[Snort-users] qualifying ipfw for freebsd port of 2.9.0.3

Michael Scheidell michael.scheidell at ...8144...
Fri Feb 4 17:01:36 EST 2011


I am working on qualifying the FreeBSD port for --daq ipfw for FreeBSD 
7.3, amd64 and snort 2.9.0.3

I have never used inline mode (tried it once, didn't seem to get it to 
do anything).
I must be doing something wrong.  Still can't get any packets out the 
other end.

I have snort 2.9.0.3 compiled and (I think) running in inline/ipfw 
mode.  I push packets in wan0 but don't see them come out lan0.

./configure --enable-dynamicplugin --enable-build-dynamic-examples 
--enable-reload --enable-reload-restart --disable-corefiles 
--with-dnet-includes=/usr/local/include/libnet11 
--with-dnet-libraries=/usr/local/lib/libnet11 --enable-flexresp3 
--enable-active-response --with-mysql=no --with-odbc=no 
--with-postgresql=no --disable-prelude --enable-perfprofiling 
--enable-ppm --enable-gre --enable-mpls 
--enable-decoder-preprocessor-rules --enable-zlib --enable-normalizer 
--enable-react --prefix=/usr/local --mandir=/usr/local/man 
--infodir=/usr/local/info/ --build=amd64-portbld-freebsd7.3

snort.conf sample with two minor changes:  set home_net and added config 
policy_mode:inline
./snort -T -c /usr/local/etc/snort/snort.conf passes.

snort started like this (man says -Q is for iptables, not ipfw; tried 
with and without, didn't change anything):
./snort -c /usr/local/etc/snort/snort.conf -l /var/log/snort -dq -m 022 -k none -Q --daq ipfw

It's running, did something:
ls -lt /var/log/snort/
total 2
-rw-r--r--  1 root  wheel    0 Feb  4 16:35 snort.log.1296855300

I see it listening:

sockstat -4p8000
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     snort      14512 5  div4   *:8000                *:*


ipfw has this:

00100    10     552 allow ip from any to any via lo0
00200     0       0 deny ip from any to 127.0.0.0/8
00300     0       0 deny ip from 127.0.0.0/8 to any
00400     0       0 deny ip from 169.254.0.0/16 to any via con0
00500     0       0 deny ip from 224.0.0.0/4 to any via con0
00600     0       0 deny ip from 240.0.0.0/4 to any via con0
00700 22264 8686033 allow ip from any to any via con0
10000     0       0 divert 8000 ip from any to any
65535     4     883 allow ip from any to any


aux interfaces are wan0 and lan0
kernel (obviously) has divert, or else ipfw would not allow it.
I have turned forwarding on and off.
net.inet.ip.forwarding: 0
net.inet.ip.fastforwarding: 0

con0 is the out-of-band maint intf.

lan0: flags=88c3<UP,BROADCAST,RUNNING,NOARP,SIMPLEX,MULTICAST> metric 0 mtu 1500
     options=19b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4>
     ether somerandommac
     media: Ethernet autoselect (1000baseTX <full-duplex>)
     status: active
wan0: flags=88c3<UP,BROADCAST,RUNNING,NOARP,SIMPLEX,MULTICAST> metric 0 mtu 1500
     options=19b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4>
     ether notherrandommac
     media: Ethernet autoselect (1000baseTX <full-duplex>)
     status: active

If I sniff wan0 I see it TRYING.
tshark -niwan0
Capturing on wan0
   0.000000 00:11: -> ff:ff:ff:ff:ff:ff ARP Who has 172.70.2.56?  Tell 172.70.2.13
   1.000912 00:11: -> ff:ff:ff:ff:ff:ff ARP Who has 172.70.2.56?  Tell 172.70.2.13
   2.001953 00:11: -> ff:ff:ff:ff:ff:ff ARP Who has 172.70.2.56?  Tell 172.70.2.13
   3.002994 00:11: -> ff:ff:ff:ff:ff:ff ARP Who has 172.70.2.56?  Tell 172.70.2.13
   4.004035 00:11: -> ff:ff:ff:ff:ff:ff ARP Who has 172.70.2.56?  Tell 172.70.2.13
   5.005076 00:11: -> ff:ff:ff:ff:ff:ff ARP Who has 172.70.2.56?  Tell 172.70.2.13
   6.006117 00:11: -> ff:ff:ff:ff:ff:ff ARP Who has 172.70.2.56?  Tell 172.70.2.13

What am I missing?  It must be on the FreeBSD side, since Rajkumar S has 
it working on FreeBSD (6.2).
Maybe I have tried so many options that the one set of options needed 
wasn't tried.  ALL at once!

Also note, I have no IP addresses on wan0 and lan0.  Also note, I know 
that the 'freebsd bridge code doesn't work with divert', so bridge isn't 
compiled in, and neither is if_bridge:

ifconfig -C
lo tun

The IP addresses on the wan0 and lan0 side are in a separate subnet from 
con0, and (in bridge mode! with a different kernel) I have confirmed that 
it passes traffic.  (The kernel I am running now does not have bridge 
code in it.)


-- 
Michael Scheidell, CTO
o: 561-999-5000
d: 561-948-2259
ISN: 1259*1300
SECNAP Network Security Corporation

    * Certified SNORT Integrator
    * 2008-9 Hot Company Award Winner, World Executive Alliance
    * Five-Star Partner Program 2009, VARBusiness
    * Best in Email Security,2010: Network Products Guide
    * King of Spam Filters, SC Magazine 2008
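The ipfw listing in the post is the first thing worth reading mechanically when inline diversion appears to do nothing: ipfw keeps a per-rule packet and byte counter, and a divert rule whose counters stay at zero means the firewall never handed a packet to the divert socket snort is listening on, whatever snort itself is doing. The following Python is an added example, not code from the post or from the Snort project. It reads a counter-prefixed `ipfw -a list` style listing (the embedded sample is a constructed copy of the table in the post), picks out divert rules with their ports, and sums the traffic terminated by earlier allow/deny rules, which in this listing is everything that went via con0. The class and function names are my own.

```python
"""Read a counter-prefixed ipfw rule listing and report divert rule activity.

Added example (not from the mailing-list post). The listing format is
"<rule> <packets> <bytes> <action> <rest of rule>", as printed by
`ipfw -a list` on FreeBSD; rule numbers are zero-padded.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: a copy of the rule table shown in the post.
SAMPLE_IPFW_LIST = """\
00100    10     552 allow ip from any to any via lo0
00200     0       0 deny ip from any to 127.0.0.0/8
00300     0       0 deny ip from 127.0.0.0/8 to any
00400     0       0 deny ip from 169.254.0.0/16 to any via con0
00500     0       0 deny ip from 224.0.0.0/4 to any via con0
00600     0       0 deny ip from 240.0.0.0/4 to any via con0
00700 22264 8686033 allow ip from any to any via con0
10000     0       0 divert 8000 ip from any to any
65535     4     883 allow ip from any to any
"""

# rule number, packet counter, byte counter, action keyword, remainder
RULE_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s*(.*)$")

# ipfw actions that stop rule processing for a matching packet
TERMINATING_ACTIONS = ("allow", "deny")


@dataclass
class IpfwRule:
    number: int
    packets: int
    byte_count: int
    action: str
    body: str  # text after the action; for divert this starts with the port

    @property
    def divert_port(self) -> Optional[int]:
        """Divert socket port for divert rules, None for everything else."""
        if self.action != "divert":
            return None
        return int(self.body.split()[0])


def parse_ipfw_list(text: str) -> List[IpfwRule]:
    """Parse every line that looks like a counter-prefixed ipfw rule."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # blank lines or anything that is not a rule
        num, pk, by, action, body = m.groups()
        rules.append(IpfwRule(int(num), int(pk), int(by), action, body.strip()))
    return rules


def divert_report(rules: List[IpfwRule]) -> List[Tuple[int, int, int, bool]]:
    """(rule number, divert port, packets matched, saw_traffic) per divert rule."""
    return [(r.number, r.divert_port, r.packets, r.packets > 0)
            for r in rules if r.action == "divert"]


def traffic_terminated_before(rules: List[IpfwRule], rule_number: int) -> int:
    """Packets accepted or dropped by rules numbered below rule_number.

    Those packets were disposed of before the lower-priority rule could
    match them, so they never reach a divert rule placed at rule_number.
    """
    return sum(r.packets for r in rules
               if r.number < rule_number and r.action in TERMINATING_ACTIONS)


if __name__ == "__main__":
    parsed = parse_ipfw_list(SAMPLE_IPFW_LIST)
    for number, port, pkts, seen in divert_report(parsed):
        state = "has matched traffic" if seen else "has matched NO packets"
        print(f"rule {number}: divert to port {port}, {pkts} packets, {state}")
        print(f"  packets terminated by earlier rules: "
              f"{traffic_terminated_before(parsed, number)}")
```

Run against the sample, it reports rule 10000 diverting to port 8000 with 0 packets matched, while 22274 packets were terminated by earlier allow rules (10 via lo0 and 22264 via con0). The socket snort opened on port 8000 is visible in the sockstat output, so the counters narrow the question to why nothing reaches rule 10000 rather than to snort's own configuration.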

