[Snort-users] Snort Inline incompatible libipq???
spiderslack at ...6873...
Wed Sep 22 12:15:08 EDT 2010
On 09/22/2010 07:54 AM, Tomas Heredia wrote:
> I can't try it right now, but if I recall right, nfnetlink_queue and
> ip_queue do the same thing, and shouldn't be loaded together..
> Try unloading ip_queue (but keeping nfnetlink_queue)
> On 21/09/2010 04:47 p.m., spiderslack wrote:
>> On 09/21/2010 03:34 PM, Tomas Heredia wrote:
>>> That gave me a hint... I'm recalling from past failures :-)
>>> did you "modprobe ip_queue"?
>>> could you post your "lsmod"?
I managed to compile the C code from the following page. It handles the packet and returns NF_ACCEPT. I compiled it with the following:
root at ...14985...:~/libnetfilter_queue# gcc test1.c -o test1 -lnetfilter_queue
After compiling, I ran the firewall rules below and then ran Snort.
Create the iptables rules:
root@birth:~# iptables -t filter -I FORWARD -p tcp --dport 3389 -j QUEUE
root@birth:~# iptables -t filter -I FORWARD -p tcp --sport 3389 -j QUEUE
root at ...14985...:~# ps ax | grep snort
24608 ? Ss 0:00 /usr/sbin/snort -m 027 -D -Q -l
/var/log/snort -u snort -g snort -c /etc/snort/snort.conf
root at ...14985...:~#
With the nfnetlink_queue module loaded and without running the compiled code, terminal service does not work; if I run the binary, the terminal connection works:
root at ...14985...:~/libnetfilter_queue# ./test1
opening library handle
unbinding existing nf_queue handler for AF_INET (if any)
binding nfnetlink_queue as nf_queue handler for AF_INET
binding this socket to queue '0'
setting copy_packet mode
hw_protocol=0x0800 hook=2 id=0 indev=4 outdev=4 payload_len=60
hw_protocol=0x0800 hook=2 id=1 indev=4 outdev=4 payload_len=52
hw_protocol=0x0800 hook=2 id=2 indev=4 outdev=4 payload_len=96
hw_protocol=0x0800 hook=2 id=3 indev=4 outdev=4 payload_len=458
root at ...14985...:~/libnetfilter_queue#
I tried to compile the code using libipq only; it generates the error below.
root at ...14985...:~# gcc test_libipq.c -o test_libipq -lipq
In file included from test_libipq.c:2:
/usr/include/linux/netfilter.h:55: error: field 'in' has incomplete type
/usr/include/linux/netfilter.h:56: error: field 'in6' has incomplete type
test_libipq.c: In function 'die':
test_libipq.c:32: warning: incompatible implicit declaration of built-in
root at ...14985...:~#
I believe that the latest kernel uses libnetfilter_queue while Snort
still uses libipq; I see no other explanation. To complete my tests I will
test on yet another distribution, but if you have any tips or anything
that could help me, I would be grateful.