[Snort-users] qualifying ipfw for freebsd port of 2.9.0.3

Michael Scheidell michael.scheidell at ...8144...
Fri Feb 4 17:43:22 EST 2011



On 2/4/11 5:34 PM, rob iscool wrote:
>   From the text.
>
> "bridging, snort_inline will not work with IPFW. This is due 
> interaction of DIVERT sockets and bridging in the kernel"
>
supposed to work with if_bridge.
<http://lists.freebsd.org/pipermail/freebsd-net/2008-March/017220.html>

"yes, it is possible to use divert with if_bridge"

so, with/without it.. you got it to work in 2.8.*

does it work in freebsd 2.9.0.3?
and EXACTLY how do I set it up?


> Robert
>
> ------------------------------------------------------------------------
> *From:* Michael Scheidell <michael.scheidell at ...8144...>
> *To:* rob iscool <robrob2626 at ...131...>
> *Sent:* Fri, February 4, 2011 2:22:01 PM
> *Subject:* Re: [Snort-users] qualifying ipfw for freebsd port of 2.9.0.3
>
> if_bridge in kernel?
>
> with ifconfig bridge0 options did you use? or not?
>
>
>
> On 2/4/11 5:18 PM, rob iscool wrote:
>> This worked for me.
>>
>> http://freebsd.rogness.net/snort_inline/
>>
>> Robert
>>
>> ------------------------------------------------------------------------
>> *From:* Michael Scheidell <michael.scheidell at ...8144...>
>> *To:* "<snort-users at lists.sourceforge.net>" 
>> <snort-users at lists.sourceforge.net>
>> *Sent:* Fri, February 4, 2011 2:01:36 PM
>> *Subject:* [Snort-users] qualifying ipfw for freebsd port of 2.9.0.3
>>
>> I am working on qualifying the freebsd port for --daq ipfw for freebsd 
>> 7.3, amd64 and snort 2.9.0.3
>>
>> I have never used inline mode, (tried it once, didn't seem to get it 
>> to do anything)
>> I must be doing something wrong.  Still can't get any packets out the 
>> other end.
>>
>> I have snort 2.9.0.3 compiled, and (I think running in inline/ipfw 
>> mode).  I push packets in wan0 but don't see them come out lan0.
>>
>> ./configure --enable-dynamicplugin --enable-build-dynamic-examples 
>> --enable-reload --enable-reload-restart --disable-corefiles 
>> --with-dnet-includes=/usr/local/include/libnet11 
>> --with-dnet-libraries=/usr/local/lib/libnet11 --enable-flexresp3 
>> --enable-active-response --with-mysql=no --with-odbc=no 
>> --with-postgresql=no --disable-prelude --enable-perfprofiling 
>> --enable-ppm --enable-gre --enable-mpls 
>> --enable-decoder-preprocessor-rules --enable-zlib --enable-normalizer 
>> --enable-react --prefix=/usr/local --mandir=/usr/local/man 
>> --infodir=/usr/local/info/ --build=amd64-portbld-freebsd7.3
>>
>> snort.conf sample with two minor changes:  set home_net and added 
>> config policy_mode:inline
>> ./snort -T -c /usr/local/etc/snort/snort.conf passes.
>>
>> snort started like this: (man says -Q is for iptables.. not ipfw) 
>> tried with and without. didn't change anything.
>> ./snort -c /usr/local/etc/snort/snort.conf -l /var/log/snort -dq -m 022 -k none -Q --daq ipfw
>>
>> it's running, did something:
>> ls -lt /var/log/snort/
>> total 2
>> -rw-r--r--  1 root  wheel    0 Feb  4 16:35 snort.log.1296855300
>>
>> I see it listening:
>>
>> sockstat -4p8000
>> USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
>> root     snort      14512 5  div4   *:8000                *:*
>>
>>
>> ipfw has this:
>>
>> 00100    10     552 allow ip from any to any via lo0
>> 00200     0       0 deny ip from any to 127.0.0.0/8
>> 00300     0       0 deny ip from 127.0.0.0/8 to any
>> 00400     0       0 deny ip from 169.254.0.0/16 to any via con0
>> 00500     0       0 deny ip from 224.0.0.0/4 to any via con0
>> 00600     0       0 deny ip from 240.0.0.0/4 to any via con0
>> 00700 22264 8686033 allow ip from any to any via con0
>> 10000     0       0 divert 8000 ip from any to any
>> 65535     4     883 allow ip from any to any
>>
>>
>> aux interfaces are wan0 and lan0
>> kernel (obviously) has divert, or else ipfw would not allow it.
>> I have turned on, and off forwarding.
>> net.inet.ip.forwarding: 0
>> net.inet.ip.fastforwarding: 0
>>
>> con0 is out of band maint intf.
>>
>> lan0: flags=88c3<UP,BROADCAST,RUNNING,NOARP,SIMPLEX,MULTICAST> metric 0 mtu 1500
>>     options=19b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4>
>>     ether somerandommac
>>     media: Ethernet autoselect (1000baseTX <full-duplex>)
>>     status: active
>> wan0: flags=88c3<UP,BROADCAST,RUNNING,NOARP,SIMPLEX,MULTICAST> metric 0 mtu 1500
>>     options=19b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4>
>>     ether notherrandommac
>>     media: Ethernet autoselect (1000baseTX <full-duplex>)
>>     status: active
>>
>> if I sniff wan0 I see it TRYING.
>> tshark -niwan0
>> Capturing on wan0
>>   0.000000 00:11: -> ff:ff:ff:ff:ff:ff ARP Who has 172.70.2.56?  Tell 172.70.2.13
>>   1.000912 00:11: -> ff:ff:ff:ff:ff:ff ARP Who has 172.70.2.56?  Tell 172.70.2.13
>>   2.001953 00:11: -> ff:ff:ff:ff:ff:ff ARP Who has 172.70.2.56?  Tell 172.70.2.13
>>   3.002994 00:11: -> ff:ff:ff:ff:ff:ff ARP Who has 172.70.2.56?  Tell 172.70.2.13
>>   4.004035 00:11: -> ff:ff:ff:ff:ff:ff ARP Who has 172.70.2.56?  Tell 172.70.2.13
>>   5.005076 00:11: -> ff:ff:ff:ff:ff:ff ARP Who has 172.70.2.56?  Tell 172.70.2.13
>>   6.006117 00:11: -> ff:ff:ff:ff:ff:ff ARP Who has 172.70.2.56?  Tell 172.70.2.13
>>
>> what am I missing? it must be on the freebsd side, since Rajkumar S 
>> has it working on freebsd. (6.2)
>> maybe I have tried so many options, that the one set of options 
>> needed wasn't tried.  ALL at once!
>>
>> also note, I have no ip addresses on wan0 and lan0.  also note, I 
>> know that the 'freebsd bridge code doesn't work with divert' so, 
>> bridge isn't compiled in, and neither is if_bridge:
>>
>> ifconfig -C
>> lo tun
>>
>> the ip addresses on the wan0 and lan0 side are in a separate subnet 
>> from con0, and (in bridge mode! if a different kernel) I have 
>> confirmed that it passes traffic.  (different kernel, the one I am 
>> running now, does not have bridge code in it)
>>
>>
>> -- 
>> Michael Scheidell, CTO
>> o: 561-999-5000
>> d: 561-948-2259
>> ISN: 1259*1300
>> SECNAP Network Security Corporation
>>
>>     * Certified SNORT Integrator
>>     * 2008-9 Hot Company Award Winner, World Executive Alliance
>>     * Five-Star Partner Program 2009, VARBusiness
>>     * Best in Email Security,2010: Network Products Guide
>>     * King of Spam Filters, SC Magazine 2008
>>
>>
>> ------------------------------------------------------------------------
>>
>> This email has been scanned and certified safe by SpammerTrap®.
>> For Information please see http://www.secnap.com/products/spammertrap/
>>
>> ------------------------------------------------------------------------
>>
>>
>
>
>
>
>



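The quoted setup has three views that must agree before snort can see anything in inline mode: the ipfw divert rule, the div4 socket that snort binds (visible in sockstat), and the kernel's IP forwarding sysctls. The script below cross-checks those three views from their command output. It is an added example, not code from the Snort project or from anyone in this thread; the sample `ipfw show`, `sockstat` and `sysctl` outputs are constructed to mirror the ones posted above, and the function names are my own choice.

```python
"""Cross-check an ipfw divert rule against the divert-socket listener and
the forwarding sysctls, using the text output of the three commands."""

# Constructed sample outputs, modelled on the ones posted in the thread
# (not captured from a live system).
IPFW_SHOW = """\
00100    10     552 allow ip from any to any via lo0
00200     0       0 deny ip from any to 127.0.0.0/8
00300     0       0 deny ip from 127.0.0.0/8 to any
00700 22264 8686033 allow ip from any to any via con0
10000     0       0 divert 8000 ip from any to any
65535     4     883 allow ip from any to any
"""

SOCKSTAT = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     snort      14512 5  div4   *:8000                *:*
"""

SYSCTL = """\
net.inet.ip.forwarding: 0
net.inet.ip.fastforwarding: 0
"""


def parse_ipfw_show(text):
    """Parse `ipfw show` lines: rule number, packet/byte counters, action, rest."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or not parts[0].isdigit():
            continue
        rules.append({
            "num": int(parts[0]),
            "packets": int(parts[1]),
            "bytes": int(parts[2]),
            "action": parts[3],
            "body": " ".join(parts[4:]),
        })
    return rules


def divert_listeners(sockstat_text):
    """Map divert port -> (command, pid) from `sockstat -4` rows with PROTO div4."""
    listeners = {}
    for line in sockstat_text.splitlines():
        parts = line.split()
        # data rows split into: USER COMMAND PID FD PROTO LOCAL FOREIGN
        if len(parts) >= 7 and parts[4] == "div4":
            port = int(parts[5].rsplit(":", 1)[1])
            listeners[port] = (parts[1], int(parts[2]))
    return listeners


def parse_sysctl(text):
    """Parse `sysctl` output of the form 'name: value' into a dict of ints."""
    values = {}
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        if sep and value.strip().lstrip("-").isdigit():
            values[name.strip()] = int(value.strip())
    return values


def check_divert_setup(ipfw_text, sockstat_text, sysctl_text):
    """Return a list of findings; an empty list means the three views agree."""
    findings = []
    rules = parse_ipfw_show(ipfw_text)
    listeners = divert_listeners(sockstat_text)
    sysctls = parse_sysctl(sysctl_text)

    diverts = [r for r in rules if r["action"] == "divert"]
    if not diverts:
        findings.append("no divert rule in ruleset: nothing is handed to a divert socket")
    for r in diverts:
        port = int(r["body"].split()[0])  # body is '<port> ip from ...'
        if port not in listeners:
            findings.append(f"rule {r['num']} diverts to port {port} but no div4 socket "
                            f"is bound to *:{port}; packets matching it are dropped")
            continue
        cmd, pid = listeners[port]
        if r["packets"] == 0:
            findings.append(f"rule {r['num']} (divert {port} -> {cmd} pid {pid}) has "
                            "matched 0 packets: traffic never reaches the divert rule")
        # an unscoped allow/deny earlier in the ruleset short-circuits the divert
        for earlier in rules:
            if (earlier["num"] < r["num"] and earlier["action"] in ("allow", "deny")
                    and earlier["body"] == "ip from any to any"):
                findings.append(f"rule {earlier['num']} ({earlier['action']} "
                                f"{earlier['body']}) precedes the divert and matches everything")
    if (sysctls.get("net.inet.ip.forwarding") == 0
            and sysctls.get("net.inet.ip.fastforwarding", 0) == 0):
        findings.append("net.inet.ip.forwarding=0: the kernel will not route "
                        "re-injected packets to another interface")
    return findings


if __name__ == "__main__":
    for finding in check_divert_setup(IPFW_SHOW, SOCKSTAT, SYSCTL):
        print("-", finding)
```

On the posted outputs this reports two things: the divert rule has a listener (snort, pid 14512) but has matched zero packets, and IP forwarding is off. That matches the symptom in the thread (packets enter wan0 and never leave lan0) and narrows the question to why traffic is not reaching rule 10000, which is a better starting point than toggling configure flags.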