[Snort-users] Snort Inline incompatible libipq???

spiderslack spiderslack at ...6873...
Wed Sep 22 12:15:08 EDT 2010


On 09/22/2010 07:54 AM, Tomas Heredia wrote:
> I can´t try it right now, but if I recall right, nfnetlink_queue and 
> ip_queue do the same thing, and shouldn´t be loaded together..
> Try unloading ip_queue (but keeping nfnetlink_queue)
>
>
> El 21/09/2010 04:47 p.m., spiderslack escribió:
>> On 09/21/2010 03:34 PM, Tomas Heredia wrote:
>>> That gave me a hint... I'm recalling from past failures :-)
>>> did you "modprobe ip_queue"?
>>> could you post  your "lsmod"?
>>
Hi Tomas

I managed to compile a code in C of the next page.

http://www.nufw.org/doc/libnetfilter_queue/nfqnl__test_8c-source.html

Handles the packet and generates a NF_ACCEPT compiled with the following 
command.

root at ...14985...:~/libnetfilter_queue# gcc test1.c -o test1 -lnetfilter_queue

after compiling run firewall rules below and run and snort.


create rule iptables

root @ birth: ~ # iptables-t filter-I FORWARD-p tcp - dport 3389-j QUEUE
root @ birth: ~ # iptables-t filter-I FORWARD-p tcp - sport 3389-j QUEUE

snort running

root at ...14985...:~# ps ax | grep snort
24608 ?        Ss     0:00 /usr/sbin/snort -m 027 -D -Q -l 
/var/log/snort -u snort -g snort -c /etc/snort/snort.conf
root at ...14985...:~#

and the module loaded nfnetlink_queue, without running the code compiled 
terminal service does not work if I run the binary connection terminal 
service works.

root at ...14985...:~/libnetfilter_queue# ./test1
opening library handle
unbinding existing nf_queue handler for AF_INET (if any)
binding nfnetlink_queue as nf_queue handler for AF_INET
binding this socket to queue '0'
setting copy_packet mode
pkt received
hw_protocol=0x0800 hook=2 id=0 indev=4 outdev=4 payload_len=60
entering callback
pkt received
hw_protocol=0x0800 hook=2 id=1 indev=4 outdev=4 payload_len=52
entering callback
pkt received
hw_protocol=0x0800 hook=2 id=2 indev=4 outdev=4 payload_len=96
entering callback
pkt received
hw_protocol=0x0800 hook=2 id=3 indev=4 outdev=4 payload_len=458
entering callback
pkt received
^C
root at ...14985...:~/libnetfilter_queue#


I tried to compile the code using libipq only. generates the error below.

root at ...14985...:~# gcc test_libipq.c -o test_libipq -lipq
In file included from test_libipq.c:2:
/usr/include/linux/netfilter.h:55: error: field 'in' has incomplete type
/usr/include/linux/netfilter.h:56: error: field 'in6' has incomplete type
test_libipq.c: In function 'die':
test_libipq.c:32: warning: incompatible implicit declaration of built-in 
function 'exit'
root at ...14985...:~#


I believe that the latest kernel using libnetfilter_queue and snort 
still uses libipq, I see no other answer. To complete my tests I will 
test in yet another distribution, but if they have any tips or anything 
that could help me I thank you.

Regards
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20100922/714e69b4/attachment.html>


More information about the Snort-users mailing list