[Snort-users] snort-inline error

Kathy A kathya6200 at ...131...
Wed Apr 16 05:41:01 EDT 2003


Thanks to Tim and Rob, I have the beginnings of a
snort-inline script running as IPS. However, I am
having problems running my customized script and am
looking for some help.  Script is below.  Error is: 
"Couldn't load target udpHandler
/usr/local/lib/iptables/libipt_udpHandler.so: cannot
open shared object file: No such file or directory" 

I'm running this script on a linux 7.3 box, with a
"normal" version of snort running and not much
else....  

kathy

----------------------------------
MODE="nat"
QUEUE="yes"
LAN_IFACE="eth0"

RESTRICT="no"
SCALE="hour"
TCPRATE="9"
UDPRATE="20"           
ICMPRATE="20"    
OTHERRATE="10"          
HPOT_IP="10.3.2.121"

.... (regular variables, etc.)

#### Create protocol handling chains
$IPTABLES -N udpHandler
$IPTABLES -N tcpHandler
$IPTABLES -N icmpHandler
$IPTABLES -N otherHandler
# $IPTABLES -P INPUT ACCEPT
# $IPTABLES -P FORWARD ACCEPT
# $IPTABLES -P OUTPUT ACCEPT
# Allow all Traffic on your loopback interface
$IPTABLES -A INPUT -i lo -p all -j ACCEPT
# Start off on the INPUT table and allow anything back in that was
# originated from your system
# turn this off temp
#$IPTABLES -A INPUT -i $LAN_IFACE -p all -m state --state ESTABLISHED,RELATED -j ACCEPT

### Inbound TCP
$IPTABLES -A INPUT -i $LAN_IFACE -p tcp -m state --state NEW -j LOG --log-prefix "INBOUND TCP: "
$IPTABLES -A INPUT -i $LAN_IFACE -p tcp -m state --state NEW -j ACCEPT
### Inbound UDP
# $IPTABLES -A INPUT -i $LAN_IFACE -p udp -m state --state NEW -j LOG --log-prefix "INBOUND UDP: "
#$IPTABLES -A INPUT -i $LAN_IFACE -p udp -m state --state NEW -j ACCEPT
..... (load ip queue, etc..)
# i'm testing this to try and drop packets
LIMIT_IP=$HPOT_IP
host=$HPOT_ID   # overwritten by the loop variable below

for host in ${LIMIT_IP}; do
        # first UDPRATE new UDP flows per SCALE from this host go to udpHandler
        $IPTABLES -A INPUT -p udp -i $LAN_IFACE -m state --state NEW -m limit --limit ${UDPRATE}/${SCALE} --limit-burst ${UDPRATE} -s ${host} -j udpHandler
        # log (rate-limited to one entry per SCALE) once the limit is exceeded
        $IPTABLES -A INPUT -p udp -i $LAN_IFACE -m state --state NEW -m limit --limit 1/${SCALE} --limit-burst 1 -s ${host} -j LOG --log-prefix "Drop udp after ${UDPRATE} attempts"
        # everything beyond the limit is dropped
        $IPTABLES -A INPUT -p udp -i $LAN_IFACE -m state --state NEW -s ${host} -j DROP
done



### Inbound ICMP
$IPTABLES -A INPUT -i $LAN_IFACE -p icmp -m state --state NEW -j LOG --log-prefix "INBOUND ICMP: "
$IPTABLES -A INPUT -i $LAN_IFACE -p icmp -m state --state NEW -j ACCEPT
.....

if test $QUEUE = "yes"
then
    $IPTABLES -A INPUT -i $LAN_IFACE -m state --state RELATED,ESTABLISHED -j QUEUE
fi
$IPTABLES -A INPUT -i $LAN_IFACE -m state --state RELATED,ESTABLISHED -j ACCEPT

## These define the handlers that actually limit outbound connection.
$IPTABLES -A udpHandler -j LOG --log-prefix "OUTBOUND CONN UDP: "
if test $QUEUE = "yes"
then
    $IPTABLES -A udpHandler -j QUEUE
fi
$IPTABLES -A udpHandler -j ACCEPT
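The "Couldn't load target udpHandler ... libipt_udpHandler.so" message is the generic complaint iptables makes when a `-j` target is neither a built-in target, a target extension it can load from its library directory, nor a user chain that exists at the moment the rule is appended. In a long script that is easiest to check statically, by replaying the `-N`/`-X` commands in order and flagging every jump target or `-A` chain that does not exist yet. The checker below is an added example (not the poster's script and not part of snort-inline or iptables); the sample script it runs on is constructed to show one ordering that produces exactly this class of error (a bare `-X` after the chains were created), plus a misspelled built-in chain. The set of extension targets is an assumption about a typical install and should be adjusted to whatever `libipt_*.so` files are actually present.

```python
"""Static check of an iptables shell script for jump targets and chains
that do not exist at the point where they are used.

Added example, not from the original post. Replays -N / -X in script
order and reports any -j/-g target that is not built in, not a known
target extension, and not a user chain created earlier, as well as any
-A/-I/-D/-R chain that is neither built in nor created earlier.
"""
import shlex

# Targets handled by the netfilter core: no libipt_*.so is needed for these.
BUILTIN_TARGETS = {"ACCEPT", "DROP", "QUEUE", "RETURN"}
# Target extensions usually shipped as libipt_<NAME>.so (assumption: a
# typical iptables 1.2.x install; adjust to the contents of the library dir).
EXTENSION_TARGETS = {"LOG", "ULOG", "REJECT", "MASQUERADE", "SNAT", "DNAT",
                     "REDIRECT", "MARK", "TOS", "MIRROR"}
BUILTIN_CHAINS = {"INPUT", "OUTPUT", "FORWARD", "PREROUTING", "POSTROUTING"}
CHAIN_OPTS = {"-A", "--append", "-I", "--insert", "-D", "--delete", "-R", "--replace"}
JUMP_OPTS = {"-j", "--jump", "-g", "--goto"}


def iptables_commands(script):
    """Yield (line_no, argv) for each iptables call in a shell script.

    Backslash continuations are joined first (line_no is the first physical
    line), comment lines are skipped, and a line counts as an iptables call
    when its first word is $IPTABLES, iptables, or a path ending in /iptables."""
    joined, buf, start = [], [], 0
    for no, raw in enumerate(script.splitlines(), 1):
        if not buf:
            start = no
        if raw.rstrip().endswith("\\"):
            buf.append(raw.rstrip()[:-1])
            continue
        buf.append(raw)
        joined.append((start, " ".join(buf)))
        buf = []
    for no, line in joined:
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        try:
            argv = shlex.split(stripped, comments=True)
        except ValueError:
            continue  # unbalanced quotes: not something we can analyse
        if not argv or "=" in argv[0]:
            continue  # variable assignment such as IPTABLES=/sbin/iptables
        if argv[0] in ("$IPTABLES", "iptables") or argv[0].endswith("/iptables"):
            yield no, argv[1:]


def find_missing_targets(script):
    """Return [(line_no, kind, name)] where kind is 'target' or 'chain'."""
    user_chains = set()
    problems = []
    for no, argv in iptables_commands(script):
        for i, tok in enumerate(argv):
            nxt = argv[i + 1] if i + 1 < len(argv) else None
            if tok in ("-N", "--new-chain") and nxt:
                user_chains.add(nxt)
            elif tok in ("-X", "--delete-chain"):
                if nxt is None or nxt.startswith("-"):
                    user_chains.clear()  # bare -X deletes every user chain
                else:
                    user_chains.discard(nxt)
            elif tok in CHAIN_OPTS and nxt:
                if nxt not in BUILTIN_CHAINS and nxt not in user_chains:
                    problems.append((no, "chain", nxt))
            elif tok in JUMP_OPTS and nxt:
                if (nxt not in BUILTIN_TARGETS and nxt not in EXTENSION_TARGETS
                        and nxt not in user_chains):
                    problems.append((no, "target", nxt))
    return problems


# Constructed sample modelled on the chain layout in the post (not the
# poster's script): the chains are created, then a "clean slate" -X removes
# them again before they are referenced, and INPUT is misspelled once.
SAMPLE_SCRIPT = r"""#!/bin/sh
# constructed sample
IPTABLES=/usr/local/sbin/iptables
LAN_IFACE="eth0"
HPOT_IP="10.3.2.121"
UDPRATE="20"
SCALE="hour"

$IPTABLES -N udpHandler
$IPTABLES -N tcpHandler

# a later flush block: bare -X deletes every user-defined chain, so the
# handlers created above no longer exist when the rules below refer to them
$IPTABLES -F
$IPTABLES -X

$IPTABLES -A INPUT -i lo -p all -j ACCEPT
for host in ${HPOT_IP}; do
    $IPTABLES -A INPUT -p udp -i $LAN_IFACE -m state --state NEW \
        -m limit --limit ${UDPRATE}/${SCALE} --limit-burst ${UDPRATE} \
        -s ${host} -j udpHandler
    $IPTABLES -A INPUT -p udp -i $LAN_IFACE -m state --state NEW \
        -s ${host} -j LOG --log-prefix "Drop udp after ${UDPRATE} attempts"
done
$IPTABLES -A INUT -i $LAN_IFACE -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A udpHandler -j LOG --log-prefix "OUTBOUND CONN UDP: "
"""

if __name__ == "__main__":
    for line_no, kind, name in find_missing_targets(SAMPLE_SCRIPT):
        hint = f" (iptables would try libipt_{name}.so)" if kind == "target" else ""
        print(f"line {line_no}: unknown {kind} {name!r}{hint}")
```

Run against the sample it reports the `udpHandler` jump inside the loop, the `INUT` chain, and the later `-A udpHandler`; the first and last vanish if the `-X` line is moved above the `-N` lines, which is the usual way to order a flush block. The checker only sees rules in their literal form (variables stay as `$NAME`), so it cannot tell whether `$IPTABLES` points at the intended binary, which is the other thing worth confirming when the library directory in the error message looks unexpected.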





