[Snort-users] sending netlink message: Connection Refused

Alberto Colosi/SI/RM/GSI/it alberto.colosi at ...14413...
Wed Sep 17 05:19:48 EDT 2008


Hi, strangely enough it is working now. Strange! ip_queue was already loaded.
Can it unload by itself???

However, I have this inside syslog:

Sep 17 11:11:57 nova5 modprobe: modprobe: Can't locate module iptable_QUEUE

and until now I have been unable to see SNORT really block any traffic. Is
there a way inside the rules to know if a rule drops or logs or ........

now SNORT is running with:

modprobe ip_queue
iptables -A FORWARD -p tcp -m tcp --dport 80 -j QUEUE

snort -c /usr/local/snort/etc/snort.conf -g snort -u snort -X -U -y -s -Q -D --disable-inline-initialization

I have added --disable-inline-initialization so as to be sure
(because I'm testing on a production machine and do not want to have
strange results).
However, even if I run it without --disable-inline-initialization
it seems not to block, for example, P2P traffic. It logs it but nothing
else. Is there then a way to see packets and QUEUE activity?

iptables -A FORWARD -p tcp -m tcp --dport 80 -j QUEUE

sends only port 80 traffic to be sniffed by snort inline? And what if I would
like to have all traffic sniffed, as when snort runs NOT INLINE?

* I'm really new to snort :D


-------------------------------
Alberto Colosi
IBM Global Business Services
Sistemi Informativi S.P.A.
IT NetWork & Security Department
 *-* *-* *-*
SECURITY IS EVERYONE'S BUSINESS

Member of
IBM Information Security WW CoP






"Will Metcalf" <william.metcalf at ...11827...> 
16/09/2008 17.52

To
"Alberto Colosi/SI/RM/GSI/it" <alberto.colosi at ...14413...>
cc
"Snort Users" <Snort-users at lists.sourceforge.net>
Subject
Re: [Snort-users] sending netlink message: Connection Refused






You must first load the ip_queue module if it is not already loaded.

modprobe ip_queue

Also what user are you running snort as?  You must run as root to
interact with ipqueue

Regards,

Will

On Tue, Sep 16, 2008 at 9:32 AM, Alberto Colosi/SI/RM/GSI/it
<alberto.colosi at ...14413...> wrote:
>
> hi, an information.
>
> While working, snort 2.8.3 has stopped logging inside syslog.
>
> I have restarted my machine and I have restarted snort many times. It is
> inline compiled but not working in inline.
>
> After different tests I have run it not in DAEMON mode and I got a
>         "sending netlink message:              Connection Refused"
>
> Why did it happen? I have changed nothing ....... or at least I think so. No
> other users could have changed anything because no one compiles or configures
> anything there.
>
> Running snort without -Q, not reading from IPTABLES, it has started to work
> again.
>
> What's on??.