[Snort-users] Snort Inline incompatible libipq???

spiderslack spiderslack at ...6873...
Tue Sep 21 11:07:35 EDT 2010


Hello people.

I've been testing Snort inline mode using a bridge. I installed Ubuntu 10.04 
and ran Snort with the following commands at boot.

modprobe ip_queue
iptables -I FORWARD -p tcp --dport 3389 -j QUEUE
/usr/sbin/snort -m 027 -D -Q -l /var/log/snort -u snort -g snort -c /etc/snort/snort.conf -S HOME_NET=[192.168.0.0/24] -i br0



However, trying to access a server via Terminal Services behind Snort 
does not work; it only works when I remove the iptables rule. After some 
analysis with Wireshark and iptraf, I noticed that only the SYN packet is 
sent and nothing more. Then I began to seek help on Google and found the 
following link.

http://www.linuxquestions.org/questions/linux-networking-3/netfilter-problem-compiling-libipq-example-807418/

Where a user said:

-----------------------------------------------------------------
If libipq is not used for Linux 2.6.x, what's the alternative to be able 
to use netfilter?

You should use the new libnetfilter_queue library instead. You can find 
documentation and code examples at 
http://www.nufw.org/doc/libnetfilter_queue/index.html

Maybe it's possible to use the old libipq, but it is now deprecated and 
much of the network system has changed in the recent kernels. I don't 
recommend libipq.
---------------------------------------------------------------

If the assertion that the 2.6 kernel no longer uses libipq and should 
use libnetfilter_queue is true, it could be the cause of the problem. 
I imagine that the netfilter queuing rule throws the packet to the queue 
in userspace, but there is no software able to reply NF_ACCEPT or 
NF_DROP: Snort is up there, but since the kernel no longer uses libipq, 
it does not correctly interpret the NF_ACCEPT or NF_DROP "commands". If 
the 2.6 kernel no longer uses libipq, only libnetfilter_queue, then the 
commands Snort sends via libipq are not being interpreted and the data 
packets are stuck in the QUEUE forever. To reach that conclusion, does 
anyone know any command, or a /proc view of the queue, to see if the 
data packets are going there? I'm trying to compile C code that gives 
NF_ACCEPT to every packet in the queue to check whether I'm correct. But 
if someone has been there, or has any idea of the problem or where it 
may be wrong, I thank you.

Regards.
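The /proc view asked for above, as an added example that is not part of the original post or of Snort. The ip_queue module (iptables QUEUE target, read through libipq) exposes /proc/net/ip_queue, and the nfnetlink_queue module (NFQUEUE target, read through libnetfilter_queue) exposes /proc/net/netfilter/nfnetlink_queue; on a 2.6.32 kernel such as Ubuntu 10.04's, ip_queue is deprecated but still present (it was not removed until Linux 3.5), so a QUEUE rule still works as long as a libipq reader is bound to it. In both files the first thing to look at is the peer: a "Peer PID" (ip_queue) or peer port id (nfnetlink_queue) of 0 means no process is attached, so nothing can ever answer NF_ACCEPT or NF_DROP and the queued packet goes nowhere, which is consistent with seeing a SYN and nothing after it. The program below reads both files when they exist and otherwise falls back to constructed samples written in the kernel's own output layout (field names and column order taken from ip_queue.c and nfnetlink_queue.c; the numbers are made up), so it does not need libipq or libnetfilter_queue and can be built anywhere with a C compiler.

```c
/* queue_check.c: is anyone bound to the netfilter userspace queue?
 * Parses /proc/net/ip_queue (QUEUE target) and
 * /proc/net/netfilter/nfnetlink_queue (NFQUEUE target).
 * Added example; sample texts are constructed, not captured. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum queue_state { QUEUE_OK = 0, QUEUE_NO_READER = 1, QUEUE_DROPPING = 2 };

struct queue_status {
    int peer_pid;          /* pid / netlink port id of the reader; 0 = none */
    unsigned queue_len;    /* packets waiting in the kernel for a verdict */
    unsigned dropped;      /* packets discarded because the queue was full */
    unsigned user_dropped; /* packets the kernel failed to deliver over netlink */
};

/* Copy one line of p into out (no newline); return the next line or NULL. */
static const char *next_line(const char *p, char *out, size_t n)
{
    const char *nl;
    size_t len;
    if (p == NULL || *p == '\0')
        return NULL;
    nl = strchr(p, '\n');
    len = nl ? (size_t)(nl - p) : strlen(p);
    if (len >= n)
        len = n - 1;
    memcpy(out, p, len);
    out[len] = '\0';
    return nl ? nl + 1 : p + strlen(p);
}

/* "Key : value" layout of /proc/net/ip_queue. 0 = all four fields found,
 * -1 = not an ip_queue dump (e.g. module not loaded, file empty). */
int parse_ip_queue(const char *text, struct queue_status *st)
{
    char line[256];
    int found = 0;
    memset(st, 0, sizeof *st);
    while ((text = next_line(text, line, sizeof line)) != NULL) {
        const char *val = strchr(line, ':');
        if (val == NULL)
            continue;
        val++;
        if (strncmp(line, "Peer PID", 8) == 0) {
            st->peer_pid = atoi(val);                            found |= 1;
        } else if (strncmp(line, "Queue length", 12) == 0) {    /* not "Queue max. length" */
            st->queue_len = (unsigned)strtoul(val, NULL, 10);    found |= 2;
        } else if (strncmp(line, "Queue dropped", 13) == 0) {
            st->dropped = (unsigned)strtoul(val, NULL, 10);      found |= 4;
        } else if (strncmp(line, "Netlink dropped", 15) == 0) {
            st->user_dropped = (unsigned)strtoul(val, NULL, 10); found |= 8;
        }
    }
    return found == 15 ? 0 : -1;
}

/* One line per queue in /proc/net/netfilter/nfnetlink_queue: queue_num
 * peer_portid queue_total copy_mode copy_range queue_dropped
 * queue_user_dropped id_sequence 1.  -1 = no program created queue qnum. */
int parse_nfqueue(const char *text, int qnum, struct queue_status *st)
{
    char line[256];
    memset(st, 0, sizeof *st);
    while ((text = next_line(text, line, sizeof line)) != NULL) {
        int num, peer, total, mode, range, drop, udrop, seq, one;
        if (sscanf(line, "%d %d %d %d %d %d %d %d %d", &num, &peer, &total,
                   &mode, &range, &drop, &udrop, &seq, &one) != 9 || num != qnum)
            continue;
        st->peer_pid = peer;  st->queue_len = (unsigned)total;
        st->dropped = (unsigned)drop;  st->user_dropped = (unsigned)udrop;
        return 0;
    }
    return -1;
}

enum queue_state classify(const struct queue_status *st)
{
    if (st->peer_pid == 0)
        return QUEUE_NO_READER;   /* nothing can issue NF_ACCEPT / NF_DROP */
    if (st->dropped > 0 || st->user_dropped > 0)
        return QUEUE_DROPPING;
    return QUEUE_OK;
}

const char *describe(enum queue_state s)
{
    switch (s) {
    case QUEUE_NO_READER: return "no userspace reader bound: packets get no verdict";
    case QUEUE_DROPPING:  return "reader present but packets are being dropped";
    default:              return "reader present, packets handed over for verdicts";
    }
}

/* Whole file into buf, or -1 if it cannot be opened. */
static int slurp(const char *path, char *buf, size_t n)
{
    FILE *f = fopen(path, "r");
    size_t got;
    if (f == NULL)
        return -1;
    got = fread(buf, 1, n - 1, f);
    buf[got] = '\0';
    fclose(f);
    return 0;
}

/* Constructed samples in the kernel's formats (values invented). */
const char SAMPLE_IP_QUEUE_NO_READER[] =
    "Peer PID          : 0\nCopy mode         : 0\nCopy range        : 0\n"
    "Queue length      : 0\nQueue max. length : 1024\n"
    "Queue dropped     : 0\nNetlink dropped   : 0\n";
const char SAMPLE_IP_QUEUE_READER[] =
    "Peer PID          : 1842\nCopy mode         : 2\nCopy range        : 65535\n"
    "Queue length      : 3\nQueue max. length : 1024\n"
    "Queue dropped     : 0\nNetlink dropped   : 0\n";
const char SAMPLE_NFQUEUE[] = "    0  2931     1 2    65531     0     0       57  1\n";

int main(void)
{
    static char buf[4096];
    struct queue_status st;
    const char *src;
    src = slurp("/proc/net/ip_queue", buf, sizeof buf) == 0 ? buf : SAMPLE_IP_QUEUE_NO_READER;
    if (parse_ip_queue(src, &st) == 0)
        printf("ip_queue: peer=%d queued=%u dropped=%u -> %s\n", st.peer_pid,
               st.queue_len, st.dropped, describe(classify(&st)));
    else
        puts("ip_queue: not available (module not loaded?)");
    src = slurp("/proc/net/netfilter/nfnetlink_queue", buf, sizeof buf) == 0 ? buf : SAMPLE_NFQUEUE;
    if (parse_nfqueue(src, 0, &st) == 0)
        printf("nfqueue 0: peer=%d queued=%u dropped=%u -> %s\n", st.peer_pid,
               st.queue_len, st.dropped, describe(classify(&st)));
    else
        puts("nfqueue 0: no program has created queue 0");
    return 0;
}
```

Run it as root on the bridge host while Snort is up; pair it with `iptables -L FORWARD -v -n`, whose pkts/bytes counters on the QUEUE rule show whether traffic is reaching the rule at all. A nonzero "Peer PID" with "Queue length" climbing and never draining points at the reader not answering verdicts; a "Peer PID" of 0 means Snort never bound to ip_queue (wrong build, wrong module, or it died), which is the case to rule out before suspecting the libipq versus libnetfilter_queue question.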




