[Snort-users] qualifying ipfw for freebsd port of 2.9.0.3

rob iscool robrob2626 at ...131...
Fri Feb 4 17:51:36 EST 2011


I have not tested with snort 2.9.

I don't remember how I did it. It was like a year ago, and remember I am using a
heavily patched version of ipfw and pf on pfSense.

Robert

________________________________
From: Michael Scheidell <michael.scheidell at ...8144...>
To: rob iscool <robrob2626 at ...131...>; "<snort-users at lists.sourceforge.net>" <snort-users at lists.sourceforge.net>
Sent: Fri, February 4, 2011 2:43:22 PM
Subject: Re: [Snort-users] qualifying ipfw for freebsd port of 2.9.0.3


On 2/4/11 5:34 PM, rob iscool wrote:
> From the text.
>
> "bridging, snort_inline will not work with IPFW. This is due
> interaction of DIVERT sockets and bridging in the kernel"
>
supposed to work with if_bridge.
<http://lists.freebsd.org/pipermail/freebsd-net/2008-March/017220.html>

"yes, it is possible to use divert with if_bridge"

so, with/without it.. you got it to work in 2.8.*

does it work in freebsd 2.9.0.3?
and EXACTLY how do I set it up?



> Robert
>
> ________________________________
> From: Michael Scheidell <michael.scheidell at ...8144...>
> To: rob iscool <robrob2626 at ...131...>
> Sent: Fri, February 4, 2011 2:22:01 PM
> Subject: Re: [Snort-users] qualifying ipfw for freebsd port of 2.9.0.3
>
> if_bridge in kernel?
>
> with ifconfig bridge0 options did you use? or not?
>
> On 2/4/11 5:18 PM, rob iscool wrote:
>> This worked for me.
>>
>> http://freebsd.rogness.net/snort_inline/
>>
>> Robert
>>
>> ________________________________
>> From: Michael Scheidell <michael.scheidell at ...8144...>
>> To: "<snort-users at lists.sourceforge.net>" <snort-users at ...3783...net>
>> Sent: Fri, February 4, 2011 2:01:36 PM
>> Subject: [Snort-users] qualifying ipfw for freebsd port of 2.9.0.3
>>
>> I am working on qualifying the freebsd port for --daq ipfw
>> for freebsd 7.3, amd64 and snort 2.9.0.3
>>
>> I have never used inline mode, (tried it once, didn't seem
>> to get it to do anything)
>> I must be doing something wrong.  Still can't get any
>> packets out the other end.
>>
>> I have snort 2.9.0.3 compiled, and (I think running in
>> inline/ipfw mode).  I push packets in wan0 but don't see
>> them come out lan0.
>>
>> ./configure --enable-dynamicplugin
>> --enable-build-dynamic-examples --enable-reload
>> --enable-reload-restart --disable-corefiles
>> --with-dnet-includes=/usr/local/include/libnet11
>> --with-dnet-libraries=/usr/local/lib/libnet11
>> --enable-flexresp3 --enable-active-response
>> --with-mysql=no --with-odbc=no --with-postgresql=no
>> --disable-prelude --enable-perfprofiling --enable-ppm
>> --enable-gre --enable-mpls
>> --enable-decoder-preprocessor-rules --enable-zlib
>> --enable-normalizer --enable-react --prefix=/usr/local
>> --mandir=/usr/local/man --infodir=/usr/local/info/
>> --build=amd64-portbld-freebsd7.3
>>
>> snort.conf sample with two minor changes:  set home_net and
>> added config policy_mode:inline
>> ./snort -T -c /usr/local/etc/snort/snort.conf passes.
>>
>> snort started like this: (man says -Q is for iptables.. not
>> ipfw) tried with and without. didn't change anything.
>> ./snort -c /usr/local/etc/snort/snort.conf -l
>> /var/log/snort -dq -m 022 -k none -Q --daq ipfw
>>
>> it's running, did something:
>> ls -lt /var/log/snort/
>> total 2
>> -rw-r--r--  1 root  wheel    0 Feb  4 16:35 snort.log.1296855300
>>
>> I see it listening:
>>
>> sockstat -4p8000
>> USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
>> root     snort      14512 5  div4   *:8000                *:*
>>
>> ipfw has this:
>>
>> 00100    10     552 allow ip from any to any via lo0
>> 00200     0       0 deny ip from any to 127.0.0.0/8
>> 00300     0       0 deny ip from 127.0.0.0/8 to any
>> 00400     0       0 deny ip from 169.254.0.0/16 to any via con0
>> 00500     0       0 deny ip from 224.0.0.0/4 to any via con0
>> 00600     0       0 deny ip from 240.0.0.0/4 to any via con0
>> 00700 22264 8686033 allow ip from any to any via con0
>> 10000     0       0 divert 8000 ip from any to any
>> 65535     4     883 allow ip from any to any
>>
>> aux interfaces are wan0 and lan0
>> kernel (obviously) has divert, or else ipfw would not allow it.
>> I have turned on, and off forwarding.
>> net.inet.ip.forwarding: 0
>> net.inet.ip.fastforwarding: 0
>>
>> con0 is out of band maint intf.
>>
>> lan0: flags=88c3<UP,BROADCAST,RUNNING,NOARP,SIMPLEX,MULTICAST> metric 0 mtu 1500
>>     options=19b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4>
>>     ether somerandommac
>>     media: Ethernet autoselect (1000baseTX <full-duplex>)
>>     status: active
>> wan0: flags=88c3<UP,BROADCAST,RUNNING,NOARP,SIMPLEX,MULTICAST> metric 0 mtu 1500
>>     options=19b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4>
>>     ether notherrandommac
>>     media: Ethernet autoselect (1000baseTX <full-duplex>)
>>     status: active
>>
>> if I sniff wan0 I see it TRYING.
>> tshark -niwan0
>> Capturing on wan0
>>   0.000000 00:11: -> ff:ff:ff:ff:ff:ff ARP Who has 172.70.2.56?  Tell 172.70.2.13
>>   1.000912 00:11: -> ff:ff:ff:ff:ff:ff ARP Who has 172.70.2.56?  Tell 172.70.2.13
>>   2.001953 00:11: -> ff:ff:ff:ff:ff:ff ARP Who has 172.70.2.56?  Tell 172.70.2.13
>>   3.002994 00:11: -> ff:ff:ff:ff:ff:ff ARP Who has 172.70.2.56?  Tell 172.70.2.13
>>   4.004035 00:11: -> ff:ff:ff:ff:ff:ff ARP Who has 172.70.2.56?  Tell 172.70.2.13
>>   5.005076 00:11: -> ff:ff:ff:ff:ff:ff ARP Who has 172.70.2.56?  Tell 172.70.2.13
>>   6.006117 00:11: -> ff:ff:ff:ff:ff:ff ARP Who has 172.70.2.56?  Tell 172.70.2.13
>>
>> what am I missing? it must be on the freebsd side, since
>> Rajkumar S has it working on freebsd. (6.2)
>> maybe I have tried so many options, that the one set of
>> options needed wasn't tried.  ALL at once!
>>
>> also note, I have no ip addresses on wan0 and lan0.  also
>> note, I know that the 'freebsd bridge code doesn't work with
>> divert' so, bridge isn't compiled in, and neither is
>> if_bridge:
>>
>> ifconfig -C
>> lo tun
>>
>> the ip addresses on the wan0 and lan0 side are in a separate
>> subnet from con0, and (in bridge mode! if a different
>> kernel) I have confirmed that it passes traffic.  (different
>> kernel, the one I am running now, does not have bridge code
>> in it)
>>
>> --
>> Michael Scheidell, CTO
>> o: 561-999-5000
>> d: 561-948-2259
>> ISN: 1259*1300
>> | SECNAP Network Security Corporation
>> 	* Certified SNORT Integrator
>> 	* 2008-9 Hot Company Award Winner, World Executive Alliance
>> 	* Five-Star Partner Program 2009, VARBusiness
>> 	* Best in Email Security, 2010: Network Products Guide
>> 	* King of Spam Filters, SC Magazine 2008
>>
>> ________________________________
>>
>> This email has been scanned and certified safe by SpammerTrap®.
>>
>> For Information please see http://www.secnap.com/products/spammertrap/
>> ________________________________
>>

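The ruleset Michael pasted already carries the decisive clue: the `divert 8000` rule at 10000 shows a zero packet counter, so ipfw never handed a single packet to the divert socket snort is listening on, and whatever is wrong sits in front of snort (frames entering interfaces that have no IP address and no bridge never enter the IP stack, so ipfw never evaluates them). The POSIX sh script below is an added example, not code from this thread or from the Snort project. It parses `ipfw -a list`-style output, assuming the four leading columns `rule packets bytes action` that listing prints, and flags divert rules that have never matched as well as rules numbered before the divert rule that have absorbed traffic. The two rulesets embedded in it are constructed samples, the first copied from the thread, the second a hypothetical healthy one.

```sh
#!/bin/sh
# Added example, not code from the thread or from the Snort project.
# Reads an `ipfw -a list` style listing (columns: rule, packets, bytes, action ...)
# and reports whether the divert rule that feeds `snort --daq ipfw` has ever
# matched a packet. A zero counter on the divert rule means ipfw never passed
# anything to the divert socket, so snort cannot be the component dropping traffic.

# Constructed sample: the ruleset quoted in the thread (divert never matched).
SAMPLE_RULES='00100    10     552 allow ip from any to any via lo0
00200     0       0 deny ip from any to 127.0.0.0/8
00300     0       0 deny ip from 127.0.0.0/8 to any
00700 22264 8686033 allow ip from any to any via con0
10000     0       0 divert 8000 ip from any to any
65535     4     883 allow ip from any to any'

# Constructed sample of a hypothetical ruleset where traffic reaches the divert hook.
GOOD_RULES='00100    10     552 allow ip from any to any via lo0
10000  4711 3900211 divert 8000 ip from any to any
65535     4     883 allow ip from any to any'

# divert_hits LISTING
# Prints "<rule> <port> <packets>" for every divert rule in LISTING.
divert_hits() {
    printf '%s\n' "$1" | awk '$4 == "divert" { print $1, $5, $2 }'
}

# matched_before_divert LISTING
# Prints "<rule> <action> <packets>" for every rule numbered below the first
# divert rule that has a non-zero counter. Traffic matched by an earlier
# terminating rule is never seen by the divert rule, so these deserve a look
# (con0 management traffic is expected here; anything from wan0/lan0 is not).
matched_before_divert() {
    printf '%s\n' "$1" | awk '
        $4 == "divert" { exit }          # stop at the first divert rule
        $2 > 0 { print $1, $4, $2 }'
}

# check_divert LISTING
# Exit status: 0 if every divert rule has matched at least one packet,
#              1 if some divert rule has never matched,
#              2 if the listing contains no divert rule at all.
check_divert() {
    total=$(printf '%s\n' "$1" | awk '$4 == "divert" { n++ } END { print n + 0 }')
    if [ "$total" -eq 0 ]; then
        echo "no divert rule in ruleset: nothing can reach snort --daq ipfw"
        return 2
    fi
    printf '%s\n' "$1" | awk '$4 == "divert" {
        if ($2 == 0)
            printf "rule %s: divert %s matched 0 packets; traffic never reached the divert hook\n", $1, $5
        else
            printf "rule %s: divert %s matched %s packets\n", $1, $5, $2
    }'
    never=$(printf '%s\n' "$1" | awk '$4 == "divert" && $2 == 0 { n++ } END { print n + 0 }')
    [ "$never" -eq 0 ]
}

# Stand-alone usage: `ipfw -a list | sh ipfw_divert_check.sh` on the FreeBSD box,
# or run it with no piped input to analyse the constructed sample.
if [ -t 0 ]; then
    LISTING=$SAMPLE_RULES
else
    LISTING=$(cat)
    LISTING=${LISTING:-$SAMPLE_RULES}
fi
echo "rules that matched before the divert rule (rule action packets):"
matched_before_divert "$LISTING"
if check_divert "$LISTING"; then status=0; else status=$?; fi
echo "check_divert exit status: $status"
```

Run against the listing from the thread the script reports `rule 10000: divert 8000 matched 0 packets` and a status of 1, which is exactly the state the thread describes; once the interfaces are addressed or bridged so that frames enter the IP stack, the divert counter starts moving and the check returns 0.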


      