From: josh <jo...@tk...> - 2003-07-17 14:53:59

Hi All,

First of all I want to thank all of you who have helped me get snort_inline up and running. I tried to compile snort_inline-2.0.0-1.tar.gz but the resulting executable did not have the -Q flag. I installed a precompiled binary (snort-inline.tgz from snort.org) and was able to run snort with the -Q flag. Snort ran fine for about 15 seconds and then I received the kernel Oops message below.

I have the following setup:
OS: Debian (unstable)
kernel: 2.4.21 (from kernel.org, NOT the Debian kernel)
Patches: ebtables-brnf_vs_2.4.21.diff

After googling for a while I thought that it might be due to a memory problem. I ran memtest86 on the machine but it did not find any errors. Does anyone have a clue what caused this and, more importantly, how I can correct the problem?

Once again thank you for your time and help.

====================/var/log/kern.log==========================================
Jul 17 17:31:17 moe-ids kernel: ip_tables: (C) 2000-2002 Netfilter core team
Jul 17 17:31:17 moe-ids kernel: ip_conntrack version 2.1 (4095 buckets, 32760 max) - 292 bytes per conntrack
Jul 17 17:31:18 moe-ids kernel: NET4: Ethernet Bridge 008 for NET4.0
Jul 17 17:31:18 moe-ids kernel: Bridge firewalling registered
Jul 17 17:31:18 moe-ids kernel: device eth1 entered promiscuous mode
Jul 17 17:31:18 moe-ids kernel: eth0: Setting promiscuous mode.
Jul 17 17:31:18 moe-ids kernel: device eth0 entered promiscuous mode
Jul 17 17:31:19 moe-ids kernel: br0: port 2(eth0) entering learning state
Jul 17 17:31:19 moe-ids kernel: br0: port 1(eth1) entering learning state
Jul 17 17:31:34 moe-ids kernel: br0: port 2(eth0) entering forwarding state
Jul 17 17:31:34 moe-ids kernel: br0: topology change detected, propagating
Jul 17 17:31:34 moe-ids kernel: br0: port 1(eth1) entering forwarding state
Jul 17 17:31:34 moe-ids kernel: br0: topology change detected, propagating
Jul 17 17:32:17 moe-ids kernel: printing eip:
Jul 17 17:32:17 moe-ids kernel: c029b208
Jul 17 17:32:17 moe-ids kernel: Oops: 0000
Jul 17 17:32:17 moe-ids kernel: CPU: 0
Jul 17 17:32:17 moe-ids kernel: EIP: 0010:[<c029b208>] Not tainted
Jul 17 17:32:17 moe-ids kernel: EFLAGS: 00010246
Jul 17 17:32:17 moe-ids kernel: esi: 00000001 edi: dbe1f420 ebp: 00000002 esp: de323cd0
Jul 17 17:32:17 moe-ids kernel: ds: 0018 es: 0018 ss: 0018
Jul 17 17:32:17 moe-ids kernel: Process snort_inline (pid: 311, stackpage=de323000)
Jul 17 17:32:17 moe-ids kernel: Stack: dbe24540 de323d08 00000002 de5e180c de5e180c de323cf0 e0b49370 80000000
Jul 17 17:32:17 moe-ids kernel: c040fd70 dbe03d80 00000001 de5665f0 00000012 e0b4c085 dbe24540 dbe1f420
Jul 17 17:32:17 moe-ids kernel: 00000001 dbe03d80 e0b4ca41 dbe03d80 00000001 0000000c df2897c0 00000001
Jul 17 17:32:17 moe-ids kernel: Call Trace: [<e0b49370>] [<e0b4c085>] [<e0b4ca41>] [<e0b4cb8c>] [<e0b4d318>]
Jul 17 17:32:17 moe-ids kernel: [<e0b4d830>] [<e0b4cc99>] [<c029e7ca>] [<c029e085>] [<c029e53d>] [<c028b755>]
Jul 17 17:32:17 moe-ids kernel: [<c028ce3b>] [<e0b46130>] [<e0b46130>] [<c029af98>] [<e0b46130>] [<e0b4a6c0>]
Jul 17 17:32:17 moe-ids kernel: [<e0b463fe>] [<e0b46130>] [<c0293755>] [<c029393d>] [<c0293a95>] [<c028d312>]
Jul 17 17:32:17 moe-ids kernel: [<c01076ef>]
Jul 17 17:32:17 moe-ids kernel:
Jul 17 17:32:17 moe-ids kernel: Code: 8b 50 08 85 d2 74 11 f0 ff 8a f0 00 00 00 0f 94 c0 84 c0 75
==============================================================

--
- Josh
94 F8 9F 3E 9A DB 6E FC F8 17 F1 B4 C7 51 CB AA
~. .~ Tk Open Systems
=}------------------------------------------------ooO--U--Ooo------------{=
- jo...@tk... - tel: +972.58.520.636, http://www.tkos.co.il
From: Sylvain M. <ma...@en...> - 2003-07-17 11:18:11

I would like to use snort_inline in a 'more secure' way. Would it be possible to pass the 'accept' verdict to ipq without keeping full root access? (Reading packets in this context works, but setting the verdict does not.)

Sylvain MAURIN
From: Devilscrow Sr <dev...@si...> - 2003-07-17 05:10:56

First release of LAk-IPS, a compilation of source, binaries, scripts and papers on Intrusion Prevention Systems. Helps you get an IPS started with minimal effort. The scripts use IPTables + snort_inline to get you started. The archive is supported by a paper 'Open Source: Intrusion Prevention System' that runs through a HOWTO on setting up an IPS in NAT mode.

Both the archive and the paper are available for download from the project site on sourceforge.net
http://sourceforge.net/projects/lak-ips

Credits
LAk-IPS is a compilation of sources, binaries and scripts that are required to run an IPS. It uses many binaries & scripts that were originally written by The Honeynet Project for their Honeywall. It also uses one of the finest pieces of open source software, Snort, without which LAk-IPS would just be a dream.

Love and hate mails welcome....

-dev
.............................
->ACK and you shall receive
From: josh <jo...@tk...> - 2003-07-15 14:36:49

Hi All,

I solved the problem. It was a stupid mistake on my part. I did not run "make modules; make modules_install" after rebooting into the new kernel. I finally installed snort, snort-inline, and a patched kernel, but now I do not have the -Q option when I run snort or snort_inline. Any ideas?

> Hi all,
> I downloaded the linux 2.4.21 kernel source from kernel.org. I applied
> the ebtables-brnf_vs_2.4.21.diff patch to the kernel and installed
> iptables-1.2.8 source.
> I set the following menu options:
>     Code Maturity Level Options
>         Prompt for Development and/or incomplete code/drivers
>
>     Network Options
>         Network packet filtering (replaces ipchains)
>         IP: Netfilter Configuration
>             All options
>         802.1d Ethernet Bridging
>         Bridge: ebtables
>             All options
>
> I did not see the "Netfilter (firewalling) support" option. I
> compiled the kernel and configured snort, and the rc.firewall script.
> When I run the rc.firewall script the script is unable to insmod the
> ip_queue module. I assume this is the module enabled by the "Netfilter
> (firewalling) support" option. What am I missing?

--
- Josh
94 F8 9F 3E 9A DB 6E FC F8 17 F1 B4 C7 51 CB AA
~. .~ Tk Open Systems
=}------------------------------------------------ooO--U--Ooo------------{=
- jo...@tk... - tel: +972.58.520.636, http://www.tkos.co.il
From: josh <jo...@tk...> - 2003-07-14 08:27:33

Hi all,

I downloaded the linux 2.4.21 kernel source from kernel.org. I applied the ebtables-brnf_vs_2.4.21.diff patch to the kernel and installed iptables-1.2.8 source.

I set the following menu options:
    Code Maturity Level Options
        Prompt for Development and/or incomplete code/drivers

    Network Options
        Network packet filtering (replaces ipchains)
        IP: Netfilter Configuration
            All options
        802.1d Ethernet Bridging
        Bridge: ebtables
            All options

I did not see the "Netfilter (firewalling) support" option. I compiled the kernel and configured snort, and the rc.firewall script. When I run the rc.firewall script the script is unable to insmod the ip_queue module. I assume this is the module enabled by the "Netfilter (firewalling) support" option. What am I missing?

--
- Josh
94 F8 9F 3E 9A DB 6E FC F8 17 F1 B4 C7 51 CB AA
~. .~ Tk Open Systems
=}------------------------------------------------ooO--U--Ooo------------{=
- jo...@tk... - tel: +972.58.520.636, http://www.tkos.co.il
From: Rob M. <rv...@ca...> - 2003-07-12 14:58:41

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Ravi,

There is a snort_inline.conf in the etc directory of the source. Where did you see drop.conf? I want to know so I can change whatever doc you saw this in.

Also, please see my previous e-mail about compilation, and get back to me if you still do not get a -Q.

Rob

On Fri, 11 Jul 2003, Ravi wrote:

> Dear All,
> Please bear with this newbie question. I have downloaded snort inline
> latest source code and installed onto my machine.
> 1) insmod ip_queue.o
> 2) compiled and installed LibNet
> 3) added iptables command to direct to port 80
> 4) I have configured with --enable-inline option, make and make install etc.
> When completed installation, the README.INLINE says to run
> snort_inline -QDc ../etc/drop.conf -l /var/log/snort
> But I didn't find drop.conf, and the option -Q is not identified as a
> valid option.
> Should I get iptables code and compile it even though I have a lkm with me?
> Thanks in advance for the help.
> Regards
> Ravi

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8
Comment: Made with pgp4pine 1.76

iQA/AwUBPxAhqPnAyY+9KLjdEQLEqACglekklEGEuefMz3lWKGZzT1GgPEQAnjqD
SEuCMslatuN1du6IAPd3Nr6h
=fmLv
-----END PGP SIGNATURE-----
From: Rob M. <rv...@ca...> - 2003-07-12 14:55:37

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Ravi,

The snort_inline package on sourceforge does not require the --enable-inline flag. I made this configure enable it by default. Actually, typing enable-inline may be causing problems. Try:

./configure
make
make install

and see if you get a -Q option.

I haven't gotten around to installing it on RedHat 9.0, but I've been told there are some problems compiling from source. Anyone seeing such problems?

Thanks,
Rob

On Fri, 11 Jul 2003, Ravi wrote:

> Hi Stephan,
> I downloaded snort_inline-2.0.0-1.
> "configure --enable-inline"
> After completion of make install, I looked for option Q; it didn't give me
> option -Q
> Ravi

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8
Comment: Made with pgp4pine 1.76

iQA/AwUBPxAhDvnAyY+9KLjdEQJ4QgCg9m40LkoHCATyzFIKv7t2de5RF1QAnirU
0NiPUp4L6G245EOErbPqs26x
=RGsX
-----END PGP SIGNATURE-----
From: Stephan S. <ss...@as...> - 2003-07-11 14:28:42

That's weird. Here is the configure call which I use. In the latest version of snort inline, you don't need to give --enable-inline. It should do no harm though if you give it.

./configure --with-libipq-libraries=<libipq/lib> --with-libnet-libraries=<libnet/lib> \
    --with-libpcap-libraries=<libpcap/lib> --with-libpcap-includes=<libpcap/include>

Are you sure you are not accidentally calling a pre-installed version of snort instead of your new inline snort binary?

Stephan

> Hi Stephan,
> I downloaded snort_inline-2.0.0-1.
> "configure --enable-inline"
> After completion of make install, I looked for option Q; it didn't give me
> option -Q
> Ravi

--
Stephan Scholz <ss...@as...> | Development
Astaro AG | www.astaro.com | Phone +49-721-490069-0 | Fax -55

Visit Astaro at:
- Linux Tag, booth E8, Karlsruhe, Jul. 10-13, 2003
- LinuxWorld Expo, San Francisco, Aug. 5-7, 2003
- Systems 2003, IT-Security Area, hall B2, booth 326, Munich, Oct. 20-24, 2003
- Infosecurity Netherlands, hall 3, booth C40, Utrecht, Nov. 11-12, 2003
- Infosecurity France, Paris, Nov. 26-27, 2003
From: Ravi <ra...@ro...> - 2003-07-11 14:22:08

Hi Stephan,

I downloaded snort_inline-2.0.0-1.
"configure --enable-inline"
After completion of make install, I looked for option Q; it didn't give me option -Q.

Ravi

Stephan Scholz wrote:
> Hi Ravi,
>
> which source package are you using? I use snort_inline-2.0.0-1-src
> and it works fine.
> Concerning the config file: drop.conf is not included in the tarball.
> However, you can use etc/snort_inline.conf or create your own config file.
>
> Stephan
>
>> Dear All,
>> Please bear with this newbie question. I have downloaded snort inline
>> latest source code and installed onto my machine.
>> 1) insmod ip_queue.o
>> 2) compiled and installed LibNet
>> 3) added iptables command to direct to port 80
>> 4) I have configured with --enable-inline option, make and make install etc.
>> When completed installation, the README.INLINE says to run
>> snort_inline -QDc ../etc/drop.conf -l /var/log/snort
>> But I didn't find drop.conf, and the option -Q is not identified as a
>> valid option.
>> Should I get iptables code and compile it even though I have a lkm with
>> me?
>> Thanks in advance for the help.
>> Regards
>> Ravi

--
The views presented in this mail are completely mine. The company is not responsible for whatsoever.
------------------------------------------------------------------------
Ravi Kumar CH
Rendezvous On Chip (i) Pvt Ltd
Hyderabad, India
Ph: +91-40-2335 1214 / 1175 / 1184
ROC home page <http://www.roc.co.in>
From: Stephan S. <ss...@as...> - 2003-07-11 14:09:44

Hi Ravi,

which source package are you using? I use snort_inline-2.0.0-1-src and it works fine.

Concerning the config file: drop.conf is not included in the tarball. However, you can use etc/snort_inline.conf or create your own config file.

Stephan

> Dear All,
> Please bear with this newbie question. I have downloaded snort inline
> latest source code and installed onto my machine.
> 1) insmod ip_queue.o
> 2) compiled and installed LibNet
> 3) added iptables command to direct to port 80
> 4) I have configured with --enable-inline option, make and make install etc.
> When completed installation, the README.INLINE says to run
> snort_inline -QDc ../etc/drop.conf -l /var/log/snort
> But I didn't find drop.conf, and the option -Q is not identified as a
> valid option.
> Should I get iptables code and compile it even though I have a lkm with me?
> Thanks in advance for the help.
> Regards
> Ravi

--
Stephan Scholz <ss...@as...> | Development
Astaro AG | www.astaro.com | Phone +49-721-490069-0 | Fax -55
From: Jochen V. <jv...@it...> - 2003-07-11 12:37:13

hi,

I use redhat7.2 and kernel-source-2.4.18-3. If I do a

patch -p1 < /tmp/bridge-nf-0.0.7-against-2.4.18.diff

I get

patching file include/linux/netfilter.h
Reversed (or previously applied) patch detected!  Assume -R? [n]

What's the problem?

Thanks for the help,
jo
From: Ravi <ra...@ro...> - 2003-07-11 10:30:54

Dear All,

Please bear with this newbie question. I have downloaded snort inline latest source code and installed onto my machine.
1) insmod ip_queue.o
2) compiled and installed LibNet
3) added iptables command to direct to port 80
4) I have configured with --enable-inline option, make and make install etc.

When completed installation, the README.INLINE says to run
snort_inline -QDc ../etc/drop.conf -l /var/log/snort
But I didn't find drop.conf, and the option -Q is not identified as a valid option.

Should I get iptables code and compile it even though I have a lkm with me?

Thanks in advance for the help.
Regards
Ravi

--
The views presented in this mail are completely mine. The company is not responsible for whatsoever.
------------------------------------------------------------------------
Ravi Kumar CH
Rendezvous On Chip (i) Pvt Ltd
Hyderabad, India
Ph: +91-40-2335 1214 / 1175 / 1184
ROC home page <http://www.roc.co.in>
From: Rob M. <rv...@ca...> - 2003-07-10 02:29:08

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Russell,

A quick way to see if snort_inline is getting packets from the firewall:

First, send all packets to snort_inline:

iptables -F             <-- flush all existing rules
iptables -A INPUT -j QUEUE
iptables -A OUTPUT -j QUEUE
iptables -A FORWARD -j QUEUE
insmod ip_queue

Next, bring up snort_inline:

snort_inline -Qvc /etc/snort_inline/snort_inline.conf

The -i eth0 is not required because snort_inline does not get packets from any interface. It used to be there in order to aid with the pid filename creation before it was fixed when starting it with the -D flag. The -v will let you see all the packets that snort_inline gets.

Next, generate some traffic. If you don't see any packets on the screen, your bridge is not passing packets to the firewall. Since the firewall is not getting the packets, snort_inline is not seeing them.

Another way to test it is to deny all traffic with the firewall. If your packets are still getting through, your bridge is working great, but not handing packets to iptables.

Hope this helps,
Rob

On Wed, 9 Jul 2003, Russell Mosley wrote:

> I've done all that and am not getting anything to drop. However the bridge
> works perfectly. Is it possible that I don't have the kernel right and the
> bridge will work but snort-inline will not?
>
> Russell
>
> -----Original Message-----
> From: sno...@li...
> [mailto:sno...@li...] On Behalf Of pieter
> Sent: Tuesday, July 08, 2003 6:09 PM
> To: Russell Mosley
> Cc: sno...@li...
> Subject: Re: [Snort-inline-users] Snort-Inline as an IPS
>
> Hello Russel,
>
> This is how we start SNIL. You need the -Q option for inline to work.
>
> snort -D -d -c ${CONFIG_FILE} -Q -i eth0 -l ${SNORT_LOG}
>
> Also, make sure you have ip_queue loaded to pass all data to SNIL and
> that you have changed your rules to have "drop|sdrop|reject" actions
> instead of "log|alert...."
>
> You will have to fiddle the honeynet rules as they are designed to keep
> bad guys in, not out, so the predefined vars are not too logical out of
> the box.
>
> As for documentation, I think there is an inline document under the docs
> dir in the SNIL patched Snort source tree that informs you of most of
> the relevant stuff.
>
> Cheers,
> Pieter
>
> Russell Mosley wrote:
>
> >Hey all,
> >
> >I used to use Hogwash and am now trying to get Snort-Inline working to drop
> >based on certain rules in the rule base. I am using RedHat8 and the
> >Honeynet.org Snort-Inline toolkit (downloaded about two weeks ago). It
> >seems to be designed to drop malicious stuff from the honeynet out and I
> >want to do the opposite (or both!) However, I cannot seem to get it to
> >work. Running just snort-inline -i eth0 after starting up a bridge will
> >display traffic from both interfaces, and the bridge is passing traffic (to
> >my PC.) The problem is, I cannot get it to log/drop anything..? Is there a
> >howto somewhere on how to set this up as an IPS and not just for a honeynet?
> >Let me know if anyone can help me out. I will be at SANSFIRE in DC next
> >week as well. Thanks!
> >
> >Russell
> >
> >-------------------------------------------------------
> >This SF.Net email sponsored by: Parasoft
> >Error proof Web apps, automate testing & more.
> >Download & eval WebKing and get a free book.
> >www.parasoft.com/bulletproofapps
> >_______________________________________________
> >Snort-inline-users mailing list
> >Sno...@li...
> >https://lists.sourceforge.net/lists/listinfo/snort-inline-users

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8
Comment: Made with pgp4pine 1.76

iQA/AwUBPwzPHvnAyY+9KLjdEQI4IQCgkbGTvQ2/AkMXVCPlBziiQbKhhO8An2xS
lZmF5qCE2DLe9Ny3KUHNxj91
=M2uI
-----END PGP SIGNATURE-----
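Rob's test above boils down to "put a QUEUE rule in each chain, generate traffic, and see whether the QUEUE counters move". The following is an added example, not code from the list or from the snort_inline project: it parses `iptables -L -v -n -x`-style output (a snapshot taken before and after generating traffic) and reports which chains are actually handing packets to the QUEUE target. It also flags terminating targets placed ahead of QUEUE, because packets that match those are decided in the kernel and never reach snort_inline. The `snapshot()` helper and the `SHADOWED` text are constructed test data, not captures from a real box; assumed is only the standard column layout of iptables' verbose listing.

```python
"""Check whether packets reach the QUEUE target (and so snort_inline)."""
import re
from typing import Dict, List, Optional, Tuple

CHAIN_RE = re.compile(r"^Chain (\S+) ")
SUFFIX = {"K": 10**3, "M": 10**6, "G": 10**9}


def _counter(field: str) -> int:
    """iptables prints counters as plain digits, or with a K/M/G suffix
    (multiples of 1000) when -x is not given; accept both."""
    if field[-1] in SUFFIX:
        return int(field[:-1]) * SUFFIX[field[-1]]
    return int(field)


def parse_iptables(text: str) -> Dict[str, List[Tuple[str, int]]]:
    """Return {chain: [(target, pkts), ...]} in rule order.
    Assumes every rule line carries a target (the usual case)."""
    chains: Dict[str, List[Tuple[str, int]]] = {}
    current = None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = []
            continue
        parts = line.split()
        if current is None or len(parts) < 3 or parts[0] == "pkts":
            continue  # blank line or the column header
        chains[current].append((parts[2], _counter(parts[0])))
    return chains


def queue_packets(text: str) -> Dict[str, Optional[int]]:
    """Packets counted by QUEUE rules in each filter chain; a chain with
    no QUEUE rule at all is reported as None (nothing is queued there)."""
    chains = parse_iptables(text)
    result: Dict[str, Optional[int]] = {}
    for chain in ("INPUT", "FORWARD", "OUTPUT"):
        queued = [pkts for target, pkts in chains.get(chain, []) if target == "QUEUE"]
        result[chain] = sum(queued) if queued else None
    return result


def traffic_reached_queue(before: str, after: str) -> Dict[str, bool]:
    """Rob's test: after generating traffic the QUEUE counters must grow.
    A chain whose counter did not move is not handing packets to iptables
    (for FORWARD on a bridge, the usual cause is a missing bridge-nf patch)."""
    b, a = queue_packets(before), queue_packets(after)
    return {c: a[c] is not None and b[c] is not None and a[c] > b[c] for c in a}


def rules_shadowing_queue(text: str) -> Dict[str, List[str]]:
    """Terminating targets that sit *before* the first QUEUE rule of a chain:
    packets matching them are decided there and never reach snort_inline."""
    shadow: Dict[str, List[str]] = {}
    for chain, rules in parse_iptables(text).items():
        ahead = []
        for target, _ in rules:
            if target == "QUEUE":
                break
            if target in ("ACCEPT", "DROP", "REJECT", "RETURN"):
                ahead.append(target)
        shadow[chain] = ahead
    return shadow


def snapshot(counts: Dict[str, int]) -> str:
    """Constructed `iptables -L -v -n -x`-style listing with one QUEUE rule
    per chain (test data, not a real capture)."""
    out = []
    for chain in ("INPUT", "FORWARD", "OUTPUT"):
        out.append(f"Chain {chain} (policy ACCEPT 0 packets, 0 bytes)")
        out.append("    pkts      bytes target     prot opt in     out     source               destination")
        out.append(f"{counts[chain]:>8} {counts[chain] * 120:>10} QUEUE      all  --  *      *       0.0.0.0/0            0.0.0.0/0")
        out.append("")
    return "\n".join(out)


# Constructed scenario: INPUT and OUTPUT move after traffic, FORWARD does not,
# which is exactly the "bridge works but snort_inline sees nothing" symptom.
BEFORE = snapshot({"INPUT": 12, "FORWARD": 0, "OUTPUT": 9})
AFTER = snapshot({"INPUT": 40, "FORWARD": 0, "OUTPUT": 30})

# Constructed chain where an ACCEPT rule sits ahead of QUEUE.
SHADOWED = """\
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
     500      61000 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
       0          0 QUEUE      all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""

if __name__ == "__main__":
    print("QUEUE counters grew:", traffic_reached_queue(BEFORE, AFTER))
    print("rules ahead of QUEUE:", rules_shadowing_queue(SHADOWED))
```

On a real host, feed the two snapshots from `iptables -L -v -n -x` taken before and after the test traffic; a chain reported False while the bridge passes traffic matches Rob's diagnosis (packets bypass iptables), and a non-empty result from `rules_shadowing_queue` means the rule order, not the bridge, is keeping packets away from snort_inline.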
From: pieter c. <pi...@co...> - 2003-07-09 13:59:25

Also, what you can try is to turn your bridge code on, make sure you have your ip_queue module loaded and that you have a target like

iptables -A FORWARD -j QUEUE

to make sure that all traffic that wants to go through the device gets sent to SNIL in userspace. If you have that target loaded and SNIL NOT running, then your machine should drop all traffic. If it does not do it, then it might be that your br-nf code is not loaded / not working as it is supposed to.

Cheers,
Pieter

On Wed, 2003-07-09 at 14:34, Russell Mosley wrote:
> I've done all that and am not getting anything to drop. However the bridge
> works perfectly. Is it possible that I don't have the kernel right and the
> bridge will work but snort-inline will not?
>
> Russell
>
> -----Original Message-----
> From: sno...@li...
> [mailto:sno...@li...] On Behalf Of pieter
> Sent: Tuesday, July 08, 2003 6:09 PM
> To: Russell Mosley
> Cc: sno...@li...
> Subject: Re: [Snort-inline-users] Snort-Inline as an IPS
>
> Hello Russel,
>
> This is how we start SNIL. You need the -Q option for inline to work.
>
> snort -D -d -c ${CONFIG_FILE} -Q -i eth0 -l ${SNORT_LOG}
>
> Also, make sure you have ip_queue loaded to pass all data to SNIL and
> that you have changed your rules to have "drop|sdrop|reject" actions
> instead of "log|alert...."
>
> You will have to fiddle the honeynet rules as they are designed to keep
> bad guys in, not out, so the predefined vars are not too logical out of
> the box.
>
> As for documentation, I think there is an inline document under the docs
> dir in the SNIL patched Snort source tree that informs you of most of
> the relevant stuff.
>
> Cheers,
> Pieter
>
> Russell Mosley wrote:
>
> >Hey all,
> >
> >I used to use Hogwash and am now trying to get Snort-Inline working to drop
> >based on certain rules in the rule base. I am using RedHat8 and the
> >Honeynet.org Snort-Inline toolkit (downloaded about two weeks ago). It
> >seems to be designed to drop malicious stuff from the honeynet out and I
> >want to do the opposite (or both!) However, I cannot seem to get it to
> >work. Running just snort-inline -i eth0 after starting up a bridge will
> >display traffic from both interfaces, and the bridge is passing traffic (to
> >my PC.) The problem is, I cannot get it to log/drop anything..? Is there a
> >howto somewhere on how to set this up as an IPS and not just for a honeynet?
> >Let me know if anyone can help me out. I will be at SANSFIRE in DC next
> >week as well. Thanks!
> >
> >Russell

--
Pieter Claassen
CounterSnipe Technologies
www.countersnipe.com
Highview House
Charles Square
Bracknell
Berkshire RG12 1DF
Tel: +44(0) 1344 390 530
Fax: +44(0) 1344 390 700
Mobile: +44 (0) 776 6656 924
email: pi...@co...
From: Stephan S. <ss...@as...> - 2003-07-09 13:40:53

Have you applied the kernel patch that passes bridge mode packets to netfilter? You can find it at:

http://bridge.sourceforge.net/download.html

for example select bridge-nf-0.0.7-against-2.4.19.diff

Stephan

> I've done all that and am not getting anything to drop. However the bridge
> works perfectly. Is it possible that I don't have the kernel right and the
> bridge will work but snort-inline will not?

--
Stephan Scholz <ss...@as...> | Development
Astaro AG | www.astaro.com | Phone +49-721-490069-0 | Fax -55
From: Russell M. <rm...@dy...> - 2003-07-09 13:33:12

I've done all that and am not getting anything to drop. However the bridge works perfectly. Is it possible that I don't have the kernel right and the bridge will work but snort-inline will not?

Russell

-----Original Message-----
From: sno...@li... [mailto:sno...@li...] On Behalf Of pieter
Sent: Tuesday, July 08, 2003 6:09 PM
To: Russell Mosley
Cc: sno...@li...
Subject: Re: [Snort-inline-users] Snort-Inline as an IPS

Hello Russel,

This is how we start SNIL. You need the -Q option for inline to work.

snort -D -d -c ${CONFIG_FILE} -Q -i eth0 -l ${SNORT_LOG}

Also, make sure you have ip_queue loaded to pass all data to SNIL and that you have changed your rules to have "drop|sdrop|reject" actions instead of "log|alert...."

You will have to fiddle the honeynet rules as they are designed to keep bad guys in, not out, so the predefined vars are not too logical out of the box.

As for documentation, I think there is an inline document under the docs dir in the SNIL patched Snort source tree that informs you of most of the relevant stuff.

Cheers,
Pieter

Russell Mosley wrote:

>Hey all,
>
>I used to use Hogwash and am now trying to get Snort-Inline working to drop
>based on certain rules in the rule base. I am using RedHat8 and the
>Honeynet.org Snort-Inline toolkit (downloaded about two weeks ago). It
>seems to be designed to drop malicious stuff from the honeynet out and I
>want to do the opposite (or both!) However, I cannot seem to get it to
>work. Running just snort-inline -i eth0 after starting up a bridge will
>display traffic from both interfaces, and the bridge is passing traffic (to
>my PC.) The problem is, I cannot get it to log/drop anything..? Is there a
>howto somewhere on how to set this up as an IPS and not just for a honeynet?
>Let me know if anyone can help me out. I will be at SANSFIRE in DC next
>week as well. Thanks!
>
>Russell
From: Stephan S. <ss...@as...> - 2003-07-09 07:19:35

Hi josh,

you can do that - running snort-inline without bridge mode. Actually it's even easier, because you don't need the kernel patch for passing bridge mode packets to ip_queue.

Snort inline does *not* return to the specific chain that has called ip_queue. Therefore you can either choose pass or drop (terminating target). However, you can insert the "-j QUEUE" target into a different netfilter table (for example mangle, or add your own module).

Stephan

> Hi All,
> I want to run snort-inline and my iptables port filtering firewall on
> the same machine. I found several examples of snort-inline running as a
> bridge. I have two questions:
>
> 1. Is there any reason why snort-inline should not be run on the
> same machine as a port filtering firewall?
>
> 2. When snort-inline is finished with a packet (i.e. does not drop the
> packet) does the packet return to the FORWARD,INPUT,OUTPUT chain?

--
Stephan Scholz <ss...@as...> | Development
Astaro AG | www.astaro.com | Phone +49-721-490069-0 | Fax -55
From: pieter <pi...@co...> - 2003-07-08 22:09:58

Hello Russel,

This is how we start SNIL. You need the -Q option for inline to work.

snort -D -d -c ${CONFIG_FILE} -Q -i eth0 -l ${SNORT_LOG}

Also, make sure you have ip_queue loaded to pass all data to SNIL and that you have changed your rules to have "drop|sdrop|reject" actions instead of "log|alert...."

You will have to fiddle the honeynet rules as they are designed to keep bad guys in, not out, so the predefined vars are not too logical out of the box.

As for documentation, I think there is an inline document under the docs dir in the SNIL patched Snort source tree that informs you of most of the relevant stuff.

Cheers,
Pieter

Russell Mosley wrote:

>Hey all,
>
>I used to use Hogwash and am now trying to get Snort-Inline working to drop
>based on certain rules in the rule base. I am using RedHat8 and the
>Honeynet.org Snort-Inline toolkit (downloaded about two weeks ago). It
>seems to be designed to drop malicious stuff from the honeynet out and I
>want to do the opposite (or both!) However, I cannot seem to get it to
>work. Running just snort-inline -i eth0 after starting up a bridge will
>display traffic from both interfaces, and the bridge is passing traffic (to
>my PC.) The problem is, I cannot get it to log/drop anything..? Is there a
>howto somewhere on how to set this up as an IPS and not just for a honeynet?
>Let me know if anyone can help me out. I will be at SANSFIRE in DC next
>week as well. Thanks!
>
>Russell
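Pieter's second point, that an IDS rule set will not drop anything under snort_inline until its actions are changed from "log|alert" to "drop|sdrop|reject", is usually done with a search-and-replace over the rules files. The following is an added example, not code from the list or from the snort_inline project, that does the rewrite a little more carefully: it converts by SID (so a rule set can be moved from detect to block one signature at a time rather than all at once), joins backslash-continued rules so the action and the sid of one rule are seen together, and never rewrites a "pass" rule, since turning an allow into a drop would invert its intent. The `SAMPLE_RULES` text is constructed for the example; the rule syntax (leading action keyword, `sid:` option, backslash continuation) is standard Snort.

```python
"""Rewrite Snort rule actions for inline (blocking) use, selectively by SID."""
import re
from typing import List, Optional, Set, Tuple

INLINE_ACTIONS = {"drop", "sdrop", "reject"}   # actions that block under snort_inline
CONVERTIBLE = {"alert", "log"}                  # IDS actions we are willing to rewrite
# Leading action keyword of a rule; "pass" is recognised only so it is left alone.
ACTION_RE = re.compile(r"^(alert|log|pass|activate|dynamic|drop|sdrop|reject)\b")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")


def join_continuations(text: str) -> List[str]:
    """Snort lets a rule span lines that end in a backslash; join those so
    each returned element is one complete rule (or one non-rule line)."""
    rules: List[str] = []
    buf = ""
    for raw in text.splitlines():
        if raw.rstrip().endswith("\\"):
            buf += raw.rstrip()[:-1]
            continue
        rules.append(buf + raw)
        buf = ""
    if buf:
        rules.append(buf)
    return rules


def convert_actions(rules_text: str, sids: Optional[Set[int]] = None,
                    new_action: str = "drop") -> Tuple[str, List[int]]:
    """Return (rewritten rule text, SIDs whose action was changed).

    sids=None converts every alert/log rule; otherwise only the listed SIDs.
    Comments, var/preprocessor lines, pass rules and rules that already carry
    an inline action are copied through unchanged.
    """
    if new_action not in INLINE_ACTIONS:
        raise ValueError(f"{new_action!r} is not an inline action")
    out: List[str] = []
    changed: List[int] = []
    for line in join_continuations(rules_text):
        stripped = line.lstrip()
        m = ACTION_RE.match(stripped)
        if not m or m.group(1) not in CONVERTIBLE:
            out.append(line)          # not an alert/log rule: leave as is
            continue
        sm = SID_RE.search(stripped)
        sid = int(sm.group(1)) if sm else -1   # -1: rule without a sid option
        if sids is not None and sid not in sids:
            out.append(line)
            continue
        out.append(new_action + stripped[m.end():])
        changed.append(sid)
    return "\n".join(out) + "\n", changed


# Constructed sample rule set (not taken from any real rule distribution).
SAMPLE_RULES = """\
# constructed sample rules
var HOME_NET 192.168.1.0/24
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB test 1"; content:"/test1"; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 \\
    (msg:"FTP test 2"; content:"USER test"; sid:1000002; rev:1;)
pass tcp $HOME_NET any -> any 22 (msg:"allow admin ssh"; sid:1000003; rev:1;)
drop tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"already blocking"; sid:1000004; rev:1;)
"""

if __name__ == "__main__":
    text, sids_changed = convert_actions(SAMPLE_RULES, sids={1000001})
    print(text)
    print("changed:", sids_changed)
```

Run it against a copy of the rules directory, not the live one, and diff the result: the list of changed SIDs is what belongs in the change record for the sensor, and any SID reported as -1 is a rule that should get a sid before it is deployed inline.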
From: Russell M. <rm...@dy...> - 2003-07-08 21:16:54

Hey all,

I used to use Hogwash and am now trying to get Snort-Inline working to drop based on certain rules in the rule base. I am using RedHat8 and the Honeynet.org Snort-Inline toolkit (downloaded about two weeks ago). It seems to be designed to drop malicious stuff from the honeynet out and I want to do the opposite (or both!) However, I cannot seem to get it to work. Running just snort-inline -i eth0 after starting up a bridge will display traffic from both interfaces, and the bridge is passing traffic (to my PC.) The problem is, I cannot get it to log/drop anything..? Is there a howto somewhere on how to set this up as an IPS and not just for a honeynet? Let me know if anyone can help me out. I will be at SANSFIRE in DC next week as well. Thanks!

Russell
From: josh <jo...@tk...> - 2003-07-03 14:57:20
|
Hi All, I want to run snort-inline and my iptables port filtering firewall on the same machine. I found several examples of snort-inline running as a bridge. I have two questions: 1. Is there any reason why snort-inline should not be run on the same machine as a port filtering firewall? 2. When snort-inline is finished with a packet (i.e. does not drop the packet) does the packet return to the FORWARD,INPUT,OUTPUT chain? -- - Josh 94 F8 9F 3E 9A DB 6E FC F8 17 F1 B4 C7 51 CB AA ~. .~ Tk Open Systems =}------------------------------------------------ooO--U--Ooo------------{= - jo...@tk... - tel: +972.58.520.636, http://www.tkos.co.il |
From: Lance S. <la...@ho...> - 2003-07-01 01:16:54
|
On Mon, 30 Jun 2003, Lucas Ferreira de Lima wrote: > I'm Brazilian and my English is a little bad, but I need help on a > school work. This is an implementation of the snort inline. I couldn't > install this version of the snort, the manuals that I took are > insufficient. Please, I implore for documentation of how to install the snort > inline in a configuration of the 3 machines: One working as a server inside > the home network, another working as a way of communication with the outside > (this has 2 net adapters, to make the routing with the others), and the last > machine working as the external where the attacks will run. If you are looking for information on gateway configuration, I recommend the Honeynet GenII paper. http://www.honeynet.org/papers/gen2/ This outlines how to use snort-inline to allow inbound attack, but block outbound (for honeypot purposes). You may also want to check out the snort-inline toolkit, as it comes with a precompiled binary and rule set for snort-inline. http://www.honeynet.org/papers/honeynet/tools/ lance |
From: Lucas F. de L. <luc...@tr...> - 2003-06-30 14:52:38
|
Hi, I'm Brazilian and my English is a little bad, but I need help on a school work. This is an implementation of the snort inline. I couldn't install this version of the snort, the manuals that I took are insufficient. Please, I implore for documentation of how to install the snort inline in a configuration of the 3 machines: One working as a server inside the home network, another working as a way of communication with the outside (this has 2 net adapters, to make the routing with the others), and the last machine working as the external where the attacks will run. Please give me the documentation of installation. My e-mail to receive: luc...@tr... Thanks Att, Lucas Lima |
From: Gordon M. <gor...@fa...> - 2003-06-26 07:54:22
|
Is everyone using the Honeynet rc.firewall script or using their own iptables rules? At the moment I have standard snort set up on a machine which is forwarding from eth0 -> eth1 and I am planning on replacing this with an inline installation. i.e. INTERNET -> snort-eth0 -> snort-eth1 -> protected network I have successfully installed snort_inline on a test box (thanks for the help Stephan) I was just wondering what everyone was doing regarding iptables Thanks Gordon |
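Gordon's bridged topology (INTERNET -> snort-eth0 -> snort-eth1 -> protected network), brought up with the ip_queue/QUEUE plumbing and the -Q start line from Pieter's reply earlier in the thread, as an added shell example that is not from the list, from the Honeynet rc.firewall script, or from the snort_inline project. It assumes a 2.4 kernel with the bridge and ip_queue modules and the bridge-nf patch (so bridged IP packets traverse the iptables FORWARD chain), brctl/ifconfig/iptables installed, a snort_inline binary on PATH as "snort", and root; the bridge name, interface names and paths are placeholders.

```shell
#!/bin/sh
# Added example, not code from the list or from snort_inline: bring up the
# transparent bridge Gordon describes (INTERNET -> eth0 -> eth1 -> protected
# network) and hand every forwarded packet to snort_inline through ip_queue,
# using the start line from Pieter's reply. Assumptions: a 2.4 kernel with the
# bridge and ip_queue modules and bridge-nf patched in, brctl/ifconfig/iptables
# installed, the snort_inline binary on PATH as "snort", and root privileges.
# Set RUN=echo to print the commands instead of executing them.

# inline_bridge_up BRIDGE OUTSIDE_IF INSIDE_IF SNORT_CONF LOG_DIR
inline_bridge_up() {
    br=$1; outside=$2; inside=$3; cfg=$4; logdir=$5
    run=${RUN:-}

    # 1. Kernel side: the bridge and the userspace queue that snort -Q reads.
    $run modprobe bridge
    $run modprobe ip_queue

    # 2. Transparent bridge: the ports carry no IP address of their own.
    $run brctl addbr "$br"
    $run brctl addif "$br" "$outside"
    $run brctl addif "$br" "$inside"
    $run ifconfig "$outside" 0.0.0.0 up
    $run ifconfig "$inside" 0.0.0.0 up
    $run ifconfig "$br" up

    # 3. With bridge-nf, bridged IP packets traverse the FORWARD chain, so one
    #    QUEUE rule covers both directions. Packets sent to QUEUE are dropped
    #    while nobody is reading the queue, so the box fails closed from here
    #    on, including the moments before snort is up and whenever it dies.
    $run iptables -A FORWARD -j QUEUE

    # 4. Start snort_inline as a daemon against the queue (Pieter's command line).
    $run snort -D -d -c "$cfg" -Q -i "$outside" -l "$logdir"
}

# inline_bridge_down BRIDGE OUTSIDE_IF INSIDE_IF
#   Undo the above in reverse; stop the snort daemon separately (pid file).
inline_bridge_down() {
    br=$1; outside=$2; inside=$3
    run=${RUN:-}
    $run iptables -D FORWARD -j QUEUE
    $run ifconfig "$br" down
    $run brctl delif "$br" "$inside"
    $run brctl delif "$br" "$outside"
    $run brctl delbr "$br"
}

# queue_has_reader
#   Return 0 if /proc/net/ip_queue reports a userspace reader (Peer PID != 0),
#   1 otherwise. Run it after starting snort: a QUEUE rule with no reader means
#   forwarded traffic is being dropped, not inspected.
queue_has_reader() {
    [ -r /proc/net/ip_queue ] || return 1
    pid=$(awk 'tolower($0) ~ /^peer pid/ { print $NF }' /proc/net/ip_queue)
    [ -n "$pid" ] && [ "$pid" -ne 0 ]
}

# Command-line use:
#   sh inline_bridge.sh up   br0 eth0 eth1 /etc/snort/snort.conf /var/log/snort
#   sh inline_bridge.sh down br0 eth0 eth1
case "${1:-}" in
    up)   shift; inline_bridge_up "$@" ;;
    down) shift; inline_bridge_down "$@" ;;
esac
```

Inserting the QUEUE rule before snort is running is a deliberate fail-closed choice: what nobody reads from the queue is dropped, so the protected network goes dark rather than uninspected. If availability matters more than that, move the iptables line after the snort line, and in either case call queue_has_reader afterwards to confirm snort actually attached to the queue. This script only queues bridged traffic; a host running its own iptables port filter on the same box still needs its INPUT/OUTPUT rules alongside this FORWARD rule.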
From: Stephan S. <ss...@as...> - 2003-06-20 13:28:47
|
Hi Gordon, > Sorry should have mentioned I am running snort_inline-2.0.0-1, when you try > to start it, it always says starting in IDS mode, there does not appear to > be a switch for inline mode. Can you give some more information about the command line which you are using, and the output of snort ? Is there a previous (non-inline) version of Snort on your system, and are you accidentally calling it instead of the inline version ? Regards, Stephan -- Stephan Scholz <ss...@as...> | Development Astaro AG | www.astaro.com | Phone +49-721-490069-0 | Fax -55 Visit Astaro at: - Linux Tag, booth E8, Karlsruhe, Jul. 10-13, 2003 - LinuxWorld Expo, San Francisco, Aug. 5-7, 2003 - Systems 2003, IT-Security Area, hall B2, booth 326, Munich, Oct. 20-24, 2003 - Infosecurity Netherlands, hall 3, booth C40, Utrecht, Nov. 11-12, 2003 - Infosecurity France, Paris, Nov. 26-27, 2003 |
From: NC A. <NC_...@ku...> - 2003-06-20 13:20:33
|
Snat and dnat rule keywords have been on my to-do list for inline snort for a long time. When used in a rule, snat or dnat would allow you to do source or destination routing (via iptables) when a rule is triggered. This would allow you to redirect interesting stuff to a honeypot. Jed On Sunday, May 18, 2003, at 06:42 PM, Lance Spitzner wrote: > On Sun, 18 May 2003, Ray Stirbei wrote: > >> >> Forescout ( http://www.forescout.com/index.html) sells a product that >> works >> with commercial firewall and IPS vendors. It detects all kinds of >> scans and >> returns dummy server information. Then any traffic to these dummy >> servers can >> be filtered. You can replace the dummy server addresses with your >> honeypot(s). >> >> I agree this would be a great feature to snort and I have copied the >> snort-inline list. >> Best regards > >>> I'm looking for some program to redirect an attack on my web >>> server >>> to a honeypot. Maybe triggered by number of hits in a given time or >>> by >>> certain requests. Does such a thing exist? Where can I get it? Or >>> would I >>> have to write some kind of script? > > There is already something similar to this, called Bait-n-Switch. > While very beta, you may want to check it out. > > http://violating.us/projects/baitnswitch/ > > lance |