[Snort-users] Snort Inline

Bob McDowell bmcdowell at ...7861...
Fri Jan 3 11:59:05 EST 2003

I've just have some success with the flexible response feature.  At this
time it works and inline does not.  I went back to pre-compiled binaries and
that got flexresp working, so I must have been doing something wrong.  At
any rate, my pre-compiled snort-inline (from the Honeynet project website)
has the same symptoms as the one I compiled.

I've tested flexresp with FTP and it looks very promising.  I used the
'Password wh00t' rule (in ftp.rules) for testing.  First I set up an FTP
user with that pw and made sure it could log on.  Then I modified the rule
with 'resp:rst_all;' just before the '  rev:4;)'.  Now when I use the ftp
client (and sniff the traffic) I see exactly what I'm supposed to see.  The
FTP conversation happens normally, but when the flexresp sees 'PASS wh00t'
it interrupts the rest of the session with the RST's.  The client reports
'Connection closed by remote host' and exits.

In short: flexresp 1, inline 0.

-----Original Message-----
From: Bob McDowell [mailto:bmcdowell at ...7861...]
Sent: Friday, January 03, 2003 11:07 AM
To: 'snort-users at lists.sourceforge.net'
Subject: RE: [Snort-users] Snort Inline

Well, I've done some testing, and my config does not work.  Specifically I'm
using the ftp 'pass wh00t' rule.  Using -Q does not alert, not does it drop
the packet (as I still get logged in).  Leaving off the -Q generates an
alert (even though the rule says drop, it still alerts) but does not drop.

Rich Adamson said that this wouldn't work correctly, and I'm beginning to
believe it.  It's quite likely that I've made a mistake in my setup, and I'd
love to get some help from someone who has this working correctly.  At the
moment, however, I'm inclined to go look at the flexible response...

Please, fellow inline users, post your config steps so we can compare notes.

-----Original Message-----
From: Jihoon Chung [mailto:difro at ...7892...]On Behalf Of Jihoon Chung
Sent: Thursday, January 02, 2003 7:48 PM
To: Bob McDowell
Cc: 'Kevin Pietersma'; snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Snort Inline

Don't you have to put something like below to get all the packets?

iptables -t filter -A FORWARD -j QUEUE

Last time I used snort-inline (was very long ago..), I put the above
line and it worked nicely..

On Thu, Jan 02, 2003 at 10:52:28AM -0600, Bob McDowell wrote:
> I have no 'official' documentation as of yet.  I'm still feeling around in
> the dark, searching for answers.  I can, however, share with you the
> undocumented) steps you'll need to take.  Maybe someone from the list can
> correct my mistakes.
> 1)  Get the iptables source and re-compile it into the kernel src, with
> enabled:  make install-devel KERNEL_DIR=(your kernel source dir)
> 2)  Then compile your new kernel with that option.  You will have to
> 'Experimental code' as well as 'Userspace queuing' in your 'make
> step.
> 3)  Get and install libpcap
> 4)  Get and compile snort-inline - './configure --enable-inline'
> 5)  Change one of the included rules from 'alert xyz' to 'drop xyz'
> 6)  Run snort with the -Q option
> If you get no errors, you are now as far as I am...
> As I've stated, I'm have issues with logging.  With the -Q option passed
> snort, it does not log anything at all.  I suppose it may not even be
> working at all, but at least I've quieted all the errors.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20030103/35aedac1/attachment.html>

More information about the Snort-users mailing list