[Snort-users] Snort Inline incompatible libipq???

Tomas Heredia tomas.heredia at ...12297...
Tue Sep 21 11:35:31 EDT 2010


Hi!
On 21/09/2010 12:07 p.m., spiderslack wrote:
> Hello people.
>
> I've been testing snort inline mode using a bridge. I installed Ubuntu 
> 10.04 and ran snort with the following commands at boot.
>
> modprobe ip_queue
> iptables -I FORWARD -p tcp --dport 3389 -j QUEUE
> /usr/sbin/snort -m 027 -D -Q -l /var/log/snort -u snort -g snort -c 
> /etc/snort/snort.conf -S HOME_NET=[192.168.0.0/24] -i br0
Wrong syntax
You should use -Q instead of -i br0

Cheers!

>
>
> However, when trying to access a server via terminal service behind snort, 
> it does not work; it only works when I remove the iptables rule. After some 
> analysis with wireshark and iptraf I noticed that only the SYN packet is sent 
> and nothing more. Then I began to seek help on google and found the 
> following link.
>
> http://www.linuxquestions.org/questions/linux-networking-3/netfilter-problem-compiling-libipq-example-807418/
>
> Where a user said:
>
> -----------------------------------------------------------------
> If libipq is not used for linux 2.6.x what's the alternative to be able 
> to use netfilter?
>
> You should use the new libnetfilter_queue library instead. You can find 
> documentation and code examples at 
> http://www.nufw.org/doc/libnetfilter_queue/index.html
>
> Maybe it's possible to use the old libipq but its now deprecated and 
> much of the network system has changed in the recent kernels. I don't 
> recommend libipq.
> ---------------------------------------------------------------
>
> If the assertion that the 2.6 kernel no longer uses libipq and should 
> use libnetfilter_queue is true, it could be the cause of the problem. 
> I imagine this means the netfilter queuing rule throws the packet to the 
> queue in userspace, but there is no software able to reply NF_ACCEPT or 
> NF_DROP; snort is up there, but the kernel no longer uses libipq and does 
> not correctly interpret the "commands" NF_ACCEPT or NF_DROP. If the 
> 2.6 kernel no longer uses libipq, only libnetfilter_queue, the commands 
> sent via libipq by snort are not being interpreted and the data packets 
> are stuck in QUEUE forever. To verify that conclusion, does anyone know 
> any command, or a way via /proc to view the queue, to see if the data 
> packets are going there? I'm trying to compile a C program that gives 
> only NF_ACCEPT to every data packet in the queue, to check if I'm correct. 
> But if someone has been there or has any idea of the problem or where it 
> may be wrong, I thank you.
>
> Regards.
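Spiderslack asks for a command or /proc entry that shows whether queued packets are actually reaching a userspace peer. With the ip_queue module loaded, the kernel reports that state in /proc/net/ip_queue. The POSIX sh script below is an added example, not code from this thread or from the Snort project: it parses that file and reports whether a peer process is attached (a nonzero Peer PID) and whether the kernel is dropping queued packets. The two sample status texts are constructed for offline testing; on a live sensor run `ipq_status < /proc/net/ip_queue`.

```shell
#!/bin/sh
# Check whether packets sent to an iptables QUEUE rule are reaching a
# userspace peer (snort -Q via ip_queue) or sitting with nobody to give a
# verdict. ip_queue reports its state in /proc/net/ip_queue; the field
# names below are the ones that file prints.

# ipq_field TEXT NAME: print the numeric value of one status field.
ipq_field() {
    printf '%s\n' "$1" | awk -F':' -v key="$2" '
        { name = $1; sub(/[ \t]+$/, "", name) }
        name == key { gsub(/[ \t]/, "", $2); print $2; exit }
    '
}

# ipq_status < STATUSFILE: classify the queue state read on stdin.
# Prints one word and returns 0 only for "ok":
#   no-peer   no process is attached, so queued packets are dropped
#             (a client sees its SYN leave and nothing come back)
#   dropping  a peer is attached but the kernel is still dropping
#   ok        a peer is attached and nothing has been dropped
ipq_status() {
    text=$(cat)
    pid=$(ipq_field "$text" "Peer PID")
    dropped=$(ipq_field "$text" "Queue dropped")
    nl_dropped=$(ipq_field "$text" "Netlink dropped")
    if [ "${pid:-0}" -eq 0 ]; then
        echo no-peer; return 1
    elif [ "${dropped:-0}" -gt 0 ] || [ "${nl_dropped:-0}" -gt 0 ]; then
        echo dropping; return 1
    fi
    echo ok
}

# Constructed sample status files (not captured from a real sensor).
IPQ_SAMPLE_NO_PEER='Peer PID          : 0
Copy mode         : 0
Copy range        : 0
Queue length      : 1024
Queue max. length : 1024
Queue dropped     : 57
Netlink dropped   : 0'

IPQ_SAMPLE_OK='Peer PID          : 4312
Copy mode         : 2
Copy range        : 65535
Queue length      : 3
Queue max. length : 1024
Queue dropped     : 0
Netlink dropped   : 0'
```

A "no-peer" result while snort is running means snort never attached to ip_queue, which is a different failure from a peer that is attached but answering slowly ("dropping").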