From: Christopher B. <bla...@um...> - 2005-01-03 11:46:08

List,

I'm running FreeBSD 4.10 on a system configured with no IPs, bridging between two interfaces. The network works fine if diverting is disabled, but when packets are diverted to snort_inline, snort never appears to receive them. Has anyone seen this before?

--
Christopher Black <bla...@um...>
From: Nick R. <ni...@ro...> - 2005-01-03 19:59:01

On Mon, 3 Jan 2005, Christopher Black wrote:

> List,
>
> I'm running FreeBSD 4.10 on a system configured with no IPs, bridging
> between two interfaces. The network works fine if diverting is
> disabled, but when packets are diverted to snort_inline, snort never
> appears to receive them. Has anyone seen this before?

What is the output of:

root# sysctl net.link.ether.bridge.ipfw

Nick Rogness <ni...@ro...>
-
How many people here have telekinetic powers? Raise my hand.
-Emo Philips
From: Christopher B. <bla...@um...> - 2005-01-03 21:42:34

On Mon, 2005-01-03 at 14:55, Nick Rogness wrote:
> On Mon, 3 Jan 2005, Christopher Black wrote:
>
> > List,
> >
> > I'm running FreeBSD 4.10 on a system configured with no IPs, bridging
> > between two interfaces. The network works fine if diverting is
> > disabled, but when packets are diverted to snort_inline, snort never
> > appears to receive them. Has anyone seen this before?
>
> What is the output of:
>
> root# sysctl net.link.ether.bridge.ipfw
>
>
> Nick Rogness <ni...@ro...>
> -
> How many people here have telekinetic powers? Raise my hand.
> -Emo Philips

bash-2.05b# sysctl -a | grep net.link.ether.bridge
net.link.ether.bridge_cfg: sis0,sis1
net.link.ether.bridge: 1
net.link.ether.bridge_ipfw: 1
...

The bridging part itself is working fine, until I divert the packets to snort. The one command 'ipfw add divert 6666 all from any to any' (6666 being the port I put snort on) causes a complete loss of throughput. Snort is never receiving them, as debug statements in the main loop of inline.c report. Is there a special bridging (as opposed to inline) mode to enable?

--
Christopher Black <bla...@um...>
From: Christopher B. <bla...@um...> - 2005-01-04 12:17:32

On Tue, 2005-01-04 at 03:16, Alex Dupre wrote:
> Nick Rogness wrote:
> >> The bridging part itself is working fine, until I divert the packets
> >> to snort. The one command 'ipfw add divert 6666 all from any to any'
> >> (6666 being the port I put snort on) causes a complete loss of
> >> throughput.
>
> ipfw divert action (like forward and tee) cannot be used on bridged packets.
>
> --
> Alex Dupre

That explains a lot. I seem to recall seeing invisible bridges running snort_inline before, so I assume it's possible with IPTables?

--
Christopher Black <bla...@um...>
From: Christopher B. <bla...@um...> - 2005-01-04 12:35:08

On Mon, 2005-01-03 at 19:44, Nick Rogness wrote:
> On Mon, 3 Jan 2005, Christopher Black wrote:
>
> > On Mon, 2005-01-03 at 14:55, Nick Rogness wrote:
> >> On Mon, 3 Jan 2005, Christopher Black wrote:
> >>
> >>> List,
> >>>
> >>> I'm running FreeBSD 4.10 on a system configured with no IPs, bridging
> >>> between two interfaces. The network works fine if diverting is
> >>> disabled, but when packets are diverted to snort_inline, snort never
> >>> appears to receive them. Has anyone seen this before?
> >>
> >> What is the output of:
> >>
> >> root# sysctl net.link.ether.bridge.ipfw
> >>
> >>
> >> Nick Rogness <ni...@ro...>
> >> -
> >> How many people here have telekinetic powers? Raise my hand.
> >> -Emo Philips
> >
> > bash-2.05b# sysctl -a | grep net.link.ether.bridge
> > net.link.ether.bridge_cfg: sis0,sis1
> > net.link.ether.bridge: 1
> > net.link.ether.bridge_ipfw: 1
> > ...
> >
> > The bridging part itself is working fine, until I divert the packets to
> > snort. The one command 'ipfw add divert 6666 all from any to any' (6666
> > being the port I put snort on) causes a complete loss of throughput.
> > Snort is never receiving them, as debug statements in the main loop of
> > inline.c report. Is there a special bridging (as opposed to inline)
> > mode to enable?
>
> No, snort_inline is unaware of anything in the lower layers, e.g.
> bridging vs routing. The divert socket is just a socket, not much
> different than a standard TCP socket.
>
> I've never done bridging+IPFW before on FreeBSD. What happens if
> you divert to say natd as a test? Is this on FreeBSD 5.3 again?
>
> Nick Rogness <ni...@ro...>
> -
> How many people here have telekinetic powers? Raise my hand.
> -Emo Philips

This was on FreeBSD 4.10. Since I'm under a fairly tight deadline, I had to revert to just doing NAT on that box. I will try this out later though.

Is there a special way to create a divert socket from a userland application to just test to see what's hitting the socket?

--
Christopher Black <bla...@um...>
From: Nick R. <ni...@ro...> - 2005-01-04 18:00:46

On Tue, 4 Jan 2005, Christopher Black wrote:

> On Mon, 2005-01-03 at 19:44, Nick Rogness wrote:
>> On Mon, 3 Jan 2005, Christopher Black wrote:
>>
>>> On Mon, 2005-01-03 at 14:55, Nick Rogness wrote:
>>>> On Mon, 3 Jan 2005, Christopher Black wrote:
>>>>
>>>>> List,
>>>>>
>>>>> I'm running FreeBSD 4.10 on a system configured with no IPs, bridging
>>>>> between two interfaces. The network works fine if diverting is
>>>>> disabled, but when packets are diverted to snort_inline, snort never
>>>>> appears to receive them. Has anyone seen this before?
>>>>
>>>> What is the output of:
>>>>
>>>> root# sysctl net.link.ether.bridge.ipfw
>>>>
>>>>
>>>> Nick Rogness <ni...@ro...>
>>>> -
>>>> How many people here have telekinetic powers? Raise my hand.
>>>> -Emo Philips
>>>
>>> bash-2.05b# sysctl -a | grep net.link.ether.bridge
>>> net.link.ether.bridge_cfg: sis0,sis1
>>> net.link.ether.bridge: 1
>>> net.link.ether.bridge_ipfw: 1
>>> ...
>>>
>>> The bridging part itself is working fine, until I divert the packets to
>>> snort. The one command 'ipfw add divert 6666 all from any to any' (6666
>>> being the port I put snort on) causes a complete loss of throughput.
>>> Snort is never receiving them, as debug statements in the main loop of
>>> inline.c report. Is there a special bridging (as opposed to inline)
>>> mode to enable?
>>
>> No, snort_inline is unaware of anything in the lower layers, e.g.
>> bridging vs routing. The divert socket is just a socket, not much
>> different than a standard TCP socket.
>>
>> I've never done bridging+IPFW before on FreeBSD. What happens if
>> you divert to say natd as a test? Is this on FreeBSD 5.3 again?
>>
>
> This was on FreeBSD 4.10. Since I'm under a fairly tight deadline, I
> had to revert to just doing NAT on that box. I will try this out later
> though. Is there a special way to create a divert socket from a
> userland application to just test to see what's hitting the socket?

Yes. You can simply take the code out of any standard divert userland app (such as tcpmssd or natd) and use it to read/write without changing the packet. I'm putting together a set of test tools to do this.

Nick Rogness <ni...@ro...>
-
How many people here have telekinetic powers? Raise my hand.
-Emo Philips
From: Nick R. <ni...@ro...> - 2005-01-10 07:08:41

On Tue, 4 Jan 2005, Christopher Black wrote:

>> No, snort_inline is unaware of anything in the lower layers, e.g.
>> bridging vs routing. The divert socket is just a socket, not much
>> different than a standard TCP socket.
>>
>> I've never done bridging+IPFW before on FreeBSD. What happens if
>> you divert to say natd as a test? Is this on FreeBSD 5.3 again?
>>
>> Nick Rogness <ni...@ro...>
>
> This was on FreeBSD 4.10. Since I'm under a fairly tight deadline, I
> had to revert to just doing NAT on that box. I will try this out later
> though. Is there a special way to create a divert socket from a
> userland application to just test to see what's hitting the socket?

For simply printing packets received by a divert socket, a simple C userland program:

http://freebsd.rogness.net/tools/ipprint/ipprint.c

Nick Rogness <ni...@ro...>
-
How many people here have telekinetic powers? Raise my hand.
-Emo Philips
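The divert-socket test described in the two replies above (read each packet, print it, write it back unchanged as natd or tcpmssd would), as an added example that is neither the thread's code nor Nick's ipprint.c. It binds a FreeBSD divert(4) socket on the thread's port 6666, prints a one-line summary of each IPv4 packet that arrives, and reinjects it so traffic keeps flowing. The header parser is portable and is self-checked on a constructed packet; the socket loop is guarded by `#ifdef IPPROTO_DIVERT` so the file also compiles where divert sockets do not exist. The names `parse_ipv4`, `run_divert`, `print_summary` and `sample_packet` are this example's own.

```c
/* Added example, not the thread's code and not ipprint.c: a minimal divert(4)
 * probe that prints what reaches a divert port and reinjects it unchanged.
 * The IPv4 parser is portable; the socket loop is FreeBSD-only. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* Fields worth printing when checking what hits the socket (names are mine). */
struct ip_summary {
    unsigned version, header_len, total_len, ttl, proto;
    char src[INET_ADDRSTRLEN];
    char dst[INET_ADDRSTRLEN];
};

/* Decode the fixed IPv4 header at the start of buf.  A divert socket hands
 * over whole IP datagrams beginning at the IP header.  Returns 0 on success,
 * -1 if the buffer is too short or the header/total lengths are inconsistent. */
int parse_ipv4(const unsigned char *buf, size_t len, struct ip_summary *out)
{
    if (len < 20) return -1;
    unsigned version = buf[0] >> 4;
    unsigned ihl = (buf[0] & 0x0f) * 4u;
    unsigned total = ((unsigned)buf[2] << 8) | buf[3];
    if (version != 4 || ihl < 20 || ihl > len || total < ihl || total > len)
        return -1;
    struct in_addr a;
    out->version = version;
    out->header_len = ihl;
    out->total_len = total;
    out->ttl = buf[8];
    out->proto = buf[9];
    memcpy(&a, buf + 12, 4);            /* addresses stay in network order */
    inet_ntop(AF_INET, &a, out->src, sizeof out->src);
    memcpy(&a, buf + 16, 4);
    inet_ntop(AF_INET, &a, out->dst, sizeof out->dst);
    return 0;
}

/* Constructed sample (not a capture): IPv4 header without options plus an
 * 8-byte ICMP echo request, 192.168.1.10 -> 192.168.1.1, TTL 64.  The IP
 * checksum is left zero; the parser does not verify it. */
const unsigned char sample_packet[28] = {
    0x45, 0x00, 0x00, 0x1c, 0x00, 0x01, 0x00, 0x00, 0x40, 0x01, 0x00, 0x00,
    0xc0, 0xa8, 0x01, 0x0a, 0xc0, 0xa8, 0x01, 0x01,
    0x08, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x01
};

static void print_summary(const struct ip_summary *s, size_t wire_len)
{
    printf("ipv%u hdr=%u total=%u wire=%zu ttl=%u proto=%u %s -> %s\n",
           s->version, s->header_len, s->total_len, wire_len, s->ttl,
           s->proto, s->src, s->dst);
}

#ifdef IPPROTO_DIVERT
/* FreeBSD only: bind the divert port and echo every packet back.  Needs root
 * and a matching rule such as the thread's "ipfw add divert 6666 all from any to any". */
static int run_divert(unsigned short port)
{
    int fd = socket(PF_INET, SOCK_RAW, IPPROTO_DIVERT);
    struct sockaddr_in addr;
    if (fd < 0) { perror("socket"); return 1; }
    memset(&addr, 0, sizeof addr);
    addr.sin_family = AF_INET;
    addr.sin_port = htons(port);        /* the divert port, not a TCP/UDP port */
    if (bind(fd, (struct sockaddr *)&addr, sizeof addr) < 0) { perror("bind"); return 1; }
    for (;;) {
        static unsigned char buf[65535];
        struct sockaddr_in from;
        socklen_t fromlen = sizeof from;
        struct ip_summary s;
        ssize_t n = recvfrom(fd, buf, sizeof buf, 0, (struct sockaddr *)&from, &fromlen);
        if (n < 0) { perror("recvfrom"); break; }
        if (parse_ipv4(buf, (size_t)n, &s) == 0) print_summary(&s, (size_t)n);
        /* Sending to the sockaddr that recvfrom filled in (it carries the rule
         * number) reinjects the packet so ipfw continues after the divert rule. */
        if (sendto(fd, buf, (size_t)n, 0, (struct sockaddr *)&from, fromlen) < 0)
            perror("sendto");
    }
    close(fd);
    return 0;
}
#endif

int main(int argc, char **argv)
{
    struct ip_summary s;
#ifdef IPPROTO_DIVERT
    if (argc > 1) return run_divert((unsigned short)atoi(argv[1]));
#else
    (void)argc; (void)argv;
#endif
    /* Offline self-check on the constructed packet. */
    if (parse_ipv4(sample_packet, sizeof sample_packet, &s) != 0) return 1;
    print_summary(&s, sizeof sample_packet);
    return 0;
}
```

On the bridge box, run it as root with the divert port as the only argument after the `ipfw add divert 6666 ...` rule is in place. If traffic crosses the bridge and nothing is printed, the packets never reached the divert rule, which is what the thread concludes about bridged packets on FreeBSD 4.x; if lines do print, the kernel side works and the problem is in the consumer. Run with no arguments it only parses the constructed packet.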
From: Nick R. <ni...@ro...> - 2005-01-04 18:02:16

On Tue, 4 Jan 2005, Alex Dupre wrote:

> Nick Rogness wrote:
>>> The bridging part itself is working fine, until I divert the packets to
>>> snort. The one command 'ipfw add divert 6666 all from any to any' (6666
>>> being the port I put snort on) causes a complete loss of throughput.
>
> ipfw divert action (like forward and tee) cannot be used on bridged packets.

That's right, I do recall hearing about this. Funny how the divert(4) man page doesn't mention anything about this. Do you know if it is possible on the FreeBSD 5.X branch?

Nick Rogness <ni...@ro...>
-
How many people here have telekinetic powers? Raise my hand.
-Emo Philips
From: Nick R. <ni...@ro...> - 2005-01-05 19:23:28

On Wed, 5 Jan 2005, Alex Dupre wrote:

> Nick Rogness wrote:
>> That's right, I do recall hearing about this. Funny how the
>> divert(4) man page doesn't mention anything about this. Do you
>> know if it is possible on the FreeBSD 5.X branch?
>
> No, it's not possible and I don't think it'll change in future.

Hmm, I wonder if we could use some combination of netgraph modules to make this work instead. The code would have to be changed, but it may be an option in the future.

Nick Rogness <ni...@ro...>
-
How many people here have telekinetic powers? Raise my hand.
-Emo Philips
From: Nick R. <ni...@ro...> - 2005-01-04 00:47:51

On Mon, 3 Jan 2005, Christopher Black wrote:

> On Mon, 2005-01-03 at 14:55, Nick Rogness wrote:
>> On Mon, 3 Jan 2005, Christopher Black wrote:
>>
>>> List,
>>>
>>> I'm running FreeBSD 4.10 on a system configured with no IPs, bridging
>>> between two interfaces. The network works fine if diverting is
>>> disabled, but when packets are diverted to snort_inline, snort never
>>> appears to receive them. Has anyone seen this before?
>>
>> What is the output of:
>>
>> root# sysctl net.link.ether.bridge.ipfw
>>
>>
>> Nick Rogness <ni...@ro...>
>> -
>> How many people here have telekinetic powers? Raise my hand.
>> -Emo Philips
>
> bash-2.05b# sysctl -a | grep net.link.ether.bridge
> net.link.ether.bridge_cfg: sis0,sis1
> net.link.ether.bridge: 1
> net.link.ether.bridge_ipfw: 1
> ...
>
> The bridging part itself is working fine, until I divert the packets to
> snort. The one command 'ipfw add divert 6666 all from any to any' (6666
> being the port I put snort on) causes a complete loss of throughput.
> Snort is never receiving them, as debug statements in the main loop of
> inline.c report. Is there a special bridging (as opposed to inline)
> mode to enable?

No, snort_inline is unaware of anything in the lower layers, e.g. bridging vs routing. The divert socket is just a socket, not much different than a standard TCP socket.

I've never done bridging+IPFW before on FreeBSD. What happens if you divert to say natd as a test? Is this on FreeBSD 5.3 again?

Nick Rogness <ni...@ro...>
-
How many people here have telekinetic powers? Raise my hand.
-Emo Philips