Re: [Snort-inline-users] snort_inline-2.6.1.5 problems, please help me!
> To: sno...@li...
> Message-ID: <471...@in...>
> Content-Type: text/plain; charset=GB2312
>
> Instead of resending your mail, why don't you try my suggestion from a
> few days ago and report back on it?
>
> ------------------------------
>
> End of Snort-inline-users Digest, Vol 16, Issue 4
> *************************************************
From: Victor J. <li...@in...> - 2007-10-15 12:16:51
Instead of resending your mail, why don't you try my suggestion from a few days ago and report back on it?

ChunXin wrote:
> I am using snort_inline-2.6.1.5, but I encountered many problems.
>
> 1. My network topology is as follows:
>
>    {Client (192.168.9.2) nmap}<--->{ snort_inline-2.6.1.5 }<--->{ Server 192.168.1.2 (web) }
>
> 2. And I started my snort_inline this way: "iptables -A FORWARD -j QUEUE && snort_inline -Q -c snort_inline.conf".
>    When I use nmap to scan the web server, snort_inline always stops and the screen shows "Segmentation fault".
>
>    I used strace to check its running status (strace -f -p 5668; 5668 is the pid of snort_inline). When snort_inline stopped, the screen showed:
>    --------------------------------------------------------------------------------------------------
>    gettimeofday({1192126318, 360095}, NULL) = 0
>    write(5, "[**] [122:1:0] (portscan) TCP Po"..., 44) = 44
>    write(5, "10/12-02:11:58.360095 192.168.9."..., 49) = 49
>    write(5, "PROTO255 TTL:0 TOS:0x0 ID:0 IpLe"..., 51) = 51
>    write(5, "\n", 1) = 1
>    write(6, "10/12-02:11:58.360095 [**] [122"..., 105) = 105
>    write(3, "ng\16G\237~\5\0\256\0\0\0\256\0\0\0MACDADMACDAD\10\0E\0"..., 190) = 190
>    --- SIGSEGV (Segmentation fault) @ 0 (0) ---
>    -----------------------------------------------------------------------------------------------------
>
>    I traced it several times; every time the information was like this, and the "(portscan)" word never changed!
>    Is it a bug in sfportscan!? Or have I not done it right?
>
> 3. My snort_inline-2.6.1.5 configure options are as follows:
>    ./configure --prefix=/usr/local/snort_inline --enable-pthread \
>        --enable-stream4udp --enable-dynamicplugin --enable-timestats \
>        --enable-perfprofiling --enable-linux-smp-stats --enable-flexresp2 \
>        --enable-react --enable-nfnetlink --enable-clamav \
>        --with-mysql=/usr/local/mysql \
>        --with-libpcap-includes=/usr/local/libpcap/include \
>        --with-libpcap-libraries=/usr/local/libpcap/lib \
>        --with-clamav-includes=/usr/local/clamav/include \
>        --with-clamav-defdir=/usr/local/clamav/share/clamav
>
> 4. And I want to know, what's the best kernel version for snort_inline-2.6.1.5?
>
> My snort_inline.conf is as follows:
> -------------------------------------------------------------------
>
> ### Network variables
> var HOME_NET any
> var HONEYNET any
> var EXTERNAL_NET any
> var SMTP_SERVERS any
> var TELNET_SERVERS any
> var HTTP_SERVERS any
> var SQL_SERVERS any
> var DNS_SERVERS any
>
> # Ports you run web servers on
> ## include somefile.rules
> var HTTP_PORTS 80
>
> # Ports you want to look for SHELLCODE on.
> var SHELLCODE_PORTS !80
>
> # Ports you do oracle attacks on
> var ORACLE_PORTS 1521
>
> #ports you want to look for SSH on
> var SSH_PORTS 22
>
> # AIM servers. AOL has a habit of adding new AIM servers, so instead of
> # modifying the signatures when they do, we add them to this list of servers.
> var AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
>
> ### As of snort_inline 2.2.0 we drop
> ### packets with bad checksums. We can
> config checksum_mode: all
>
> # Path to your rules files (this can be a relative path)
> var RULE_PATH /usr/local/snort_inline/etc/snort_rules
>
> #
> config layer2resets: 00:06:76:DD:5F:E3
>
> #
> # Load all dynamic preprocessors from the install path
> # (same as command line option --dynamic-preprocessor-lib-dir)
> #
> dynamicpreprocessor directory /usr/local/snort_inline/lib/snort_dynamicpreprocessor/
> #
> # Load a dynamic engine from the install path
> # (same as command line option --dynamic-engine-lib)
> #
> dynamicengine /usr/local/snort_inline/lib/snort_dynamicengine/libsf_engine.so
> # dynamicdetection file /usr/local/lib/snort_dynamicrule/libdynamicexamplerule.so
> #
>
> ### Preprocessors
> #
> # The third line tells which sources to never drop, it is very, very important to add your home net
> # and you dns servers to this list.
> #
> #example:
> preprocessor stickydrop: max_entries 3000,log
> preprocessor stickydrop-timeouts: sfportscan 3000 , clamav 3000
> #preprocessor stickydrop-ignorehosts: 192.168.0.0/24 192.168.1.12 192.168.1.13
> # and you dns servers to this list.
> #
> #example:
> #preprocessor bait-and-switch: max_entries 200,log,insert_before
> #preprocessor bait-and-switch-ignorehosts: 192.168.1.0/24
>
> # Done by IPTables. Iptables assembles fragments when we use connection
> # tracking; therefore, we don't have to use frag2
> # preprocessor frag2
>
> preprocessor flow: stats_interval 0 hash 2
> preprocessor frag3_global: max_frags 655360
> #preprocessor frag3_global: max_frags 65536
> preprocessor frag3_engine: policy first detect_anomalies
> #
>
> #Stream4 with inline support example
>
> preprocessor stream4: disable_evasion_alerts,stream4inline,enforce_state,midstream_drop_alerts
> #preprocessor stream4: disable_evasion_alerts,stream4inline,enforce_state,midstream_drop_alerts, max_sessions 32768, memcap 36700160
> #
> #preprocessor stream4: disable_evasion_alerts, \
> #    stream4inline, \
> #    enforce_state drop, \
> #    memcap 134217728, \
> #    timeout 3600, \
> #    truncate, \
> #    window_size 3000
>
> #
> #preprocessor stream4_reassemble: both, favor_new
> preprocessor stream4_reassemble
> #
> # Example:
> preprocessor clamav: ports all !22 !443, toclientonly, dbdir /usr/local/clamav/share/clamav, dbreload-time 43200
> #
> #clamav: ports all !22 !443, toclientonly, dbdir /usr/share/clamav, dbreload-time 43200
>
> preprocessor http_inspect: global \
>     iis_unicode_map unicode.map 1252
>
> preprocessor http_inspect_server: server default \
>     profile all ports { 80 8080 8180 } oversize_dir_length 500
>
> # sizes exceed the current packet size
> # no_alert_incomplete - don't alert when a single segment
> # exceeds the current packet size
>
> preprocessor rpc_decode: 111 32771
>
> # SID   Event description
> # ----- -------------------
> # 1     Back Orifice traffic detected
>
> preprocessor bo
>
> # --dynamic-preprocessor-lib <full path to libsf_ftptelnet_preproc.so>
>
> preprocessor ftp_telnet: global \
>     encrypted_traffic yes \
>     inspection_type stateful
>
> preprocessor ftp_telnet_protocol: telnet \
>     normalize \
>     ayt_attack_thresh 200
>
> # Check nDTM commands that set modification time on the file.
> preprocessor ftp_telnet_protocol: ftp server default \
>     def_max_param_len 100 \
>     alt_max_param_len 200 { CWD } \
>     cmd_validity MODE < char ASBCZ > \
>     cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \
>     chk_str_fmt { USER PASS RNFR RNTO SITE MKD } \
>     telnet_cmds yes \
>     data_chan
>
> preprocessor ftp_telnet_protocol: ftp client default \
>     max_resp_len 256 \
>     bounce yes \
>     telnet_cmds yes
>
> # --dynamic-preprocessor-lib <full path to libsf_smtp_preproc.so>
>
> preprocessor smtp: \
>     ports { 25 } \
>     inspection_type stateful \
>     normalize cmds \
>     normalize_cmds { EXPN VRFY RCPT } \
>     alt_max_command_line_len 260 { MAIL } \
>     alt_max_command_line_len 300 { RCPT } \
>     alt_max_command_line_len 500 { HELP HELO ETRN } \
>     alt_max_command_line_len 255 { EXPN VRFY }
>
> #
> preprocessor sfportscan: proto { all } \
>     memcap { 10000000 } \
>     sense_level { low }
>
> # --dynamic-preprocessor-lib <full path to libsf_dcerpc_preproc.so>
>
> preprocessor dcerpc: \
>     autodetect \
>     max_frag_size 3000 \
>     memcap 100000
>
> # --dynamic-preprocessor-lib <full path to libsf_dns_preproc.so>
>
> preprocessor dns: \
>     ports { 53 } \
>     enable_rdata_overflow
>
> ### Logging alerts of outbound attacks
> output alert_full: snort_inline-full
> output alert_fast: snort_inline-fast
>
> ### If you want to log the contents of the dropped packets, remove comment
> #output log_tcpdump: tcpdump.log
>
> # Include classification & priority settings
> include $RULE_PATH/classification.config
> include $RULE_PATH/reference.config
>
> ### The Drop Rules
> # Enabled
> include $RULE_PATH/exploit.rules
> include $RULE_PATH/finger.rules
> include $RULE_PATH/ftp.rules
> include $RULE_PATH/telnet.rules
> include $RULE_PATH/rpc.rules
> include $RULE_PATH/rservices.rules
> include $RULE_PATH/dos.rules
> include $RULE_PATH/ddos.rules
> include $RULE_PATH/dns.rules
> include $RULE_PATH/tftp.rules
> include $RULE_PATH/web-cgi.rules
> include $RULE_PATH/web-coldfusion.rules
> include $RULE_PATH/web-iis.rules
> include $RULE_PATH/web-frontpage.rules
> include $RULE_PATH/web-misc.rules
> #include $RULE_PATH/web-client.rules
> include $RULE_PATH/web-php.rules
> include $RULE_PATH/sql.rules
> include $RULE_PATH/x11.rules
> include $RULE_PATH/icmp.rules
> include $RULE_PATH/netbios.rules
> include $RULE_PATH/oracle.rules
> include $RULE_PATH/mysql.rules
> include $RULE_PATH/snmp.rules
> include $RULE_PATH/smtp.rules
> include $RULE_PATH/imap.rules
> include $RULE_PATH/pop3.rules
> include $RULE_PATH/pop2.rules
> include $RULE_PATH/web-attacks.rules
> include $RULE_PATH/virus.rules
> include $RULE_PATH/nntp.rules
> -------------------------------------------------------------------
>
> Best Regards
>
> ChunXin
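The strace excerpt quoted in this thread shows snort_inline writing an alert whose header is [122:1:0] (portscan) to its output files and then taking SIGSEGV; Snort prints alert headers as [gid:sid:rev] (generator name), and gid 122 is the sfportscan preprocessor. The Python below is an added example, not code from snort_inline or from anyone in the thread: it pulls exactly that information out of an strace capture so the "is it sfportscan?" question can be read off the trace. The generator table is a constructed subset of Snort's gen-msg.map, and the sample lines are the thread's own, rejoined onto one line each.

```python
import re

# Constructed subset of Snort's generator-id table (gen-msg.map).  Gid 122 is the
# sfportscan preprocessor, the generator of the alert seen in the thread's trace.
GENERATORS = {
    1: "rules engine",
    122: "sfportscan",
}

# strace reports a fatal signal as "--- SIGSEGV (Segmentation fault) @ 0 (0) ---".
SIGNAL_RE = re.compile(r"^---\s+(SIG[A-Z0-9]+)\b")
# write(fd, "data"..., len) = ret ; strace truncates long buffers with "..." after the quote.
WRITE_RE = re.compile(r'^write\((\d+),\s*"(.*?)"(?:\.\.\.)?,\s*\d+\)\s*=\s*(-?\d+)')
# Snort alert header: [**] [gid:sid:rev] (generator name) ...
ALERT_RE = re.compile(r"\[\*\*\]\s*\[(\d+):(\d+):(\d+)\]\s*\(([^)]*)\)")


def triage_strace(lines, context=8):
    """Summarise what a traced process was doing right before its fatal signal.

    Scans to the first '--- SIG...' line and returns the signal name, the last
    `context` syscalls before it, the descriptors those syscalls wrote to, and the
    most recent Snort alert header found in a write() buffer, mapped to its generator.
    """
    summary = {"signal": None, "last_calls": [], "fds_written": [],
               "last_alert": None, "generator": None}
    window = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        sig = SIGNAL_RE.match(line)
        if sig:
            summary["signal"] = sig.group(1)
            break
        window.append(line)
        if len(window) > context:
            window.pop(0)
    summary["last_calls"] = window
    for call in window:
        w = WRITE_RE.match(call)
        if not w:
            continue
        fd = int(w.group(1))
        if fd not in summary["fds_written"]:
            summary["fds_written"].append(fd)
        alert = ALERT_RE.search(w.group(2))
        if alert:
            gid = int(alert.group(1))
            summary["last_alert"] = {"gid": gid, "sid": int(alert.group(2)),
                                     "rev": int(alert.group(3)), "name": alert.group(4)}
            summary["generator"] = GENERATORS.get(gid, "unknown gid %d" % gid)
    return summary


def describe(summary):
    """Render the summary as a one-line triage note."""
    if summary["signal"] is None:
        return "no fatal signal found in trace"
    parts = ["process died with %s" % summary["signal"],
             "descriptors written just before: %s" % summary["fds_written"]]
    alert = summary["last_alert"]
    if alert:
        parts.append("last alert written: [%d:%d:%d] (%s), generator %s"
                     % (alert["gid"], alert["sid"], alert["rev"], alert["name"],
                        summary["generator"]))
    return "; ".join(parts)


# Sample input constructed from the strace output quoted in this thread; the wrapped
# write(3, ...) line is rejoined because strace prints each syscall on one line.
SAMPLE_TRACE = r'''
gettimeofday({1192126318, 360095}, NULL) = 0
write(5, "[**] [122:1:0] (portscan) TCP Po"..., 44) = 44
write(5, "10/12-02:11:58.360095 192.168.9."..., 49) = 49
write(5, "PROTO255 TTL:0 TOS:0x0 ID:0 IpLe"..., 51) = 51
write(5, "\n", 1) = 1
write(6, "10/12-02:11:58.360095 [**] [122"..., 105) = 105
write(3, "ng\16G\237~\5\0\256\0\0\0\256\0\0\0MACDADMACDAD\10\0E\0"..., 190) = 190
--- SIGSEGV (Segmentation fault) @ 0 (0) ---
'''.strip().splitlines()

if __name__ == "__main__":
    print(describe(triage_strace(SAMPLE_TRACE)))
```

This tells you which component was active when the process died, not which instruction faulted; for that a core file or a debugger attached to the same run is the next step.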
From: ChunXin <ch...@os...> - 2007-10-15 11:36:14
|
I am using snort_inline-2.6.1.5, but I encountered many problems

1, my network topology is as follows:

{Client (192.168.9.2) nmap}<--->{ snort_inline-2.6.1.5 }<--->{ Server 192.168.1.2 (web) }

2, And I started my snort_inline this way: "iptables -A FORWARD -j QUEUE && snort_inline -Q -c snort_inline.conf ",
When I use nmap to scan the web server, snort_inline always stops and the screen shows "Segmentation fault"

I used "strace" to check its running status (strace -f -p 5668; 5668 is the pid of snort_inline). When snort_inline stopped, the screen showed:
--------------------------------------------------------------------------------------------------
gettimeofday({1192126318, 360095}, NULL) = 0
write(5, "[**] [122:1:0] (portscan) TCP Po"..., 44) = 44
write(5, "10/12-02:11:58.360095 192.168.9."..., 49) = 49
write(5, "PROTO255 TTL:0 TOS:0x0 ID:0 IpLe"..., 51) = 51
write(5, "\n", 1) = 1
write(6, "10/12-02:11:58.360095 [**] [122"..., 105) = 105
write(3, "ng\16G\237~\5\0\256\0\0\0\256\0\0\0MACDADMACDAD\10\0E\0"..., 190) = 190
--- SIGSEGV (Segmentation fault) @ 0 (0) ---
-----------------------------------------------------------------------------------------------------

I traced it several times; every time the information looked like this, and the "(portscan)" word never changed!
Is it a bug in sfportscan, or have I not done it right?

3, my snort_inline-2.6.1.5 configure options are as follows:
./configure --prefix=/usr/local/snort_inline --enable-pthread --enable-stream4udp --enable-dynamicplugin --enable-timestats --enable-perfprofiling --enable-linux-smp-stats --enable-flexresp2 --enable-react --enable-nfnetlink --enable-clamav --with-mysql=/usr/local/mysql --with-libpcap-includes=/usr/local/libpcap/include --with-libpcap-libraries=/usr/local/libpcap/lib --with-clamav-includes=/usr/local/clamav/include --with-clamav-defdir=/usr/local/clamav/share/clamav

4, and I want to know, what's the best kernel version for snort_inline-2.6.1.5?

my snort_inline.conf is as follows:
-------------------------------------------------------------------
### Network variables
var HOME_NET any
var HONEYNET any
var EXTERNAL_NET any
var SMTP_SERVERS any
var TELNET_SERVERS any
var HTTP_SERVERS any
var SQL_SERVERS any
var DNS_SERVERS any

# Ports you run web servers on
## include somefile.rules
var HTTP_PORTS 80

# Ports you want to look for SHELLCODE on.
var SHELLCODE_PORTS !80

# Ports you do oracle attacks on
var ORACLE_PORTS 1521

#ports you want to look for SSH on
var SSH_PORTS 22

# AIM servers.  AOL has a habit of adding new AIM servers, so instead of
# modifying the signatures when they do, we add them to this list of servers.
var AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]

### As of snort_inline 2.2.0 we drop
### packets with bad checksums. We can
config checksum_mode: all

# Path to your rules files (this can be a relative path)
var RULE_PATH /usr/local/snort_inline/etc/snort_rules

# config layer2resets: 00:06:76:DD:5F:E3

#
# Load all dynamic preprocessors from the install path
# (same as command line option --dynamic-preprocessor-lib-dir)
#
dynamicpreprocessor directory /usr/local/snort_inline/lib/snort_dynamicpreprocessor/
#
# Load a dynamic engine from the install path
# (same as command line option --dynamic-engine-lib)
#
dynamicengine /usr/local/snort_inline/lib/snort_dynamicengine/libsf_engine.so
# dynamicdetection file /usr/local/lib/snort_dynamicrule/libdynamicexamplerule.so
#

### Preprocessors
#
# The third line tells which sources to never drop, it is very, very important to add your home net
# and you dns servers to this list.
#
#example:
preprocessor stickydrop: max_entries 3000,log
preprocessor stickydrop-timeouts: sfportscan 3000 , clamav 3000
#preprocessor stickydrop-ignorehosts: 192.168.0.0/24 192.168.1.12 192.168.1.13

# and you dns servers to this list.
#
#example:
#preprocessor bait-and-switch: max_entries 200,log,insert_before
#preprocessor bait-and-switch-ignorehosts: 192.168.1.0/24

# Done by IPTables. Iptables assembles fragments when we use connection
# tracking; therefore, we don't have to use frag2
# preprocessor frag2

preprocessor flow: stats_interval 0 hash 2

preprocessor frag3_global: max_frags 655360
#preprocessor frag3_global: max_frags 65536
preprocessor frag3_engine: policy first detect_anomalies

#
#Stream4 with inline support example
preprocessor stream4: disable_evasion_alerts,stream4inline,enforce_state,midstream_drop_alerts
#preprocessor stream4: disable_evasion_alerts,stream4inline,enforce_state,midstream_drop_alerts , max_sessions 32768, memcap 36700160
#
#preprocessor stream4: disable_evasion_alerts, \
#                      stream4inline, \
#                      enforce_state drop, \
#                      memcap 134217728, \
#                      timeout 3600, \
#                      truncate, \
#                      window_size 3000
#
#preprocessor stream4_reassemble: both, favor_new
preprocessor stream4_reassemble

#
# Example:
preprocessor clamav: ports all !22 !443, toclientonly, dbdir /usr/local/clamav/share/clamav, dbreload-time 43200
#
#clamav: ports all !22 !443, toclientonly, dbdir /usr/share/clamav, dbreload-time 43200

preprocessor http_inspect: global \
    iis_unicode_map unicode.map 1252

preprocessor http_inspect_server: server default \
    profile all ports { 80 8080 8180 } oversize_dir_length 500

# sizes exceed the current packet size
# no_alert_incomplete - don't alert when a single segment
# exceeds the current packet size

preprocessor rpc_decode: 111 32771

# SID     Event description
# -----   -------------------
#   1     Back Orifice traffic detected
preprocessor bo

# --dynamic-preprocessor-lib <full path to libsf_ftptelnet_preproc.so>
preprocessor ftp_telnet: global \
    encrypted_traffic yes \
    inspection_type stateful

preprocessor ftp_telnet_protocol: telnet \
    normalize \
    ayt_attack_thresh 200

# Check nDTM commands that set modification time on the file.
preprocessor ftp_telnet_protocol: ftp server default \
    def_max_param_len 100 \
    alt_max_param_len 200 { CWD } \
    cmd_validity MODE < char ASBCZ > \
    cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \
    chk_str_fmt { USER PASS RNFR RNTO SITE MKD } \
    telnet_cmds yes \
    data_chan

preprocessor ftp_telnet_protocol: ftp client default \
    max_resp_len 256 \
    bounce yes \
    telnet_cmds yes

# --dynamic-preprocessor-lib <full path to libsf_smtp_preproc.so>

preprocessor smtp: \
    ports { 25 } \
    inspection_type stateful \
    normalize cmds \
    normalize_cmds { EXPN VRFY RCPT } \
    alt_max_command_line_len 260 { MAIL } \
    alt_max_command_line_len 300 { RCPT } \
    alt_max_command_line_len 500 { HELP HELO ETRN } \
    alt_max_command_line_len 255 { EXPN VRFY }

#
preprocessor sfportscan: proto { all } \
    memcap { 10000000 } \
    sense_level { low }

# --dynamic-preprocessor-lib <full path to libsf_dcerpc_preproc.so>

preprocessor dcerpc: \
    autodetect \
    max_frag_size 3000 \
    memcap 100000

# --dynamic-preprocessor-lib <full path to libsf_dns_preproc.so>

preprocessor dns: \
    ports { 53 } \
    enable_rdata_overflow

### Logging alerts of outbound attacks
output alert_full: snort_inline-full
output alert_fast: snort_inline-fast

### If you want to log the contents of the dropped packets, remove comment
#output log_tcpdump: tcpdump.log

# Include classification & priority settings
include $RULE_PATH/classification.config
include $RULE_PATH/reference.config

### The Drop Rules
# Enabled
include $RULE_PATH/exploit.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/rpc.rules
include $RULE_PATH/rservices.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
include $RULE_PATH/tftp.rules
include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-coldfusion.rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-misc.rules
#include $RULE_PATH/web-client.rules
include $RULE_PATH/web-php.rules
include $RULE_PATH/sql.rules
include $RULE_PATH/x11.rules
include $RULE_PATH/icmp.rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/oracle.rules
include $RULE_PATH/mysql.rules
include $RULE_PATH/snmp.rules
include $RULE_PATH/smtp.rules
include $RULE_PATH/imap.rules
include $RULE_PATH/pop3.rules
include $RULE_PATH/pop2.rules
include $RULE_PATH/web-attacks.rules
include $RULE_PATH/virus.rules
include $RULE_PATH/nntp.rules
-------------------------------------------------------------------

Best Regards

ChunXin
|
From: Victor J. <li...@in...> - 2007-10-12 08:21:28
|
Hi, I see you are both using ip_queue

> 2, And I started my snort_inline this way: "iptables -A FORWARD -j
> QUEUE && snort_inline -Q -c snort_inline.conf ",
>

and compiling for nfqueue.

> --enable-react --enable-nfnetlink --enable-clamav

I have no idea what the results of this are. So please try removing
'--enable-nfnetlink' or use 'iptables -A FORWARD -j NFQUEUE' and try
again...

Cheers,
Victor
|
From: ChunXin <ch...@os...> - 2007-10-12 04:57:45
|
my snort_inline.conf is as follows:
-------------------------------------------------------------------
### Network variables
var HOME_NET any
var HONEYNET any
var EXTERNAL_NET any
var SMTP_SERVERS any
var TELNET_SERVERS any
var HTTP_SERVERS any
var SQL_SERVERS any
var DNS_SERVERS any

# Ports you run web servers on
## include somefile.rules
var HTTP_PORTS 80

# Ports you want to look for SHELLCODE on.
var SHELLCODE_PORTS !80

# Ports you do oracle attacks on
var ORACLE_PORTS 1521

#ports you want to look for SSH on
var SSH_PORTS 22

# AIM servers.  AOL has a habit of adding new AIM servers, so instead of
# modifying the signatures when they do, we add them to this list of servers.
var AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]

### As of snort_inline 2.2.0 we drop
### packets with bad checksums. We can
config checksum_mode: all

# Path to your rules files (this can be a relative path)
var RULE_PATH /usr/local/snort_inline/etc/snort_rules

# config layer2resets: 00:06:76:DD:5F:E3

#
# Load all dynamic preprocessors from the install path
# (same as command line option --dynamic-preprocessor-lib-dir)
#
dynamicpreprocessor directory /usr/local/snort_inline/lib/snort_dynamicpreprocessor/
#
# Load a dynamic engine from the install path
# (same as command line option --dynamic-engine-lib)
#
dynamicengine /usr/local/snort_inline/lib/snort_dynamicengine/libsf_engine.so
# dynamicdetection file /usr/local/lib/snort_dynamicrule/libdynamicexamplerule.so
#

### Preprocessors
#
# The third line tells which sources to never drop, it is very, very important to add your home net
# and you dns servers to this list.
#
#example:
preprocessor stickydrop: max_entries 3000,log
preprocessor stickydrop-timeouts: sfportscan 3000 , clamav 3000
#preprocessor stickydrop-ignorehosts: 192.168.0.0/24 192.168.1.12 192.168.1.13

# and you dns servers to this list.
#
#example:
#preprocessor bait-and-switch: max_entries 200,log,insert_before
#preprocessor bait-and-switch-ignorehosts: 192.168.1.0/24

# Done by IPTables. Iptables assembles fragments when we use connection
# tracking; therefore, we don't have to use frag2
# preprocessor frag2

preprocessor flow: stats_interval 0 hash 2

preprocessor frag3_global: max_frags 655360
#preprocessor frag3_global: max_frags 65536
preprocessor frag3_engine: policy first detect_anomalies

#
#Stream4 with inline support example
preprocessor stream4: disable_evasion_alerts,stream4inline,enforce_state,midstream_drop_alerts
#preprocessor stream4: disable_evasion_alerts,stream4inline,enforce_state,midstream_drop_alerts , max_sessions 32768, memcap 36700160
#
#preprocessor stream4: disable_evasion_alerts, \
#                      stream4inline, \
#                      enforce_state drop, \
#                      memcap 134217728, \
#                      timeout 3600, \
#                      truncate, \
#                      window_size 3000
#
#preprocessor stream4_reassemble: both, favor_new
preprocessor stream4_reassemble

#
# Example:
preprocessor clamav: ports all !22 !443, toclientonly, dbdir /usr/local/clamav/share/clamav, dbreload-time 43200
#
#clamav: ports all !22 !443, toclientonly, dbdir /usr/share/clamav, dbreload-time 43200

preprocessor http_inspect: global \
    iis_unicode_map unicode.map 1252

preprocessor http_inspect_server: server default \
    profile all ports { 80 8080 8180 } oversize_dir_length 500

# sizes exceed the current packet size
# no_alert_incomplete - don't alert when a single segment
# exceeds the current packet size

preprocessor rpc_decode: 111 32771

# SID     Event description
# -----   -------------------
#   1     Back Orifice traffic detected
preprocessor bo

# --dynamic-preprocessor-lib <full path to libsf_ftptelnet_preproc.so>
preprocessor ftp_telnet: global \
    encrypted_traffic yes \
    inspection_type stateful

preprocessor ftp_telnet_protocol: telnet \
    normalize \
    ayt_attack_thresh 200

# Check nDTM commands that set modification time on the file.
preprocessor ftp_telnet_protocol: ftp server default \
    def_max_param_len 100 \
    alt_max_param_len 200 { CWD } \
    cmd_validity MODE < char ASBCZ > \
    cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \
    chk_str_fmt { USER PASS RNFR RNTO SITE MKD } \
    telnet_cmds yes \
    data_chan

preprocessor ftp_telnet_protocol: ftp client default \
    max_resp_len 256 \
    bounce yes \
    telnet_cmds yes

# --dynamic-preprocessor-lib <full path to libsf_smtp_preproc.so>

preprocessor smtp: \
    ports { 25 } \
    inspection_type stateful \
    normalize cmds \
    normalize_cmds { EXPN VRFY RCPT } \
    alt_max_command_line_len 260 { MAIL } \
    alt_max_command_line_len 300 { RCPT } \
    alt_max_command_line_len 500 { HELP HELO ETRN } \
    alt_max_command_line_len 255 { EXPN VRFY }

#
preprocessor sfportscan: proto { all } \
    memcap { 10000000 } \
    sense_level { low }

# --dynamic-preprocessor-lib <full path to libsf_dcerpc_preproc.so>

preprocessor dcerpc: \
    autodetect \
    max_frag_size 3000 \
    memcap 100000

# --dynamic-preprocessor-lib <full path to libsf_dns_preproc.so>

preprocessor dns: \
    ports { 53 } \
    enable_rdata_overflow

### Logging alerts of outbound attacks
output alert_full: snort_inline-full
output alert_fast: snort_inline-fast

### If you want to log the contents of the dropped packets, remove comment
#output log_tcpdump: tcpdump.log

# Include classification & priority settings
include $RULE_PATH/classification.config
include $RULE_PATH/reference.config

### The Drop Rules
# Enabled
include $RULE_PATH/exploit.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/rpc.rules
include $RULE_PATH/rservices.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
include $RULE_PATH/tftp.rules
include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-coldfusion.rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-misc.rules
#include $RULE_PATH/web-client.rules
include $RULE_PATH/web-php.rules
include $RULE_PATH/sql.rules
include $RULE_PATH/x11.rules
include $RULE_PATH/icmp.rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/oracle.rules
include $RULE_PATH/mysql.rules
include $RULE_PATH/snmp.rules
include $RULE_PATH/smtp.rules
include $RULE_PATH/imap.rules
include $RULE_PATH/pop3.rules
include $RULE_PATH/pop2.rules
include $RULE_PATH/web-attacks.rules
include $RULE_PATH/virus.rules
include $RULE_PATH/nntp.rules
-------------------------------------------------------------------

Will Metcalf wrote:
> send your snort_inline.conf please....
>
> Regards,
>
> Will
>
> On 10/11/07, ChunXin <ch...@os...> wrote:
>
>> I am using snort_inline-2.6.1.5, but I encountered many problems
>>
>> 1, my network topology is as follows:
>>
>>
>> {Client (192.168.9.2) nmap}<--->{ snort_inline-2.6.1.5 }<--->{ Server
>> 192.168.1.2 (web) }
>>
>>
>> 2, And I started my snort_inline this way: "iptables -A FORWARD -j
>> QUEUE && snort_inline -Q -c snort_inline.conf ",
>> When I use nmap to scan the web server, snort_inline always stops and
>> the screen shows "Segmentation fault"
>>
>> I used "strace" to check its running status (strace -f -p 5668; 5668 is the pid
>> of snort_inline). When snort_inline stopped, the screen
>> showed:
>> --------------------------------------------------------------------------------------------------
>> gettimeofday({1192126318, 360095}, NULL) = 0
>> write(5, "[**] [122:1:0] (portscan) TCP Po"..., 44) = 44
>> write(5, "10/12-02:11:58.360095 192.168.9."..., 49) = 49
>> write(5, "PROTO255 TTL:0 TOS:0x0 ID:0 IpLe"..., 51) = 51
>> write(5, "\n", 1) = 1
>> write(6, "10/12-02:11:58.360095 [**] [122"..., 105) = 105
>> write(3, "ng\16G\237~\5\0\256\0\0\0\256\0\0\0MACDADMACDAD\10\0E\0"...,
>> 190) = 190
>> --- SIGSEGV (Segmentation fault) @ 0 (0) ---
>>
>> -----------------------------------------------------------------------------------------------------
>>
>> I traced it several times; every time the information looked like this, and
>> the "(portscan)" word never changed!
>> Is it a bug in sfportscan, or have I not done it right?
>>
>>
>> 3, my snort_inline-2.6.1.5 configure options are as follows:
>> ./configure --prefix=/usr/local/snort_inline --enable-pthread
>> --enable-stream4udp --enable-dynamicplugin --enable-timestats
>> --enable-perfprofiling --enable-linux-smp-stats --enable-flexresp2
>> --enable-react --enable-nfnetlink --enable-clamav
>> --with-mysql=/usr/local/mysql
>> --with-libpcap-includes=/usr/local/libpcap/include
>> --with-libpcap-libraries=/usr/local/libpcap/lib
>> --with-clamav-includes=/usr/local/clamav/include
>> --with-clamav-defdir=/usr/local/clamav/share/clamav
>>
>> Best Regards
>>
|
From: ChunXin <ch...@os...> - 2007-10-12 04:50:09
|
See attachment, it's my snort_inline.conf file

Regards

ChunXin

Will Metcalf wrote:
> send your snort_inline.conf please....
>
> Regards,
>
> Will
>
> On 10/11/07, ChunXin <ch...@os...> wrote:
>
>> I am using snort_inline-2.6.1.5, but I encountered many problems
>>
>> 1, my network topology is as follows:
>>
>>
>> {Client (192.168.9.2) nmap}<--->{ snort_inline-2.6.1.5 }<--->{ Server
>> 192.168.1.2 (web) }
>>
>>
>> 2, And I started my snort_inline this way: "iptables -A FORWARD -j
>> QUEUE && snort_inline -Q -c snort_inline.conf ",
>> When I use nmap to scan the web server, snort_inline always stops and
>> the screen shows "Segmentation fault"
>>
>> I used "strace" to check its running status (strace -f -p 5668; 5668 is the pid
>> of snort_inline). When snort_inline stopped, the screen
>> showed:
>> --------------------------------------------------------------------------------------------------
>> gettimeofday({1192126318, 360095}, NULL) = 0
>> write(5, "[**] [122:1:0] (portscan) TCP Po"..., 44) = 44
>> write(5, "10/12-02:11:58.360095 192.168.9."..., 49) = 49
>> write(5, "PROTO255 TTL:0 TOS:0x0 ID:0 IpLe"..., 51) = 51
>> write(5, "\n", 1) = 1
>> write(6, "10/12-02:11:58.360095 [**] [122"..., 105) = 105
>> write(3, "ng\16G\237~\5\0\256\0\0\0\256\0\0\0MACDADMACDAD\10\0E\0"...,
>> 190) = 190
>> --- SIGSEGV (Segmentation fault) @ 0 (0) ---
>>
>> -----------------------------------------------------------------------------------------------------
>>
>> I traced it several times; every time the information looked like this, and
>> the "(portscan)" word never changed!
>> Is it a bug in sfportscan, or have I not done it right?
>>
>>
>> 3, my snort_inline-2.6.1.5 configure options are as follows:
>> ./configure --prefix=/usr/local/snort_inline --enable-pthread
>> --enable-stream4udp --enable-dynamicplugin --enable-timestats
>> --enable-perfprofiling --enable-linux-smp-stats --enable-flexresp2
>> --enable-react --enable-nfnetlink --enable-clamav
>> --with-mysql=/usr/local/mysql
>> --with-libpcap-includes=/usr/local/libpcap/include
>> --with-libpcap-libraries=/usr/local/libpcap/lib
>> --with-clamav-includes=/usr/local/clamav/include
>> --with-clamav-defdir=/usr/local/clamav/share/clamav
>>
>> Best Regards
>>
|
From: Will M. <wil...@gm...> - 2007-10-12 03:03:27
|
send your snort_inline.conf please....

Regards,

Will

On 10/11/07, ChunXin <ch...@os...> wrote:
> I am using snort_inline-2.6.1.5, but I encountered many problems
>
> 1, my network topology is as follows:
>
>
> {Client (192.168.9.2) nmap}<--->{ snort_inline-2.6.1.5 }<--->{ Server
> 192.168.1.2 (web) }
>
>
> 2, And I started my snort_inline this way: "iptables -A FORWARD -j
> QUEUE && snort_inline -Q -c snort_inline.conf ",
> When I use nmap to scan the web server, snort_inline always stops and
> the screen shows "Segmentation fault"
>
> I used "strace" to check its running status (strace -f -p 5668; 5668 is the pid
> of snort_inline). When snort_inline stopped, the screen
> showed:
> --------------------------------------------------------------------------------------------------
> gettimeofday({1192126318, 360095}, NULL) = 0
> write(5, "[**] [122:1:0] (portscan) TCP Po"..., 44) = 44
> write(5, "10/12-02:11:58.360095 192.168.9."..., 49) = 49
> write(5, "PROTO255 TTL:0 TOS:0x0 ID:0 IpLe"..., 51) = 51
> write(5, "\n", 1) = 1
> write(6, "10/12-02:11:58.360095 [**] [122"..., 105) = 105
> write(3, "ng\16G\237~\5\0\256\0\0\0\256\0\0\0MACDADMACDAD\10\0E\0"...,
> 190) = 190
> --- SIGSEGV (Segmentation fault) @ 0 (0) ---
>
> -----------------------------------------------------------------------------------------------------
>
> I traced it several times; every time the information looked like this, and
> the "(portscan)" word never changed!
> Is it a bug in sfportscan, or have I not done it right?
>
>
> 3, my snort_inline-2.6.1.5 configure options are as follows:
> ./configure --prefix=/usr/local/snort_inline --enable-pthread
> --enable-stream4udp --enable-dynamicplugin --enable-timestats
> --enable-perfprofiling --enable-linux-smp-stats --enable-flexresp2
> --enable-react --enable-nfnetlink --enable-clamav
> --with-mysql=/usr/local/mysql
> --with-libpcap-includes=/usr/local/libpcap/include
> --with-libpcap-libraries=/usr/local/libpcap/lib
> --with-clamav-includes=/usr/local/clamav/include
> --with-clamav-defdir=/usr/local/clamav/share/clamav
>
> Best Regards
>
|
From: ChunXin <ch...@os...> - 2007-10-12 01:39:13
|
I am using snort_inline-2.6.1.5, but I encountered many problems

1, my network topology is as follows:

{Client (192.168.9.2) nmap}<--->{ snort_inline-2.6.1.5 }<--->{ Server 192.168.1.2 (web) }

2, And I started my snort_inline this way: "iptables -A FORWARD -j QUEUE && snort_inline -Q -c snort_inline.conf ",
When I use nmap to scan the web server, snort_inline always stops and the screen shows "Segmentation fault"

I used "strace" to check its running status (strace -f -p 5668; 5668 is the pid of snort_inline). When snort_inline stopped, the screen showed:
--------------------------------------------------------------------------------------------------
gettimeofday({1192126318, 360095}, NULL) = 0
write(5, "[**] [122:1:0] (portscan) TCP Po"..., 44) = 44
write(5, "10/12-02:11:58.360095 192.168.9."..., 49) = 49
write(5, "PROTO255 TTL:0 TOS:0x0 ID:0 IpLe"..., 51) = 51
write(5, "\n", 1) = 1
write(6, "10/12-02:11:58.360095 [**] [122"..., 105) = 105
write(3, "ng\16G\237~\5\0\256\0\0\0\256\0\0\0MACDADMACDAD\10\0E\0"..., 190) = 190
--- SIGSEGV (Segmentation fault) @ 0 (0) ---
-----------------------------------------------------------------------------------------------------

I traced it several times; every time the information looked like this, and the "(portscan)" word never changed!
Is it a bug in sfportscan, or have I not done it right?

3, my snort_inline-2.6.1.5 configure options are as follows:
./configure --prefix=/usr/local/snort_inline --enable-pthread --enable-stream4udp --enable-dynamicplugin --enable-timestats --enable-perfprofiling --enable-linux-smp-stats --enable-flexresp2 --enable-react --enable-nfnetlink --enable-clamav --with-mysql=/usr/local/mysql --with-libpcap-includes=/usr/local/libpcap/include --with-libpcap-libraries=/usr/local/libpcap/lib --with-clamav-includes=/usr/local/clamav/include --with-clamav-defdir=/usr/local/clamav/share/clamav

Best Regards
|
From: MSN <ms...@vt...> - 2007-10-10 13:41:53
|
snort_inline-2.6.1.5       69a70a1f5652d7163375147a82b15144

The configuration file I'm using is the one attached above. I did not modify it at all
and just kept trying to run with the same one. Thanks in advance.

MSN :)


----- Original Message -----
From: "Victor Julien" <li...@in...>
To: <sno...@li...>
Sent: Wednesday, October 10, 2007 9:24 PM
Subject: Re: [Snort-inline-users] Possible memory leak


> MSN wrote:
>> Hi, I installed the exact same packages from the sourceforge download site with the same configuration,
>> running on a linux 2.4.30 kernel. It works fine but keeps taking system memory; it does not release it
>> and keeps increasing, more than 300M for the snort_inline process so far. Any ideas?
>> Thanks in advance.
>>
>> snort_inline -Q -l /var/logs/snort -c /etc/snort/snort_inline.conf
>>
>> 509 root       9   0  316M 316M  1164 S     0.0 44.3   0:23 snort_inline
>>
>>
> Depending on your configuration Snort_inline can use a lot of memory.
> Can you attach your snort_inline.conf?
>
> What version of snort_inline are you using?
>
> Cheers,
> Victor
>
>
>
>>
>> -A FORWARD -j QUEUE
>>
>>
>> MSN :)
>>
|
From: Victor J. <li...@in...> - 2007-10-10 12:29:21
|
MSN wrote:
> Hi, I installed the exact same packages from the sourceforge download site with the same configuration,
> running on a linux 2.4.30 kernel. It works fine but keeps taking system memory; it does not release it
> and keeps increasing, more than 300M for the snort_inline process so far. Any ideas?
> Thanks in advance.
>
> snort_inline -Q -l /var/logs/snort -c /etc/snort/snort_inline.conf
>
> 509 root       9   0  316M 316M  1164 S     0.0 44.3   0:23 snort_inline
>
>
Depending on your configuration Snort_inline can use a lot of memory.
Can you attach your snort_inline.conf?

What version of snort_inline are you using?

Cheers,
Victor

>
> -A FORWARD -j QUEUE
>
>
> MSN :)
|
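Victor's point that memory use depends on the configuration can be checked directly against a snort_inline.conf like the one ChunXin posted earlier in the thread. The script below is an added example, not code from this list or from the snort_inline project: it joins backslash-continued preprocessor lines, skips comment lines (so a commented-out stream4 line with a memcap is not counted), and reports which preprocessors declare an explicit memcap and which rely on the compiled-in default. The embedded configuration is a constructed excerpt of the posted file; the `memcap N` and `memcap { N }` spellings are the two forms that appear in it.

```python
import re

# Constructed sample, trimmed from the snort_inline.conf posted on the list.
# The commented-out stream4 line carries a memcap that must NOT be counted.
SAMPLE_CONF = """\
preprocessor frag3_global: max_frags 655360
#preprocessor stream4: disable_evasion_alerts,stream4inline,enforce_state,midstream_drop_alerts , max_sessions 32768, memcap 36700160
preprocessor stream4: disable_evasion_alerts,stream4inline,enforce_state,midstream_drop_alerts
preprocessor stream4_reassemble
preprocessor sfportscan: proto { all } \\
    memcap { 10000000 } \\
    sense_level { low }
preprocessor dcerpc: \\
    autodetect \\
    max_frag_size 3000 \\
    memcap 100000
preprocessor dns: \\
    ports { 53 } \\
    enable_rdata_overflow
"""

# "preprocessor <name>: <args>" ; the colon is optional (e.g. "preprocessor bo").
PREPROC_RE = re.compile(r"^preprocessor\s+([\w-]+)\s*:?\s*(.*)$")
# Accepts both "memcap 100000" and "memcap { 10000000 }".
MEMCAP_RE = re.compile(r"\bmemcap\s*\{?\s*(\d+)\s*\}?")


def logical_lines(text):
    """Join backslash-continued lines and drop comment and blank lines,
    the way snort's config reader sees the file."""
    lines, current = [], ""
    for raw in text.splitlines():
        stripped = raw.strip()
        if not current and (not stripped or stripped.startswith("#")):
            continue
        if stripped.endswith("\\"):
            current += stripped[:-1].rstrip() + " "
            continue
        lines.append((current + stripped).strip())
        current = ""
    if current:  # file ended inside a continuation
        lines.append(current.strip())
    return lines


def preprocessor_memcaps(text):
    """Map each configured preprocessor to its explicit memcap in bytes,
    or None when the line relies on the compiled-in default."""
    caps = {}
    for line in logical_lines(text):
        m = PREPROC_RE.match(line)
        if not m:
            continue
        name, args = m.group(1), m.group(2)
        cap = MEMCAP_RE.search(args)
        caps[name] = int(cap.group(1)) if cap else None
    return caps


def memory_budget(text):
    """Return (sum of explicit memcaps in bytes, sorted names of
    preprocessors that declare no memcap)."""
    caps = preprocessor_memcaps(text)
    explicit = sum(v for v in caps.values() if v is not None)
    defaults = sorted(k for k, v in caps.items() if v is None)
    return explicit, defaults


if __name__ == "__main__":
    total, unbounded = memory_budget(SAMPLE_CONF)
    print(f"explicit memcaps total {total:,} bytes")
    print("using built-in default caps:", ", ".join(unbounded))
```

Run against the full posted configuration, only sfportscan and dcerpc declare a cap; stream4, frag3 and clamav run on their defaults, which is where to start when the process grows past 300M. The defaults themselves are version-specific, so read them from the README shipped with the build in use rather than assuming them.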