[Snort-users] Snort 2.9.0 Now Available

Russ Combs rcombs at ...1935...
Tue Oct 5 13:09:52 EDT 2010


On Tue, Oct 5, 2010 at 12:33 PM, waldo kitty <wkitty42 at ...14940...>wrote:

> On 10/5/2010 12:12, Russ Combs wrote:
> >
> > On Tue, Oct 5, 2010 at 12:00 PM, waldo kitty <wkitty42 at ...14940...
> > <mailto:wkitty42 at ...14940...>> wrote:
> >     as written above, there is no libnet in use at all in the product i'm
> working
> >     with... there's no libdnet, either... we've simply never had a need
> for
> >     either...
> >
> > OK - libnet was only required for inline builds.  I'm looking into a
> change that
> > may obviate dnet for Snort when active response is not configured.
>
> interesting... i assume that "active response" means "inline"?? i also
> assume
> that "active response" means that snort does the dropping/blocking of
> unwanted
> traffic and notifies iptables to create drop/block and log rules? how much
> more
> memory is consumed by snort in inline mode?
>

This one might be worth your time to dig into a little ... the DAQ README
and Snort README.active are a good place to start.  There is a lot there and
I can't do it justice here, but some responses to the above:

* Active response enables sending TCP resets or ICMP unreachables and is
possible in passive or inline mode.
* The DAQ provides more flavors than just pcap or iptables (via NFQ or
IPQ).  See, for example, afpacket.
* Also, NFQ and IPQ don't update iptables rules; all packets pass through
Snort which renders a verdict to the kernel.


> >      > > With 2.9.0, you *must* use the DAQ.  By default, you will wind
> up using a
> >      >     pcap
> >      > > DAQ, but the DAQ is a separate package that must be installed.
>  This is
> >      >     new for
> >      > > 2.9.0.
> >      >
> >      >     ugh! when does the madness end? :lol: i'll have to see if i
> can hunt
> >     up the
> >      >     archive for that... hopefully it is available at
> >      > www.snort.org/ports/snort-current/
> >      >
> >      > You can find it here, along with Snort:
> http://www.snort.org/snort-downloads.
> >
> >     i'd rather find it in a place that is automation and script
> friendly... that web
> >     page link is not :?
> >
> > This is another issue worth sending to the web site maintainers.
>
> :?
>
> FWIW: luckily enough, DAQ is available at the above location...
>
> http://www.snort.org/ports/snort-current/daq-0.2.tar.gz
>
>
>
> ------------------------------------------------------------------------------
> Beautiful is writing same markup. Internet Explorer 9 supports
> standards for HTML5, CSS3, SVG 1.1,  ECMAScript5, and DOM L2 & L3.
> Spend less time writing and  rewriting code and more time creating great
> experiences on the web. Be a part of the beta today.
> http://p.sf.net/sfu/beautyoftheweb
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20101005/3f50517b/attachment.html>


More information about the Snort-users mailing list