[Snort-devel] Status of Snort Inline
justinjoseph007 at ...2499...
Mon Oct 12 13:12:04 EDT 2009
On 10/12/09, Jan Ježek <jjezek at ...3062...> wrote:
> On 12.10.2009 15:27, "Joel Esler" <eslerj at ...2499...> wrote:
>> On Mon, Oct 12, 2009 at 12:51 AM, Jan Ježek <jjezek at ...3062...> wrote:
>>> Hi everybody,
>>> I would like to gather some knowledge about the status of the inline
>>> There is Snort 2.8 in which the inline functionality does not work. It
>>> not work because it relies on libipq which is no longer supported and the
>>> compat layer from libnetfilter-queue has just been removed recently so
>>> with GIDS enabled wouldn¹t even compile. Also, IP defragmentation in
>>> mode seems to be broken in the current 2.8 (though it worked in 2.8.0).
>>> reason is because it tryes to safe memcopy zero bytes.
>>> Then there is the snort-inline project which development seems dead. It¹s
>>> only 2.6 and the maintainer isn¹t replying.
>>> We would like to integrate Snort in inline mode into a security product.
>>> are willing to fix and maintain the inline mode Snort. But the current
>>> status is unclear. Is the only way to branch and maintain our own
>>> Furthermore, we are willing to maintain the Windows version even with the
>>> inline mode. Internally, we were able to compile and run 2.8 on Windows
>>> inline mode successfully.
>>> Thanks in advance for any pointers on how to proceed.
>> The code you are looking at, I am assuming you are referring to the
>> "snort_inline" project?
>> As opposed to looking at the code in Snort. Snort can be compiled to
>> perform IPS functions with the --enable-inline compile tag.
>> Just for clarification.
> Both, actually. I don't know how the inline code (activated by
> --enable-inline) got to the Snort main line. I presume it was merged from
> snort_inline at some port of time? However, in its current state it does not
> work at all on Linux because it depends on libipq and support for that is
> discontinued in the latest 2.6.x kernels.
This thread might be of help:
There are some more of my queries in the archive.
snort 2.8.4 compiles with --enable-inline on ubuntu hardy(did this even today)
But like you say it might not on the lastest 2.6.x kernels as libipq
> As Victor clarified, we are now looking into the snort_inline project's SVN
> repository and that one seems to be OK. The current snapshot of
> snort_inline now uses linetfilter_queue instead of libipq.
This might be better, AFAIK the latest svn (of snort_inline)has
snort_inline code merged against snort-2.8.4. The reply to this
effect might well be there in the list archives.
More information about the Snort-devel