
| Subject: | Re: [Snort-users] Re: Inline IP_Forwarding and other simple questions? |
|---|---|
| Date: | Fri, 31 Dec 2004 15:54:15 -0500 |
I can see stuff like this on the Snort-inline box after I set up this:
```text
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/31-15:51:32.008107 4.250.141.227:1865 -> 68.16.185.133:2745
TCP TTL:117 TOS:0x0 ID:58343 IpLen:20 DgmLen:48 DF
******S* Seq: 0x497099C1  Ack: 0x0  Win: 0x1FE0  TcpLen: 28
TCP Options (4) => MSS: 1360 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/31-15:51:34.925463 68.16.185.129 -> 224.0.0.1
IGMP TTL:1 TOS:0x0 ID:424 IpLen:24 DgmLen:32
IP Options (1) => Opt 148: 00 00
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/31-15:51:37.974912 68.16.185.139:3126 -> 207.46.249.252:80
TCP TTL:125 TOS:0x0 ID:39509 IpLen:20 DgmLen:48 DF
******S* Seq: 0x3B992EA7  Ack: 0x0  Win: 0xFFFF  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/31-15:51:41.125367 68.16.185.139:3127 -> 68.16.185.131:23
TCP TTL:125 TOS:0x0 ID:39511 IpLen:20 DgmLen:48 DF
******S* Seq: 0xEFD59448  Ack: 0x0  Win: 0xFFFF  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/31-15:51:44.083824 68.16.185.139:3127 -> 68.16.185.131:23
TCP TTL:125 TOS:0x0 ID:39513 IpLen:20 DgmLen:48 DF
******S* Seq: 0xEFD59448  Ack: 0x0  Win: 0xFFFF  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/31-15:51:49.996117 68.16.185.139:3128 -> 207.46.144.222:80
TCP TTL:125 TOS:0x0 ID:39515 IpLen:20 DgmLen:48 DF
******S* Seq: 0x40708B8F  Ack: 0x0  Win: 0xFFFF  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/31-15:51:50.092677 68.16.185.139:3127 -> 68.16.185.131:23
TCP TTL:125 TOS:0x0 ID:39517 IpLen:20 DgmLen:48 DF
******S* Seq: 0xEFD59448  Ack: 0x0  Win: 0xFFFF  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
```
However, I still do not have traffic flowing freely through the box.
Michael
using a 2.6 kernel?????
change
config checksum_mode: all
to
config checksum_mode: none
let me know if that fixes your problem
On Thu, 30 Dec 2004 13:07:13 -0500, mdpeters <michael.peters@lazarusalliance.com> wrote:

```text
var IPS_NET 65.89.128.128/27
var EXTERNAL_NET any
var SMTP_SERVERS any
var TELNET_SERVERS any
var HTTP_SERVERS any
var SQL_SERVERS any
var HTTP_PORTS 80
var SHELLCODE_PORTS !80
var ORACLE_PORTS 1521
config checksum_mode: all
var RULE_PATH /opt/snort-inline/rules/ips
config layer2resets: 00:04:23:AD:ED:BA
preprocessor flow: stats_interval 0 hash 2
preprocessor stream4: disable_evasion_alerts,iptablesnewmark,iptablesestmark,forceiptstate
preprocessor stream4_reassemble: both
# preprocessor clamav: ports all !22 !443, toclientonly, dbdir /usr/share/clamav
preprocessor http_inspect: global iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default profile all ports { 80 8080 8180 } oversize_dir_length 500
preprocessor rpc_decode: 111 32771
preprocessor bo
preprocessor telnet_decode
output alert_full: snort-full
output alert_fast: snort-fast
output alert_syslog: LOG_AUTH LOG_ALERT
output database: alert, mysql, user=user password=userpassword dbname=snort host=localhost sensor_name=INLINE
output log_tcpdump: tcpdump.log
include classification.config
include reference.config
include $RULE_PATH/ips.rules
```
----- Original Message -----
From: "Will Metcalf" <william.metcalf@gmail.com>
To: "mdpeters" <michael.peters@lazarusalliance.com>
Sent: Thursday, December 30, 2004 12:53 PM
Subject: Re: [Snort-users] Re: Inline IP_Forwarding and other simple questions?
