[Snort-users] Snort Inline incompatible libipq???

spiderslack spiderslack at ...6873...
Wed Sep 22 11:30:54 EDT 2010


On 09/22/2010 08:08 AM, Tomas Heredia wrote:
> Mmmm.. Snort links to libipq... and to use nfnetlink queue, you should 
> link to libnfnetlink_queue instead...
> Better try unloading nfnetlink_queue, nfnetlink and XT_NFQUEUE, and 
> then loading  ip_queue alone
The output of the procedures performed follows.

*unload modules*
root at ...14985...:~# modprobe -r nfnetlink_queue
root at ...14985...:~# modprobe -r nfnetlink
root at ...14985...:~# modprobe -r xt_NFQUEUE
root at ...14985...:~# modprobe -r ip_queue

*list modules load*

root at ...14985...:~# lsmod
Module                  Size  Used by
xt_tcpudp               2667  0
iptable_filter          2791  0
ip_tables              18358  1 iptable_filter
x_tables               22429  2 xt_tcpudp,ip_tables
bridge                 53152  0
stp                     2171  1 bridge
fbcon                  39270  71
tileblit                2487  1 fbcon
font                    8053  1 fbcon
bitblit                 5811  1 fbcon
softcursor              1565  1 bitblit
vga16fb                12757  1
vgastate                9857  1 vga16fb
radeon                739595  0
ttm                    60815  1 radeon
drm_kms_helper         30710  1 radeon
ipmi_si                41065  0
ipmi_msghandler        36955  1 ipmi_si
lp                      9336  0
parport                37160  1 lp
drm                   198226  3 radeon,ttm,drm_kms_helper
i2c_algo_bit            6024  1 radeon
hpilo                   7985  0
i3000_edac              3679  0
psmouse                64608  0
serio_raw               4950  0
shpchp                 33679  0
edac_core              45423  3 i3000_edac
usbhid                 40988  0
hid                    83376  1 usbhid
tg3                   122350  0
root at ...14985...:~#

*load module ip_queue*

root at ...14985...:~# modprobe ip_queue
root at ...14985...:~# lsmod | grep -i queue
ip_queue                6324  0
root at ...14985...:~# lsmod
Module                  Size  Used by
ip_queue                6324  0
xt_tcpudp               2667  0
iptable_filter          2791  0
ip_tables              18358  1 iptable_filter
x_tables               22429  2 xt_tcpudp,ip_tables
bridge                 53152  0
stp                     2171  1 bridge
fbcon                  39270  71
tileblit                2487  1 fbcon
font                    8053  1 fbcon
bitblit                 5811  1 fbcon
softcursor              1565  1 bitblit
vga16fb                12757  1
vgastate                9857  1 vga16fb
radeon                739595  0
ttm                    60815  1 radeon
drm_kms_helper         30710  1 radeon
ipmi_si                41065  0
ipmi_msghandler        36955  1 ipmi_si
lp                      9336  0
parport                37160  1 lp
drm                   198226  3 radeon,ttm,drm_kms_helper
i2c_algo_bit            6024  1 radeon
hpilo                   7985  0
i3000_edac              3679  0
psmouse                64608  0
serio_raw               4950  0
shpchp                 33679  0
edac_core              45423  3 i3000_edac
usbhid                 40988  0
hid                    83376  1 usbhid
tg3                   122350  0
root at ...14985...:~#

*create rules iptables*

root at ...14985...:~# iptables -t filter -I FORWARD -p tcp --dport 3389 -j QUEUE
root at ...14985...:~# iptables -t filter -I FORWARD -p tcp --sport 3389 -j QUEUE

*snort running*

root at ...14985...:~# ps ax | grep -i snort
24224 ?        Ss     0:01 /usr/sbin/snort -m 027 -D -Q -l /var/log/snort -u snort -g snort -c /etc/snort/snort.conf
root at ...14985...:~#

*list rules iptables load*

root at ...14985...:~# iptables -t filter -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
QUEUE      tcp  --  0.0.0.0/0            0.0.0.0/0           tcp spt:3389
QUEUE      tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:3389

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
root at ...14985...:~#

*debug with tcpdump*

root at ...14985...:~# tcpdump -i br0 -n port 3389
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on br0, link-type EN10MB (Ethernet), capture size 96 bytes
11:20:52.147495 IP 100.100.100.100.44361 > 200.200.200.200.3389: Flags [S], seq 973176684, win 5840, options [mss 1460,sackOK,TS val 273500 ecr 0,nop,wscale 7], length 0
11:20:55.286310 IP 100.100.100.100.44361 > 200.200.200.200.3389: Flags [S], seq 973176684, win 5840, options [mss 1460,sackOK,TS val 273800 ecr 0,nop,wscale 7], length 0
11:21:01.143103 IP 100.100.100.100.44361 > 200.200.200.200.3389: Flags [S], seq 973176684, win 5840, options [mss 1460,sackOK,TS val 274400 ecr 0,nop,wscale 7], length 0


And nothing was generated in the alert file. I am sending herewith the 
snort.conf file, but I think that is not the cause of the problem. I'll do 
a test on another distribution to see if it is some incompatibility; I'm 
using Ubuntu version 10.04, and I will test with the CentOS or Fedora 
distribution.

Regards.
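An added diagnostic, not part of the original message or of Snort, for an ip_queue setup like the one above. The output posted leaves three things unverified: whether the QUEUE rules match any packets at all (the listing was taken with `-nL`, so no counters are shown; `-nvL` shows them), whether any process is actually bound to ip_queue (the "Peer PID" line of /proc/net/ip_queue; 0 means packets sent to QUEUE are dropped rather than handed to `snort -Q`), and whether bridged frames on br0 are handed to iptables at all (net.bridge.bridge-nf-call-iptables must be 1 for them to traverse FORWARD). Repeated SYNs with no reply, as in the tcpdump, are consistent with packets being queued and dropped. The file formats assumed are those of the 2.6-era ip_queue module; the sample outputs embedded below are constructed, not captured.

```shell
#!/bin/sh
# Added diagnostic for an ip_queue + QUEUE setup (example code, not from the
# original post or from Snort). The sample outputs below are constructed to
# match the 2.6-era formats of /proc/net/ip_queue and "iptables -nvL".
# Run as root on the sensor for a live result; elsewhere it runs on the samples.

# Extract the "Peer PID" value of /proc/net/ip_queue (read on stdin).
# 0 means no process is bound to the queue: every packet sent to QUEUE is
# dropped instead of being delivered to snort -Q.
ipq_peer_pid() {
    awk -F: '/^Peer PID/ { gsub(/[ \t]/, "", $2); print $2; exit }'
}

# Sum the packet counters of all QUEUE rules in "iptables -nvL <chain>" output
# (read on stdin). Column 1 is pkts, column 3 is the target.
queued_packets() {
    awk '$3 == "QUEUE" { n += $1 } END { print n + 0 }'
}

# Combine the three checks into one verdict line, first thing to fix first.
# Arguments: <peer_pid> <queued_pkts> <bridge_nf_call_iptables>
ipq_verdict() {
    v_pid=${1:-0}; v_pkts=${2:-0}; v_brnf=${3:-1}
    if [ "$v_brnf" = "0" ]; then
        echo "NO_BRIDGE_NF: bridge-nf-call-iptables is 0, bridged frames on br0 skip FORWARD so QUEUE never matches"
    elif [ "$v_pkts" -eq 0 ]; then
        echo "NO_MATCH: QUEUE rules have matched 0 packets, traffic is not traversing FORWARD"
    elif [ "$v_pid" -eq 0 ]; then
        echo "NO_PEER: packets are queued but nothing is bound to ip_queue, snort is not reading via libipq"
    else
        echo "OK: peer pid $v_pid bound, $v_pkts packets queued"
    fi
}

# Constructed /proc/net/ip_queue with no consumer bound (not a real capture).
SAMPLE_IPQ='Peer PID          : 0
Copy mode         : 0
Copy range        : 0
Queue length      : 0
Queue max. length : 1024
Queue dropped     : 0
Netlink dropped   : 0'

# Constructed "iptables -t filter -nvL FORWARD" with the two rules from the
# post, three client SYNs having hit the dport rule (not a real capture).
SAMPLE_RULES='Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    3   180 QUEUE      tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:3389
    0     0 QUEUE      tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:3389'

# Live check when run as root with ip_queue loaded, otherwise the samples.
ipq_diagnose() {
    if [ "$(id -u)" = 0 ] && [ -r /proc/net/ip_queue ]; then
        d_pid=$(ipq_peer_pid </proc/net/ip_queue)
        d_pkts=$(iptables -t filter -nvL FORWARD | queued_packets)
        d_brnf=$(cat /proc/sys/net/bridge/bridge-nf-call-iptables 2>/dev/null || echo 1)
    else
        d_pid=$(printf '%s\n' "$SAMPLE_IPQ" | ipq_peer_pid)
        d_pkts=$(printf '%s\n' "$SAMPLE_RULES" | queued_packets)
        d_brnf=1
    fi
    ipq_verdict "$d_pid" "$d_pkts" "$d_brnf"
}

ipq_diagnose
```

On the constructed samples the verdict is NO_PEER: the rules are matching, but nothing has bound the queue, which is the case the snort binary being linked against the wrong queue library would produce. A NO_MATCH result instead points at the bridge or routing path rather than at Snort.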