[Snort-devel] Status of Snort Inline

justin joseph justinjoseph007 at ...2499...
Mon Oct 12 13:12:04 EDT 2009


On 10/12/09, Jan Ježek <jjezek at ...3062...> wrote:
>
>
>
> On 12.10.2009 15:27, "Joel Esler" <eslerj at ...2499...> wrote:
>
>> On Mon, Oct 12, 2009 at 12:51 AM, Jan Ježek <jjezek at ...3062...> wrote:
>>
>>> Hi everybody,
>>>
>>> I would like to gather some knowledge about the status of the inline
>>> functionality.
>>>
>>> There is Snort 2.8 in which the inline functionality does not work. It
>>> does not work because it relies on libipq which is no longer supported
>>> and the compat layer from libnetfilter-queue has just been removed
>>> recently so Snort with GIDS enabled wouldn't even compile. Also, IP
>>> defragmentation in inline mode seems to be broken in the current 2.8
>>> (though it worked in 2.8.0). The reason is because it tries to safe
>>> memcopy zero bytes.
>>>
>>> Then there is the snort-inline project whose development seems dead.
>>> It's only 2.6 and the maintainer isn't replying.
>>>
>>> We would like to integrate Snort in inline mode into a security product.
>>> We are willing to fix and maintain the inline mode Snort. But the current
>>> status is unclear. Is the only way to branch and maintain our own
>>> project?
>>>
>>> Furthermore, we are willing to maintain the Windows version even with the
>>> inline mode. Internally, we were able to compile and run 2.8 on Windows
>>> in inline mode successfully.
>>>
>>> Thanks in advance for any pointers on how to proceed.
>>>
>>>
>> The code you are looking at, I am assuming you are referring to the
>> "snort_inline" project?
>> As opposed to looking at the code in Snort.  Snort can be compiled to
>> perform IPS functions with the --enable-inline compile tag.
>>
>> Just for clarification.
>>
>> Joel
>
> Both, actually. I don't know how the inline code (activated by
> --enable-inline) got to the Snort main line. I presume it was merged from
> snort_inline at some point of time? However, in its current state it does not
> work at all on Linux because it depends on libipq and support for that is
> discontinued in the latest 2.6.x kernels.

This thread might be of help:

http://marc.info/?l=snort-devel&m=124989274715663&w=2

There are some more of my queries in the archive.

snort 2.8.4 compiles with --enable-inline on ubuntu hardy (did this even today)
But like you say it might not on the latest 2.6.x kernels as libipq
support might be absent.

>
> As Victor clarified, we are now looking into the snort_inline project's SVN
> repository and that one seems to be OK.  The current snapshot of
> snort_inline now uses libnetfilter_queue instead of libipq.

This might be better, AFAIK the latest svn (of snort_inline) has
snort_inline code merged against snort-2.8.4.  The reply to this
effect might well be there in the list archives.

>
> JJ.
>