> send me a sanitized version of your snort.conf.
>
> Regards,
>
> Will
>
>
> On Thu, 30 Dec 2004 12:40:56 -0500, mdpeters
> <michael.peters@lazarusalliance.com> wrote:
>> I tried the "config layer2resets: 00:04:23:AD:ED:BA" instead of the
>> "config layer2resets:" which seems to work.
>>
>>
>> ----- Original Message -----
>> From: "Will Metcalf" <william.metcalf@gmail.com>
>> To: "mdpeters" <michael.peters@lazarusalliance.com>
>> Cc: "Michael D. Peters" <mdpeters@lazarusalliance.com>;
>> <snort-users@lists.sourceforge.net>
>> Sent: Thursday, December 30, 2004 11:06 AM
>> Subject: Re: [Snort-users] Re: Inline IP_Forwarding and other simple
>> questions?
>>
>> > Just for grins try to leave the default in there and see if it still
>> > dies. if it does send me a core dump.
>> >
>> > Regards,
>> >
>> > Will
>> >
>> >
>> > On Thu, 30 Dec 2004 09:50:02 -0500, mdpeters
>> > <michael.peters@lazarusalliance.com> wrote:
>> >> I am trying to set up Snort-inline. When I enable "config layer2resets:"
>> >> it dies. Do I need to include the MAC of the bridge group, in my case,
>> >> 00:04:23:AD:ED:BA to get it to reset connections with IPTABLES?
>> >>
>> >> config layer2resets: 00:04:23:AD:ED:BA
>> >>
>> >> eth0 00:04:23:AD:ED:BA
>> >> eth1 00:04:23:AD:ED:BB
>> >> br0 00:04:23:AD:ED:BA
>> >>
>> >> Also, concerning rules for Snort-inline. Do I take the rules included
>> >> in the tarball and modify the *.rules to something like this:
>> >>
>> >> drop icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP ISS Pinger";
>> >> itype:8; content:"ISSPNGRQ"; depth:32; reference:arachnids,158;
>> >> classtype:attempted-recon; sid:465; rev:3;)
>> >>
>> >> or
>> >>
>> >> sdrop icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP ISS Pinger";
>> >> itype:8; content:"ISSPNGRQ"; depth:32; reference:arachnids,158;
>> >> classtype:attempted-recon; sid:465; rev:3;)
>> >>
>> >> or
>> >>
>> >> reject icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP ISS Pinger";
>> >> itype:8; content:"ISSPNGRQ"; depth:32; reference:arachnids,158;
>> >> classtype:attempted-recon; sid:465; rev:3;)
>> >>
>> >> or
>> >>
>> >> drop icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"ICMP ISS Pinger";
>> >> itype:8; content:"ISSPNGRQ"; depth:32; reference:arachnids,158;
>> >> classtype:attempted-recon; sid:465; rev:3;)
>> >>
>> >> or something like these?
>> >>
>> >> Thanks,
>> >>
>> >> Michael
>> >>
>> >> ----- Original Message -----
>> >> From: "Will Metcalf" <william.metcalf@gmail.com>
>> >> To: "Michael D. Peters" <mdpeters@lazarusalliance.com>
>> >> Cc: "mdpeters" <michael.peters@lazarusalliance.com>;
>> >> <snort-users@lists.sourceforge.net>
>> >> Sent: Tuesday, December 28, 2004 6:16 PM
>> >> Subject: [Snort-users] Re: Inline IP_Forwarding and other simple
>> >> questions?
>> >>
>> >> >> What I am asking is since this uses IPTABLES, should I just set up
>> >> >> permanent "firewall type" IPTABLE rules and then use the modified snort
>> >> >> rules to take care of the resets, drops, etc?
