From: B. J. B. <bb...@ra...> - 2003-08-22 12:25:26

No, it runs with the -Q option, it just appears to accept all packets, regardless of their content. For example, I have a test rule that looks for the content "testme" in web traffic. If I run snort_inline without the -Q, then I see alerts, but if I run it with the -Q, I don't see anything. If I change the alert to a drop and run it again with -Q, all packets are allowed, including those that should be dropped. I hope this explains it a little better.

B. J.

-----Original Message-----
From: sno...@li... [mailto:sno...@li...] On Behalf Of Rob McMillen
Sent: Wednesday, August 20, 2003 17:46
To: B. J. Bomar
Cc: Snort-inline Users
Subject: Re: [Snort-inline-users] Working installs on Redhat

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wed, 20 Aug 2003, B. J. Bomar wrote:

> Has anyone had any success getting snort-inline 2.0.1 up and running on a
> Redhat 7.3, 8, or 9 machine. I have tried multiple times on a bunch of test
> machines here with little to no luck. These have all been "stock" installs.
> On Redhat 7.3 and 8, I am able to compile, install, and test successfully
> without -Q.

Let me see if I understand this correctly. When you do a snort_inline -h,
you don't see a -Q option. Is this correct? If so, please do the
following:

make distclean
./configure
make
make install

** Do not use ./configure --enable-inline. The version that sits on
snort-inline.sf.net is configured to enable-inline by default. Guess
there is a bug in my autoconf script, because if you give it the
--enable-inline, it sort of disables it.

> If I put in the -Q option, the packets go through to userspace,
> but no logging or dropping. The same happens if I use the pre-compiled
> binary downloaded from Sourceforge. I can use the binary on Redhat 9, but
> seem to have the same problem as others compiling it. If anyone has gotten
> any of these setups to work, please give the rest of us some tips, or
> instructions on how you did it.

Ahh... This sounds like a different problem. Are you trying to set it up
with a bridge? If so, make your default firewall policy drop (iptables -P
INPUT DROP, iptables -P OUTPUT DROP, iptables -P FORWARD DROP). If you
are still able to pass packets via the bridge, you don't have the bridge
firewalling patch in your kernel. You can get the patch from
bridge.sf.net.

As far as RedHat 9.0, I just started looking at this problem. Seems that
some code has changed in 9.0.

Rob
-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8
Comment: Made with pgp4pine 1.76

iQA/AwUBP0P6F/nAyY+9KLjdEQJKCwCgyRJp53d06uU9SIF70qp3FFWKbz4An25p
ccG+99F7vJkowilzLxCER52B
=MoTj
-----END PGP SIGNATURE-----

_______________________________________________
Snort-inline-users mailing list
Sno...@li...
https://lists.sourceforge.net/lists/listinfo/snort-inline-users

From: Sandro P. <se...@gm...> - 2003-08-22 10:31:02

Well, I have to apologize for my previous mail: It seems configure is broken using the mentioned --enable-inline option. I played around and found that using that option in fact DISABLES the inline patch (GIDS is not defined, therefore it compiles). I changed the option in part in configure.in and get the error again. Here's the change I made:

AC_ARG_ENABLE(inline,
[  --enable-inline        Use the libipq interface for inline snort],
[ CFLAGS="$CFLAGS -DGIDS" enable_inline="yes"], enable_inline="no")

I'm now trying the precompiled binary in the hope it will work in the meantime.

Sorry again for the confusion,
Sandro

> I ran into exactly the same problem with RedHat 9 and the same versions (I
> only added the devel part into the RedHat rpm).
>
> And I found that I made a silly little mistake: I forgot to use
> --enable_inline with configure ;) I should have read the README more
> closely. Using
>
> ./configure --enable_inline
> make
>
> works like a charm :)
>
> HTH,
> Sandro

From: Sandro P. <se...@gm...> - 2003-08-22 06:43:36

I ran into exactly the same problem with RedHat 9 and the same versions (I only added the devel part into the RedHat rpm).

And I found that I made a silly little mistake: I forgot to use --enable_inline with configure ;) I should have read the README more closely. Using

./configure --enable_inline
make

works like a charm :)

HTH,
Sandro

From: Rob M. <rv...@ca...> - 2003-08-21 03:03:15

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wed, 20 Aug 2003, B. J. Bomar wrote:

> Has anyone had any success getting snort-inline 2.0.1 up and running on a
> Redhat 7.3, 8, or 9 machine. I have tried multiple times on a bunch of test
> machines here with little to no luck. These have all been "stock" installs.
> On Redhat 7.3 and 8, I am able to compile, install, and test successfully
> without -Q.

Let me see if I understand this correctly. When you do a snort_inline -h,
you don't see a -Q option. Is this correct? If so, please do the
following:

make distclean
./configure
make
make install

** Do not use ./configure --enable-inline. The version that sits on
snort-inline.sf.net is configured to enable-inline by default. Guess
there is a bug in my autoconf script, because if you give it the
--enable-inline, it sort of disables it.

> If I put in the -Q option, the packets go through to userspace,
> but no logging or dropping. The same happens if I use the pre-compiled
> binary downloaded from Sourceforge. I can use the binary on Redhat 9, but
> seem to have the same problem as others compiling it. If anyone has gotten
> any of these setups to work, please give the rest of us some tips, or
> instructions on how you did it.

Ahh... This sounds like a different problem. Are you trying to set it up
with a bridge? If so, make your default firewall policy drop (iptables -P
INPUT DROP, iptables -P OUTPUT DROP, iptables -P FORWARD DROP). If you
are still able to pass packets via the bridge, you don't have the bridge
firewalling patch in your kernel. You can get the patch from
bridge.sf.net.

As far as RedHat 9.0, I just started looking at this problem. Seems that
some code has changed in 9.0.

Rob
-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8
Comment: Made with pgp4pine 1.76

iQA/AwUBP0P6F/nAyY+9KLjdEQJKCwCgyRJp53d06uU9SIF70qp3FFWKbz4An25p
ccG+99F7vJkowilzLxCER52B
=MoTj
-----END PGP SIGNATURE-----

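Rob's remark above that passing --enable-inline "sort of disables" inline support, and Sandro's corrected AC_ARG_ENABLE stanza in his 2003-08-22 10:31 mail, describe the same configure.in bug. The script below is an added example, not snort_inline's configure script and not code from any message in this thread: it models the two action branches of AC_ARG_ENABLE(inline, HELP, ACTION-IF-GIVEN, ACTION-IF-NOT-GIVEN) in plain shell, with a "swapped" variant that reproduces exactly the reported symptom (inline on by default, --enable-inline turning it off). That the two action arguments were reversed in the shipped configure.in is an assumption; the thread only shows the corrected stanza. The has_inline_support helper is mine as well; it rests on Kirk's compile log, where an inline-enabled build carries -DGIDS among the gcc flags.

```shell
#!/bin/sh
# Added example (not snort_inline's configure.in): a plain-shell model of
#   AC_ARG_ENABLE(inline, HELP-STRING, ACTION-IF-GIVEN, ACTION-IF-NOT-GIVEN)
# showing how a swapped action pair yields "inline on by default, and
# --enable-inline turns it off". Which branch the 2.0.1 configure.in really
# had wrong is an assumption; the thread only shows the corrected stanza.

# gids_cflags VARIANT [configure arguments...]
# Prints the CFLAGS the stanza would add: "-DGIDS" or an empty line.
gids_cflags() {
    variant=$1
    shift
    given=""                      # autoconf's $enableval: yes, no, or unset
    for arg in "$@"; do
        case $arg in
            --enable-inline|--enable-inline=yes) given=yes ;;
            --disable-inline|--enable-inline=no) given=no ;;
        esac
    done
    cflags=""
    case $variant in
        correct)
            # Sandro's stanza: -DGIDS comes from ACTION-IF-GIVEN. Note that
            # autoconf runs ACTION-IF-GIVEN for --disable-inline too; the
            # stanza as posted does not test $enableval, this model does.
            if [ "$given" = yes ]; then
                cflags="-DGIDS"
            fi
            ;;
        swapped)
            # Assumed buggy stanza: the two actions are reversed, so the
            # default build (no option) gets -DGIDS and --enable-inline
            # lands in the branch that leaves it out.
            if [ -z "$given" ]; then
                cflags="-DGIDS"
            fi
            ;;
        *)
            echo "unknown variant: $variant" >&2
            return 1
            ;;
    esac
    printf '%s\n' "$cflags"
}

# has_inline_support: read a compile line, make output or a generated
# Makefile on stdin and succeed if the GIDS define is present. Kirk's log in
# this thread shows "-DGIDS" in the gcc flags of an inline-enabled build.
has_inline_support() {
    grep -q -- '-DGIDS'
}

# Demo when run directly: what each stanza does with and without the option.
for v in correct swapped; do
    printf '%-8s default:[%s]  --enable-inline:[%s]  --disable-inline:[%s]\n' \
        "$v" "$(gids_cflags "$v")" "$(gids_cflags "$v" --enable-inline)" \
        "$(gids_cflags "$v" --disable-inline)"
done
```

On a real tree the check that settles which build you have is the define itself rather than the option you passed: after ./configure, `grep -- '-DGIDS' src/Makefile` (or `make 2>&1 | has_inline_support`) should find it, and `snort_inline -h` should then list -Q, which is the test Rob asks for above.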
From: B. J. B. <bb...@ra...> - 2003-08-20 19:42:35

Has anyone had any success getting snort-inline 2.0.1 up and running on a Redhat 7.3, 8, or 9 machine? I have tried multiple times on a bunch of test machines here with little to no luck. These have all been "stock" installs. On Redhat 7.3 and 8, I am able to compile, install, and test successfully without -Q. If I put in the -Q option, the packets go through to userspace, but no logging or dropping. The same happens if I use the pre-compiled binary downloaded from Sourceforge. I can use the binary on Redhat 9, but seem to have the same problem as others compiling it. If anyone has gotten any of these setups to work, please give the rest of us some tips, or instructions on how you did it.

Thanks,

B. J.

From: Rob M. <rv...@ca...> - 2003-08-20 07:29:39

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hmm... This one is going to take a little analysis. Looks like if.h changed between kernels and this is something that libipq uses. I'll have to take a look at it under RedHat 9.0 and see if I can figure out how to fix it.

Just out of curiosity, is anyone else having this problem? Anyone been able to successfully compile snort_inline in RedHat 9.0?

Thanks in advance,

Rob

On Tue, 19 Aug 2003, Kirk Winkelman wrote:

> Rob,
>
> Here are the library versions:
>
> Libnet -> 1.0.2a
> libpcap -> 0.7.2
> libipq -> 1.2.7a
>
> Libnet was downloaded and installed from source, Libpcap was installed
> via RPM from Redhat, and Libipq was installed by downloading the
> iptables source and running 'make install-devel.'
>
> Thanks,
> Kirk

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8
Comment: Made with pgp4pine 1.76

iQA/AwUBP0LRdvnAyY+9KLjdEQJubwCdFD46y1njLkhO6P6JA7CkHS18xigAoIMP
iG/EFA9ArMvKcZUdeZdF2kaN
=W9UK
-----END PGP SIGNATURE-----

From: Kirk W. <win...@us...> - 2003-08-19 17:05:41

Rob,

Here are the library versions:

Libnet -> 1.0.2a
libpcap -> 0.7.2
libipq -> 1.2.7a

Libnet was downloaded and installed from source, Libpcap was installed via RPM from Redhat, and Libipq was installed by downloading the iptables source and running 'make install-devel.'

Thanks,
Kirk

Rob McMillen wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> What versions of libraries are you using?
>
> libnet
> libpcap
> libipq <- basically iptables version
>
> Rob
>
>> I just ran into the same thing. It appears that the kernel sources
>> have changed with the new versions. I am going to be looking into
>> that in the next couple of days. Unless someone else makes a grand
>> answer, I'll tell you what I find out.
>>
>> Kirk Winkelman wrote:
>>
>>> Hi guys,
>>>
>>> I am trying to compile snort inline with mysql support, and it is
>>> crapping out on the make. the configure --with-mysql completes just
>>> fine, but when I move onto the actual compile, it bombs like this:
>>>
>>> Making all in output-plugins
>>> make[3]: Entering directory `/root/snort_inline-2.0.1/src/output-plugins'
>>> gcc -DHAVE_CONFIG_H -I. -I. -I../.. -I../.. -I../../src
>>> -I/usr/include/pcap -I../../src/output-plugins
>>> -I../../src/detection-plugins -I../../src/preprocessors
>>> -I/usr/include/mysql -DENABLE_MYSQL -I/usr/local/include
>>> -I/usr/include -g -O2 -Wall -DGIDS -D_BSD_SOURCE -D__BSD_SOURCE
>>> -D__FAVOR_BSD -DHAVE_NET_ETHERNET_H -DLIBNET_LIL_ENDIAN -c `test -f
>>> 'spo_alert_fast.c' || echo './'`spo_alert_fast.c
>>> In file included from /usr/include/linux/netfilter_ipv4/ip_queue.h:10,
>>>                  from /usr/local/include/libipq.h:37,
>>>                  from ../../src/inline.h:7,
>>>                  from ../../src/snort.h:38,
>>>                  from spo_alert_fast.c:51:
>>> /usr/include/linux/if.h:59: redefinition of `struct ifmap'
>>> /usr/include/linux/if.h:77: redefinition of `struct ifreq'
>>> /usr/include/linux/if.h:126: redefinition of `struct ifconf'
>>> make[3]: *** [spo_alert_fast.o] Error 1
>>> make[3]: Leaving directory `/root/snort_inline-2.0.1/src/output-plugins'
>>> make[2]: *** [all-recursive] Error 1
>>> make[2]: Leaving directory `/root/snort_inline-2.0.1/src'
>>> make[1]: *** [all-recursive] Error 1
>>> make[1]: Leaving directory `/root/snort_inline-2.0.1'
>>> make: *** [all] Error 2
>>>
>>> From those messages, I am guessing that the problem is something with
>>> the ip_queue module, but I don't know how to go about figuring this
>>> out. Also, the configure script outputs these two lines:
>>>
>>> checking for ipq_set_mode in -lipq... yes
>>> checking "for libipq.h"... /usr/local/include
>>>
>>> I've also noticed that if I modinfo ip_queue, it reports that the
>>> module is in lib/modules/2.4.20-19.9/kernel/net/ipv4/netfilter/. The
>>> kernel I am currently running is named 2.4.20-19.9custom. There _is_
>>> an ip_queue module in
>>> /lib/modules/2.4.20-19.9custom/kernel/net/ipv4/netfilter/. Might
>>> there be some kind of version conflict there?
>>>
>>> I am running Redhat 9, btw. Any suggestions would be greatly
>>> appreciated.
>>>
>>> Thanks,
>>> Kirk Winkelman
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGP 6.5.8
> Comment: Made with pgp4pine 1.76
>
> iQA/AwUBP0Fr2fnAyY+9KLjdEQIXLACfXsdL68Iw0RxBBzzj4ccarg4QEk8AmwRO
> G5bL6ejDKclMAeL9B6ofash9
> =gbf2
> -----END PGP SIGNATURE-----

From: Rob M. <rv...@ca...> - 2003-08-19 00:11:22

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

What versions of libraries are you using?

libnet
libpcap
libipq <- basically iptables version

Rob

> I just ran into the same thing. It appears that the kernel sources
> have changed with the new versions. I am going to be looking into
> that in the next couple of days. Unless someone else makes a grand
> answer, I'll tell you what I find out.
>
> Kirk Winkelman wrote:
>
>> Hi guys,
>>
>> I am trying to compile snort inline with mysql support, and it is
>> crapping out on the make. the configure --with-mysql completes just
>> fine, but when I move onto the actual compile, it bombs like this:
>>
>> Making all in output-plugins
>> make[3]: Entering directory `/root/snort_inline-2.0.1/src/output-plugins'
>> gcc -DHAVE_CONFIG_H -I. -I. -I../.. -I../.. -I../../src
>> -I/usr/include/pcap -I../../src/output-plugins
>> -I../../src/detection-plugins -I../../src/preprocessors
>> -I/usr/include/mysql -DENABLE_MYSQL -I/usr/local/include
>> -I/usr/include -g -O2 -Wall -DGIDS -D_BSD_SOURCE -D__BSD_SOURCE
>> -D__FAVOR_BSD -DHAVE_NET_ETHERNET_H -DLIBNET_LIL_ENDIAN -c `test -f
>> 'spo_alert_fast.c' || echo './'`spo_alert_fast.c
>> In file included from /usr/include/linux/netfilter_ipv4/ip_queue.h:10,
>>                  from /usr/local/include/libipq.h:37,
>>                  from ../../src/inline.h:7,
>>                  from ../../src/snort.h:38,
>>                  from spo_alert_fast.c:51:
>> /usr/include/linux/if.h:59: redefinition of `struct ifmap'
>> /usr/include/linux/if.h:77: redefinition of `struct ifreq'
>> /usr/include/linux/if.h:126: redefinition of `struct ifconf'
>> make[3]: *** [spo_alert_fast.o] Error 1
>> make[3]: Leaving directory `/root/snort_inline-2.0.1/src/output-plugins'
>> make[2]: *** [all-recursive] Error 1
>> make[2]: Leaving directory `/root/snort_inline-2.0.1/src'
>> make[1]: *** [all-recursive] Error 1
>> make[1]: Leaving directory `/root/snort_inline-2.0.1'
>> make: *** [all] Error 2
>>
>> From those messages, I am guessing that the problem is something with
>> the ip_queue module, but I don't know how to go about figuring this
>> out. Also, the configure script outputs these two lines:
>>
>> checking for ipq_set_mode in -lipq... yes
>> checking "for libipq.h"... /usr/local/include
>>
>> I've also noticed that if I modinfo ip_queue, it reports that the
>> module is in lib/modules/2.4.20-19.9/kernel/net/ipv4/netfilter/. The
>> kernel I am currently running is named 2.4.20-19.9custom. There _is_
>> an ip_queue module in
>> /lib/modules/2.4.20-19.9custom/kernel/net/ipv4/netfilter/. Might
>> there be some kind of version conflict there?
>>
>> I am running Redhat 9, btw. Any suggestions would be greatly
>> appreciated.
>>
>> Thanks,
>> Kirk Winkelman

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8
Comment: Made with pgp4pine 1.76

iQA/AwUBP0Fr2fnAyY+9KLjdEQIXLACfXsdL68Iw0RxBBzzj4ccarg4QEk8AmwRO
G5bL6ejDKclMAeL9B6ofash9
=gbf2
-----END PGP SIGNATURE-----

From: Kirk W. <win...@us...> - 2003-08-18 18:11:17

I just tried compiling snort 2.0.1 (the non-inline version) with mysql support, and it worked perfectly. So the problem has to be something with ip_queue or libnet. I don't know if that helps at all.

Kirk Winkelman

Dale L. Handy wrote:

> I just ran into the same thing. It appears that the kernel sources
> have changed with the new versions. I am going to be looking into
> that in the next couple of days. Unless someone else makes a grand
> answer, I'll tell you what I find out.
>
> Kirk Winkelman wrote:
>
>> Hi guys,
>>
>> I am trying to compile snort inline with mysql support, and it is
>> crapping out on the make. the configure --with-mysql completes just
>> fine, but when I move onto the actual compile, it bombs like this:
>>
>> Making all in output-plugins
>> make[3]: Entering directory `/root/snort_inline-2.0.1/src/output-plugins'
>> gcc -DHAVE_CONFIG_H -I. -I. -I../.. -I../.. -I../../src
>> -I/usr/include/pcap -I../../src/output-plugins
>> -I../../src/detection-plugins -I../../src/preprocessors
>> -I/usr/include/mysql -DENABLE_MYSQL -I/usr/local/include
>> -I/usr/include -g -O2 -Wall -DGIDS -D_BSD_SOURCE -D__BSD_SOURCE
>> -D__FAVOR_BSD -DHAVE_NET_ETHERNET_H -DLIBNET_LIL_ENDIAN -c `test -f
>> 'spo_alert_fast.c' || echo './'`spo_alert_fast.c
>> In file included from /usr/include/linux/netfilter_ipv4/ip_queue.h:10,
>>                  from /usr/local/include/libipq.h:37,
>>                  from ../../src/inline.h:7,
>>                  from ../../src/snort.h:38,
>>                  from spo_alert_fast.c:51:
>> /usr/include/linux/if.h:59: redefinition of `struct ifmap'
>> /usr/include/linux/if.h:77: redefinition of `struct ifreq'
>> /usr/include/linux/if.h:126: redefinition of `struct ifconf'
>> make[3]: *** [spo_alert_fast.o] Error 1
>> make[3]: Leaving directory `/root/snort_inline-2.0.1/src/output-plugins'
>> make[2]: *** [all-recursive] Error 1
>> make[2]: Leaving directory `/root/snort_inline-2.0.1/src'
>> make[1]: *** [all-recursive] Error 1
>> make[1]: Leaving directory `/root/snort_inline-2.0.1'
>> make: *** [all] Error 2
>>
>> From those messages, I am guessing that the problem is something with
>> the ip_queue module, but I don't know how to go about figuring this
>> out. Also, the configure script outputs these two lines:
>>
>> checking for ipq_set_mode in -lipq... yes
>> checking "for libipq.h"... /usr/local/include
>>
>> I've also noticed that if I modinfo ip_queue, it reports that the
>> module is in lib/modules/2.4.20-19.9/kernel/net/ipv4/netfilter/. The
>> kernel I am currently running is named 2.4.20-19.9custom. There _is_
>> an ip_queue module in
>> /lib/modules/2.4.20-19.9custom/kernel/net/ipv4/netfilter/. Might
>> there be some kind of version conflict there?
>>
>> I am running Redhat 9, btw. Any suggestions would be greatly
>> appreciated.
>>
>> Thanks,
>> Kirk Winkelman

From: Dale L. H. <dh...@ni...> - 2003-08-17 04:28:31

I just ran into the same thing. It appears that the kernel sources have changed with the new versions. I am going to be looking into that in the next couple of days. Unless someone else makes a grand answer, I'll tell you what I find out.

Kirk Winkelman wrote:

> Hi guys,
>
> I am trying to compile snort inline with mysql support, and it is
> crapping out on the make. the configure --with-mysql completes just
> fine, but when I move onto the actual compile, it bombs like this:
>
> Making all in output-plugins
> make[3]: Entering directory `/root/snort_inline-2.0.1/src/output-plugins'
> gcc -DHAVE_CONFIG_H -I. -I. -I../.. -I../.. -I../../src
> -I/usr/include/pcap -I../../src/output-plugins
> -I../../src/detection-plugins -I../../src/preprocessors
> -I/usr/include/mysql -DENABLE_MYSQL -I/usr/local/include
> -I/usr/include -g -O2 -Wall -DGIDS -D_BSD_SOURCE -D__BSD_SOURCE
> -D__FAVOR_BSD -DHAVE_NET_ETHERNET_H -DLIBNET_LIL_ENDIAN -c `test -f
> 'spo_alert_fast.c' || echo './'`spo_alert_fast.c
> In file included from /usr/include/linux/netfilter_ipv4/ip_queue.h:10,
>                  from /usr/local/include/libipq.h:37,
>                  from ../../src/inline.h:7,
>                  from ../../src/snort.h:38,
>                  from spo_alert_fast.c:51:
> /usr/include/linux/if.h:59: redefinition of `struct ifmap'
> /usr/include/linux/if.h:77: redefinition of `struct ifreq'
> /usr/include/linux/if.h:126: redefinition of `struct ifconf'
> make[3]: *** [spo_alert_fast.o] Error 1
> make[3]: Leaving directory `/root/snort_inline-2.0.1/src/output-plugins'
> make[2]: *** [all-recursive] Error 1
> make[2]: Leaving directory `/root/snort_inline-2.0.1/src'
> make[1]: *** [all-recursive] Error 1
> make[1]: Leaving directory `/root/snort_inline-2.0.1'
> make: *** [all] Error 2
>
> From those messages, I am guessing that the problem is something with
> the ip_queue module, but I don't know how to go about figuring this
> out. Also, the configure script outputs these two lines:
>
> checking for ipq_set_mode in -lipq... yes
> checking "for libipq.h"... /usr/local/include
>
> I've also noticed that if I modinfo ip_queue, it reports that the
> module is in lib/modules/2.4.20-19.9/kernel/net/ipv4/netfilter/. The
> kernel I am currently running is named 2.4.20-19.9custom. There _is_
> an ip_queue module in
> /lib/modules/2.4.20-19.9custom/kernel/net/ipv4/netfilter/. Might there
> be some kind of version conflict there?
>
> I am running Redhat 9, btw. Any suggestions would be greatly appreciated.
>
> Thanks,
> Kirk Winkelman

--
"The trouble with doing something right the first time is that nobody appreciates how difficult it was."
--
Dale L. Handy, P.E.
dh...@ni...
http://www.nitrodata.com

From: Kirk W. <win...@us...> - 2003-08-16 15:18:27

Hi guys,

I am trying to compile snort inline with mysql support, and it is crapping out on the make. the configure --with-mysql completes just fine, but when I move onto the actual compile, it bombs like this:

Making all in output-plugins
make[3]: Entering directory `/root/snort_inline-2.0.1/src/output-plugins'
gcc -DHAVE_CONFIG_H -I. -I. -I../.. -I../.. -I../../src
-I/usr/include/pcap -I../../src/output-plugins
-I../../src/detection-plugins -I../../src/preprocessors
-I/usr/include/mysql -DENABLE_MYSQL -I/usr/local/include
-I/usr/include -g -O2 -Wall -DGIDS -D_BSD_SOURCE -D__BSD_SOURCE
-D__FAVOR_BSD -DHAVE_NET_ETHERNET_H -DLIBNET_LIL_ENDIAN -c `test -f
'spo_alert_fast.c' || echo './'`spo_alert_fast.c
In file included from /usr/include/linux/netfilter_ipv4/ip_queue.h:10,
                 from /usr/local/include/libipq.h:37,
                 from ../../src/inline.h:7,
                 from ../../src/snort.h:38,
                 from spo_alert_fast.c:51:
/usr/include/linux/if.h:59: redefinition of `struct ifmap'
/usr/include/linux/if.h:77: redefinition of `struct ifreq'
/usr/include/linux/if.h:126: redefinition of `struct ifconf'
make[3]: *** [spo_alert_fast.o] Error 1
make[3]: Leaving directory `/root/snort_inline-2.0.1/src/output-plugins'
make[2]: *** [all-recursive] Error 1
make[2]: Leaving directory `/root/snort_inline-2.0.1/src'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/root/snort_inline-2.0.1'
make: *** [all] Error 2

From those messages, I am guessing that the problem is something with the ip_queue module, but I don't know how to go about figuring this out. Also, the configure script outputs these two lines:

checking for ipq_set_mode in -lipq... yes
checking "for libipq.h"... /usr/local/include

I've also noticed that if I modinfo ip_queue, it reports that the module is in lib/modules/2.4.20-19.9/kernel/net/ipv4/netfilter/. The kernel I am currently running is named 2.4.20-19.9custom. There _is_ an ip_queue module in /lib/modules/2.4.20-19.9custom/kernel/net/ipv4/netfilter/. Might there be some kind of version conflict there?

I am running Redhat 9, btw. Any suggestions would be greatly appreciated.

Thanks,
Kirk Winkelman

From: B. J. B. <bb...@ra...> - 2003-08-14 19:45:25

Hello all. I am trying to get snort-inline-bin to work on a bastion firewall with the -Q option to no avail. I have compiled and installed "regular" snort, and downloaded snort-inline-bin. The following is the only rule I have active.

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"Test drop web"; flow:to_server,established; uricontent:"testme"; nocase;)

To test that the rule works, I run "snort-inline -Ddc /etc/snort/snort.conf" and see the following entry in the alert log.

[**] [1:0:0] Test drop web [**]
[Priority: 0]
08/14-13:19:06.296571 209.234.67.66:2448 -> 209.234.67.122:80
TCP TTL:128 TOS:0x0 ID:36356 IpLen:20 DgmLen:236 DF
***AP*** Seq: 0xF09A21DA  Ack: 0x2D444467  Win: 0xFAF0  TcpLen: 20

Looks good so far. I then do an "insmod ip_queue" which loads up properly. After that, I put the following firewall rule in.

-A INPUT -p tcp -m tcp --dport 80 -m state --state NEW,RELATED,ESTABLISHED -j QUEUE

Trying to go to the website fails, which is expected since snort-inline is not running with -Q. Ok so far so good. If I then kill the running snort-inline process and restart it with "snort-inline -QDdc /etc/snort/snort.conf" the website then comes up, but I don't see anything in the alert log. If I change the rule from alert to drop, the website still comes up and still is not logged. If I run it with -v instead of -D, I see all of the packets on port 80.

It seems to me that snort-inline is accepting traffic from ip_queue, but not doing anything with it. I am currently running this on a stock RedHat 9 install with snort, and snort-inline 2.0.1. Any help would be greatly appreciated.

B. J.

From: Rob M. <rv...@ca...> - 2003-08-07 23:53:03

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Bones,

Check out bridge.sf.net to see how to apply the bridge firewalling patch to your existing kernel.

Rob

On Thu, 7 Aug 2003, Bones wrote:

> Does anyone have any documentation on how to install iptables with bridge
> support under redhat 8, or any newer version of redhat?
>
> I can't use 7.3 since it does not support much of the hardware on my
> server (RAID controller is the big deal).
>
> Everything else seems to be working fine; but since I don't have bridge
> support iptables is just defaulting to allow in bridge mode.
>
> Bones.....

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8
Comment: Made with pgp4pine 1.76

iQA/AwUBPzLmz/nAyY+9KLjdEQIYeACeMQtfQEqKtVs8XHu6l/sR4ItnnNIAnA4w
A+KCDnpogut7FgfWiqiKQo5V
=e8hx
-----END PGP SIGNATURE-----

From: Bones <bo...@qu...> - 2003-08-07 22:33:03

Does anyone have any documentation on how to install iptables with bridge support under redhat 8, or any newer version of redhat?

I can't use 7.3 since it does not support much of the hardware on my server (RAID controller is the big deal).

Everything else seems to be working fine; but since I don't have bridge support iptables is just defaulting to allow in bridge mode.

Bones.....

From: pieter c. <pi...@co...> - 2003-08-06 10:38:53
|
We are developing an IPS Best Practice Guide and I am looking for reviewers/contributors. If anybody is interested, please contact me. Regards, Pieter countersnipe.com |
From: Stephan S. <ss...@as...> - 2003-08-01 10:59:27
|
Obviously your packets get dropped by netfilter. Make sure you allow all the passthrough traffic (in the FORWARD queue). You also need to enable the "Userspace queueing via NETLINK (EXPERIMENTAL)" option in the kernel (it's in Networking->Netfilter config), so that packets are given to snort_inline.

Stephan

> When I install snort_inline, I can't read packets from iptables. What is wrong? Help me. Thanks.
>
> redhat 8.0 default kernel
> libnet-1.0.2a
> libpcap-0.7.2
>
> patch -p1 < ../bridge-nf-0.0.7-against-2.4.18.diff
> cd iptables-1.2.8
> make KERNEL_DIR=../linux-2.4.18-14
> make install KERNEL_DIR=../linux-2.4.18-14
> make install-devel
>
> select the opt
> [*] 802.1d Ethernet Bridging
> [*] netfilter(firewalling) support
>
> compile the kernel
> ...
> reboot
>
> cd snort_inline-2.0.0
> ./etc/rc.firewall
> ./src/snort_inline -Qdc ./etc/snort_inline.conf
>
> after all
> can not communicate through the bridge-pc and snort_inline can't read packets from iptables.
>
> If I don't select the opt
> [*] netfilter(firewalling) support
> can communicate through the bridge-pc
> and snort_inline can't read packets from iptables.

--
Stephan Scholz <ss...@as...> | Development
Astaro AG | www.astaro.com | Phone +49-721-490069-0 | Fax -55

Visit Astaro at:
- LinuxWorld Expo, booth 1091, San Francisco, Aug. 5-7, 2003
- CeBIT asia, German Pavilion, Pudong, Shanghai, Sep. 18-23, 2003
- Infosecurity Scandinavia, booth C02:38, Stockholm, Sep. 23-25, 2003
- GITEX, German Pavilion, Dubai, Oct. 19-23, 2003
- Systems 2003, hall B2, booth 326, Munich, Oct. 20-24, 2003
|
From: *<w_...@ma...> - 2003-08-01 10:47:45
|
When I install snort_inline, I can't read packets from iptables. What is wrong? Help me. Thanks.

redhat 8.0 default kernel
libnet-1.0.2a
libpcap-0.7.2

patch -p1 < ../bridge-nf-0.0.7-against-2.4.18.diff
cd iptables-1.2.8
make KERNEL_DIR=../linux-2.4.18-14
make install KERNEL_DIR=../linux-2.4.18-14
make install-devel

select the opt
[*] 802.1d Ethernet Bridging
[*] netfilter(firewalling) support

compile the kernel
...
reboot

cd snort_inline-2.0.0
./etc/rc.firewall
./src/snort_inline -Qdc ./etc/snort_inline.conf

after all
can not communicate through the bridge-pc and snort_inline can't read packets from iptables.

If I don't select the opt
[*] netfilter(firewalling) support
can communicate through the bridge-pc
and snort_inline can't read packets from iptables.
|
From: Stephan S. <ss...@as...> - 2003-07-31 07:56:48
|
Hi Ravi,

try to trigger a certain rule and see what happens. For example, try a really large ping (rule "ICMP Large ICMP Packet").

Stephan

> Now, when I run snort_inline with QDc as options after a minimum editing
> of snort_inline.conf (changing Net IDs and rule path), I could see in
> /var/log/messages that snort_inline is successfully running.
> But I couldn't find any messages in /var/log/snort/<full or fast>
> Is this that no attacks are generated or I didn't configure properly?

--
Stephan Scholz <ss...@as...> | Development
Astaro AG | www.astaro.com | Phone +49-721-490069-0 | Fax -55

Visit Astaro at:
- LinuxWorld Expo, booth 1091, San Francisco, Aug. 5-7, 2003
- CeBIT asia, German Pavilion, Pudong, Shanghai, Sep. 18-23, 2003
- Infosecurity Scandinavia, booth C02:38, Stockholm, Sep. 23-25, 2003
- GITEX, German Pavilion, Dubai, Oct. 19-23, 2003
- Systems 2003, hall B2, booth 326, Munich, Oct. 20-24, 2003
|
From: Ravi <ra...@ro...> - 2003-07-31 04:54:28
|
yes, it should log to /var/log/snort/snort_inline_full & snort_inline_fast according to snort_inline.conf

Regards,
Ravi

Rob McMillen wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> If you look at snort_inline.conf, where are you logging to? Usually
> something like:
>
> output alert_full: snort_inline-full
> output alert_fast: snort_inline-fast
>
> Rob
>
> On Wed, 30 Jul 2003, Ravi wrote:
>
>> Dear Rob,
>> First of all great software on IIPS.
>> Thanks for the help extended. Now it's showing -Q option,
>> I downloaded iptables (this time not depending on the iptables that comes
>> with kernel), Libnet, Libpcap and compiled again. It worked.
>>
>> Now, when I run snort_inline with QDc as options after a minimum editing
>> of snort_inline.conf (changing Net IDs and rule path), I could see in
>> /var/log/messages that snort_inline is successfully running.
>> But I couldn't find any messages in /var/log/snort/<full or fast>
>> Is this that no attacks are generated or I didn't configure properly?
>> FYI, I have followed readme.inline.
>> Followed the readme, is anything remaining to do?
>>
>> One more query, which loganalyser is the best available freely?
>> I have seen people saying acid is worth using!!.
>>
>> Thanks in advance,
>> Ravi
>>
>>> On Fri, 11 Jul 2003, Ravi wrote:
>>>
>>>> Dear All,
>>>> Please bear with this newbie question. I have downloaded snort inline
>>>> latest source code and installed onto my machine.
>>>> 1) insmod ip_queue.o
>>>> 2) compiled and installed LibNet
>>>> 3) added iptables command to direct to port 80
>>>> 4) I have configured with --enable-inline option, make and make install etc
>>>> When completed installation, The README.INLINE says to run
>>>> snort_inline -QDc ../etc/drop.conf -l /var/log/snort
>>>> But I didn't find drop.conf as well the option -Q is not identified as a
>>>> valid option.
>>>> Should I get iptables code and compile it even though I have a lkm with me?
>>>> Thanks in advance for the help.
>>>> Regards
>>>> Ravi

--
The views presented in this mail are completely mine. The company is not responsible for whatsoever.
------------------------------------------------------------------------
Ravi Kumar CH
Rendezvous On Chip (i) Pvt Ltd
Hyderabad, India
Ph: +91-40-2335 1214 / 1175 / 1184
ROC home page <http://www.roc.co.in>
|
From: Rob M. <rv...@ca...> - 2003-07-30 20:25:47
|
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

If you look at snort_inline.conf, where are you logging to? Usually something like:

output alert_full: snort_inline-full
output alert_fast: snort_inline-fast

Rob

On Wed, 30 Jul 2003, Ravi wrote:

> Dear Rob,
> First of all great software on IIPS.
> Thanks for the help extended. Now it's showing -Q option,
> I downloaded iptables (this time not depending on the iptables that comes
> with kernel), Libnet, Libpcap and compiled again. It worked.
>
> Now, when I run snort_inline with QDc as options after a minimum editing
> of snort_inline.conf (changing Net IDs and rule path), I could see in
> /var/log/messages that snort_inline is successfully running.
> But I couldn't find any messages in /var/log/snort/<full or fast>
> Is this that no attacks are generated or I didn't configure properly?
> FYI, I have followed readme.inline.
> Followed the readme, is anything remaining to do?
>
> One more query, which loganalyser is the best available freely?
> I have seen people saying acid is worth using!!.
>
> Thanks in advance,
> Ravi
>
>> On Fri, 11 Jul 2003, Ravi wrote:
>>
>>> Dear All,
>>> Please bear with this newbie question. I have downloaded snort inline
>>> latest source code and installed onto my machine.
>>> 1) insmod ip_queue.o
>>> 2) compiled and installed LibNet
>>> 3) added iptables command to direct to port 80
>>> 4) I have configured with --enable-inline option, make and make install etc
>>> When completed installation, The README.INLINE says to run
>>> snort_inline -QDc ../etc/drop.conf -l /var/log/snort
>>> But I didn't find drop.conf as well the option -Q is not identified as a
>>> valid option.
>>> Should I get iptables code and compile it even though I have a lkm with me?
>>> Thanks in advance for the help.
>>> Regards
>>> Ravi

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8
Comment: Made with pgp4pine 1.76

iQA/AwUBPygp9PnAyY+9KLjdEQK76wCg/rx8ymr33YW2qi8p5GVgu/CaIrYAoJfg
i3YZ8ZEIqv9F+IR0fMdUv8eT
=XXUl
-----END PGP SIGNATURE-----
|
From: Ravi <ra...@ro...> - 2003-07-30 11:22:30
|
Dear Rob,
First of all great software on IIPS.
Thanks for the help extended. Now it's showing -Q option,
I downloaded iptables (this time not depending on the iptables that comes with kernel), Libnet, Libpcap and compiled again. It worked.

Now, when I run snort_inline with QDc as options after a minimum editing of snort_inline.conf (changing Net IDs and rule path), I could see in /var/log/messages that snort_inline is successfully running.
But I couldn't find any messages in /var/log/snort/<full or fast>
Is this that no attacks are generated or I didn't configure properly?
FYI, I have followed readme.inline.
Followed the readme, is anything remaining to do?

One more query, which loganalyser is the best available freely?
I have seen people saying acid is worth using!!.

Thanks in advance,
Ravi

> On Fri, 11 Jul 2003, Ravi wrote:
>
>> Dear All,
>> Please bear with this newbie question. I have downloaded snort inline
>> latest source code and installed onto my machine.
>> 1) insmod ip_queue.o
>> 2) compiled and installed LibNet
>> 3) added iptables command to direct to port 80
>> 4) I have configured with --enable-inline option, make and make install etc
>> When completed installation, The README.INLINE says to run
>> snort_inline -QDc ../etc/drop.conf -l /var/log/snort
>> But I didn't find drop.conf as well the option -Q is not identified as a
>> valid option.
>> Should I get iptables code and compile it even though I have a lkm with me?
>> Thanks in advance for the help.
>> Regards
>> Ravi

--
The views presented in this mail are completely mine. The company is not responsible for whatsoever.
------------------------------------------------------------------------
Ravi Kumar CH
Rendezvous On Chip (i) Pvt Ltd
Hyderabad, India
Ph: +91-40-2335 1214 / 1175 / 1184
ROC home page <http://www.roc.co.in>
|
From: Rob M. <rv...@ca...> - 2003-07-29 19:30:18
|
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

All,

Just updated snort_inline to use the latest release of snort (2.0.1).

http://sourceforge.net/projects/snort-inline/

There are no core snort_inline changes to the new release. However, snort changed the way it does something that could change the way snort_inline works:

Very important!!! In snort-2.0.1, "If the packet has an invalid checksum marked, throw that traffic away as no end host should accept it." This is bad for snort_inline!!! because some servers actually accept these packets. To disable this so all specified packets are dropped no matter what the checksum is, add this to your snort_inline.conf file:

config checksum_mode: none

If you apply the snort_inline-2.0.1 patch, run

./configure
make clean
./configure

in order to get the autoconf scripts to kick off and generate your new configure script.

** YOU DO NOT NEED TO RUN ./configure --enable-inline **

Thanks,

Rob

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8
Comment: Made with pgp4pine 1.76

iQA/AwUBPybAXPnAyY+9KLjdEQKlkgCfZPps9Xvy0C1jtj4uqcf8SdMR+UQAoIuL
rUKz5s5gvELUAH5NMhY/wAZB
=IjfF
-----END PGP SIGNATURE-----
|
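Two of the pitfalls in this thread can be checked before snort_inline is ever started: rules that still say alert (which, as the Redhat 9 report at the top of this page found, only log under -Q and never drop) and a snort_inline.conf that lacks the config checksum_mode: none line announced above. The script below is an added example, not code from the snort_inline project: a small Snort rule parser that respects quoted option values, an alert-to-drop rewriter that leaves every option intact, and an audit over a config and a rule file. Only the drop action is treated as an inline action, since that is the one this thread uses; the sample config and rule strings, and the function names, are the example's own.

```python
"""Pre-flight audit of a snort_inline ruleset (added example, not project code).

Flags two things this thread keeps tripping over:
  1. rules whose action is still "alert": under -Q they only log;
  2. a conf without "config checksum_mode: none": snort 2.0.1 discards a
     packet with a bad checksum before rules run, so a drop rule never fires.
"""
import re

# Rule header: action proto src sport direction dst dport ( options )
_RULE_RE = re.compile(
    r"^(?P<action>[a-z]+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)
_CHECKSUM_NONE_RE = re.compile(r"^\s*config\s+checksum_mode\s*:\s*none\s*$")


def _split_options(opts):
    """Split 'k:v; k; ...' on ';' but not inside double quotes, so that
    content:"a;b" stays one option. Backslash-escaped quotes are not handled."""
    parts, buf, in_quote = [], [], False
    for ch in opts:
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return [p.strip() for p in parts if p.strip()]


def parse_rule(line):
    """Return a dict for a one-line Snort rule, or None for blank/comment/unparsable."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    m = _RULE_RE.match(line)
    if not m:
        return None
    options = []
    for item in _split_options(m.group("opts")):
        key, sep, val = item.partition(":")
        options.append((key.strip(), val.strip() if sep else None))
    rule = m.groupdict()
    rule["options"] = options
    return rule


def alert_to_drop(line):
    """Rewrite an 'alert' rule as a 'drop' rule; any other line passes through."""
    rule = parse_rule(line)
    if rule is None or rule["action"] != "alert":
        return line
    return "drop" + line.strip()[len("alert"):]


def audit_inline(conf_text, rules_text):
    """Return a list of findings for an inline (-Q) deployment; empty is clean."""
    findings = []
    if not any(_CHECKSUM_NONE_RE.match(l) for l in conf_text.splitlines()):
        findings.append("conf: missing 'config checksum_mode: none' "
                        "(snort 2.0.1 discards bad-checksum packets before rules run)")
    for n, line in enumerate(rules_text.splitlines(), 1):
        rule = parse_rule(line)
        if rule is None:
            continue
        if rule["action"] == "alert":
            msg = dict(rule["options"]).get("msg", "?")
            findings.append(f"rule {n}: action is 'alert'; packets matching {msg} "
                            f"are logged but not dropped under -Q")
    return findings


# Constructed sample inputs (hypothetical HOME_NET line; rule from this thread).
SAMPLE_CONF = "var HOME_NET any\noutput alert_full: snort_inline-full\n"
SAMPLE_RULES = ('alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS '
                '(msg:"Test drop web"; flow:to_server,established; '
                'uricontent:"testme"; nocase;)\n')

if __name__ == "__main__":
    for f in audit_inline(SAMPLE_CONF, SAMPLE_RULES):
        print("FINDING:", f)
    print(alert_to_drop(SAMPLE_RULES.strip()))
```

Run it over the real snort_inline.conf and rules files before starting with -Q; the rewriter is deliberately textual so that options such as flow:to_server,established survive the alert-to-drop change unchanged.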
From: Brian T. <ad...@zi...> - 2003-07-29 03:00:24
|
Thanks for your input Pieter - your paper looks good

> Apologies that the previous link asked for authentication. Here is a
> direct link to the file that requires no authentication.
>
> http://countersnipe.com/downloads/case_studies/APD_Performance_eval.pdf
>
> Regards,
> Pieter
>
> On Mon, 2003-07-28 at 16:57, pieter claassen wrote:
>
>> We have done some performance tests with snort-inline recently. The
>> paper is available on our website at
>> http://countersnipe.com/downloads/case_studies/
>>
>> The good news is that we seem to be able to squeeze about 500 Mbit/sec +
>> out of the box with Dual Xeon processors. Kudos to the Snort and
>> Inline patch coders!
>>
>> Pieter
>>
>> On Mon, 2003-07-28 at 05:33, Jed Haile wrote:
>>
>>> I know of snort-inline being used with a large (carefully tuned)
>>> ruleset on a 1.2 ghz pentium 3 on a T-3 with a large number of
>>> concurrent users (maybe a couple thousand). It works very well there.
>>> That is the largest load I know of an inline snort box handling. I also
>>> know of inline snort being used in front of some very busy web servers
>>> with very little trouble. I have also experimented with 100 megabit
>>> loads, and it looked good, but the test was not true traffic.
>>>
>>> It will depend largely on how well your box is configured, how many
>>> rules of what sort, what sort of output logging you are doing, and how
>>> many users in/out of the network you will be handling. Lots of
>>> variables.
>>>
>>> Hope this is some help...
>>>
>>> Jed
>>>
>>> On Sunday, July 27, 2003, at 02:21 PM, Brian Toovey wrote:
>>>
>>>> Hey Rob (or anyone)
>>>>
>>>> Do you have any stats on inline's maximum throughput? I am sure it's
>>>> dependent upon how many rulesets you have, but I don't have a high
>>>> speed network to test on
>>>>
>>>> Brian
>>>>
>>>>> -----BEGIN PGP SIGNED MESSAGE-----
>>>>> Hash: SHA1
>>>>>
>>>>> hmm.. Looks like tcp is doing its job by resending packets that are
>>>>> lost :(. Can you give additional information about your system?
>>>>>
>>>>> uname -a
>>>>> snort_inline configuration
>>>>> how are you sending packets to snort_inline
>>>>> what other rules are you using
>>>>> etc.
>>>>>
>>>>> Thanks,
>>>>>
>>>>> Rob
>>>>>
>>>>> On Sun, 27 Jul 2003, josh wrote:
>>>>>
>>>>>> Hi List,
>>>>>> I want to drop all mail with a certain pattern of text, say
>>>>>> "abcdefg". I am aware that this may not be the best way to filter
>>>>>> mail, but for my purposes this is acceptable. I put the following
>>>>>> rule in /etc/snort/rules/local.rules
>>>>>>
>>>>>> drop tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"Spam mail"; content:"abcdefg"; nocase; flow:to_server,established; classtype:misc-activity; rev:1;)
>>>>>>
>>>>>> (Note: the actual rule is one line)
>>>>>>
>>>>>> When I send a message with the text "abcdefg" I see the dropped
>>>>>> packet in /var/log/snort/alerts. The message though still gets sent
>>>>>> with the "abcdefg" text in the message body. Messages with the
>>>>>> "abcdefg" content in the body take several minutes to be sent while
>>>>>> regular messages are sent immediately. I am running
>>>>>> snort_inline-2.0.0-1. The mail server is Sendmail 8.12.9. Does
>>>>>> anybody know why the message is being sent?
>
> --
> Pieter Claassen
> CounterSnipe Technologies
> www.countersnipe.com
>
> Highview House
> Charles Square
> Bracknell
> Berkshire
> RG12 1DF
>
> Tel: +44(0) 1344 390 530
> Fax: +44(0) 1344 390 700
> Mobile: +44 (0) 776 6656 924
> email: pi...@co...

Brian Toovey
Zion Network Security
3223 NE 40th St
Ft Lauderdale, FL 33308
|
From: pieter c. <pi...@co...> - 2003-07-28 17:18:47
|
Apologies that the previous link asked for authentication. Here is a direct link to the file that requires no authentication.

http://countersnipe.com/downloads/case_studies/APD_Performance_eval.pdf

Regards,
Pieter

On Mon, 2003-07-28 at 16:57, pieter claassen wrote:

> We have done some performance tests with snort-inline recently. The
> paper is available on our website at
> http://countersnipe.com/downloads/case_studies/
>
> The good news is that we seem to be able to squeeze about 500 Mbit/sec +
> out of the box with Dual Xeon processors. Kudos to the Snort and
> Inline patch coders!
>
> Pieter
>
> On Mon, 2003-07-28 at 05:33, Jed Haile wrote:
>
>> I know of snort-inline being used with a large (carefully tuned)
>> ruleset on a 1.2 ghz pentium 3 on a T-3 with a large number of
>> concurrent users (maybe a couple thousand). It works very well there.
>> That is the largest load I know of an inline snort box handling. I also
>> know of inline snort being used in front of some very busy web servers
>> with very little trouble. I have also experimented with 100 megabit
>> loads, and it looked good, but the test was not true traffic.
>>
>> It will depend largely on how well your box is configured, how many
>> rules of what sort, what sort of output logging you are doing, and how
>> many users in/out of the network you will be handling. Lots of
>> variables.
>>
>> Hope this is some help...
>>
>> Jed
>>
>> On Sunday, July 27, 2003, at 02:21 PM, Brian Toovey wrote:
>>
>>> Hey Rob (or anyone)
>>>
>>> Do you have any stats on inline's maximum throughput? I am sure it's
>>> dependent upon how many rulesets you have, but I don't have a high
>>> speed network to test on
>>>
>>> Brian
>>>
>>>> -----BEGIN PGP SIGNED MESSAGE-----
>>>> Hash: SHA1
>>>>
>>>> hmm.. Looks like tcp is doing its job by resending packets that are
>>>> lost :(. Can you give additional information about your system?
>>>>
>>>> uname -a
>>>> snort_inline configuration
>>>> how are you sending packets to snort_inline
>>>> what other rules are you using
>>>> etc.
>>>>
>>>> Thanks,
>>>>
>>>> Rob
>>>>
>>>> On Sun, 27 Jul 2003, josh wrote:
>>>>
>>>>> Hi List,
>>>>> I want to drop all mail with a certain pattern of text, say
>>>>> "abcdefg". I am aware that this may not be the best way to filter
>>>>> mail, but for my purposes this is acceptable. I put the following
>>>>> rule in /etc/snort/rules/local.rules
>>>>>
>>>>> drop tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"Spam mail"; content:"abcdefg"; nocase; flow:to_server,established; classtype:misc-activity; rev:1;)
>>>>>
>>>>> (Note: the actual rule is one line)
>>>>>
>>>>> When I send a message with the text "abcdefg" I see the dropped
>>>>> packet in /var/log/snort/alerts. The message though still gets sent
>>>>> with the "abcdefg" text in the message body. Messages with the
>>>>> "abcdefg" content in the body take several minutes to be sent while
>>>>> regular messages are sent immediately. I am running
>>>>> snort_inline-2.0.0-1. The mail server is Sendmail 8.12.9. Does
>>>>> anybody know why the message is being sent?
>>>
>>> Brian Toovey
>>> Zion Network Security
>>> 3223 NE 40th St
>>> Ft Lauderdale, FL 33308

--
Pieter Claassen
CounterSnipe Technologies
www.countersnipe.com

Highview House
Charles Square
Bracknell
Berkshire
RG12 1DF

Tel: +44(0) 1344 390 530
Fax: +44(0) 1344 390 700
Mobile: +44 (0) 776 6656 924
email: pi...@co...
|
From: pieter c. <pi...@co...> - 2003-07-28 16:19:23
|
We have done some performance tests with snort-inline recently. The paper is available on our website at http://countersnipe.com/downloads/case_studies/

The good news is that we seem to be able to squeeze about 500 Mbit/sec + out of the box with Dual Xeon processors. Kudos to the Snort and Inline patch coders!

Pieter

On Mon, 2003-07-28 at 05:33, Jed Haile wrote:

> I know of snort-inline being used with a large (carefully tuned)
> ruleset on a 1.2 ghz pentium 3 on a T-3 with a large number of
> concurrent users (maybe a couple thousand). It works very well there.
> That is the largest load I know of an inline snort box handling. I also
> know of inline snort being used in front of some very busy web servers
> with very little trouble. I have also experimented with 100 megabit
> loads, and it looked good, but the test was not true traffic.
>
> It will depend largely on how well your box is configured, how many
> rules of what sort, what sort of output logging you are doing, and how
> many users in/out of the network you will be handling. Lots of
> variables.
>
> Hope this is some help...
>
> Jed
>
> On Sunday, July 27, 2003, at 02:21 PM, Brian Toovey wrote:
>
>> Hey Rob (or anyone)
>>
>> Do you have any stats on inline's maximum throughput? I am sure it's
>> dependent upon how many rulesets you have, but I don't have a high
>> speed network to test on
>>
>> Brian
>>
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA1
>>>
>>> hmm.. Looks like tcp is doing its job by resending packets that are
>>> lost :(. Can you give additional information about your system?
>>>
>>> uname -a
>>> snort_inline configuration
>>> how are you sending packets to snort_inline
>>> what other rules are you using
>>> etc.
>>>
>>> Thanks,
>>>
>>> Rob
>>>
>>> On Sun, 27 Jul 2003, josh wrote:
>>>
>>>> Hi List,
>>>> I want to drop all mail with a certain pattern of text, say
>>>> "abcdefg". I am aware that this may not be the best way to filter
>>>> mail, but for my purposes this is acceptable. I put the following
>>>> rule in /etc/snort/rules/local.rules
>>>>
>>>> drop tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"Spam mail"; content:"abcdefg"; nocase; flow:to_server,established; classtype:misc-activity; rev:1;)
>>>>
>>>> (Note: the actual rule is one line)
>>>>
>>>> When I send a message with the text "abcdefg" I see the dropped
>>>> packet in /var/log/snort/alerts. The message though still gets sent
>>>> with the "abcdefg" text in the message body. Messages with the
>>>> "abcdefg" content in the body take several minutes to be sent while
>>>> regular messages are sent immediately. I am running
>>>> snort_inline-2.0.0-1. The mail server is Sendmail 8.12.9. Does
>>>> anybody know why the message is being sent?
>>
>> Brian Toovey
>> Zion Network Security
>> 3223 NE 40th St
>> Ft Lauderdale, FL 33308

--
Pieter Claassen
CounterSnipe Technologies
www.countersnipe.com

Highview House
Charles Square
Bracknell
Berkshire
RG12 1DF

Tel: +44(0) 1344 390 530
Fax: +44(0) 1344 390 700
Mobile: +44 (0) 776 6656 924
email: pi...@co...
|