[Snort-users] sending netlink message: Connection Refused

Will Metcalf william.metcalf at ...11827...
Wed Sep 17 11:16:09 EDT 2008


Well, first off, you need to pass both sides of the conversation to
snort; otherwise your rules with the established keyword (i.e.
essentially every tcp based rule) will not fire, so you need

iptables -A FORWARD -p tcp -m tcp --dport 80 -j QUEUE
iptables -A FORWARD -p tcp -m tcp --sport 80 -j QUEUE

There is nothing stopping you from firing up another instance of snort
that just listens on an interface in IDS mode.

Regards,

Will
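As an added example (not part of the thread), a small POSIX sh/awk check that reads an iptables-save dump and reports TCP QUEUE rules that catch only one direction of a conversation, printing the rule that would complete each pair; the sample dump below is constructed to mirror the one-sided port 80 rule discussed above.

```shell
#!/bin/sh
# Added example (not from the thread): audit an iptables-save dump for
# TCP QUEUE rules that send only one direction of a conversation to snort.
# Constructed sample, mirroring the one-sided port 80 rule from the thread;
# the 443 pair shows what a complete rule set looks like.
SAMPLE_RULES='*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -p tcp -m tcp --dport 80 -j QUEUE
-A FORWARD -p tcp -m tcp --dport 443 -j QUEUE
-A FORWARD -p tcp -m tcp --sport 443 -j QUEUE
COMMIT'

# For every port queued by --dport without a matching --sport rule (and
# vice versa), print the iptables command that would queue the missing
# direction. Exit status 1 when anything is missing, 0 when balanced.
find_one_sided_queue() {
  printf '%s\n' "$1" | awk '
    /-j QUEUE/ {
      for (i = 1; i <= NF; i++) {
        if ($i == "--dport") d[$(i+1)] = $2   # $2 is the chain name
        if ($i == "--sport") s[$(i+1)] = $2
      }
    }
    END {
      rc = 0
      for (p in d) if (!(p in s)) {
        print "missing: iptables -A " d[p] " -p tcp -m tcp --sport " p " -j QUEUE"; rc = 1
      }
      for (p in s) if (!(p in d)) {
        print "missing: iptables -A " s[p] " -p tcp -m tcp --dport " p " -j QUEUE"; rc = 1
      }
      exit rc
    }'
}

# Stand-alone run against the constructed sample; on a real box feed it
# the output of "iptables-save" instead of the sample text.
if find_one_sided_queue "$SAMPLE_RULES"; then
  echo "QUEUE rules cover both directions"
fi
```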

On Wed, Sep 17, 2008 at 4:19 AM, Alberto Colosi/SI/RM/GSI/it
<alberto.colosi at ...14413...> wrote:
>
> Hi, even stranger, it is working now. Strange! ip_queue was already loaded.
> Can it unload by itself???
>
> However, I have inside syslog: Sep 17 11:11:57 nova5 modprobe:
> modprobe: Can't locate module iptable_QUEUE
>
> and till now I was unable to really see SNORT block any traffic. Is
> there a way inside rules to know if a rule drops or logs or ........
>
> now SNORT is running with:
>
> modprobe ip_queue
> iptables -A FORWARD -p tcp -m tcp --dport 80 -j QUEUE
>
>  snort -c /usr/local/snort/etc/snort.conf -g snort -u snort -X -U -y -s -Q
> -D --disable-inline-initialization
>
> I have added --disable-inline-initialization so to be sure
> (because I'm testing on a production machine and not wanting to have strange
> results).
> However, even if I run it without --disable-inline-initialization
> it seems not to block, for example, P2P traffic. It logs it but nothing
> else. Is there then a way to see packets and QUEUE activity?
>
> iptables -A FORWARD -p tcp -m tcp --dport 80 -j QUEUE
>
> send only port 80 traffic to be sniffed by snort inline? And if I would
> like to have all traffic sniffed, as when snort runs NOT INLINE?
>
> * I'm really new to snort :D
>
>
> -------------------------------
> Alberto Colosi
> IBM Global Business Services
> Sistemi Informativi S.P.A.
> IT NetWork & Security Department
> *-* *-* *-*
> SECURITY IS EVERYONE'S BUSINESS
>
> Member of
> IBM Information Security WW CoP
>
>
> "Will Metcalf" <william.metcalf at ...11827...>
>
> 16/09/2008 17.52
>
> To
> "Alberto Colosi/SI/RM/GSI/it" <alberto.colosi at ...14413...>
> cc
> "Snort Users" <Snort-users at lists.sourceforge.net>
> Subject
> Re: [Snort-users] sending netlink message: Connection Refused
>
> You must first load the ip_queue module if it is not already loaded.
>
> modprobe ip_queue
>
> Also what user are you running snort as?  You must run as root to
> interact with ipqueue
>
> Regards,
>
> Will
>
> On Tue, Sep 16, 2008 at 9:32 AM, Alberto Colosi/SI/RM/GSI/it
> <alberto.colosi at ...14413...> wrote:
>>
>> hi, some information.
>>
>> while working, snort 2.8.3 has stopped logging inside syslog.
>>
>> I have restarted my machine and I have restarted snort many times. It is
>> compiled inline but not working inline.
>>
>> After different tests I ran it not in DAEMON mode and I got a
>>         "sending netlink message: Connection Refused"
>>
>> why did it happen? I have changed nothing ....... or at least I think so. No
>> other users could have changed anything because no one compiles or configures
>> anything there.
>>
>> Running snort without -Q, not reading from IPTABLES, it has started to work
>> again.
>>
>> What's going on??
>>
>>
>
>