>> >> >
>> >> > Yes
>> >> >
>> >> >
>> >> > On Tue, 28 Dec 2004 18:02:12 -0500, Michael D. Peters
>> >> > <mdpeters@lazarusalliance.com> wrote:
>> >> >> What I am asking is since this uses IPTABLES, should I just set up
>> >> >> permanent "firewall type" IPTABLE rules and then use the modified snort
>> >> >> rules to take care of the resets, drops, etc?
>> >> >>
>> >> >>
>> >> >> Will Metcalf writes:
>> >> >>
>> >> >> >> If I have something like this: <GATEWAY-ROUTER> connected to
>> >> >> >> <FIREWALL> connected to <SNORT_INLINE> connected to <NETWORK HUB OR
>> >> >> >> SWITCH>. Would I set the "var HOME_NET any" to "var HOME_NET
>> >> >> >> nnn.nnn.nnn.nnn/xx?
>> >> >> >
>> >> >> > Yes
>> >> >> >
>> >> >> >> Do I need to make a startup script for IPTABLE rules or do I rely
>> >> >> >> on drop.rules or both? I'm inclined to think that the firewall rules
>> >> >> >> will be essentially duplicated with IPTABLES and the drop.rules
>> >> >> >> interactively supplement the IPTABLES.
>> >> >> >
>> >> >> > I'm not really sure what you are asking for here...... Usually it
>> >> >> > is a good idea to have a couple of iptables rules to check state for
>> >> >> > tcp state etc. Just off the top of my head.....
>> >> >> >
>> >> >> > iptables -P FORWARD DROP
>> >> >> > iptables -A FORWARD -p tcp --syn -m state --state NEW -j QUEUE
>> >> >> > iptables -A FORWARD -p tcp -m state --state RELATED,ESTABLISHED -j QUEUE
>> >> >> > iptables -A FORWARD -p udp -j QUEUE
>> >> >> > iptables -A FORWARD -p icmp -j QUEUE
>> >> >> >
>> >> >> >> Would MySQL logging be done the same way for Snort-inline as it
>> >> >> >> is with regular Snort?
>> >> >> >>
>> >> >> >> output database: alert, mysql, dbname=snort user=snortuser host=localhost password=snortuserpassword
>> >> >> >
>> >> >> > Yes
>> >> >> >
>> >> >> > Regards,
>> >> >> >
>> >> >> > Will
>> >> >> >
>> >> >> >
>> >> >> >
>> >> >> >
>> >> >> > On Tue, 28 Dec 2004 10:58:28 -0500, mdpeters
>> >> >> > <michael.peters@lazarusalliance.com> wrote:
>> >> >> >> Concerning the snort-inline.conf file, are the "var" statements
>> >> >> >> relevant? Should I specify the network and subnet that the snort-inline
>> >> >> >> box runs on?
>> >> >> >>
>> >> >> >> If I have something like this: <GATEWAY-ROUTER> connected to
>> >> >> >> <FIREWALL> connected to <SNORT_INLINE> connected to <NETWORK HUB OR
>> >> >> >> SWITCH>. Would I set the "var HOME_NET any" to "var HOME_NET
>> >> >> >> nnn.nnn.nnn.nnn/xx?
>> >> >> >>
>> >> >> >> Do I need to make a startup script for IPTABLE rules or do I rely
>> >> >> >> on drop.rules or both? I'm inclined to think that the firewall rules
>> >> >> >> will be essentially duplicated with IPTABLES and the drop.rules
>> >> >> >> interactively supplement the IPTABLES.
>> >> >> >>
>> >> >> >> Thank you for the continued education and assistance. :)
>> >> >> >>
>> >> >> >> ----- Original Message -----
>> >> >> >> From: "Will Metcalf" <william.metcalf@gmail.com>
>> >> >> >> To: "mdpeters" <michael.peters@lazarusalliance.com>
>> >> >> >> Sent: Monday, December 27, 2004 12:04 PM
>> >> >> >> Subject: Re: [Snort-users] Inline IP_Forwarding and other simple
>> >> >> >> questions?
