[Snort-users] qualifying ipfw for freebsd port of 2.9.0.3

rob iscool robrob2626 at ...131...
Fri Feb 4 17:31:31 EST 2011


With 2.8 I used "snort_inline -J 500 -c snort_inline.conf"

Just read the snort_man pdf, shit they took out "-J <port#>"

How do we send specific port traffic to snort now?

Robert




________________________________
From: Michael Scheidell <michael.scheidell at ...8144...>
To: rob iscool <robrob2626 at ...131...>
Sent: Fri, February 4, 2011 2:20:56 PM
Subject: Re: [Snort-users] qualifying ipfw for freebsd port of 2.9.0.3

with

    snort_inline -J 500 -c snort_inline.conf

? or -Q --daq ipfw

tried it with the ported version yet? (with and without snortsam.. )

do I need

    --enable-inline --enable-ipfw

?


On 2/4/11 5:18 PM, rob iscool wrote:
>This worked for me.
>
>http://freebsd.rogness.net/snort_inline/
>
>Robert
>
>________________________________
>From: Michael Scheidell <michael.scheidell at ...8144...>
>To: "<snort-users at lists.sourceforge.net>" <snort-users at ...973...et>
>Sent: Fri, February 4, 2011 2:01:36 PM
>Subject: [Snort-users] qualifying ipfw for freebsd port of 2.9.0.3
>
>I am working on qualifying the freebsd port for --daq ipfw for
>freebsd 7.3, amd64 and snort 2.9.0.3
>
>I have never used inline mode, (tried it once, didn't seem to get it
>to do anything)
>I must be doing something wrong.  Still can't get any packets out
>the other end.
>
>I have snort 2.9.0.3 compiled, and (I think running in inline/ipfw
>mode).  I push packets in wan0 but don't see them come out lan0.
>
>./configure --enable-dynamicplugin --enable-build-dynamic-examples
>--enable-reload --enable-reload-restart --disable-corefiles
>--with-dnet-includes=/usr/local/include/libnet11
>--with-dnet-libraries=/usr/local/lib/libnet11 --enable-flexresp3
>--enable-active-response --with-mysql=no --with-odbc=no
>--with-postgresql=no --disable-prelude --enable-perfprofiling
>--enable-ppm --enable-gre --enable-mpls
>--enable-decoder-preprocessor-rules --enable-zlib
>--enable-normalizer --enable-react --prefix=/usr/local
>--mandir=/usr/local/man --infodir=/usr/local/info/
>--build=amd64-portbld-freebsd7.3
>
>snort.conf sample with two minor changes: set home_net and added
>config policy_mode:inline
>./snort -T -c /usr/local/etc/snort/snort.conf passes.
>
>snort started like this: (man says -Q is for iptables.. not ipfw)
>tried with and without. didn't change anything.
>./snort -c /usr/local/etc/snort/snort.conf -l /var/log/snort -dq
>-m 022 -k none -Q --daq ipfw
>
>
>it's running, did something:
>ls -lt /var/log/snort/
>total 2
>-rw-r--r--  1 root  wheel    0 Feb  4 16:35 snort.log.1296855300
>
>I see it listening:
>
>sockstat -4p8000
>USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
>root     snort      14512 5  div4   *:8000                *:*
>
>
>ipfw has this:
>
>00100    10     552 allow ip from any to any via lo0
>00200     0       0 deny ip from any to 127.0.0.0/8
>00300     0       0 deny ip from 127.0.0.0/8 to any
>00400     0       0 deny ip from 169.254.0.0/16 to any via con0
>00500     0       0 deny ip from 224.0.0.0/4 to any via con0
>00600     0       0 deny ip from 240.0.0.0/4 to any via con0
>00700 22264 8686033 allow ip from any to any via con0
>10000     0       0 divert 8000 ip from any to any
>65535     4     883 allow ip from any to any
>
>
>aux interfaces are wan0 and lan0
>kernel (obviously) has divert, or else ipfw would not allow it.
>I have turned on, and off forwarding.
>net.inet.ip.forwarding: 0
>net.inet.ip.fastforwarding: 0
>
>con0 is out of band maint intf.
>
>lan0: flags=88c3<UP,BROADCAST,RUNNING,NOARP,SIMPLEX,MULTICAST> metric 0 mtu 1500
>    options=19b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4>
>    ether somerandommac
>    media: Ethernet autoselect (1000baseTX <full-duplex>)
>    status: active
>wan0: flags=88c3<UP,BROADCAST,RUNNING,NOARP,SIMPLEX,MULTICAST> metric 0 mtu 1500
>    options=19b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4>
>    ether notherrandommac
>    media: Ethernet autoselect (1000baseTX <full-duplex>)
>    status: active
>
>if I sniff wan0 I see it TRYING.
>tshark -niwan0
>Capturing on wan0
>  0.000000 00:11: -> ff:ff:ff:ff:ff:ff ARP Who has 172.70.2.56?  Tell 172.70.2.13
>  1.000912 00:11: -> ff:ff:ff:ff:ff:ff ARP Who has 172.70.2.56?  Tell 172.70.2.13
>  2.001953 00:11: -> ff:ff:ff:ff:ff:ff ARP Who has 172.70.2.56?  Tell 172.70.2.13
>  3.002994 00:11: -> ff:ff:ff:ff:ff:ff ARP Who has 172.70.2.56?  Tell 172.70.2.13
>  4.004035 00:11: -> ff:ff:ff:ff:ff:ff ARP Who has 172.70.2.56?  Tell 172.70.2.13
>  5.005076 00:11: -> ff:ff:ff:ff:ff:ff ARP Who has 172.70.2.56?  Tell 172.70.2.13
>  6.006117 00:11: -> ff:ff:ff:ff:ff:ff ARP Who has 172.70.2.56?  Tell 172.70.2.13
>
>what am I missing? it must be on the freebsd side, since Rajkumar S
>has it working on freebsd. (6.2)
>maybe I have tried so many options, that the one set of options
>needed wasn't tried.  ALL at once!
>
>also note, I have no ip addresses on wan0 and lan0.  also note, I
>know that the 'freebsd bridge code doesn't work with divert' so,
>bridge isn't compiled in, and neither is if_bridge:
>
>ifconfig -C
>lo tun
>
>the ip addresses on the wan0 and lan0 side are in a separate subnet
>from con0, and (in bridge mode! if a different kernel) I have
>confirmed that it passes traffic.  (different kernel, the one I am
>running now, does not have bridge code in it)
>
>
>
>--
>Michael Scheidell, CTO
>o: 561-999-5000
>d: 561-948-2259
>ISN: 1259*1300
>| SECNAP Network Security Corporation
>	* Certified SNORT Integrator
>	* 2008-9 Hot Company Award Winner, World Executive Alliance
>	* Five-Star Partner Program 2009, VARBusiness
>	* Best in Email Security,2010: Network Products Guide
>	* King of Spam Filters, SC Magazine 2008
>
>________________________________
>This email has been scanned and certified safe by SpammerTrap®.
>For Information please see http://www.secnap.com/products/spammertrap/
>________________________________


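An added example, not from the thread or from the Snort project: a POSIX shell preflight that parses `ipfw show` and sysctl output (the samples are constructed to mirror the ruleset and counters quoted above) and checks that the ipfw divert port matches the port snort will listen on, that the divert rule has actually counted packets (rule 10000 above shows 0 while rule 00700 via con0 has counted thousands, so nothing is reaching the divert), and, on the assumption that the box routes between wan0 and lan0 rather than bridging, that net.inet.ip.forwarding is on. It also builds the 2.9 form of the old snort_inline "-J <port>" switch, which the ipfw DAQ takes as --daq-var port=N.

```shell
#!/bin/sh
# Added example (not from the thread): preflight for snort 2.9 -Q --daq ipfw
# on FreeBSD. Sample `ipfw show` and sysctl output are constructed to mirror
# what the original message quotes.
IPFW_STUCK='00700 22264 8686033 allow ip from any to any via con0
10000     0       0 divert 8000 ip from any to any
65535     4     883 allow ip from any to any'
IPFW_OK='10000    57   11402 divert 8000 ip from any to any
65535     4     883 allow ip from any to any'
SYSCTL_OFF='net.inet.ip.forwarding: 0'

# `ipfw show` columns: rule number, packets, bytes, action, ...; for a divert
# rule the fifth field is the divert port snort must listen on.
ipfw_divert_port() { printf '%s\n' "$1" | awk '$4 == "divert" { print $5; exit }'; }
ipfw_divert_pkts() { printf '%s\n' "$1" | awk '$4 == "divert" { print $2; exit }'; }

# Value of a `sysctl name` line such as "net.inet.ip.forwarding: 0".
sysctl_value() { printf '%s\n' "$1" | awk -F': ' '{ print $2; exit }'; }

# The 2.9 ipfw DAQ takes the divert port as a DAQ variable; this is what
# replaces the 2.8 snort_inline "-J <port>" switch.
snort_inline_cmdline() { printf 'snort -Q --daq ipfw --daq-var port=%s -c %s' "$1" "$2"; }

# Return 0 when ipfw, snort and the kernel agree; otherwise print the first
# mismatch and return a distinct code. $1 = ipfw show text, $2 = snort port,
# $3 = sysctl forwarding line (assumption: the box routes, it does not bridge).
preflight() {
    rule_port=$(ipfw_divert_port "$1")
    [ -n "$rule_port" ] || { echo "no divert rule in ipfw"; return 1; }
    [ "$rule_port" = "$2" ] || { echo "ipfw diverts to $rule_port, snort listens on $2"; return 2; }
    [ "$(ipfw_divert_pkts "$1")" -gt 0 ] || { echo "divert rule matched 0 packets: traffic never reaches it"; return 3; }
    [ "$(sysctl_value "$3")" = 1 ] || { echo "net.inet.ip.forwarding is off: routed packets will not leave"; return 4; }
    echo "ok: $(snort_inline_cmdline "$2" /usr/local/etc/snort/snort.conf)"
}

# Run against the constructed copy of the quoted setup: stops at the zero counter.
preflight "$IPFW_STUCK" 8000 "$SYSCTL_OFF"; echo "exit status: $?"
```

On a live box, feed it `"$(ipfw show)"` and `"$(sysctl net.inet.ip.forwarding)"` instead of the constructed strings.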