From: Piyush_Mundra <Piy...@sa...> - 2007-07-11 15:49:10
|
Hello everybody,

I am working on Redhat. To make use of the packet dropping and rejecting facility I installed Snort_Inline. Snort inline makes use of the

iptables
Libnet-1.0.2a-FC2-Fixed
pcre-7.2
snort_inline-1.9.1

The installation process went fine without any failure. I have installed snort_inline for the packet dropping facility. For that purpose I need to write rules in the snort.conf file, in the Snort_Inline/etc/snort.conf file.

There I wrote a very basic rule:

drop tcp any any -> any any (msg: "Dropped Packet"; sid: 1000001;)

This should cause all traffic coming to my system to be dropped and correspondingly log the alert to a default alert file.

But when I try to run Snort_Inline after making the above changes to the snort.conf file, Snort_Inline doesn't work, stating:

Unknown Rule Type: Drop.

This is further clarified by the fact that when in the snort.conf file we write any rule like "alert" "drop", then, being keywords, these words become "Yellowish". As against them, the "drop" keyword is not becoming the same, which means the .conf file is not able to recognize it as a command.

Kindly tell me where the things are going wrong. It's really important. Is there any other way to configure Snort itself for dropping packets? I am also running Snort-2.6.1.4 and I tried to configure it using

./configure --enable_Inline

configure and make and make install are running fine, but later on, when I insert the drop rule, it gives the same problem as above.

Thanks in advance.

Regards
Piyush

DISCLAIMER: This email (including any attachments) is intended for the sole use of the intended recipient/s and may contain material that is CONFIDENTIAL AND PRIVATE COMPANY INFORMATION. Any review or reliance by others or copying or distribution or forwarding of any or all of the contents in this message is STRICTLY PROHIBITED. If you are not the intended recipient, please contact the sender by email and delete all copies; your cooperation in this regard is appreciated. |
From: Will M. <wil...@gm...> - 2007-07-11 16:21:47
|
for snort_inline-2.6.x you need libdnet installed. I'm not sure what OS you are running but you may want to make distclean ./autojunk.sh && ./configure && make && make install from the source directory.

Regards,

Will |
From: Piyush_Mundra <Piy...@sa...> - 2007-07-14 08:52:52
|
Hello Will,
Thanks very much.
I tried to install snort_inline on Fedora and the installation process worked fine.
Right now I'm using snort_inline-2.6.1.5. Now, after inserting the ip_queue module, I am running the following command:

snort_inline -Q -v -c /etc/snort_inline/snort_inline.conf -l /var/log/snort_inline

I am getting the following summary:

===============================================================================
Snort processed 0 packets.
===============================================================================
Breakdown by protocol:
    TCP: 0 (0.000%)
    UDP: 0 (0.000%)
    ICMP: 0 (0.000%)
    ARP: 0 (0.000%)
    EAPOL: 0 (0.000%)
    IPv6: 0 (0.000%)
    ETHLOOP: 0 (0.000%)
    IPX: 0 (0.000%)
    FRAG: 0 (0.000%)
    OTHER: 0 (0.000%)
    DISCARD: 0 (0.000%)
===============================================================================
Action Stats:
ALERTS: 0
LOGGED: 0
PASSED: 0
===============================================================================

In my snort.conf file I have commented all the rules except one:

include $RULE_PATH/web-attacks.rules

At the end of the web-attacks.rules file I have added a simple rule:

drop tcp any 80 -> any 80 (classtype:attempted-user; msg:"Port 80 connection initiated";sid:1000001;)

Kindly tell me where I am going wrong. Why is snort_inline not able to process any packet?

Regards,

Piyush |
From: Will M. <wil...@gm...> - 2007-07-14 14:17:33
|
what do your iptables rules look like? |
From: Piyush_Mundra <Piy...@sa...> - 2007-07-16 05:19:23
|
Dear Will,

Regarding ip_queue I followed the following steps:

1) modprobe ip_queue

2) iptables -I INPUT -p tcp --dport 80 -j QUEUE

3) snort -c /etc/snort_inline/snort_inline.conf -Q -N -l /var/log/snort_inline/ -t /var/log/snort_inline/ -v

Previously I was working with snort_inline but somehow there was some problem compiling it. Then later on I started with snort-2.6.1.5 along with the libdnet, libpcap, iptables and pcre libraries. After installation snort runs but is not able to process packets, as mentioned in my previous mail.

Looking forward eagerly to your reply,

Thanks

Regards,

Piyush |
From: David G. <gu...@in...> - 2007-07-16 06:33:46
|
Your rule:

drop tcp any 80 -> any 80 (classtype:attempted-user; msg:"Port 80 connection initiated";sid:1000001;)

The first port of 80 is the source port; a web client will most certainly never send with source port 80, just destination port 80, the second one. That is why this rule is never triggered. Try with any any -> any 80 .... instead.

good luck! |
From: Will M. <wil...@gm...> - 2007-07-16 14:46:44
|
not only that but you need to queue both sides of the conversation so

iptables -I INPUT -p tcp --dport 80 -j QUEUE
iptables -I OUTPUT -p tcp --sport 80 -j QUEUE

On 7/16/07, David Gunnarsson <gu...@in...> wrote:
>
> Your rule:
> drop tcp any 80 -> any 80 (classtype:attempted-user; msg:"Port 80
> connection initiated";sid:1000001;)
> The first port of 80 is the source port, a webclient will most certainly
> never send with sourceport 80, just destination port 80, the second one,
> that is why this rule is never triggered. Try with any any -> any 80 ....
> instead.
> good luck!
>
> Piyush_Mundra wrote:
> > Dear Will,
> >
> > Regarding ip_queue I followed the following steps:
> >
> > 1) modprobe ip_queue
> >
> > 2) iptables -I INPUT -p tcp --dport 80 -j QUEUE
> >
> > 3) snort -c /etc/snort_inline/snort_inline.conf -Q -N -l
> > /var/log/snort_inline/ -t /var/log/snort_inline/ -v
> >
> > Previously I was working with snort_inline but somehow there was some
> > problem compiling it. Then later on I started with snort-2.6.1.5 along
> > with libdnet, libpcap, iptables and pcre libraries. After installation
> > snort runs but is not able to process packets as mentioned in my
> > previous mail.
> >
> > Looking forward eagerly for your reply,
> >
> > Thanks
> >
> > Regards,
> >
> > Piyush
> >
> > ------------------------------------------------------------------------
> > From: Will Metcalf [mailto:wil...@gm...]
> > Sent: Sat 7/14/2007 7:47 PM
> > To: Piyush_Mundra
> > Cc: sno...@li...
> > Subject: Re: [Snort-inline-users] Snort_Inline not recognizing 'drop' rule
> >
> > what do your iptables rules look like?
> >
> > On 7/14/07, Piyush_Mundra <Piy...@sa...> wrote:
> >
> > Hello Will,
> > Thanks very much.
> > I tried to install the snort_inline on fedora and the installation
> > process worked fine.
> > Right now I'm using snort_inline-2.6.1.5. Now, after inserting the
> > ip_queue module I am running the following command
> >
> > snort_inline -Q -v -c /etc/snort_inline/snort_inline.conf -l /var/log/snort_inline
> >
> > I am getting the following summary:
> >
> > ===============================================================================
> > Snort processed 0 packets.
> > ===============================================================================
> > Breakdown by protocol:
> >     TCP: 0          (0.000%)
> >     UDP: 0          (0.000%)
> >    ICMP: 0          (0.000%)
> >     ARP: 0          (0.000%)
> >   EAPOL: 0          (0.000%)
> >    IPv6: 0          (0.000%)
> > ETHLOOP: 0          (0.000%)
> >     IPX: 0          (0.000%)
> >    FRAG: 0          (0.000%)
> >   OTHER: 0          (0.000%)
> > DISCARD: 0          (0.000%)
> > ===============================================================================
> > Action Stats:
> > ALERTS: 0
> > LOGGED: 0
> > PASSED: 0
> > ===============================================================================
> >
> > In my snort.conf file I have commented all the rules except one
> >
> > include $RULE_PATH/web-attacks.rules
> >
> > At the end of the web-attacks.rules file I have added a simple rule:
> >
> > drop tcp any 80 -> any 80 (classtype:attempted-user; msg:"Port 80 connection initiated";sid:1000001;)
> >
> > Kindly tell me where I am going wrong. Why is snort_inline not
> > able to process any packet?
> >
> > Regards,
> >
> > Piyush
> >
> > ------------------------------------------------------------------------
> > From: Will Metcalf [mailto:wil...@gm...]
> > Sent: Wed 7/11/2007 9:48 PM
> > To: Piyush_Mundra
> > Cc: sno...@li...
> > Subject: Re: [Snort-inline-users] Snort_Inline not recognizing 'drop' rule
> >
> > for snort_inline-2.6.x you need libdnet installed. I'm not sure what
> > OS you are running but you may want to make distclean ./autojunk.sh &&
> > ./configure && make && make install from the source directory.
> >
> > Regards,
> >
> > Will
> >
> > On 7/11/07, Piyush_Mundra <Piy...@sa...> wrote:
> > >
> > > Hello everybody,
> > >
> > > I am working on Redhat. To make use of the packet dropping and rejecting
> > > facility I installed the Snort_Inline. Snort inline makes use of the
> > >
> > > iptables
> > > Libnet-1.0.2a-FC2-Fixed
> > > pcre-7.2
> > > snort_inline-1.9.1
> > >
> > > The installation process went fine without any failure. I have installed
> > > snort_inline for the packet dropping facility. For that purpose I need to
> > > write rules in the snort.conf file in the Snort_Inline/etc/snort.conf file.
> > >
> > > There I wrote a very basic rule:
> > >
> > > drop tcp any any -> any any (msg: "Dropped Packet"; sid: 1000001;)
> > >
> > > This should cause all traffic coming to my system to be dropped and
> > > correspondingly log the alert to a default alert file.
> > >
> > > But when I try to run Snort_Inline after making the above changes to the
> > > snort.conf file the Snort_Inline doesn't work, stating:
> > >
> > > Unknown Rule Type: Drop.
> > >
> > > This gets further clarified by the fact that when in the snort.conf file we
> > > write any rule like "alert" "drop" then, being keywords, these words become
> > > "Yellowish". As against them the "drop" keyword is not becoming the same, which means
> > > the .conf file is not able to recognize it as a command.
> > >
> > > Kindly tell me where the things are going wrong. It's really important. Is
> > > there any other way to configure Snort itself for dropping packets? I am
> > > running Snort-2.6.1.4 also and I tried to configure it using
> > >
> > > ./configure --enable_Inline
> > >
> > > configure and make and make install are running fine but later on when I
> > > insert the drop rule it is giving the same problem as above.
> > >
> > > Thanks in advance.
> > >
> > > Regards
> > > Piyush
|
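The two points this reply and David's make, that the port before `->` in a Snort rule header is the source port (so `any 80 -> any 80` never matches a client's SYN), and that snort_inline only sees what iptables hands to the QUEUE target (so INPUT `--dport 80` alone leaves the server's replies unseen), modelled in Python as an added example. This is not code from the thread or from Snort/snort_inline: it is a small model of Snort 2.x header matching (addresses compared literally, no CIDR or `$VAR` expansion, which is an assumption of the model), the packets and iptables command lines are constructed samples, and `queued_directions` only inspects the command strings as typed rather than talking to iptables. The action table also reproduces the first error in the thread: a Snort build without inline support has no `drop` rule type.

```python
"""Model of Snort rule-header matching and of the iptables QUEUE setup.

Added example, not code from this thread or from Snort/snort_inline.  It models
Snort 2.x header semantics (the port before '->' is the SOURCE port, the one
after it the DESTINATION port) and reports which halves of a TCP conversation
the iptables rules hand to ip_queue.  Packets and commands are constructed
samples; address matching is literal (no CIDR, no $VARs), an assumption here.
"""
import re
from collections import namedtuple

# Actions a plain Snort 2.x build accepts, plus the ones that only exist with
# inline support (snort_inline, or snort configured with --enable-inline).
BASE_ACTIONS = {"alert", "log", "pass", "activate", "dynamic"}
INLINE_ACTIONS = {"drop", "reject", "sdrop"}

HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)
IPT_RE = re.compile(r"^iptables\s+-[IA]\s+(?P<chain>\w+)\s+(?P<spec>.*?)\s+-j\s+QUEUE$")

Rule = namedtuple("Rule", "action proto src sport direction dst dport")
Packet = namedtuple("Packet", "proto src sport dst dport")


def parse_rule(text, inline):
    """Parse a rule header; a non-inline build rejects drop/reject/sdrop."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError(f"cannot parse rule header: {text!r}")
    action = m.group("action").lower()
    if action not in BASE_ACTIONS | (INLINE_ACTIONS if inline else set()):
        raise ValueError(f"Unknown Rule Type: {m.group('action')}")
    return Rule(action, m.group("proto").lower(), m.group("src"), m.group("sport"),
                m.group("dir"), m.group("dst"), m.group("dport"))


def _port_ok(spec, port):
    """'any', one port, a range 'lo:hi' (either end may be open) or '!spec'."""
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not _port_ok(spec[1:], port)
    if ":" in spec:
        lo, _, hi = spec.partition(":")
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return port == int(spec)


def _addr_ok(spec, addr):
    """Literal address match with 'any' and '!' negation (model simplification)."""
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not _addr_ok(spec[1:], addr)
    return spec == addr


def rule_matches(rule, pkt):
    """Header match: rule src/sport are tested against the packet's source side."""
    if rule.proto not in ("ip", pkt.proto):
        return False
    fwd = (_addr_ok(rule.src, pkt.src) and _port_ok(rule.sport, pkt.sport)
           and _addr_ok(rule.dst, pkt.dst) and _port_ok(rule.dport, pkt.dport))
    if rule.direction == "->":
        return fwd
    rev = (_addr_ok(rule.src, pkt.dst) and _port_ok(rule.sport, pkt.dport)
           and _addr_ok(rule.dst, pkt.src) and _port_ok(rule.dport, pkt.sport))
    return fwd or rev


def verdict(rule, pkt):
    """Action applied to the packet, or 'pass' when the header does not match."""
    return rule.action if rule_matches(rule, pkt) else "pass"


def queued_directions(commands, port=80):
    """Halves of a conversation to local TCP port `port` that iptables queues.

    snort_inline only sees what reaches the QUEUE target, so INPUT --dport on
    its own leaves the server's replies unseen.
    """
    seen = set()
    for cmd in commands:
        m = IPT_RE.match(cmd.strip())
        if m and m.group("chain") == "INPUT" and f"--dport {port}" in m.group("spec"):
            seen.add("client->server")
        if m and m.group("chain") == "OUTPUT" and f"--sport {port}" in m.group("spec"):
            seen.add("server->client")
    return seen


if __name__ == "__main__":
    syn = Packet("tcp", "10.0.0.5", 54321, "10.0.0.1", 80)  # constructed client SYN
    broken = parse_rule('drop tcp any 80 -> any 80 (msg:"Port 80"; sid:1000001;)', True)
    fixed = parse_rule('drop tcp any any -> any 80 (msg:"Port 80"; sid:1000001;)', True)
    print(verdict(broken, syn), verdict(fixed, syn))  # pass drop
    print(queued_directions(["iptables -I INPUT -p tcp --dport 80 -j QUEUE"]))  # {'client->server'}
```

On a real host the packet counters from `iptables -L -n -v` show whether traffic is actually reaching the QUEUE rules; if they stay at zero, the `Snort processed 0 packets` summary in the thread is an iptables problem, not a rule problem.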