From: David G. <gu...@in...> - 2007-07-16 14:32:12

I'm not sure how to give a better answer than the error message you got from the compiler. Simply, you do not seem to have libdnet, which is required to compile snort_inline. Try downloading it from the site (the link in the error) or check whether your distribution has it as a package: "apt-get install libdnet-dev libdnet" on Ubuntu, for example, probably the same with Debian.

Yavuzhan Canli wrote:
> Have a nice day,
>
> I'm new to snort and I have a problem regarding snort-inline.
> When I try to compile I get the error you see below. How can I get past this error, can anyone help me?
> If you can help I will be very happy.
>
> ----------------------------------------------------------------------------------------------------------------
> snortinline:~/download/snort_inline-2.6.1.5# ./configure --enable-inline
> ERROR! Libdnet header not found, go get it from http://libdnet.sourceforge.net or use the --with-dnet-* options, if you have it installed in an unusual place
> ----------------------------------------------------------------------------------------------------------------
>
> Thank you very much.
>
> Yavuzhan Canli
>
> -------------------------------------------------------------------------
> This SF.net email is sponsored by DB2 Express
> Download DB2 Express C - the FREE version of DB2 express and take control of your XML. No limits. Just data. Click to get it now.
> http://sourceforge.net/powerbar/db2/
> _______________________________________________
> Snort-inline-users mailing list
> Sno...@li...
> https://lists.sourceforge.net/lists/listinfo/snort-inline-users
From: Yavuzhan C. <yc...@te...> - 2007-07-16 14:09:03

Have a nice day,

I'm new to snort and I have a problem regarding snort-inline. When I try to compile I get the error you see below. How can I get past this error, can anyone help me? If you can help I will be very happy.

----------------------------------------------------------------------------
snortinline:~/download/snort_inline-2.6.1.5# ./configure --enable-inline
ERROR! Libdnet header not found, go get it from http://libdnet.sourceforge.net or use the --with-dnet-* options, if you have it installed in an unusual place
----------------------------------------------------------------------------

Thank you very much.

Yavuzhan Canli
From: David G. <gu...@in...> - 2007-07-16 06:33:46

Your rule:

drop tcp any 80 -> any 80 (classtype:attempted-user; msg:"Port 80 connection initiated";sid:1000001;)

The first 80 is the source port. A web client will most certainly never send with source port 80, just to destination port 80, the second one; that is why this rule never triggers. Try with any any -> any 80 instead.

Good luck!

Piyush_Mundra wrote:
> Dear Will,
>
> Regarding ip_queue I followed the following steps:
>
> 1) modprobe ip_queue
> 2) iptables -I INPUT -p tcp --dport 80 -j QUEUE
> 3) snort -c /etc/snort_inline/snort_inline.conf -Q -N -l /var/log/snort_inline/ -t /var/log/snort_inline/ -v
>
> Previously I was working with snort_inline but somehow there was some problem compiling it. Then later on I started with snort-2.6.1.5 along with the libdnet, libpcap, iptables and pcre libraries. After installation snort runs but is not able to process packets, as mentioned in my previous mail.
>
> Looking forward eagerly to your reply,
>
> Thanks
>
> Regards,
>
> Piyush
From: Piyush_Mundra <Piy...@sa...> - 2007-07-16 05:19:23

Dear Will,

Regarding ip_queue I followed the following steps:

1) modprobe ip_queue
2) iptables -I INPUT -p tcp --dport 80 -j QUEUE
3) snort -c /etc/snort_inline/snort_inline.conf -Q -N -l /var/log/snort_inline/ -t /var/log/snort_inline/ -v

Previously I was working with snort_inline but somehow there was some problem compiling it. Then later on I started with snort-2.6.1.5 along with the libdnet, libpcap, iptables and pcre libraries. After installation snort runs but is not able to process packets, as mentioned in my previous mail.

Looking forward eagerly to your reply,

Thanks

Regards,

Piyush

________________________________
From: Will Metcalf [mailto:wil...@gm...]
Sent: Sat 7/14/2007 7:47 PM
To: Piyush_Mundra
Cc: sno...@li...
Subject: Re: [Snort-inline-users] Snort_Inline not recognizing 'drop' rule

what do your iptables rules look like?

DISCLAIMER:
This email (including any attachments) is intended for the sole use of the intended recipient/s and may contain material that is CONFIDENTIAL AND PRIVATE COMPANY INFORMATION. Any review or reliance by others or copying or distribution or forwarding of any or all of the contents in this message is STRICTLY PROHIBITED. If you are not the intended recipient, please contact the sender by email and delete all copies; your cooperation in this regard is appreciated.
From: Dave R. <da...@re...> - 2007-07-14 17:00:48

On Sat, 14 Jul 2007, sno...@li... wrote:

> I tried to install the snort_inline on fedora and the installation process worked fine.
> Right now I'm using snort_inline-2.6.1.5. Now, after inserting the ip_queue module I am running the following command
>
> snort_inline -Q -v -c /etc/snort_inline/snort_inline.conf -l /var/log/snort_inline

Your iptables needs to send packets to ip_queue:

iptables -I FORWARD -j QUEUE

if you're doing this as a bridge/router, or, if to/from localhost:

iptables -I INPUT -j QUEUE
iptables -I OUTPUT -j QUEUE

> I am getting the following summary:
>
> ===============================================================================
> Snort processed 0 packets.
> ===============================================================================
> Breakdown by protocol:
>     TCP: 0 (0.000%)
>     UDP: 0 (0.000%)
>    ICMP: 0 (0.000%)
>     ARP: 0 (0.000%)
>   EAPOL: 0 (0.000%)
>    IPv6: 0 (0.000%)
> ETHLOOP: 0 (0.000%)
>     IPX: 0 (0.000%)
>    FRAG: 0 (0.000%)
>   OTHER: 0 (0.000%)
> DISCARD: 0 (0.000%)
> ===============================================================================
> Action Stats:
> ALERTS: 0
> LOGGED: 0
> PASSED: 0
> ===============================================================================
>
> In my snort.conf file I have commented all the rules except one
> include $RULE_PATH/web-attacks.rules
> At the end of the web-attacks.rule file I have added a simple rule:
> drop tcp any 80 -> any 80 (classtype:attempted-user; msg:"Port 80 connection initiated";sid:1000001;)

I think you want this:

drop tcp any any -> any 80 (classtype:attempted-user; msg:"Port 80 connection initiated";sid:1000001;)

Unless you're really (highly unlikely) expecting packets to be sourced from port 80. The norm for source ports is 1024 and up...

> Kindly tell me where I am going wrong. Why is snort_inline not able to process any packet?

Iptables needs to be told to send packets to the QUEUE, it doesn't just "happen".

Cheers,
Dave
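Both replies that look at Piyush's rule (David G.'s and Dave R.'s) make the same point: in a Snort rule header the first port is the source port, and a client opening a connection to port 80 uses an ephemeral source port, so "any 80 -> any 80" never matches client traffic while "any any -> any 80" does. The following is an added example, not code from the list or from the snort_inline project: a small header-only rule matcher in Python that parses a rule line and tests it against constructed packets. It goes a little beyond the rules in the thread by handling port ranges, "!" negation, CIDR addresses and the "<>" direction; it assumes rules without $VARIABLES (those are rejected rather than expanded), and the packets and addresses are constructed for the example.

```python
"""Added example (not from the snort-inline list thread or the snort_inline project):
parse a Snort rule header and check which constructed packets it would match.
Rule variables such as $HOME_NET are not expanded here (assumption: the rules under
test use literal addresses or 'any', as the rules in the thread do)."""
import ipaddress
import re
from dataclasses import dataclass

# Header layout: action proto src sport direction dst dport (options)
HEADER_RE = re.compile(
    r"^\s*(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<direction>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<options>.*)\)\s*$"
)


@dataclass(frozen=True)
class RuleHeader:
    action: str
    proto: str
    src: str
    sport: str
    direction: str
    dst: str
    dport: str
    options: str


def parse_rule(text):
    """Split a one-line Snort rule into its header fields; raises on malformed input."""
    m = HEADER_RE.match(text)
    if not m:
        raise ValueError(f"not a Snort rule header: {text!r}")
    return RuleHeader(**m.groupdict())


def port_matches(spec, port):
    """Port spec: 'any', '80', a range '1024:65535', open-ended ':1023' / '1024:', or '!' negation."""
    spec = spec.strip()
    if spec.startswith("!"):
        return not port_matches(spec[1:], port)
    if spec == "any":
        return True
    if ":" in spec:
        lo, hi = spec.split(":", 1)
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return port == int(spec)


def addr_matches(spec, ip):
    """Address spec: 'any', a host or CIDR block, or '!' negation; no variable expansion."""
    spec = spec.strip()
    if spec.startswith("!"):
        return not addr_matches(spec[1:], ip)
    if spec == "any":
        return True
    if spec.startswith("$"):
        raise ValueError(f"rule variable {spec} is not expanded in this example")
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def rule_matches(rule, pkt):
    """Header-only match (options such as content are ignored). pkt is a dict with
    proto, src, sport, dst, dport. '<>' matches the packet in either orientation."""
    if rule.proto != "ip" and rule.proto != pkt["proto"]:
        return False

    def one_way(src, sport, dst, dport):
        return (addr_matches(rule.src, src) and port_matches(rule.sport, sport)
                and addr_matches(rule.dst, dst) and port_matches(rule.dport, dport))

    forward = one_way(pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
    if rule.direction == "->":
        return forward
    return forward or one_way(pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])


# Constructed sample traffic (not captured data): a browser opening a connection to
# a web server, the server's reply, and an unrelated DNS query.
SAMPLE_PACKETS = [
    {"name": "client SYN", "proto": "tcp", "src": "192.0.2.10", "sport": 43121,
     "dst": "198.51.100.5", "dport": 80},
    {"name": "server reply", "proto": "tcp", "src": "198.51.100.5", "sport": 80,
     "dst": "192.0.2.10", "dport": 43121},
    {"name": "dns query", "proto": "udp", "src": "192.0.2.10", "sport": 50012,
     "dst": "192.0.2.53", "dport": 53},
]

# The rule as posted in the thread, and the corrected form both replies suggest.
RULE_AS_POSTED = 'drop tcp any 80 -> any 80 (classtype:attempted-user; msg:"Port 80 connection initiated";sid:1000001;)'
RULE_FIXED = 'drop tcp any any -> any 80 (classtype:attempted-user; msg:"Port 80 connection initiated";sid:1000001;)'


def matching_packets(rule_text, packets=SAMPLE_PACKETS):
    """Names of the sample packets whose header the rule would match."""
    rule = parse_rule(rule_text)
    return [p["name"] for p in packets if rule_matches(rule, p)]


if __name__ == "__main__":
    for text in (RULE_AS_POSTED, RULE_FIXED):
        hits = matching_packets(text)
        print(f"{text.split('(')[0].strip():45s} -> {hits or 'never matches'}")
```

Running it shows the posted rule matching nothing, since the client's SYN has an ephemeral source port and the server's reply has an ephemeral destination port, while the corrected rule matches the client SYN. Note that this checks the header only; a rule that passes here can still fail to fire because iptables never hands the packet to the QUEUE, which is the other problem Dave R.'s reply points at.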
From: Will M. <wil...@gm...> - 2007-07-14 14:17:33

what do your iptables rules look like?

On 7/14/07, Piyush_Mundra <Piy...@sa...> wrote:
> Hello Will,
> Thanks very much.
> I tried to install the snort_inline on fedora and the installation process worked fine.
> Right now I'm using snort_inline-2.6.1.5. Now, after inserting the ip_queue module I am running the following command
>
> snort_inline -Q -v -c /etc/snort_inline/snort_inline.conf -l /var/log/snort_inline
>
> I am getting the following summary:
>
> ===============================================================================
> Snort processed 0 packets.
> ===============================================================================
> Breakdown by protocol:
>     TCP: 0 (0.000%)
>     UDP: 0 (0.000%)
>    ICMP: 0 (0.000%)
>     ARP: 0 (0.000%)
>   EAPOL: 0 (0.000%)
>    IPv6: 0 (0.000%)
> ETHLOOP: 0 (0.000%)
>     IPX: 0 (0.000%)
>    FRAG: 0 (0.000%)
>   OTHER: 0 (0.000%)
> DISCARD: 0 (0.000%)
> ===============================================================================
> Action Stats:
> ALERTS: 0
> LOGGED: 0
> PASSED: 0
> ===============================================================================
>
> In my snort.conf file I have commented all the rules except one
> include $RULE_PATH/web-attacks.rules
> At the end of the web-attacks.rule file I have added a simple rule:
> drop tcp any 80 -> any 80 (classtype:attempted-user; msg:"Port 80 connection initiated";sid:1000001;)
>
> Kindly tell me where I am going wrong. Why is snort_inline not able to process any packet?
>
> Regards,
>
> Piyush
From: Piyush_Mundra <Piy...@sa...> - 2007-07-14 08:52:52

Hello Will,

Thanks very much.

I tried to install the snort_inline on fedora and the installation process worked fine. Right now I'm using snort_inline-2.6.1.5. Now, after inserting the ip_queue module I am running the following command

snort_inline -Q -v -c /etc/snort_inline/snort_inline.conf -l /var/log/snort_inline

I am getting the following summary:

===============================================================================
Snort processed 0 packets.
===============================================================================
Breakdown by protocol:
    TCP: 0 (0.000%)
    UDP: 0 (0.000%)
   ICMP: 0 (0.000%)
    ARP: 0 (0.000%)
  EAPOL: 0 (0.000%)
   IPv6: 0 (0.000%)
ETHLOOP: 0 (0.000%)
    IPX: 0 (0.000%)
   FRAG: 0 (0.000%)
  OTHER: 0 (0.000%)
DISCARD: 0 (0.000%)
===============================================================================
Action Stats:
ALERTS: 0
LOGGED: 0
PASSED: 0
===============================================================================

In my snort.conf file I have commented all the rules except one
include $RULE_PATH/web-attacks.rules
At the end of the web-attacks.rule file I have added a simple rule:
drop tcp any 80 -> any 80 (classtype:attempted-user; msg:"Port 80 connection initiated";sid:1000001;)

Kindly tell me where I am going wrong. Why is snort_inline not able to process any packet?

Regards,

Piyush

________________________________
From: Will Metcalf [mailto:wil...@gm...]
Sent: Wed 7/11/2007 9:48 PM
To: Piyush_Mundra
Cc: sno...@li...
Subject: Re: [Snort-inline-users] Snort_Inline not recognizing 'drop' rule

For snort_inline-2.6.x you need libdnet installed. I'm not sure what OS you are running but you may want to make distclean ./autojunk.sh && ./configure && make && make install from the source directory.

Regards,

Will
From: Will M. <wil...@gm...> - 2007-07-11 16:21:47

For snort_inline-2.6.x you need libdnet installed. I'm not sure what OS you are running, but you may want to run the following from the source directory:

make distclean
./autojunk.sh && ./configure && make && make install

Regards,

Will

On 7/11/07, Piyush_Mundra <Piy...@sa...> wrote:
> Hello everybody,
>
> I am working on Redhat. To make use of the packet dropping and rejecting
> facility I installed the Snort_Inline. Snort inline makes use of the
>
> iptables
> Libnet-1.0.2a-FC2-Fixed
> pcre-7.2
> snort_inline-1.9.1
>
> The installation process went fine without any failure. I have installed
> snort_inline for the packet dropping facility. For that purpose I need to
> write rules in the snort.conf file in the Snort_Inline/etc/snort.conf file.
>
> There I wrote a very basic rule:
>
> drop tcp any any -> any any (msg: "Dropped Packet"; sid: 1000001;)
>
> This should cause all traffic coming to my system to be dropped and
> correspondingly log the alert to a default alert file.
>
> But when I try to run Snort_Inline after making the above changes to the
> snort.conf file, Snort_Inline doesn't work, stating:
>
> Unknown Rule Type: Drop.
>
> This gets further clarified by the fact that when in the snort.conf file we
> write any rule like "alert" "drop", then, being keywords, these words become
> "yellowish". As against them, the "drop" keyword is not becoming the same, which means
> the .conf file is not able to recognize it as a command.
>
> Kindly tell me where things are going wrong. It's really important. Is
> there any other way to configure Snort itself for dropping packets? I am
> running Snort-2.6.1.4 also and I tried to configure it using
>
> ./configure --enable_Inline
>
> configure, make and make install are running fine, but later on when I
> insert the drop rule it gives the same problem as above.
>
> Thanks in advance.
>
> Regards
> Piyush
From: Piyush_Mundra <Piy...@sa...> - 2007-07-11 15:49:10

Hello everybody,

I am working on Redhat. To make use of the packet dropping and rejecting facility I installed the Snort_Inline. Snort inline makes use of the

iptables
Libnet-1.0.2a-FC2-Fixed
pcre-7.2
snort_inline-1.9.1

The installation process went fine without any failure. I have installed snort_inline for the packet dropping facility. For that purpose I need to write rules in the snort.conf file in the Snort_Inline/etc/snort.conf file.

There I wrote a very basic rule:

drop tcp any any -> any any (msg: "Dropped Packet"; sid: 1000001;)

This should cause all traffic coming to my system to be dropped and correspondingly log the alert to a default alert file.

But when I try to run Snort_Inline after making the above changes to the snort.conf file, Snort_Inline doesn't work, stating:

Unknown Rule Type: Drop.

This gets further clarified by the fact that when in the snort.conf file we write any rule like "alert" "drop", then, being keywords, these words become "yellowish". As against them, the "drop" keyword is not becoming the same, which means the .conf file is not able to recognize it as a command.

Kindly tell me where things are going wrong. It's really important. Is there any other way to configure Snort itself for dropping packets? I am running Snort-2.6.1.4 also and I tried to configure it using

./configure --enable_Inline

configure, make and make install are running fine, but later on when I insert the drop rule it gives the same problem as above.

Thanks in advance.

Regards
Piyush
From: Yavuzhan C. <yc...@te...> - 2007-07-06 09:39:11

Have a nice day,

I've installed snort running in IDS mode and blocked unwanted traffic with iptables on a different machine working as a firewall. But I wonder what snort-inline mode is, and I want to practise with it. When I researched a few documents, they say that snort-inline must be configured back on the WAN in bridge mode. Can you explain to me how it will work, and do you have any sample figures or pictures of bridge mode installed with snort-inline?

Best regards,
Yavuzhan CANLI
From: Victor J. <li...@in...> - 2007-06-30 20:51:29

Mike Guiterman wrote:
> - The source code release includes additional language regarding GPL v2
> licensing in the LICENSE and COPYING files. For more information on this
> see Marty's news item on the home page.

What is actually done is that for almost every source file in the tree, the copyright header is changed from:

** This program is free software; you can redistribute it and/or modify
** it under the terms of the GNU General Public License as published by
** the Free Software Foundation; either version 2 of the License, or
** (at your option) any later version.

to:

** This program is free software; you can redistribute it and/or modify
** it under the terms of the GNU General Public License Version 2 as
** published by the Free Software Foundation. You may not use, modify or
** distribute this program under any other version of the GNU General
** Public License.

The former explicitly permits anyone to 'redistribute it and/or modify it' under the GPL version 3 in addition to GPLv2; the latter doesn't. This is okay for source code copyrighted by Sourcefire, but the changes to the source go much further. For example, src/inline.c was written mostly by the Snort_inline project, but still it was changed. Changing the conditions under which the code can be distributed can only be done by the copyright holders, which in this case is not (primarily) Sourcefire.

Sourcefire suddenly also claims the copyright of BSD licensed OpenBSD code: the strlcat and strlcpy files and functions. There now is even a GPL header on top of those files!

There are more examples in the source tree, such as Prelude-IDS support and Aruba Networks contributions, where apparently the copyright holder is not Sourcefire, but the conditions to modify and distribute were still changed.

To me it looks like this change was done in a rush and a number of big mistakes appear to have been made. Please repair this by pulling this release and replacing it with one that respects the rights of all copyright holders.

Best regards,
Victor Julien and William Metcalf
Snort_inline project
From: Dave R. <dr...@ni...> - 2007-06-22 14:34:38

Dave Remien wrote:

A little more "filler", because apparently I'm not fully awake....

> Sounds like you're using a Core 2 Duo? Or Quadro?
>
> Are you using snort_inline with ipq or with nfq?

ipq is a little more efficient, nfq lets you run multiple copies of snort to take advantage of more CPUs.

> Our experience has been that stream reassembly uses about 10% more CPU
> than without. After that, the traffic mix, preprocessors turned on and
> snort ruleset can cause traffic to vary by up to a factor of 6. The
> worst case is all http. A single instance of snort, running on a Core 2
> Duo, with a normal ruleset, i.e., 3000-400 current rules, the stock snort
> preprocessors turned on, and with stream reassembly on, all high port
> traffic from a traffic generator (iperf), should run around 400-500
> Mbits/sec. The switch to all http traffic with the http: preprocessor
> enabled will drop the throughput to less than a third of that.

Using stick or snot, or something else designed to get snort to alert on every packet, will take overall throughput down to maybe 10 Mbits/sec.

> NICs and iptables rules are also part of the throughput issue - some
> NICs use way more CPU than others, and complicated iptables rules can
> slow things down. Oh, and correctly tuning the box makes a big
> difference. Running two instances of snort can help, until you run out
> of CPU.
>
> Victor's performance analysis is a good starting point.

Cheers,

Dave
From: Dave R. <dr...@ni...> - 2007-06-22 14:24:11

Adayadil Thomas wrote:
> Thanks for the reply.
>
> I am only looking for a crude estimate.
> Has anyone measured the performance of snort inline?

Sounds like you're using a Core 2 Duo?

Are you using snort_inline with ipq or with nfq?

Our experience has been that stream reassembly uses about 10% more CPU than without. After that, the traffic mix, preprocessors turned on and snort ruleset can cause traffic to vary by up to a factor of 6. The worst case is all http. A single instance of snort, running on a Core 2 Duo, with a normal ruleset, all high port traffic from a traffic generator (iperf), should run around 400-500 Mbits/sec. The switch to all http traffic will drop the throughput to less than a third of that.

NICs and iptables rules are also part of the throughput issue - some NICs use way more CPU than others, and complicated iptables rules can slow things down. Oh, and correctly tuning the box makes a big difference. Running two instances of snort can help, until you run out of CPU.

Victor's performance analysis is a good starting point.

Cheers,

Dave

> Results of throughput tests using snort inline on
> -any type of system
> -with any ruleset and traffic profile
> would suffice.
>
> Thanks
From: Eric L. <er...@in...> - 2007-06-22 05:41:47

Hi,

On Thursday 21 June 2007 at 23:00 -0400, Adayadil Thomas wrote:
> Thanks for the reply.
>
> I am only looking for a crude estimate.
> Has anyone measured the performance of snort inline?
>
> Results of throughput tests using snort inline on
> -any type of system
> -with any ruleset and traffic profile
> would suffice.

You can have a look at the following study:
http://wiki.vuurmuur.org/~victor/snort_inline_perf.pdf

BR,
--
Eric Leblond <er...@in...>
INL
From: Adayadil T. <ada...@gm...> - 2007-06-22 03:00:07

Thanks for the reply.

I am only looking for a crude estimate.
Has anyone measured the performance of snort inline?

Results of throughput tests using snort inline on
-any type of system
-with any ruleset and traffic profile
would suffice.

Thanks

On 6/21/07, Will Metcalf <wil...@gm...> wrote:
> I think this greatly depends on what type of traffic you are queueing
> and what rule sets you have enabled. Are you experiencing slowdown?
> Getting lots of window scale and ooo alerts? Try tweaking wscale....
>
> http://www.inliniac.net/blog/?p=85
>
> Regards,
>
> Will
From: Will M. <wil...@gm...> - 2007-06-22 02:36:30

I think this greatly depends on what type of traffic you are queueing and what rule sets you have enabled. Are you experiencing slowdown? Getting lots of window scale and ooo alerts? Try tweaking wscale....

http://www.inliniac.net/blog/?p=85

Regards,

Will

On 6/21/07, Adayadil Thomas <ada...@gm...> wrote:
> Greetings.
>
> I am interested to know the performance/throughput (mbps, pps)
> for a snort-inline system with stream reassembly deployed inline
> on a network.
> Assuming the system (hardware) used is quite powerful
> (for e.g. 2.4GHz, 1066MHz front side bus, 2x4MB cache with >1G RAM)
>
> Any information is much appreciated.
>
> Thanks
From: Adayadil T. <ada...@gm...> - 2007-06-22 01:51:41

Greetings.

I am interested to know the performance/throughput (mbps, pps) for a snort-inline system with stream reassembly deployed inline on a network. Assuming the system (hardware) used is quite powerful (for e.g. 2.4GHz, 1066MHz front side bus, 2x4MB cache with >1G RAM).

Any information is much appreciated.

Thanks
From: Victor J. <li...@in...> - 2007-06-18 14:27:06

Adayadil Thomas wrote:
> Hello and greetings!
>
> http://www.inliniac.net/blog/?p=74 says --
>
>> It implements a number of ideas from Vern Paxson on TCP reassembly,
>> such as a limit on the number of out of order packets and bytes that
>> are accepted in a stream.
>
> What are the other ideas? (limit on out of order segments is one.)

In the same line is the option to limit the number of sequence number holes (option seq_holes). The last one is the option to normalize wscale traffic we can't handle. See my blogpost for a discussion of this option: http://www.inliniac.net/blog/?p=85

Hope this helps,
Victor
From: Adayadil T. <ada...@gm...> - 2007-06-18 13:11:41

Hello and greetings!

http://www.inliniac.net/blog/?p=74 says --

> It implements a number of ideas from Vern Paxson on TCP reassembly, such as a
> limit on the number of out of order packets and bytes that are accepted in a stream.

What are the other ideas? (limit on out of order segments is one.)

Thanks and regards
From: Will M. <wil...@gm...> - 2007-06-07 01:30:47

List,

I know it has been a long time since we have had a non-beta release, but what can I say? Victor and I have both been busy in our personal and professional lives. If you have been running the version of code in SVN, there are no major updates with this release other than a memleak fix for stream4inline.

I don't think this gets said often enough, so I would like to thank Sourcefire for all the hard work they put into snort and the snort rule sets, from which I and the rest of the community greatly benefit.

Regards,

Will

snort_inline-2.6.1.5
http://snort-inline.sourceforge.net/download.html

Differences between snort in inline mode and snort_inline
http://www.inliniac.net/blog/?p=74
From: Pom P. <pom...@gm...> - 2007-05-24 07:26:38

Hi,
I changed the flow_depth to 0, but it didn't work... snort-inline still doesn't drop the attack or log it.
Any suggestions?
Thanks.

On 5/21/07, Will Metcalf <wil...@gm...> wrote:
> Set flow_depth 0 in your http_inspect configuration.
>
> Regards,
>
> Will
From: Will M. <wil...@gm...> - 2007-05-22 16:13:50

Please send your snort_inline.conf

On 5/22/07, Julius S <ko...@ya...> wrote:
> Hello!
> I installed snort_inline on Linksys WRT54GL. Package file:
> http://openwrt.alphacore.net/snort-inline_2.1.3b_mipsel.ipk. I also
> installed the required packages.
>
> I try launching snort with:
> snort_inline -c /etc/snort-inline/snort_inline.conf -l /tmp/log/snort_inline/
> and it gives me:
> ERROR: Unable to open rules file:
> /etc/snort_inline/drop-rules/classification.config or
> /etc/snort-inline//etc/snort_inline/drop-rules/classification.config
> Fatal Error, Quitting..
> The following file is fine and is in the required directory.
>
> What could be wrong?
>
> Thank you
From: Julius S <ko...@ya...> - 2007-05-22 13:56:47

Hello!
I installed snort_inline on Linksys WRT54GL. Package file: http://openwrt.alphacore.net/snort-inline_2.1.3b_mipsel.ipk. I also installed the required packages.

I try launching snort with:
snort_inline -c /etc/snort-inline/snort_inline.conf -l /tmp/log/snort_inline/
and it gives me:
ERROR: Unable to open rules file:
/etc/snort_inline/drop-rules/classification.config or
/etc/snort-inline//etc/snort_inline/drop-rules/classification.config
Fatal Error, Quitting..
The following file is fine and is in the required directory.

What could be wrong?

Thank you
From: Will M. <wil...@gm...> - 2007-05-21 11:33:17

Set flow_depth 0 in your http_inspect configuration.

Regards,

Will

On 5/21/07, Pom Padir <pom...@gm...> wrote:
> Hello!
> I've just installed snort-inline 2.6.1 on my linux bridge, and changed all
> the rules to 'drop'.
>
> I used metasploit 3.0 in order to test snort's abilities.
> snort drops many attacks successfully, but when I use client-side attacks
> (which exploit a vulnerability in the browser) it fails to stop them.
> I used the default snort-inline.conf file.
>
> Why doesn't snort-inline drop the attacks?
>
> thanks
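Why Will's suggestion matters, as an added example that is not from the thread or from the Snort project: a small Python model of the inspection window http_inspect applies to server responses, run against a conf line with the stock-style flow_depth and one with flow_depth 0. It assumes that a flow_depth of N inspects only the first N bytes of each server response, that 0 inspects the whole response, that -1 skips server responses, and that 300 is the default when the option is absent; the conf fragments and the HTTP response are constructed for the example.

```python
import re

# Assumed Snort 2.x behaviour (not taken from the thread): flow_depth N > 0
# inspects only the first N bytes of each server response, 0 inspects the
# whole response and -1 skips server responses entirely; 300 is the assumed
# default when the option is absent.
DEFAULT_FLOW_DEPTH = 300

# Constructed snort_inline.conf fragments: a stock-style server block and
# the corrected one from Will's reply (flow_depth 0).
CONF_DEFAULT = (
    "preprocessor http_inspect_server: server default "
    "profile all ports { 80 8080 } flow_depth 300\n"
)
CONF_FIXED = (
    "preprocessor http_inspect_server: server default "
    "profile all ports { 80 8080 } flow_depth 0\n"
)

_SERVER_LINE = re.compile(r"^\s*preprocessor\s+http_inspect_server:\s*(.*)$", re.M)
_FLOW_DEPTH = re.compile(r"\bflow_depth\s+(-?\d+)\b")


def flow_depth_from_conf(conf: str) -> int:
    """Return the flow_depth of the first http_inspect_server line, or the assumed default."""
    for line in _SERVER_LINE.finditer(conf):
        hit = _FLOW_DEPTH.search(line.group(1))
        if hit:
            return int(hit.group(1))
    return DEFAULT_FLOW_DEPTH


def inspected_window(response: bytes, flow_depth: int) -> bytes:
    """The part of a server response the detection engine gets to see."""
    if flow_depth == 0:
        return response            # inspect everything
    if flow_depth < 0:
        return b""                 # server responses not inspected at all
    return response[:flow_depth]   # only the leading bytes


def rule_would_fire(content: bytes, response: bytes, flow_depth: int) -> bool:
    """A plain content match only fires if the match lies inside the window."""
    return content in inspected_window(response, flow_depth)


# Constructed HTTP response: ordinary markup pushes the hostile script past
# the first 300 bytes.  The payload is a placeholder token, not attack code.
MARKER = b"EXPLOIT-SIGNATURE-PLACEHOLDER"
FILLER = b"<!-- " + b"x" * 400 + b" -->"
RESPONSE = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
    b"<html><body>" + FILLER + b"<script>" + MARKER + b"</script></body></html>"
)


def coverage_report(conf: str, response: bytes = RESPONSE) -> dict:
    """Summarise how much of the response a given conf lets the rules inspect."""
    depth = flow_depth_from_conf(conf)
    window = inspected_window(response, depth)
    return {
        "flow_depth": depth,
        "inspected_bytes": len(window),
        "marker_offset": response.find(MARKER),
        "caught": rule_would_fire(MARKER, response, depth),
    }


if __name__ == "__main__":
    for name, conf in (("default", CONF_DEFAULT), ("flow_depth 0", CONF_FIXED)):
        print(name, coverage_report(conf))
```

With the stock-style setting the marker sits beyond byte 300 and the content match never sees it; with flow_depth 0 the whole response is in scope and the rule can drop it.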
From: Pom P. <pom...@gm...> - 2007-05-21 10:01:27

Hello!
I've just installed snort-inline 2.6.1 on my linux bridge, and changed all the rules to 'drop'.

I used metasploit 3.0 in order to test snort's abilities.
snort drops many attacks successfully, but when I use client-side attacks (which exploit a vulnerability in the browser) it fails to stop them.
I used the default snort-inline.conf file.

Why doesn't snort-inline drop the attacks?

thanks