[Snort-users] inline mode works(seems) without compiling with --enable-inline option

Joel Ebrahimi joel.ebrahimi at ...11827...
Fri Aug 7 18:06:02 EDT 2009


Cool. Thanks for the info.
I'm curious now so I will take a look and make an IPS build.

// Joel

On Fri, Aug 7, 2009 at 1:42 PM, Russ Combs <rcombs at ...1935...> wrote:

> Comments below ...
>
> On Fri, Aug 7, 2009 at 4:08 PM, Joel Ebrahimi <joel.ebrahimi at ...11827...> wrote:
>
>> I have always been curious how this works. Working for Bivio Networks I
>> know that there is a Snort IPS that Sourcefire uses on our platform but I
>> was never sure how they integrated it. Since our performance relies on pcap
>> and since our pcap is modified to drop packets I had assumed it was all
>> handled through pcap.
>> So does --enable-inline need to be used at all to initialize any of the
>> drop structures or mechanisms?
>>
>
> That depends on what you are trying to do:
>
> * use --enable-inline for ipq.
> * use --enable-inline --enable-ipfw for ipfw.
> * otherwise, if you have a modified libpcap, the drop is handled there.
> * otherwise, the drop doesn't take place.
>
>
>> Would the keyword 'drop' still be able to be used from the rules just like
>> the -Q option is allowed ?
>>
>
> Using -Q and a drop action in a rule is perfectly fine without the use of
> --enable-inline with a modified libpcap.
>
>>
>> I don't actually see any of the Bivio specific API calls to drop packets.
>> I'm assuming this is not released in the general Snort release. Is this code
>> available or is it licensed differently than the available public Snort?
>>
>
> There are no calls to non-standard libpcap API functions in Snort.
> Everything to do this is there in the snort code base and the license is the
> same.  There are a few global variables that need to be shared between the
> pcap library and Snort.  Have a look at inline.c for details.
>
>
>> Thanks,
>>
>> // Joel
>>
>> On Wed, Aug 5, 2009 at 8:48 AM, Russ Combs <rcombs at ...1935...> wrote:
>>
>>> Hey Justin,
>>>
>>> Thanks for the patch.  The -Q option, and the inline implementation in
>>> general, is a little confusing.  However, there is no warning without
>>> --enable-inline because it allows Snort to be deployed inline using 3rd
>>> party pcap implementations that don't require ipq or ipfw.
>>>
>>> Compounding that, the help for -Q is only output for ipq builds.  The
>>> help will be addressed in an upcoming release.
>>>
>>> Russ
>>>
>>> On Wed, Aug 5, 2009 at 8:11 AM, justin joseph <justinjoseph007 at ...11827...> wrote:
>>>
>>>> Hi
>>>>
>>>> We're trying to configure snort-inline on Ubuntu hardy (snort version
>>>> 2.7.0) for some days.
>>>> Today I figured out by looking at the code that even if snort was not
>>>> compiled with the --enable-inline option, it was seemingly running with
>>>> the -Q option (drop, sdrop, reject won't work of course).
>>>>
>>>> IMHO this confuses a newbie user like me because if snort was not
>>>> compiled enabling
>>>> inline mode then it is supposed to print error and abort if user tries
>>>> to run with the -Q option.
>>>>
>>>> Attached patch against 2.8.4 (changes in snort.c) or something like
>>>> that would be nice IMHO.
>>>>
>>>> thank you
>>>> Justin
>>>>
>>>>
>>>> ------------------------------------------------------------------------------
>>>> Let Crystal Reports handle the reporting - Free Crystal Reports 2008
>>>> 30-Day
>>>> trial. Simplify your report design, integration and deployment - and
>>>> focus on
>>>> what you do best, core application coding. Discover what's new with
>>>> Crystal Reports now.  http://p.sf.net/sfu/bobj-july
>>>> _______________________________________________
>>>> Snort-users mailing list
>>>> Snort-users at lists.sourceforge.net
>>>> Go to this URL to change user options or unsubscribe:
>>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>>> Snort-users list archive:
>>>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>>>
>>>
>>>
>>
>>
>