[Snort-devel] [Snort-users] inline mode works(seems) without compiling with --enable-inline option

Russ Combs rcombs at ...402...
Fri Aug 7 16:42:45 EDT 2009


Comments below ...

On Fri, Aug 7, 2009 at 4:08 PM, Joel Ebrahimi <joel.ebrahimi at ...2499...> wrote:

> I have always been curious how this works. Working for Bivio Networks I
> know that there is a Snort IPS that Sourcefire uses on our platform but I
> was never sure how they integrated it. Since our performance relies on pcap
> and since our pcap is modified to drop packets I had assumed it was all
> handled through pcap.
> So does --enable-inline need to be used at all to initialize any of the
> drop structures or mechanisms?
>

That depends on what you are trying to do:

* use --enable-inline for ipq.
* use --enable-inline --enable-ipfw for ipfw.
* otherwise, if you have a modified libpcap, the drop is handled there.
* otherwise, the drop doesn't take place.


> Would the keyword 'drop' still be able to be used from the rules just like
> the -Q option is allowed ?
>

Using -Q and a drop action in a rule is perfectly fine without the use of
--enable-inline with a modified libpcap.

>
> I don't actually see any of the Bivio specific API calls to drop packets. I'm
> assuming this is not released in the general Snort release. Is this code
> available or is it licensed differently than the available public Snort?
>

There are no calls to non-standard libpcap API functions in Snort.
Everything to do this is there in the snort code base and the license is the
same.  There are a few global variables that need to be shared between the
pcap library and Snort.  Have a look at inline.c for details.


> Thanks,
>
> // Joel
>
> On Wed, Aug 5, 2009 at 8:48 AM, Russ Combs <rcombs at ...402...> wrote:
>
>> Hey Justin,
>>
>> Thanks for the patch.  The -Q option, and the inline implementation in
>> general, is a little confusing.  However, there is no warning without
>> --enable-inline because it allows Snort to be deployed inline using 3rd
>> party pcap implementations that don't require ipq or ipfw.
>>
>> Compounding that, the help for -Q is only output for ipq builds.  The help
>> will be addressed in an upcoming release.
>>
>> Russ
>>
>> On Wed, Aug 5, 2009 at 8:11 AM, justin joseph <justinjoseph007 at ...2499...> wrote:
>>
>>> Hi
>>>
>>> We're trying to configure snort-inline on Ubuntu hardy (snort version
>>> 2.7.0) for some days.
>>> Today I figured out by looking at the code that even if snort was not
>>> compiled with the --enable-inline option, it was seemingly running with
>>> the -Q option (drop, sdrop, reject won't work of course).
>>>
>>> IMHO this confuses a newbie user like me, because if snort was not
>>> compiled enabling inline mode then it is supposed to print an error and
>>> abort if the user tries to run with the -Q option.
>>>
>>> Attached is a patch against 2.8.4 (changes in snort.c); that or something
>>> like it would be nice IMHO.
>>>
>>> thank you
>>> Justin
>>>
>>> _______________________________________________
>>> Snort-users mailing list
>>> Snort-users at lists.sourceforge.net
>>> Go to this URL to change user options or unsubscribe:
>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>>
>>
>
>