From: MSN <ms...@vt...> - 2007-10-10 09:22:32
Hi, I installed the exact same packages from the sourceforge download site with the same configurations, running on a linux 2.4.30 kernel. It works fine as well, but it keeps taking system memory so far; it does not release it and keeps increasing to more than 300M for the snort_inline process. Any ideas? Thanks in advance.

snort_inline -Q -l /var/logs/snort -c /etc/snort/snort_inline.conf

509 root       9   0  316M 316M  1164 S     0.0 44.3   0:23 snort_inline

-A FORWARD -j QUEUE

MSN :)
From: Sart C. <sar...@ya...> - 2007-10-09 06:02:26
This is my script; the stop section does not work OK:

#!/bin/sh
#
# snort_inline   This script controls the snort_inline daemon.
#
# chkconfig: 2345 79 32
# description: snort_inline
# processname: snort_inline
# pidfile: /var/run/snort_eth0.pid

# Source function library.
. /etc/rc.d/init.d/functions

# Source networking configuration.
. /etc/sysconfig/network

proc="snort_inline"
prog="/usr/local/bin/snort_inline"
prog_base="$(basename ${prog})"
prog_config_file="/etc/snort_inline/snort_inline.conf"

# Source configuration.
[ -e /etc/sysconfig/${prog_base} ] && . /etc/sysconfig/${prog_base}

RETVAL=0

case "$1" in
  start)
    action $"Starting ${prog_base}:" ${prog} -c ${prog_config_file} -D -Q -N -l /var/log/snort_inline -t /var/log/snort_inline -v --nolock-pidfile
    RETVAL=$?
    [ $RETVAL -eq 0 ] && touch /var/lock/subsys/${prog_base}
    ;;
  stop)
    echo -n $"Stopping ${prog_base}: "
    killproc ${proc}
    RETVAL=$?
    echo
    # Only clear the subsys lock when the daemon was actually stopped.
    [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/${prog_base}
    ;;
  status)
    status ${prog_base}
    RETVAL=$?
    ;;
  restart)
    $0 stop
    $0 start
    RETVAL=$?
    ;;
  *)
    echo "Usage: $0 {start|stop|status|restart}"
    exit 1
esac

exit $RETVAL

Jacques Beaudoin <jac...@cs...> wrote:

> show us your script and we might be able to help you fix it...
>
> Regards,
>
> Will
>
> On 10/8/07, Sart Cole wrote:
> > Hi,
> >
> > I'm a new member to this list.
> >
> > I have snort_inline running on my firewall but my
> > /etc/rc.d/init.d/snort_inline script
> > does not stop snort_inline correctly.
> >
> > Can someone post his working /etc/rc.d/init.d/snort_inline script?
> >
> > Thanks
> > Sartcole
From: Will M. <wil...@gm...> - 2007-10-09 04:00:50
show us your script and we might be able to help you fix it...

Regards,

Will

On 10/8/07, Sart Cole <sar...@ya...> wrote:
> Hi,
>
> I'm a new member to this list.
>
> I have snort_inline running on my firewall but my
> /etc/rc.d/init.d/snort_inline script
> does not stop snort_inline correctly.
>
> Can someone post his working /etc/rc.d/init.d/snort_inline script?
>
> Thanks
> Sartcole
From: Sart C. <sar...@ya...> - 2007-10-09 03:50:58
Hi,

I'm a new member to this list.

I have snort_inline running on my firewall but my /etc/rc.d/init.d/snort_inline script does not stop snort_inline correctly.

Can someone post his working /etc/rc.d/init.d/snort_inline script?

Thanks
Sartcole
From: Mike S. <mik...@ch...> - 2007-10-03 17:38:51
Hi All, I'm having a little problem with naughty LimeWire Ultrapeers at the moment; has anyone got a ruleset to stop 'em? I have been testing with LimeWire v 4.14.10-linux. I have noticed that while my IPS is happily blocking non-Ultrapeers, it seems that the Ultrapeer connections are encrypted.

thanks in advance,
Mike :)
From: Will M. <wil...@gm...> - 2007-08-27 21:41:54
I think he was talking about tcp stream reassembly, not frags...

Regards,

Will

On 8/27/07, Dave Remien <dr...@ni...> wrote:
> Will Metcalf wrote:
> > every tcp segment.... In addition we also scan the unreassembled
> > packet before passing the verdict back to iptables. That is only for
> > stream4inline of course ;-)...
>
> At least under Linux, netfilter (up to at least the 2.6.18 kernel)
> reassembles the packets for us, so we don't see frags.
>
> Cheers,
>
> Dave
>
> > Regards,
> >
> > Will
> >
> > On 8/27/07, Adayadil Thomas <ada...@gm...> wrote:
> >> Greetings.
> >>
> >> In the inline mode, does snort_inline do reassembly operation (for TCP
> >> packets) for every tcp segment OR does the reassembly happen only when
> >> a threshold (bytes) is reached?
> >>
> >> Thanks
From: Dave R. <dr...@ni...> - 2007-08-27 21:33:04
Will Metcalf wrote:
> every tcp segment.... In addition we also scan the unreassembled
> packet before passing the verdict back to iptables. That is only for
> stream4inline of course ;-)...

At least under Linux, netfilter (up to at least the 2.6.18 kernel) reassembles the packets for us, so we don't see frags.

Cheers,

Dave

> Regards,
>
> Will
>
> On 8/27/07, Adayadil Thomas <ada...@gm...> wrote:
>> Greetings.
>>
>> In the inline mode, does snort_inline do reassembly operation (for TCP
>> packets) for every tcp segment OR does the reassembly happen only when
>> a threshold (bytes) is reached?
>>
>> Thanks
From: Will M. <wil...@gm...> - 2007-08-27 21:08:24
every tcp segment.... In addition we also scan the unreassembled packet before passing the verdict back to iptables. That is only for stream4inline of course ;-)...

Regards,

Will

On 8/27/07, Adayadil Thomas <ada...@gm...> wrote:
> Greetings.
>
> In the inline mode, does snort_inline do reassembly operation (for TCP
> packets) for every tcp segment OR does the reassembly happen only when
> a threshold (bytes) is reached?
>
> Thanks
From: Adayadil T. <ada...@gm...> - 2007-08-27 20:29:24
Greetings.

In the inline mode, does snort_inline do reassembly operation (for TCP packets) for every tcp segment OR does the reassembly happen only when a threshold (bytes) is reached?

Thanks
From: Victor J. <li...@in...> - 2007-07-30 21:27:26
Mike Smith wrote:
> Hi, I keep getting this alert with snort v2.6
>
> "(spp_stream4) TCP out-of-order packets limit reached for stream"
>
> And is essentially dropping payloads with non-ASCII characters, how can
> I disable this ?

Hi Mike, sorry for not responding earlier. The alerts are not related to the payload of the TCP packets. I've just written a blogpost about how the handling of out of order packets in Snort_inline works: http://www.inliniac.net/blog/2007/07/30/snort_inline-and-out-of-order-packets.html

Cheers,
Victor
From: Nick R. <ni...@ro...> - 2007-07-27 14:38:23
> First of all you don't really want to use snort_inline to log directly to
> a MYSQL database from snort_inline. If snort/snort_inline loses connection
> to a database, the process terminates, which may be acceptable for passive
> mode, but not ok for InlineMode(); Use barnyard + snort unified logging to
> log to your database.

Also, adding the --with-mysql flag during build time does not create the DB or set up the table structure. I believe there is (or used to be) a MYSQL readme file included in docs that describes how to set up your database structure.

Nick Rogness <ni...@ro...>
From: Will M. <wil...@gm...> - 2007-07-26 12:28:11
In your snort_inline.conf under your stream4 configuration set the following option.

disable_ooo_pkts_drop

Regards,

Will

On 7/26/07, Mike Smith <mik...@ch...> wrote:
> Hi, I keep getting this alert with snort v2.6
>
> "(spp_stream4) TCP out-of-order packets limit reached for stream"
>
> And is essentially dropping payloads with non-ASCII characters, how can
> I disable this ?
>
> many thanks
> Mike :)
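As an added illustration (not code from snort_inline or from anyone in this thread) of the two points Will makes on this page, that stream4inline scans each segment both unreassembled and as part of the reassembled stream, and that the out-of-order packet limit behind Mike's alert can be told not to drop with disable_ooo_pkts_drop: a toy inline inspector that gives each segment one verdict from both checks and raises the limit alert. The substring signatures, the limit of 3 and the StreamInspector/run_demo names are assumptions of this example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

ACCEPT, DROP = "ACCEPT", "DROP"
# Alert text as it appears in Mike's report on this page.
OOO_ALERT = "(spp_stream4) TCP out-of-order packets limit reached for stream"


@dataclass
class Segment:
    seq: int        # sequence number of the first payload byte
    payload: bytes


@dataclass
class StreamInspector:
    """One direction of one TCP stream as an inline inspector might track it.

    Constructed model, not snort_inline's stream4inline code: signatures are
    plain substrings and the ooo limit is a single counter per stream.
    """
    signatures: List[bytes]
    max_ooo: int = 3              # assumed limit; the real one is configurable
    drop_on_ooo: bool = True      # False stands in for 'disable_ooo_pkts_drop'
    next_seq: int = 0             # next in-order byte the stream expects
    ooo_count: int = 0
    pending: Dict[int, bytes] = field(default_factory=dict)  # seq -> payload
    reassembled: bytes = b""
    alerts: List[str] = field(default_factory=list)

    def _matches(self, data: bytes) -> bool:
        return any(sig in data for sig in self.signatures)

    def _drain(self) -> bytes:
        """Move every buffered segment that is now contiguous into the stream."""
        new = b""
        while self.next_seq in self.pending:
            chunk = self.pending.pop(self.next_seq)
            new += chunk
            self.next_seq += len(chunk)
        self.reassembled += new
        return new

    def inspect(self, seg: Segment) -> str:
        """Return the verdict handed back to the queue for this one segment."""
        # 1. Unreassembled check: the raw segment by itself may already match,
        #    so it can be dropped before any stream state is touched.
        if self._matches(seg.payload):
            return DROP

        # 2. Ordering. A segment that is not the next expected one is buffered
        #    and counted; past the limit the stream raises the ooo alert and
        #    either drops (default) or lets the segment through.
        if seg.seq != self.next_seq:
            self.ooo_count += 1
            if self.ooo_count > self.max_ooo:
                self.alerts.append(OOO_ALERT)
                return DROP if self.drop_on_ooo else ACCEPT
            self.pending[seg.seq] = seg.payload
            return ACCEPT   # nothing contiguous to reassemble against yet

        # 3. Reassembled check: this segment closes a gap, so scan the newly
        #    contiguous bytes plus enough history to catch a signature split
        #    across a segment boundary. Segments accepted earlier are already
        #    forwarded; only the segment in hand can still be dropped.
        self.pending[seg.seq] = seg.payload
        new_bytes = self._drain()
        longest = max((len(s) for s in self.signatures), default=1)
        start = max(0, len(self.reassembled) - len(new_bytes) - (longest - 1))
        return DROP if self._matches(self.reassembled[start:]) else ACCEPT


def run_demo(drop_on_ooo: bool = True) -> Tuple[List[str], List[str]]:
    """Feed constructed segments through one stream; return (verdicts, alerts)."""
    insp = StreamInspector(signatures=[b"/etc/passwd", b"EVIL"],
                           drop_on_ooo=drop_on_ooo)
    segs = [                                           # constructed sample traffic
        Segment(0, b"GET /index.html HTTP/1.0\r\n"),   # in order, benign
        Segment(26, b"Host: /etc/pa"),                 # first half of a signature
        Segment(39, b"sswd\r\n"),                      # second half: only the
                                                       # reassembled check sees it
        Segment(45, b"X: EVIL\r\n"),                   # matches on its own
        Segment(200, b"a"), Segment(300, b"b"),        # out of order: buffered
        Segment(400, b"c"), Segment(500, b"d"),        # 4th ooo segment trips the limit
    ]
    return [insp.inspect(s) for s in segs], list(insp.alerts)


if __name__ == "__main__":
    for flag in (True, False):
        verdicts, alerts = run_demo(drop_on_ooo=flag)
        print(f"drop_on_ooo={flag}: {verdicts} alerts={alerts}")
```

Running it with drop_on_ooo=False reproduces Will's advice: the limit alert still fires, but the segment that tripped it is accepted instead of dropped.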
From: Mike S. <mik...@ch...> - 2007-07-26 11:58:25
Hi, I keep getting this alert with snort v2.6

"(spp_stream4) TCP out-of-order packets limit reached for stream"

And is essentially dropping payloads with non-ASCII characters, how can I disable this ?

many thanks
Mike :)
From: Will M. <wil...@gm...> - 2007-07-25 11:52:29
First of all you don't really want to use snort_inline to log directly to a MYSQL database from snort_inline. If snort/snort_inline loses connection to a database, the process terminates, which may be acceptable for passive mode, but not ok for InlineMode(); Use barnyard + snort unified logging to log to your database.

Regards,

Will

On 7/25/07, Mike Smith <mik...@ch...> wrote:
> Hi, can anyone help me, I am trying to enable MYSQL support for version
> 2.6.1.5 , I'm not having much luck. I have configured --with-mysql and
> set the config file to log to MYSQL but nothing happens, the database
> remains unpopulated.
>
> thanks
> Mike :)
From: Mike S. <mik...@ch...> - 2007-07-25 11:09:10
Hi, can anyone help me, I am trying to enable MYSQL support for version 2.6.1.5, I'm not having much luck. I have configured --with-mysql and set the config file to log to MYSQL but nothing happens, the database remains unpopulated.

thanks
Mike :)
From: Alberto Z. <al...@in...> - 2007-07-22 08:43:48
I just tried vuurmuur, a very beautiful system; the ncurses interface can make my life much easier: many thanks for the suggestion. I didn't find any reference to any traffic shaping functionality except in future plans, but at the moment it is not an important feature for me.

But the problem is still alive: when a malicious packet goes to snort_inline, it is detected and in the snort_inline-fast log it is marked by drop (for example:

07/21-10:42:41.215672 [Drop] [**] [1:4626:4] Port 80 connection initiated [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 77.42.112.123:45799 -> 87.238.232.7:80

), but it passes through, not dropped. Can someone check the rule application order in the snort_inline log? In my system it is

dynamic->pass->drop->sdrop->reject->rejectboth->rejectsrc->rejectdst->alert->log

and it seems incorrect. Now this is my iptables -L -n:
opt source destination =20 RETURN all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 10/sec burst 20=20 LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 1/sec burst 2 LOG flags 0 level 6 prefix `vrmr: DROP SYNLIMIT reach. '=20 DROP all -- 0.0.0.0/0 0.0.0.0/0 =20 Chain TCPRESET (0 references) target prot opt source destination =20 REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp reject-with tcp-reset=20 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable=20 Chain UDPLIMIT (2 references) target prot opt source destination =20 RETURN all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 15/sec burst 45=20 LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 1/sec burst 2 LOG flags 0 level 6 prefix `vrmr: DROP UDPLIMIT reach. '=20 DROP all -- 0.0.0.0/0 0.0.0.0/0=20 Bye, Alberto Il giorno ven, 20/07/2007 alle 14.20 -0400, Francisco Mu=C3=B1oz ha scritto= : > Shorewall is not compatible with snort-inline. That's it. If you have > to use a high-level interface to iptables, try Victor Julien's > Vuurmuur. http://vuurmuur.sourceforge.net/ It's excellent and > integrates quite well with snort-inline. >=20 > --=20 > Cheers, > Francisco |
From: <per...@gm...> - 2007-07-20 18:20:33
|
Shorewall is not compatible with snort-inline. That's it. If you have to use a high-level interface to iptables, try Victor Julien's Vuurmuur. http://vuurmuur.sourceforge.net/ It's excellent and integrates quite well with snort-inline. -- Cheers, Francisco |
From: Alberto Z. <al...@in...> - 2007-07-20 05:45:23
|
Excuse me, but I didn't reply to the list...

I'm using shorewall to configure iptables and my policy file is

$FW  net  ACCEPT
$FW  dmz  ACCEPT
$FW  lea  ACCEPT
$FW  clu  ACCEPT
lea  $FW  ACCEPT
clu  $FW  ACCEPT
dmz  $FW  ACCEPT
lea  net  ACCEPT
lea  dmz  ACCEPT
dmz  net  ACCEPT
pin  net  ACCEPT
pin  dmz  ACCEPT
net  all  DROP    info
all  all  REJECT  info

and my rules file is:

QUEUE   net  fw                 icmp
QUEUE   net  fw                 tcp  179
QUEUE   net  fw                 udp  179
QUEUE   net  fw                 tcp  41
QUEUE   net  fw                 udp  41
QUEUE   net  fw                 tcp  80
QUEUE   net  dmz                icmp
QUEUE   net  dmz                tcp  41
QUEUE   net  dmz                udp  41
ACCEPT  net  dmz:87.238.232.7   tcp  22
QUEUE   net  dmz:87.238.232.7   tcp  80

You can try to launch nmap -v 87.238.232.7, this is the output:

Starting Nmap 4.20 ( http://insecure.org ) at 2007-07-20 07:41 CEST
Machine 87.238.232.7 MIGHT actually be listening on probe port 80
Initiating Parallel DNS resolution of 1 host. at 07:41
Completed Parallel DNS resolution of 1 host. at 07:41, 0.03s elapsed
Initiating Connect() Scan at 07:41
Scanning napoli.leaproject.it (87.238.232.7) [1697 ports]
Discovered open port 22/tcp on 87.238.232.7
Discovered open port 80/tcp on 87.238.232.7
Connect() Scan Timing: About 32.51% done; ETC: 07:43 (0:01:02 remaining)
Completed Connect() Scan at 07:43, 89.75s elapsed (1697 total ports)
Host napoli.leaproject.it (87.238.232.7) appears to be up ... good.
Interesting ports on napoli.leaproject.it (87.238.232.7):
Not shown: 1693 filtered ports
PORT    STATE  SERVICE
22/tcp  open   ssh
41/tcp  closed graphics
80/tcp  open   http
113/tcp closed auth

Nmap finished: 1 IP address (1 host up) scanned in 91.956 seconds

And in snort_inline-fast log:

07/20-07:41:26.446420 [**] [111:29:1] (spp_stream4) TCP wscale option normalized [**] {TCP} 62.123.168.250:42081 -> 87.238.232.7:80
07/20-07:42:12.812348 [**] [111:29:1] (spp_stream4) TCP wscale option normalized [**] {TCP} 62.123.168.250:39906 -> 87.238.232.7:41

My iptables -L:

Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
eth0_in    all  --  anywhere             anywhere
eth1_in    all  --  anywhere             anywhere
eth2_in    all  --  anywhere             anywhere
eth3_in    all  --  anywhere             anywhere
eth4_in    all  --  anywhere             anywhere
Reject     all  --  anywhere             anywhere
LOG        all  --  anywhere             anywhere            LOG level info prefix `Shorewall:INPUT:REJECT:'
reject     all  --  anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination
eth0_fwd   all  --  anywhere             anywhere
eth1_fwd   all  --  anywhere             anywhere
eth2_fwd   all  --  anywhere             anywhere
eth3_fwd   all  --  anywhere             anywhere
eth4_fwd   all  --  anywhere             anywhere
Reject     all  --  anywhere             anywhere
LOG        all  --  anywhere             anywhere            LOG level info prefix `Shorewall:FORWARD:REJECT:'
reject     all  --  anywhere             anywhere

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     udp  --  anywhere             anywhere            udp dpts:bootps:bootpc
ACCEPT     udp  --  anywhere             anywhere            udp dpts:bootps:bootpc
fw2clu     all  --  anywhere             anywhere
fw2net     all  --  anywhere             anywhere
fw2dmz     all  --  anywhere             anywhere
fw2lea     all  --  anywhere             anywhere
all2all    all  --  anywhere             anywhere
Reject     all  --  anywhere             anywhere
LOG        all  --  anywhere             anywhere            LOG level info prefix `Shorewall:OUTPUT:REJECT:'
reject     all  --  anywhere             anywhere

Chain Drop (1 references)
target     prot opt source               destination
reject     tcp  --  anywhere             anywhere            tcp dpt:auth
dropBcast  all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp fragmentation-needed
ACCEPT     icmp --  anywhere             anywhere            icmp time-exceeded
dropInvalid all  --  anywhere             anywhere
DROP       udp  --  anywhere             anywhere            udp dpt:epmap
DROP       udp  --  anywhere             anywhere            udp dpt:microsoft-ds
DROP       udp  --  anywhere             anywhere            udp dpts:netbios-ns:netbios-ssn
DROP       udp  --  anywhere             anywhere            udp spt:netbios-ns dpts:1024:65535
DROP       tcp  --  anywhere             anywhere            tcp dpt:epmap
DROP       tcp  --  anywhere             anywhere            tcp dpt:netbios-ssn
DROP       tcp  --  anywhere             anywhere            tcp dpt:microsoft-ds
DROP       udp  --  anywhere             anywhere            udp dpt:1900
dropNotSyn tcp  --  anywhere             anywhere
DROP       udp  --  anywhere             anywhere            udp spt:domain

Chain Reject (4 references)
target     prot opt source               destination
reject     tcp  --  anywhere             anywhere            tcp dpt:auth
dropBcast  all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp fragmentation-needed
ACCEPT     icmp --  anywhere             anywhere            icmp time-exceeded
dropInvalid all  --  anywhere             anywhere
reject     udp  --  anywhere             anywhere            udp dpt:epmap
reject     udp  --  anywhere             anywhere            udp dpt:microsoft-ds
reject     udp  --  anywhere             anywhere            udp dpts:netbios-ns:netbios-ssn
reject     udp  --  anywhere             anywhere            udp spt:netbios-ns dpts:1024:65535
reject     tcp  --  anywhere             anywhere            tcp dpt:epmap
reject     tcp  --  anywhere             anywhere            tcp dpt:netbios-ssn
reject     tcp  --  anywhere             anywhere            tcp dpt:microsoft-ds
DROP       udp  --  anywhere             anywhere            udp dpt:1900
dropNotSyn tcp  --  anywhere             anywhere
DROP       udp  --  anywhere             anywhere            udp spt:domain

Chain all2all (13 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
Reject     all  --  anywhere             anywhere
LOG        all  --  anywhere             anywhere            LOG level info prefix `Shorewall:all2all:REJECT:'
reject     all  --  anywhere             anywhere

Chain clu2fw (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere

Chain dmz2fw (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere

Chain dmz2net (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere

Chain dropBcast (2 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere            PKTTYPE = broadcast
DROP       all  --  anywhere             anywhere            PKTTYPE = multicast

Chain dropInvalid (2 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere            state INVALID

Chain dropNotSyn (2 references)
target     prot opt source               destination
DROP       tcp  --  anywhere             anywhere            tcp flags:! FIN,SYN,RST,ACK/SYN

Chain dynamic (10 references)
target     prot opt source               destination

Chain eth0_fwd (1 references)
target     prot opt source               destination
dynamic    all  --  anywhere             anywhere            state INVALID,NEW
all2all    all  --  anywhere             anywhere
all2all    all  --  anywhere             anywhere
all2all    all  --  anywhere             anywhere
all2all    all  --  anywhere             anywhere

Chain eth0_in (1 references)
target     prot opt source               destination
dynamic    all  --  anywhere             anywhere            state INVALID,NEW
clu2fw     all  --  anywhere             anywhere

Chain eth1_fwd (1 references)
target     prot opt source               destination
dynamic    all  --  anywhere             anywhere            state INVALID,NEW
net2all    all  --  anywhere             anywhere
net2dmz    all  --  anywhere             anywhere
net2all    all  --  anywhere             anywhere
net2all    all  --  anywhere             anywhere

Chain eth1_in (1 references)
target     prot opt source               destination
dynamic    all  --  anywhere             anywhere            state INVALID,NEW
net2fw     all  --  anywhere             anywhere

Chain eth2_fwd (1 references)
target     prot opt source               destination
dynamic    all  --  anywhere             anywhere            state INVALID,NEW
all2all    all  --  anywhere             anywhere
dmz2net    all  --  anywhere             anywhere
all2all    all  --  anywhere             anywhere
all2all    all  --  anywhere             anywhere

Chain eth2_in (1 references)
target     prot opt source               destination
dynamic    all  --  anywhere             anywhere            state INVALID,NEW
dmz2fw     all  --  anywhere             anywhere

Chain eth3_fwd (1 references)
target     prot opt source               destination
dynamic    all  --  anywhere             anywhere            state INVALID,NEW
all2all    all  --  anywhere             anywhere
lea2net    all  --  anywhere             anywhere
lea2dmz    all  --  anywhere             anywhere
all2all    all  --  anywhere             anywhere

Chain eth3_in (1 references)
target     prot opt source               destination
dynamic    all  --  anywhere             anywhere            state INVALID,NEW
ACCEPT     udp  --  anywhere             anywhere            udp dpts:bootps:bootpc
lea2fw     all  --  anywhere             anywhere

Chain eth4_fwd (1 references)
target     prot opt source               destination
dynamic    all  --  anywhere             anywhere            state INVALID,NEW
all2all    all  --  anywhere             anywhere
pin2net    all  --  anywhere             anywhere
pin2dmz    all  --  anywhere             anywhere
all2all    all  --  anywhere             anywhere

Chain eth4_in (1 references)
target     prot opt source               destination
dynamic    all  --  anywhere             anywhere            state INVALID,NEW
ACCEPT     udp  --  anywhere             anywhere            udp dpts:bootps:bootpc
all2all    all  --  anywhere             anywhere

Chain fw2clu (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere

Chain fw2dmz (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere

Chain fw2lea (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere

Chain fw2net (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere

Chain lea2dmz (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere

Chain lea2fw (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere

Chain lea2net (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere

Chain logdrop (0 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere            LOG level info prefix `Shorewall:logdrop:DROP:'
DROP       all  --  anywhere             anywhere

Chain logreject (0 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere            LOG level info prefix `Shorewall:logreject:REJECT:'
reject     all  --  anywhere             anywhere

Chain net2all (5 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
Drop       all  --  anywhere             anywhere
LOG        all  --  anywhere             anywhere            LOG level info prefix `Shorewall:net2all:DROP:'
DROP       all  --  anywhere             anywhere

Chain net2dmz (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
QUEUE      icmp --  anywhere             anywhere
QUEUE      tcp  --  anywhere             anywhere            tcp dpt:graphics
QUEUE      udp  --  anywhere             anywhere            udp dpt:graphics
ACCEPT     tcp  --  anywhere             napoli.leaproject.it tcp dpt:ssh
QUEUE      tcp  --  anywhere             napoli.leaproject.it tcp dpt:http
net2all    all  --  anywhere             anywhere

Chain net2fw (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
QUEUE      icmp --  anywhere             anywhere
QUEUE      tcp  --  anywhere             anywhere            tcp dpt:bgp
QUEUE      udp  --  anywhere             anywhere            udp dpt:bgp
QUEUE      tcp  --  anywhere             anywhere            tcp dpt:graphics
QUEUE      udp  --  anywhere             anywhere            udp dpt:graphics
QUEUE      tcp  --  anywhere             anywhere            tcp dpt:http
net2all    all  --  anywhere             anywhere

Chain pin2dmz (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere

Chain pin2net (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere

Chain reject (14 references)
target     prot opt source               destination
DROP       all  --  255.255.255.255      anywhere
DROP       all  --  BASE-ADDRESS.MCAST.NET/4  anywhere
DROP       all  --  anywhere             anywhere            PKTTYPE = broadcast
DROP       all  --  anywhere             anywhere            PKTTYPE = multicast
DROP       all  --  255.255.255.255      anywhere
DROP       all  --  BASE-ADDRESS.MCAST.NET/4  anywhere
REJECT     tcp  --  anywhere             anywhere            reject-with tcp-reset
REJECT     udp  --  anywhere             anywhere            reject-with icmp-port-unreachable
REJECT     icmp --  anywhere             anywhere            reject-with icmp-host-unreachable
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain shorewall (0 references)
target     prot opt source               destination

Chain smurfs (0 references)
target     prot opt source               destination
LOG        all  --  172.20.10.3          anywhere            LOG level info prefix `Shorewall:smurfs:DROP:'
DROP       all  --  172.20.10.3          anywhere
LOG        all  --  87.238.232.239       anywhere            LOG level info prefix `Shorewall:smurfs:DROP:'
DROP       all  --  87.238.232.239       anywhere
LOG        all  --  87.238.232.127       anywhere            LOG level info prefix `Shorewall:smurfs:DROP:'
DROP       all  --  87.238.232.127       anywhere
LOG        all  --  87.238.232.139       anywhere            LOG level info prefix `Shorewall:smurfs:DROP:'
DROP       all  --  87.238.232.139       anywhere
LOG        all  --  87.238.232.143       anywhere            LOG level info prefix `Shorewall:smurfs:DROP:'
DROP       all  --  87.238.232.143       anywhere
LOG        all  --  255.255.255.255      anywhere            LOG level info prefix `Shorewall:smurfs:DROP:'
DROP       all  --  255.255.255.255      anywhere
LOG        all  --  BASE-ADDRESS.MCAST.NET/4  anywhere       LOG level info prefix `Shorewall:smurfs:DROP:'
DROP       all  --  BASE-ADDRESS.MCAST.NET/4  anywhere

Thanks,
Alberto

On Thu, 19/07/2007 at 18.32 -0500, Will Metcalf wrote:
> what do your iptables rules look like?
>
> Regards,
>
> Will
>
> On 7/19/07, Alberto Zuin <al...@in... > wrote:
> I'm a newbie but I didn't find any help in previous messages.
> I just compiled snort_inline 2.6.1.5 on a gentoo linux server using the
> howto at http://linuxgazette.net/117/savage.html, I downloaded the rules
> via oinkmaster and I substituted all "alert" with "drop", but snort doesn't
> drop any packets, only alerts.
> The strange thing is the rules application order where the pass rule is
> just before the drop rule like a startup with -o flag.
> The server uses hardened sources and selinux.
> Can you help me please?
> Thanks,
> Alberto
> |
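Why the Shorewall rules above never let snort_inline drop anything, and why the Vuurmuur listing earlier in the thread does, comes down to rule order: in the posted net2dmz chain the first rule is `ACCEPT ... state RELATED,ESTABLISHED`, so only the very first packet of a connection (state NEW) reaches a QUEUE rule and every later packet, including the ones carrying the payload a drop rule would match, is accepted by conntrack before snort_inline ever sees it; port 22 is never queued at all because its rule is ACCEPT. In the Vuurmuur listing, ESTABLISHED packets are instead dispatched by the connection mark (`MARK match 0x1000000/0xff000000 state ESTABLISHED` goes to QUEUE), so a connection that was queued stays queued. The script below is an added example, not code from this thread, from Shorewall or from Vuurmuur: it is a small first-match chain evaluator (hypothetical helper names `Rule`, `Packet`, `trace`, `simulate_flow`, `packets_seen_by_snort`) that walks hand-transcribed simplifications of both chain layouts and counts how many packets of a three-packet TCP flow reach QUEUE. The entry chain name "FORWARD" for the Vuurmuur ruleset is assumed because it is cut off on the page, and the CONNMARK save/restore that sets mark 0x1000000 on queued connections is assumed rather than shown in the thread.

```python
"""Trace packets through two iptables chain layouts and count how many packets
of a TCP connection reach the QUEUE target (snort_inline).
Added example, not code from the thread, Shorewall or Vuurmuur. SHOREWALL is a
simplification of the posted net2dmz chain (service names -> port numbers);
VUURMUUR simplifies the Vuurmuur listing, with entry chain "FORWARD" assumed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

NEW, EST, REL = "NEW", "ESTABLISHED", "RELATED"
TERMINAL = {"ACCEPT", "QUEUE", "DROP", "REJECT"}
WEB = "87.238.232.7"                        # napoli.leaproject.it in the posts


@dataclass
class Rule:
    target: str                               # terminal target or user chain
    proto: str = "all"                        # all | tcp | udp | icmp
    dst: Optional[str] = None                 # None = anywhere
    dports: Optional[Tuple[int, int]] = None  # inclusive range, None = any
    states: Optional[frozenset] = None        # conntrack states, None = any
    mark: Optional[Tuple[int, int]] = None    # (value, mask) of a MARK match


@dataclass
class Packet:
    proto: str
    dst: str
    dport: int
    state: str
    mark: int = 0                             # packet mark (restored connmark)


def matches(rule: Rule, pkt: Packet) -> bool:
    """The subset of iptables matches the posted chains use."""
    if rule.proto != "all" and rule.proto != pkt.proto:
        return False
    if rule.dst is not None and rule.dst != pkt.dst:
        return False
    if rule.dports is not None and not rule.dports[0] <= pkt.dport <= rule.dports[1]:
        return False
    if rule.states is not None and pkt.state not in rule.states:
        return False
    if rule.mark is not None and (pkt.mark & rule.mark[1]) != rule.mark[0]:
        return False
    return True


def trace(chains: Dict[str, List[Rule]], chain: str, pkt: Packet, path=None):
    """First matching rule wins; user chains are entered recursively and a RETURN
    or falling off the end goes back to the caller, as netfilter does.
    Returns (verdict or None, list of 'chain:target' hops taken)."""
    path = [] if path is None else path
    for rule in chains[chain]:
        if not matches(rule, pkt):
            continue
        path.append(f"{chain}:{rule.target}")
        if rule.target in TERMINAL:
            return rule.target, path
        if rule.target == "RETURN":
            return None, path
        verdict, path = trace(chains, rule.target, pkt, path)
        if verdict is not None:
            return verdict, path
    return None, path


# Shorewall's net2dmz as posted: the conntrack shortcut is the FIRST rule.
SHOREWALL = {
    "net2dmz": [
        Rule("ACCEPT", states=frozenset({EST, REL})),
        Rule("QUEUE", proto="icmp"),
        Rule("QUEUE", proto="tcp", dports=(41, 41)),
        Rule("QUEUE", proto="udp", dports=(41, 41)),
        Rule("ACCEPT", proto="tcp", dst=WEB, dports=(22, 22)),
        Rule("QUEUE", proto="tcp", dst=WEB, dports=(80, 80)),
        Rule("net2all"),
    ],
    "net2all": [Rule("ACCEPT", states=frozenset({EST, REL})), Rule("DROP")],
}

# Vuurmuur's layout as posted: ESTABLISHED packets are routed by the
# connection mark, so a connection whose SYN was queued stays queued.
VUURMUUR = {
    "FORWARD": [
        Rule("ACCEPT", states=frozenset({EST}), mark=(0x0, 0xff000000)),
        Rule("NEWACCEPT", states=frozenset({REL}), mark=(0x0, 0xff000000)),
        Rule("QUEUE", states=frozenset({EST}), mark=(0x1000000, 0xff000000)),
        Rule("NEWQUEUE", states=frozenset({REL}), mark=(0x1000000, 0xff000000)),
        Rule("NEWQUEUE", proto="tcp", dst=WEB, dports=(80, 81), states=frozenset({NEW})),
        Rule("NEWACCEPT", proto="tcp", dst=WEB, dports=(22, 22), states=frozenset({NEW})),
        Rule("DROP"),
    ],
    "NEWACCEPT": [Rule("ACCEPT")],   # the real chains rate-limit SYN/UDP first
    "NEWQUEUE": [Rule("QUEUE")],
}


def simulate_flow(chains, entry: str, proto: str, dst: str, dport: int) -> List[str]:
    """Verdicts for a three-packet flow: the SYN (NEW) plus two ESTABLISHED
    packets. Assumption (not shown on the page): a CONNMARK rule saves 0x1000000
    on a connection whose first packet was queued and restores it onto every
    later packet; otherwise the mark stays 0."""
    first, _ = trace(chains, entry, Packet(proto, dst, dport, NEW, mark=0))
    connmark = 0x1000000 if first == "QUEUE" else 0
    verdicts = [first]
    for _ in range(2):
        v, _ = trace(chains, entry, Packet(proto, dst, dport, EST, mark=connmark))
        verdicts.append(v)
    return verdicts


def packets_seen_by_snort(chains, entry, proto, dst, dport) -> int:
    """How many packets of the flow reach QUEUE, i.e. snort_inline."""
    return simulate_flow(chains, entry, proto, dst, dport).count("QUEUE")


if __name__ == "__main__":
    for name, chains, entry in (("shorewall", SHOREWALL, "net2dmz"), ("vuurmuur", VUURMUUR, "FORWARD")):
        for port in (22, 80):
            print(f"{name:9} {WEB}:{port}", simulate_flow(chains, entry, "tcp", WEB, port))
```

Running it shows the Shorewall layout queuing one packet out of three for port 80 and none for port 22, while the Vuurmuur layout queues all three for port 80: that one-packet view is exactly what the snort_inline-fast log above reflects, a single stream4 alert on the SYN and nothing on the data that followed.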
From: Will M. <wil...@gm...> - 2007-07-19 23:32:31
|
what do your iptables rules look like?

Regards,

Will

On 7/19/07, Alberto Zuin <al...@in...> wrote:
>
> I'm a newbie but I didn't find any help in previous messages.
> I just compiled snort_inline 2.6.1.5 on a gentoo linux server using the
> howto at http://linuxgazette.net/117/savage.html, I downloaded the rules
> via oinkmaster and I substituted all "alert" with "drop", but snort doesn't
> drop any packets, only alerts.
> The strange thing is the rules application order where the pass rule is
> just before the drop rule like a startup with -o flag.
> The server uses hardened sources and selinux.
> Can you help me please?
> Thanks,
> Alberto
>
>
> linux # /usr/local/bin/snort_inline -Qv -c /etc/snort_inline/snort_inline.conf
> Reading from iptables
> Running in IDS mode
> Initializing Inline mode
>
> --== Initializing Snort ==--
> Initializing Output Plugins!
> Var 'eth1_ADDRESS' defined, value len = 30 chars, value = 87.238.232.224/255.255.255.240
> Var 'eth2_ADDRESS' defined, value len = 28 chars, value = 87.238.232.0/255.255.255.128
> Var 'eth3_ADDRESS' defined, value len = 30 chars, value = 87.238.232.136/255.255.255.252
> Var 'eth4_ADDRESS' defined, value len = 30 chars, value = 87.238.232.140/255.255.255.252
> Var 'any_ADDRESS' defined, value len = 15 chars, value = 0.0.0.0/0.0.0.0
> Var 'lo_ADDRESS' defined, value len = 19 chars, value = 127.0.0.0/255.0.0.0
> Initializing Preprocessors!
> Initializing Plug-ins!
> Parsing Rules file /etc/snort_inline/snort_inline.conf
>
> +++++++++++++++++++++++++++++++++++++++++++++++++++
> Initializing rule chains...
> Var 'HOME_NET' defined, value len = 3 chars, value = any
> Var 'HONEYNET' defined, value len = 3 chars, value = any
> Var 'EXTERNAL_NET' defined, value len = 3 chars, value = any
> Var 'SMTP_SERVERS' defined, value len = 3 chars, value = any
> Var 'TELNET_SERVERS' defined, value len = 3 chars, value = any
> Var 'HTTP_SERVERS' defined, value len = 3 chars, value = any
> Var 'SQL_SERVERS' defined, value len = 3 chars, value = any
> Var 'DNS_SERVERS' defined, value len = 3 chars, value = any
> Var 'HTTP_PORTS' defined, value len = 2 chars, value = 80
> Var 'SHELLCODE_PORTS' defined, value len = 3 chars, value = !80
> Var 'ORACLE_PORTS' defined, value len = 4 chars, value = 1521
> Var 'SSH_PORTS' defined, value len = 2 chars, value = 22
> Var 'AIM_SERVERS' defined, value len = 185 chars
> [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
> Var 'RULE_PATH' defined, value len = 28 chars, value = /etc/snort_inline/drop-rules
> ,-----------[Flow Config]----------------------
> | Stats Interval: 0
> | Hash Method: 2
> | Memcap: 10485760
> | Rows : 4099
> | Overhead Bytes: 16400(%0.16)
> `----------------------------------------------
> stream4inline mode enabled
> truncating mode enabled
> Stream4 config:
> Stateful inspection: ACTIVE
> Session statistics: INACTIVE
> Session timeout: 3600 seconds
> Session memory cap: 134217728 bytes
> Session count max: 8192 sessions
> Session cleanup count: 5
> State alerts: INACTIVE
> Evasion alerts: INACTIVE
> Scan alerts: INACTIVE
> Log Flushed Streams: INACTIVE
> MinTTL: 1
> TTL Limit: 5
> Async Link: 0
> State Protection: 0
> Self preservation threshold: 50
> Self preservation period: 90
> Suspend threshold: 200
> Suspend period: 30
> Enforce TCP State: ACTIVE and DROPPING
> Midstream Drop Alerts: INACTIVE
> Allow Blocking of TCP Sessions in Inline: ACTIVE
> Server Data Inspection Limit: -1
> Inline-mode options:
> Inline-mode enabled? (stream4inline): Yes
> Scan mode? (scan_stream_only): Both packet and stream
> Sliding Windowsize (window_size): 3000
> Memcap reached method (truncate): Truncate
> Truncate percentage (truncate_percentage): 33
> Store/Load state from/to disk: No
> Max out-of-order packets in a stream (max_ooo_pkts): 5
> Max out-of-order bytes in a stream (max_ooo_bytes): 5000
> Max sequence holes in a stream (max_seq_holes): 2
> Normalize wscale max (norm_wscale_max): 2
> Perform window scale normaliztion: Yes
> Disable out-of-order packet drop: No
> Disable out-of-order packet drop: No
> Disable sequence hole packet drop: No
> Max sequence holes in a stream (max_seq_holes): 2
> Disable wscale normalization alerts (disable_norm_wscale_alerts): No
> Disable out-of-order alerts (disable_ooo_alerts): No
> Drop bad RST packets? (drop_bad_rst): No
> Disable evasive retransmission packet drop: No
> Disable out-of-window packet drop: No
> Disable all protocol violation drops: No
> WARNING /etc/snort_inline/snort_inline.conf(368) => flush_behavior set in config file, using old static flushpoints (0)
> Stream4_reassemble config:
> Server reassembly: ACTIVE
> Client reassembly: ACTIVE
> Reassembler alerts: ACTIVE
> Zero out flushed packets: INACTIVE
> Flush stream on alert: INACTIVE
> flush_data_diff_size: 500
> Reassembler Packet Preferance : Favor New
> Packet Sequence Overlap Limit: -1
> Flush behavior: Small (<255 bytes)
> Ports: 21 23 25 42 53 80 110 111 135 136 137 139 143 445 513 1433 1521 3306
> Emergency Ports: 21 23 25 42 53 80 110 111 135 136 137 139 143 445 513 1433 1521 3306
> HttpInspect Config:
> GLOBAL CONFIG
> Max Pipeline Requests: 0
> Inspection Type: STATELESS
> Detect Proxy Usage: NO
> IIS Unicode Map Filename: /etc/snort_inline/unicode.map
> IIS Unicode Map Codepage: 1252
> DEFAULT SERVER CONFIG:
> Server profile: All
> Ports: 80 8080 8180
> Flow Depth: 300
> Max Chunk Length: 500000
> Inspect Pipeline Requests: YES
> URI Discovery Strict Mode: NO
> Allow Proxy Usage: NO
> Disable Alerting: NO
> Oversize Dir Length: 500
> Only inspect URI: NO
> Ascii: YES alert: NO
> Double Decoding: YES alert: YES
> %U Encoding: YES alert: YES
> Bare Byte: YES alert: YES
> Base36: OFF
> UTF 8: OFF
> IIS Unicode: YES alert: YES
> Multiple Slash: YES alert: NO
> IIS Backslash: YES alert: NO
> Directory Traversal: YES alert: NO
> Web Root Traversal: YES alert: YES
> Apache WhiteSpace: YES alert: NO
> IIS Delimiter: YES alert: NO
> IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
> Non-RFC Compliant Characters: NONE
> Whitespace Characters: 0x09 0x0b 0x0c 0x0d
> rpc_decode arguments:
> Ports to decode RPC on: 111 32771
> alert_fragments: INACTIVE
> alert_large_fragments: ACTIVE
> alert_incomplete: ACTIVE
> alert_multiple_requests: ACTIVE
> Portscan Detection Config:
> Detect Protocols: TCP UDP ICMP IP
> Detect Scan Type: portscan portsweep decoy_portscan distributed_portscan
> Sensitivity Level: Low
> Memcap (in bytes): 10000000
> Number of Nodes: 36900
>
> 6152 Snort rules read...
> 6152 Option Chains linked into 185 Chain Headers
> 0 Dynamic rules
> +++++++++++++++++++++++++++++++++++++++++++++++++++
>
> Tagged Packet Limit: 256
> InitInline stage 2: InitInlinePostConfig starting...
>
> +-----------------------[thresholding-config]----------------------------------
> | memory-cap : 1048576 bytes
>
> +-----------------------[thresholding-global]----------------------------------
> | none
>
> +-----------------------[thresholding-local]-----------------------------------
> | gen-id=1 sig-id=2275 type=Threshold tracking=dst count=5 seconds=60
> | gen-id=1 sig-id=5321 type=Limit tracking=src count=1 seconds=60
> | gen-id=1 sig-id=3273 type=Threshold tracking=src count=5 seconds=2
> | gen-id=1 sig-id=3527 type=Limit tracking=dst count=5 seconds=60
> | gen-id=1 sig-id=4984 type=Threshold tracking=src count=5 seconds=2
> | gen-id=1 sig-id=2923 type=Threshold tracking=dst count=10 seconds=60
> | gen-id=1 sig-id=3152 type=Threshold tracking=src count=5 seconds=2
> | gen-id=1 sig-id=2523 type=Both tracking=dst count=10 seconds=10
> | gen-id=1 sig-id=5323 type=Limit tracking=src count=1 seconds=60
> | gen-id=1 sig-id=5322 type=Limit tracking=src count=1 seconds=60
> | gen-id=1 sig-id=3543 type=Threshold tracking=src count=5 seconds=2
> | gen-id=1 sig-id=2924 type=Threshold tracking=dst count=10 seconds=60
> | gen-id=1 sig-id=3542 type=Threshold tracking=src count=5 seconds=2
>
> +-----------------------[suppression]------------------------------------------
> | none
>
> -------------------------------------------------------------------------------
> Rule application order:
> ->activation->dynamic->pass->drop->sdrop->reject->rejectboth->rejectsrc->rejectdst->alert->log
> Log directory = /var/log/snort
> Loading dynamic engine /usr/local/lib/snort_dynamicengine/libsf_engine.so... done
> Loading all dynamic preprocessor libs from /usr/local/lib/snort_dynamicpreprocessor/...
> Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_dns_preproc.so... done
> Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_dcerpc_preproc.so... done
> Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_ftptelnet_preproc.so... done
> Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_ssh_preproc.so... done
> Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_smtp_preproc.so... done
> Finished Loading all dynamic preprocessor libs from /usr/local/lib/snort_dynamicpreprocessor/
> FTPTelnet Config:
> GLOBAL CONFIG
> Inspection Type: stateful
> Check for Encrypted Traffic: YES alert: YES
> Continue to check encrypted data: NO
> TELNET CONFIG:
> Ports: 23
> Are You There Threshold: 200
> Normalize: YES
> Detect Anomalies: NO
> FTP CONFIG:
> FTP Server: default
> Ports: 21
> Check for Telnet Cmds: YES alert: YES
> Identify open data channels: YES
> FTP Client: default
> Check for Bounce Attacks: YES alert: YES
> Check for Telnet Cmds: YES alert: YES
> Max Response Length: 256
> SMTP Config:
> Ports: 25
> Inspection Type: STATEFUL
> Normalize Spaces: YES
> Ignore Data: NO
> Ignore TLS Data: NO
> Ignore Alerts: NO
> Max Command Length: 0
> Max Header Line Length: 0
> Max Response Line Length: 0
> X-Link2State Alert: YES
> Drop on X-Link2State Alert: NO
>
> DCE/RPC Decoder config:
> Autodetect ports ENABLED
> SMB fragmentation ENABLED
> DCE/RPC fragmentation ENABLED
> Max Frag Size: 3000 bytes
> Memcap: 100000 KB
> Alert if memcap exceeded DISABLED
>
> DNS config:
> DNS Client rdata txt Overflow Alert: ACTIVE
> Obsolete DNS RR Types Alert: INACTIVE
> Experimental DNS RR Types Alert: INACTIVE
> Ports: 53
> Verifying Preprocessor Configurations!
> Warning: flowbits key 'dce.bind.veritas' is set but not ever checked.
> Warning: flowbits key 'ms_sql_seen_dns' is checked but not ever set.
> Warning: flowbits key 'realplayer.playlist' is checked but not ever set.
> 50 out of 512 flowbits in use.
> Setting the Packet Processor to decode packets from iptables
> database: compiled support for ( postgresql )
> database: configured to use postgresql
> database: user = snort
> database: password is set
> database: database name = snort_log
> database: host = localhost
> Node unique name is: unknown:NULL
>
> database: sensor name = unknown:NULL
> database: sensor id = 2
> database: schema version = 107
> database: using the "log" facility
> +--[Pattern Matcher:Aho-Corasick Summary]----------------------
> | Alphabet Size : 256 Chars
> | Sizeof State : 2 bytes
> | Storage Format : Full
> | Num States : 103504
> | Num Transitions : 4125009
> | State Density : 15.6%
> | Finite Automatum : DFA
> | Memory : 163.78Mbytes
> +-------------------------------------------------------------
>
> --== Initialization Complete ==--
>
> ,,_ -*> Snort_Inline! <*-
> o" )~ Version 2.6.1.5 (Build 59) inline
> '''' By Martin Roesch & The Snort Team: http://www.snort.org/team.html
> Snort_Inline Mod by William Metcalf, Victor Julien, Nick Rogness,
> Dave Remien, Rob McMillen and Jed Haile
> (C) Copyright 1998-2007 Sourcefire Inc., et al.
>
> Rules Engine: SF_SNORT_DETECTION_ENGINE Version 1.6 <Build 11>
> Preprocessor Object: SF_SMTP Version 1.0 <Build 7>
> Preprocessor Object: SF_SSH Version 1.0 <Build 1>
> Preprocessor Object: SF_FTPTELNET Version 1.0 <Build 10>
> Preprocessor Object: SF_DCERPC Version 1.0 <Build 4>
> Preprocessor Object: SF_DNS Version 1.0 <Build 2>
> Not Using PCAP_FRAMES
>
> -------------------------------------------------------------------------
> This SF.net email is sponsored by: Microsoft
> Defy all challenges. Microsoft(R) Visual Studio 2005.
> http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
> _______________________________________________
> Snort-inline-users mailing list
> Sno...@li...
> https://lists.sourceforge.net/lists/listinfo/snort-inline-users
> |
From: Alberto Z. <al...@in...> - 2007-07-19 21:09:34
|
I'm a newbie but I didn't find any help in previous messages.
I just compiled snort_inline 2.6.1.5 on a gentoo linux server using the
howto at http://linuxgazette.net/117/savage.html, I downloaded the rules
via oinkmaster and I substituted all "alert" with "drop", but snort doesn't
drop any packets, only alerts.
The strange thing is the rules application order where the pass rule is
just before the drop rule like a startup with -o flag.
The server uses hardened sources and selinux.
Can you help me please?
Thanks,
Alberto

linux # /usr/local/bin/snort_inline -Qv -c /etc/snort_inline/snort_inline.conf
Reading from iptables
Running in IDS mode
Initializing Inline mode

--== Initializing Snort ==--
Initializing Output Plugins!
Var 'eth1_ADDRESS' defined, value len = 30 chars, value = 87.238.232.224/255.255.255.240
Var 'eth2_ADDRESS' defined, value len = 28 chars, value = 87.238.232.0/255.255.255.128
Var 'eth3_ADDRESS' defined, value len = 30 chars, value = 87.238.232.136/255.255.255.252
Var 'eth4_ADDRESS' defined, value len = 30 chars, value = 87.238.232.140/255.255.255.252
Var 'any_ADDRESS' defined, value len = 15 chars, value = 0.0.0.0/0.0.0.0
Var 'lo_ADDRESS' defined, value len = 19 chars, value = 127.0.0.0/255.0.0.0
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file /etc/snort_inline/snort_inline.conf

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
Var 'HOME_NET' defined, value len = 3 chars, value = any
Var 'HONEYNET' defined, value len = 3 chars, value = any
Var 'EXTERNAL_NET' defined, value len = 3 chars, value = any
Var 'SMTP_SERVERS' defined, value len = 3 chars, value = any
Var 'TELNET_SERVERS' defined, value len = 3 chars, value = any
Var 'HTTP_SERVERS' defined, value len = 3 chars, value = any
Var 'SQL_SERVERS' defined, value len = 3 chars, value = any
Var 'DNS_SERVERS' defined, value len = 3 chars, value = any
Var 'HTTP_PORTS' defined, value len = 2 chars, value = 80
Var 'SHELLCODE_PORTS' defined, value len = 3 chars, value = !80
Var 'ORACLE_PORTS' defined, value len = 4 chars, value = 1521
Var 'SSH_PORTS' defined, value len = 2 chars, value = 22
Var 'AIM_SERVERS' defined, value len = 185 chars
[64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
Var 'RULE_PATH' defined, value len = 28 chars, value = /etc/snort_inline/drop-rules
,-----------[Flow Config]----------------------
| Stats Interval: 0
| Hash Method: 2
| Memcap: 10485760
| Rows : 4099
| Overhead Bytes: 16400(%0.16)
`----------------------------------------------
stream4inline mode enabled
truncating mode enabled
Stream4 config:
Stateful inspection: ACTIVE
Session statistics: INACTIVE
Session timeout: 3600 seconds
Session memory cap: 134217728 bytes
Session count max: 8192 sessions
Session cleanup count: 5
State alerts: INACTIVE
Evasion alerts: INACTIVE
Scan alerts: INACTIVE
Log Flushed Streams: INACTIVE
MinTTL: 1
TTL Limit: 5
Async Link: 0
State Protection: 0
Self preservation threshold: 50
Self preservation period: 90
Suspend threshold: 200
Suspend period: 30
Enforce TCP State: ACTIVE and DROPPING
Midstream Drop Alerts: INACTIVE
Allow Blocking of TCP Sessions in Inline: ACTIVE
Server Data Inspection Limit: -1
Inline-mode options:
Inline-mode enabled? (stream4inline): Yes
Scan mode? (scan_stream_only): Both packet and stream
Sliding Windowsize (window_size): 3000
Memcap reached method (truncate): Truncate
Truncate percentage (truncate_percentage): 33
Store/Load state from/to disk: No
Max out-of-order packets in a stream (max_ooo_pkts): 5
Max out-of-order bytes in a stream (max_ooo_bytes): 5000
Max sequence holes in a stream (max_seq_holes): 2
Normalize wscale max (norm_wscale_max): 2
Perform window scale normaliztion: Yes
Disable out-of-order packet drop: No
Disable out-of-order packet drop: No
Disable sequence hole packet drop: No
Max sequence holes in a stream (max_seq_holes): 2
Disable wscale normalization alerts (disable_norm_wscale_alerts): No
Disable out-of-order alerts (disable_ooo_alerts): No
Drop bad RST packets? (drop_bad_rst): No
Disable evasive retransmission packet drop: No
Disable out-of-window packet drop: No
Disable all protocol violation drops: No
WARNING /etc/snort_inline/snort_inline.conf(368) => flush_behavior set in config file, using old static flushpoints (0)
Stream4_reassemble config:
Server reassembly: ACTIVE
Client reassembly: ACTIVE
Reassembler alerts: ACTIVE
Zero out flushed packets: INACTIVE
Flush stream on alert: INACTIVE
flush_data_diff_size: 500
Reassembler Packet Preferance : Favor New
Packet Sequence Overlap Limit: -1
Flush behavior: Small (<255 bytes)
Ports: 21 23 25 42 53 80 110 111 135 136 137 139 143 445 513 1433 1521 3306
Emergency Ports: 21 23 25 42 53 80 110 111 135 136 137 139 143 445 513 1433 1521 3306
HttpInspect Config:
GLOBAL CONFIG
Max Pipeline Requests: 0
Inspection Type: STATELESS
Detect Proxy Usage: NO
IIS Unicode Map Filename: /etc/snort_inline/unicode.map
IIS Unicode Map Codepage: 1252
DEFAULT SERVER CONFIG:
Server profile: All
Ports: 80 8080 8180
Flow Depth: 300
Max Chunk Length: 500000
Inspect Pipeline Requests: YES
URI Discovery Strict Mode: NO
Allow Proxy Usage: NO
Disable Alerting: NO
Oversize Dir Length: 500
Only inspect URI: NO
Ascii: YES alert: NO
Double Decoding: YES alert: YES
%U Encoding: YES alert: YES
Bare Byte: YES alert: YES
Base36: OFF
UTF 8: OFF
IIS Unicode: YES alert: YES
Multiple Slash: YES alert: NO
IIS Backslash: YES alert: NO
Directory Traversal: YES alert: NO
Web Root Traversal: YES alert: YES
Apache WhiteSpace: YES alert: NO
IIS Delimiter: YES alert: NO
IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
Non-RFC Compliant Characters: NONE
Whitespace Characters: 0x09 0x0b 0x0c 0x0d
rpc_decode arguments:
Ports to decode RPC on: 111 32771
alert_fragments: INACTIVE
alert_large_fragments: ACTIVE
alert_incomplete: ACTIVE
alert_multiple_requests: ACTIVE
Portscan Detection Config:
Detect Protocols: TCP UDP ICMP IP
Detect Scan Type: portscan portsweep decoy_portscan distributed_portscan
Sensitivity Level: Low
Memcap (in bytes): 10000000
Number of Nodes: 36900

6152 Snort rules read...
6152 Option Chains linked into 185 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++

Tagged Packet Limit: 256
InitInline stage 2: InitInlinePostConfig starting...
+-----------------------[thresholding-config]------------------------------= ---- | memory-cap : 1048576 bytes +-----------------------[thresholding-global]------------------------------= ---- | none +-----------------------[thresholding-local]-------------------------------= ---- | gen-id=3D1 sig-id=3D2275 type=3DThreshold tracking=3Ddst count= =3D5 seconds=3D60=20 | gen-id=3D1 sig-id=3D5321 type=3DLimit tracking=3Dsrc count= =3D1 seconds=3D60=20 | gen-id=3D1 sig-id=3D3273 type=3DThreshold tracking=3Dsrc count= =3D5 seconds=3D2 =20 | gen-id=3D1 sig-id=3D3527 type=3DLimit tracking=3Ddst count= =3D5 seconds=3D60=20 | gen-id=3D1 sig-id=3D4984 type=3DThreshold tracking=3Dsrc count= =3D5 seconds=3D2 =20 | gen-id=3D1 sig-id=3D2923 type=3DThreshold tracking=3Ddst count= =3D10 seconds=3D60=20 | gen-id=3D1 sig-id=3D3152 type=3DThreshold tracking=3Dsrc count= =3D5 seconds=3D2 =20 | gen-id=3D1 sig-id=3D2523 type=3DBoth tracking=3Ddst count= =3D10 seconds=3D10=20 | gen-id=3D1 sig-id=3D5323 type=3DLimit tracking=3Dsrc count= =3D1 seconds=3D60=20 | gen-id=3D1 sig-id=3D5322 type=3DLimit tracking=3Dsrc count= =3D1 seconds=3D60=20 | gen-id=3D1 sig-id=3D3543 type=3DThreshold tracking=3Dsrc count= =3D5 seconds=3D2 =20 | gen-id=3D1 sig-id=3D2924 type=3DThreshold tracking=3Ddst count= =3D10 seconds=3D60=20 | gen-id=3D1 sig-id=3D3542 type=3DThreshold tracking=3Dsrc count= =3D5 seconds=3D2 =20 +-----------------------[suppression]--------------------------------------= ---- | none ---------------------------------------------------------------------------= ---- Rule application order: ->activation->dynamic->pass->drop->sdrop->reject->rejectboth->rejectsrc->re= jectdst->alert->log Log directory =3D /var/log/snort Loading dynamic engine /usr/local/lib/snort_dynamicengine/libsf_engine.so... done Loading all dynamic preprocessor libs from /usr/local/lib/snort_dynamicpreprocessor/... Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_dns_preproc.so... 
d= one Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_dcerpc_preproc.so..= . done Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_ftptelnet_preproc.s= o... done Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_ssh_preproc.so... d= one Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_smtp_preproc.so... = done Finished Loading all dynamic preprocessor libs from /usr/local/lib/snort_dynamicpreprocessor/ FTPTelnet Config: GLOBAL CONFIG Inspection Type: stateful Check for Encrypted Traffic: YES alert: YES Continue to check encrypted data: NO TELNET CONFIG: Ports: 23=20 Are You There Threshold: 200 Normalize: YES Detect Anomalies: NO FTP CONFIG: FTP Server: default Ports: 21=20 Check for Telnet Cmds: YES alert: YES Identify open data channels: YES FTP Client: default Check for Bounce Attacks: YES alert: YES Check for Telnet Cmds: YES alert: YES Max Response Length: 256 SMTP Config: Ports: 25=20 Inspection Type: STATEFUL Normalize Spaces: YES Ignore Data: NO Ignore TLS Data: NO Ignore Alerts: NO Max Command Length: 0 Max Header Line Length: 0 Max Response Line Length: 0 X-Link2State Alert: YES Drop on X-Link2State Alert: NO DCE/RPC Decoder config: Autodetect ports ENABLED SMB fragmentation ENABLED DCE/RPC fragmentation ENABLED Max Frag Size: 3000 bytes Memcap: 100000 KB Alert if memcap exceeded DISABLED DNS config:=20 DNS Client rdata txt Overflow Alert: ACTIVE Obsolete DNS RR Types Alert: INACTIVE Experimental DNS RR Types Alert: INACTIVE Ports: 53 Verifying Preprocessor Configurations! Warning: flowbits key 'dce.bind.veritas' is set but not ever checked. Warning: flowbits key 'ms_sql_seen_dns' is checked but not ever set. Warning: flowbits key 'realplayer.playlist' is checked but not ever set. 50 out of 512 flowbits in use. 
Setting the Packet Processor to decode packets from iptables database: compiled support for ( postgresql ) database: configured to use postgresql database: user =3D snort database: password is set database: database name =3D snort_log database: host =3D localhost Node unique name is: unknown:NULL database: sensor name =3D unknown:NULL database: sensor id =3D 2 database: schema version =3D 107 database: using the "log" facility +--[Pattern Matcher:Aho-Corasick Summary]---------------------- | Alphabet Size : 256 Chars | Sizeof State : 2 bytes | Storage Format : Full=20 | Num States : 103504 | Num Transitions : 4125009 | State Density : 15.6% | Finite Automatum : DFA | Memory : 163.78Mbytes +------------------------------------------------------------- --=3D=3D Initialization Complete =3D=3D-- ,,_ -*> Snort_Inline! <*- o" )~ Version 2.6.1.5 (Build 59) inline=20 '''' By Martin Roesch & The Snort Team: http://www.snort.org/team.html Snort_Inline Mod by William Metcalf, Victor Julien, Nick Rogness, Dave Remien, Rob McMillen and Jed Haile (C) Copyright 1998-2007 Sourcefire Inc., et al. Rules Engine: SF_SNORT_DETECTION_ENGINE Version 1.6 <Build 11> Preprocessor Object: SF_SMTP Version 1.0 <Build 7> Preprocessor Object: SF_SSH Version 1.0 <Build 1> Preprocessor Object: SF_FTPTELNET Version 1.0 <Build 10> Preprocessor Object: SF_DCERPC Version 1.0 <Build 4> Preprocessor Object: SF_DNS Version 1.0 <Build 2> Not Using PCAP_FRAMES |
From: flg2932946 <flg...@16...> - 2007-07-19 04:34:39
I use snort_inline-2.4.5 with iptables QUEUE. I enable clamav and stickydrop in snort_inline.conf, and I find the kernel slab memory increasing. When I stop snort_inline, the kernel memory can't be released unless I reboot. Can anyone help me? Thanks for your help!
From: Yavuzhan C. <yc...@te...> - 2007-07-17 07:19:06
Hi David,

Yes, I ran make and make install too. But when I compiled snort-inline I met with the same problem that I explained in my previous mail.
From: David G. <gu...@in...> - 2007-07-16 14:56:14
I don't see any errors in that output; it seems to have gone well! Have you run make install after the make? If not, do so.
From: Yavuzhan C. <yc...@te...> - 2007-07-16 14:50:36
I am sorry David, I forgot to say which system I'm working on.

** Debian Net install 4.0
** Kernel 2.6.18
** I have tried to install the libdnet-dev and libdnet packages with

*** apt-get install libdnet libdnet-dev

And when I checked with
dpkg -l
the result said that they were installed.

ii libdnet 2.37.2-0.1 DECnet Libraries
ii libdnet-dev 2.37.2-0.1 DECnet development libraries & Headers

After these steps I tried to install libdnet manually, but I got the screen below.
Can you help me with this?

-------------------------------------------------------------------------------
Making all in include
make[1]: Entering directory `/root/download/libdnet-1.11/include'
make all-recursive
make[2]: Entering directory `/root/download/libdnet-1.11/include'
Making all in dnet
make[3]: Entering directory `/root/download/libdnet-1.11/include/dnet'
make[3]: Nothing to be done for `all'.
make[3]: Leaving directory `/root/download/libdnet-1.11/include/dnet'
make[3]: Entering directory `/root/download/libdnet-1.11/include'
make[3]: Leaving directory `/root/download/libdnet-1.11/include'
make[2]: Leaving directory `/root/download/libdnet-1.11/include'
make[1]: Leaving directory `/root/download/libdnet-1.11/include'
Making all in man
make[1]: Entering directory `/root/download/libdnet-1.11/man'
make[1]: Nothing to be done for `all'.
make[1]: Leaving directory `/root/download/libdnet-1.11/man'
Making all in src
make[1]: Entering directory `/root/download/libdnet-1.11/src'
make[1]: Nothing to be done for `all'.
make[1]: Leaving directory `/root/download/libdnet-1.11/src'
Making all in python
make[1]: Entering directory `/root/download/libdnet-1.11/python'
make[1]: Nothing to be done for `all'.
make[1]: Leaving directory `/root/download/libdnet-1.11/python'
Making all in test
make[1]: Entering directory `/root/download/libdnet-1.11/test'
Making all in check
make[2]: Entering directory `/root/download/libdnet-1.11/test/check'
make[2]: Nothing to be done for `all'.
make[2]: Leaving directory `/root/download/libdnet-1.11/test/check'
Making all in dnet
make[2]: Entering directory `/root/download/libdnet-1.11/test/dnet'
make[2]: Nothing to be done for `all'.
make[2]: Leaving directory `/root/download/libdnet-1.11/test/dnet'
make[2]: Entering directory `/root/download/libdnet-1.11/test'
make[2]: Nothing to be done for `all-am'.
make[2]: Leaving directory `/root/download/libdnet-1.11/test'
make[1]: Leaving directory `/root/download/libdnet-1.11/test'
make[1]: Entering directory `/root/download/libdnet-1.11'
make[1]: Nothing to be done for `all-am'.
make[1]: Leaving directory `/root/download/libdnet-1.11'
-------------------------------------------------------------------------------

-----Original Message-----
From: David Gunnarsson [mailto:gu...@in...]
Sent: Monday, July 16, 2007 5:32 PM
To: Yavuzhan Canli
Cc: sno...@li...
Subject: Re: [Snort-inline-users] snort inline compile problem ...

I'm not sure how to give a better answer than the error message you got from the compiler.
Simply, you do not seem to have libdnet, which is required to compile snort_inline.
Try downloading it from the site (the link in the error) or check if your distribution has it as a package.
"apt-get install libdnet-dev libdnet" on Ubuntu for example, probably the same with Debian.

Yavuzhan Canli wrote:
> Have a nice day,
>
> I'm new to snort and I have a problem regarding snort-inline.
>
> When I want to compile it I get the error you see below. How can I get past this error? Can anyone help me?
>
> If you help I will be very happy.
>
> -------------------------------------------------------------------------------
> snortinline:~/download/snort_inline-2.6.1.5# ./configure --enable-inline
>
> ERROR! Libdnet header not found, go get it from
> http://libdnet.sourceforge.net or use the --with-dnet-*
> options, if you have it installed in an unusual place
> -------------------------------------------------------------------------------
>
> Thank you very much.
>
> Yavuzhan Canli
From: Will M. <wil...@gm...> - 2007-07-16 14:46:44
Not only that, but you need to queue both sides of the conversation, so

iptables -I INPUT -p tcp --dport 80 -j QUEUE
iptables -I OUTPUT -p tcp --sport 80 -j QUEUE

On 7/16/07, David Gunnarsson <gu...@in...> wrote:
> Your rule:
> drop tcp any 80 -> any 80 (classtype:attempted-user; msg:"Port 80 connection initiated";sid:1000001;)
> The first port of 80 is the source port; a web client will most certainly never send with source port 80, just destination port 80, the second one. That is why this rule is never triggered. Try with any any -> any 80 .... instead.
> Good luck!
>
> Piyush_Mundra wrote:
> > Dear Will,
> >
> > Regarding ip_queue I followed the following steps:
> >
> > 1) modprobe ip_queue
> >
> > 2) iptables -I INPUT -p tcp --dport 80 -j QUEUE
> >
> > 3) snort -c /etc/snort_inline/snort_inline.conf -Q -N -l /var/log/snort_inline/ -t /var/log/snort_inline/ -v
> >
> > Previously I was working with snort_inline but somehow there was some problem compiling it. Then later on I started with snort-2.6.1.5 along with the libdnet, libpcap, iptables and pcre libraries. After installation snort runs but is not able to process packets, as mentioned in my previous mail.
> >
> > Looking forward eagerly to your reply,
> >
> > Thanks
> >
> > Regards,
> >
> > Piyush
> >
> > From: Will Metcalf [mailto:wil...@gm...]
> > Sent: Sat 7/14/2007 7:47 PM
> > To: Piyush_Mundra
> > Cc: sno...@li...
> > Subject: Re: [Snort-inline-users] Snort_Inline not recognizing 'drop' rule
> >
> > What do your iptables rules look like?
> >
> > On 7/14/07, Piyush_Mundra <Piy...@sa...> wrote:
> > > Hello Will,
> > > Thanks very much.
> > > I tried to install snort_inline on Fedora and the installation process worked fine.
> > > Right now I'm using snort_inline-2.6.1.5. Now, after inserting the ip_queue module, I am running the following command
> > >
> > > snort_inline -Q -v -c /etc/snort_inline/snort_inline.conf -l /var/log/snort_inline
> > >
> > > I am getting the following summary:
> > >
> > > ===============================================================================
> > > Snort processed 0 packets.
> > > ===============================================================================
> > > Breakdown by protocol:
> > >     TCP: 0 (0.000%)
> > >     UDP: 0 (0.000%)
> > >     ICMP: 0 (0.000%)
> > >     ARP: 0 (0.000%)
> > >     EAPOL: 0 (0.000%)
> > >     IPv6: 0 (0.000%)
> > >     ETHLOOP: 0 (0.000%)
> > >     IPX: 0 (0.000%)
> > >     FRAG: 0 (0.000%)
> > >     OTHER: 0 (0.000%)
> > >     DISCARD: 0 (0.000%)
> > > ===============================================================================
> > > Action Stats:
> > > ALERTS: 0
> > > LOGGED: 0
> > > PASSED: 0
> > > ===============================================================================
> > > In my snort.conf file I have commented out all the rules except one
> > > include $RULE_PATH/web-attacks.rules
> > > At the end of the web-attacks.rules file I have added a simple rule:
> > > drop tcp any 80 -> any 80 (classtype:attempted-user; msg:"Port 80 connection initiated";sid:1000001;)
> > >
> > > Kindly tell me where I am going wrong. Why is snort_inline not able to process any packets?
> > >
> > > Regards,
> > >
> > > Piyush
> > >
> > > From: Will Metcalf [mailto:wil...@gm...]
> > > Sent: Wed 7/11/2007 9:48 PM
> > > To: Piyush_Mundra
> > > Cc: sno...@li...
> > > Subject: Re: [Snort-inline-users] Snort_Inline not recognizing 'drop' rule
> > >
> > > For snort_inline-2.6.x you need libdnet installed. I'm not sure what OS you are running, but you may want to make distclean ./autojunk.sh && ./configure && make && make install from the source directory.
> > >
> > > Regards,
> > >
> > > Will
> > >
> > > On 7/11/07, Piyush_Mundra <Piy...@sa...> wrote:
> > > > Hello everybody,
> > > >
> > > > I am working on Redhat. To make use of the packet dropping and rejecting facility I installed Snort_Inline. Snort inline makes use of the
> > > >
> > > > iptables
> > > > Libnet-1.0.2a-FC2-Fixed
> > > > pcre-7.2
> > > > snort_inline-1.9.1
> > > >
> > > > The installation process went fine without any failure. I have installed snort_inline for the packet dropping facility. For that purpose I need to write rules in the snort.conf file, i.e. the Snort_Inline/etc/snort.conf file.
> > > >
> > > > There I wrote a very basic rule:
> > > >
> > > > drop tcp any any -> any any (msg: "Dropped Packet"; sid: 1000001;)
> > > >
> > > > This should cause all traffic coming to my system to be dropped and correspondingly log the alert to a default alert file.
> > > >
> > > > But when I try to run Snort_Inline after making the above changes to the snort.conf file, Snort_Inline doesn't work, stating:
> > > >
> > > > Unknown Rule Type: Drop.
> > > >
> > > > This is further clarified by the fact that when we write a rule keyword like "alert" in the snort.conf file, the word becomes "Yellowish". Unlike them, the "drop" keyword is not becoming the same, which means the .conf file is not able to recognize it as a command.
> > > >
> > > > Kindly tell me where things are going wrong. It's really important. Is there any other way to configure Snort itself for dropping packets? I am running Snort-2.6.1.4 also and I tried to configure it using
> > > >
> > > > ./configure --enable_Inline
> > > >
> > > > configure and make and make install run fine, but later on when I insert the drop rule it gives the same problem as above.
> > > >
> > > > Thanks in advance.
> > > >
> > > > Regards
> > > > Piyush
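Two points in this thread lend themselves to a small working model: David's remark that "drop tcp any 80 -> any 80" never triggers because a web client's source port is not 80, and the "pass->drop->...->alert" rule application order in Alberto's startup output, under which a matching pass rule takes precedence over a drop. The Python below is an added example, not code from the thread or from Snort/snort_inline; the packets, addresses and the pass rule are constructed, and only the rule header plus the msg option are modelled.

```python
# Added example for this thread (not Snort/snort_inline code): a simplified
# model of rule-header matching and action order. Rule options other than
# msg are ignored and $VAR address variables are not expanded.
import ipaddress
import re
from typing import List, NamedTuple, Optional, Tuple

# Action order as printed in the snort_inline 2.6.1.5 startup output quoted
# in this thread: pass is evaluated before drop, and drop before alert.
INLINE_ORDER = ["activation", "dynamic", "pass", "drop", "sdrop", "reject",
                "rejectboth", "rejectsrc", "rejectdst", "alert", "log"]

RULE_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$")

class Packet(NamedTuple):
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

class Rule(NamedTuple):
    action: str
    proto: str
    src: str
    sport: str
    direction: str
    dst: str
    dport: str
    msg: str

def parse_rule(text: str) -> Rule:
    """Parse a one-line Snort rule; raise ValueError if the header is malformed."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparseable rule: {text!r}")
    if m["action"] not in INLINE_ORDER:
        # Same kind of failure as the "Unknown Rule Type: Drop" error in the thread.
        raise ValueError(f"unknown rule type: {m['action']}")
    msg = re.search(r'msg\s*:\s*"([^"]*)"', m["opts"])
    return Rule(m["action"], m["proto"].lower(), m["src"], m["sport"],
                m["dir"], m["dst"], m["dport"], msg.group(1) if msg else "")

def _port_matches(spec: str, port: int) -> bool:
    """Port spec: 'any', 'N', '!spec', or a range 'A:B' (either bound optional)."""
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not _port_matches(spec[1:], port)
    if ":" in spec:
        lo, hi = spec.split(":", 1)
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return port == int(spec)

def _addr_matches(spec: str, addr: str) -> bool:
    """Address spec: 'any', '!spec', or a single IP / CIDR block."""
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not _addr_matches(spec[1:], addr)
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """True if the header matches; a '<>' rule also tries the reverse direction."""
    if rule.proto not in ("ip", pkt.proto):
        return False

    def header(src, sport, dst, dport):
        return (_addr_matches(rule.src, src) and _port_matches(rule.sport, sport)
                and _addr_matches(rule.dst, dst) and _port_matches(rule.dport, dport))

    return header(pkt.src, pkt.sport, pkt.dst, pkt.dport) or (
        rule.direction == "<>" and header(pkt.dst, pkt.dport, pkt.src, pkt.sport))

def decide(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[str]]:
    """(action, msg) of the first match: every rule of one action type is tried
    before the next type in INLINE_ORDER, so a matching pass rule beats a drop."""
    for action in INLINE_ORDER:
        for rule in rules:
            if rule.action == action and rule_matches(rule, pkt):
                return action, rule.msg
    return "none", None  # nothing matched: the packet is forwarded untouched

# Constructed sample traffic: a browser talking to a web server. The client
# uses an ephemeral source port, so its source port is never 80.
CLIENT_REQUEST = Packet("tcp", "10.0.0.5", 51234, "192.0.2.10", 80)
SERVER_REPLY = Packet("tcp", "192.0.2.10", 80, "10.0.0.5", 51234)

# Piyush's rule (source port 80 AND destination port 80), the header David
# suggested instead, and a constructed pass rule covering the same traffic.
RULE_FROM_THREAD = parse_rule('drop tcp any 80 -> any 80 (classtype:attempted-user; '
                              'msg:"Port 80 connection initiated";sid:1000001;)')
CORRECTED_RULE = parse_rule('drop tcp any any -> any 80 '
                            '(msg:"Port 80 connection initiated";sid:1000001;)')
PASS_RULE = parse_rule('pass tcp any any -> any 80 (msg:"allow web";sid:1000002;)')
```

decide([RULE_FROM_THREAD], CLIENT_REQUEST) yields ("none", None) for both directions of the connection, decide([CORRECTED_RULE], CLIENT_REQUEST) yields the drop, and adding PASS_RULE makes the pass win regardless of the order the rules are listed in.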