[Snort-users] Snort Inline
bmcdowell at ...7861...
Thu Jan 2 08:52:10 EST 2003
I have no 'official' documentation as of yet. I'm still feeling around in
the dark, searching for answers. I can, however, share with you the (mostly
undocumented) steps you'll need to take. Maybe someone from the list can
correct my mistakes.
1) Get the iptables source and re-compile it into the kernel src, with ipq
enabled: make install-devel KERNEL_DIR=(your kernel source dir)
2) Then compile your new kernel with that option. You will have to enable
'Experimental code' as well as 'Userspace queuing' in your 'make menuconfig'
3) Get and install libpcap
4) Get and compile snort-inline - './configure --enable-inline'
5) Change one of the included rules from 'alert xyz' to 'drop xyz'
6) Run snort with the -Q option
If you get no errors, you are now as far as I am...
As I've stated, I'm have issues with logging. With the -Q option passed to
snort, it does not log anything at all. I suppose it may not even be
working at all, but at least I've quieted all the errors.
From: Kevin Pietersma [mailto:kev at ...526...]
Sent: Thursday, January 02, 2003 10:36 AM
To: bmcdowell at ...7861...; snort-users at lists.sourceforge.net
Subject: RE: [Snort-users] Snort Inline
I'm on the verge of doing a SNORT inline implementation and am just
beginning my research. You mentioned you'd be writing up the steps once you
were done. Do you have any documentation that you could share?
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of Bob McDowell
Sent: Tuesday, December 31, 2002 3:23 PM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Snort Inline
Has anyone on the list successfully installed/configured snort in inline
mode? I've been wrestling with it for days, and I think I'm getting close.
My biggest gripe about it is that I can't seem to find any help with it. It
took a lot of head scratching to get as far as I have...
When I'm done I'll write up the steps it took me to get it snorting. In the
mean time, can anyone out there help me? Any documentation, tips, warnings,
etc would be greatly appreciated.
Specifically, I'm now stuck with a message that reads 'InlineInit: :
Failed to send netlink message: Connection refused'
Thanks in advance.
Cox HealthPlans, LLC
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Snort-users