[Snort-devel] Status of Snort Inline

Jan Ježek jjezek at ...3062...
Mon Oct 12 10:03:58 EDT 2009




On 12.10.2009 15:27, "Joel Esler" <eslerj at ...2499...> wrote:

> On Mon, Oct 12, 2009 at 12:51 AM, Jan Ježek <jjezek at ...3062...> wrote:
> 
>> Hi everybody,
>> 
>> I would like to gather some knowledge about the status of the inline
>> functionality.
>> 
>> There is Snort 2.8 in which the inline functionality does not work. It does
>> not work because it relies on libipq which is no longer supported and the
>> compat layer from libnetfilter-queue has just been removed recently so Snort
>> with GIDS enabled wouldn't even compile. Also, IP defragmentation in inline
>> mode seems to be broken in the current 2.8 (though it worked in 2.8.0). The
>> reason is because it tries to safe memcopy zero bytes.
>> 
>> Then there is the snort-inline project whose development seems dead. It's
>> only 2.6 and the maintainer isn't replying.
>> 
>> We would like to integrate Snort in inline mode into a security product. We
>> are willing to fix and maintain the inline mode Snort. But the current
>> status is unclear. Is the only way to branch and maintain our own project?
>> 
>> Furthermore, we are willing to maintain the Windows version even with the
>> inline mode. Internally, we were able to compile and run 2.8 on Windows in
>> inline mode successfully.
>> 
>> Thanks in advance for any pointers on how to proceed.
>> 
>> 
> The code you are looking at, I am assuming you are referring to the
> "snort_inline" project?
> As opposed to looking at the code in Snort.  Snort can be compiled to
> perform IPS functions with the --enable-inline compile tag.
> 
> Just for clarification.
> 
> Joel

Both, actually. I don't know how the inline code (activated by
--enable-inline) got to the Snort main line. I presume it was merged from
snort_inline at some point of time? However, in its current state it does not
work at all on Linux because it depends on libipq and support for that is
discontinued in the latest 2.6.x kernels.

As Victor clarified, we are now looking into the snort_inline project's SVN
repository and that one seems to be OK.  The current snapshot of
snort_inline now uses libnetfilter_queue instead of libipq.

JJ.