>> >> >> >>
>> >> >> >> > because, you are not pulling traffic off of the bridge. You are
>> >> >> >> > pulling traffic out of iptables, via the QUEUE target. As far as
>> >> >> >> > the rules go, you need to convert alert to drop/sdrop/reject.
>> >> >> >> >
>> >> >> >> > Regards,
>> >> >> >> >
>> >> >> >> > Will
>> >> >> >> >
>> >> >> >> >
>> >> >> >> > On Mon, 27 Dec 2004 11:36:10 -0500, mdpeters
>> >> >> >> > <michael.peters@lazarusalliance.com> wrote:
>> >> >> >> >> One instance for both interfaces or just one like you wrote?
>> >> >> >> >> How does it know what interface the bridge is on?
>> >> >> >> >>
>> >> >> >> >>
>> >> >> >> >> ----- Original Message -----
>> >> >> >> >> From: "Will Metcalf" <william.metcalf@gmail.com>
>> >> >> >> >> To: "mdpeters" <michael.peters@lazarusalliance.com>
>> >> >> >> >> Sent: Monday, December 27, 2004 11:00 AM
>> >> >> >> >> Subject: Re: [Snort-users] Inline IP_Forwarding and other
>> >> >> >> >> simple
>> >> >> >> >> questions?
>> >> >> >> >>
>> >> >> >> >> > look at inline readme file under doc in your source.
>> >> >> >> >> >
>> >> >> >> >> > you were close....
>> >> >> >> >> >
>> >> >> >> >> > /opt/snort/bin/snort-inline -Q -l /var/log/snort/ -D -c /opt/snort/etc/snort_inline.conf
>> >> >> >> >> >
>> >> >> >> >> > something like that...
>> >> >> >> >> >
>> >> >> >> >> > Regards,
>> >> >> >> >> >
>> >> >> >> >> > Will
>> >> >> >> >> >
>> >> >> >> >> >
>> >> >> >> >> > On Mon, 27 Dec 2004 09:46:33 -0500, mdpeters
>> >> >> >> >> > <michael.peters@lazarusalliance.com> wrote:
>> >> >> >> >> >> Right now I have this running:
>> >> >> >> >> >>
>> >> >> >> >> >> /opt/snort/bin/snort-inline -Q -c /opt/snort/etc/inline1.conf -i eth1 -l /var/log/snort-inline1 -D
>> >> >> >> >> >> /opt/snort/bin/snort-inline -Q -c /opt/snort/etc/inline2.conf -i eth2 -l /var/log/snort-inline2 -D
>> >> >> >> >> >>
>> >> >> >> >> >> I apparently do not understand how inline works.
>> >> >> >> >> >>
>> >> >> >> >> >> What would the snort-inline command be to work on a transparent
>> >> >> >> >> >> bridge snort-inline with iptables?
>> >> >> >> >> >>
>> >> >> >> >> >> Where can I read up?
>> >> >> >> >> >>
>> >> >> >> >> >> I appreciate your help!
>> >> >> >> >> >>
>> >> >> >> >> >> ----- Original Message -----
>> >> >> >> >> >> From: "Will Metcalf" <william.metcalf@gmail.com>
>> >> >> >> >> >> To: "mdpeters" <michael.peters@lazarusalliance.com>
>> >> >> >> >> >> Sent: Monday, December 27, 2004 8:14 AM
>> >> >> >> >> >> Subject: Re: [Snort-users] Inline IP_Forwarding and other simple
>> >> >> >> >> >> questions?
>> >> >> >> >> >>
>> >> >> >> >> >> > neither you would use the -Q switch to tell snort to read from
>> >> >> >> >> >> > ip_queue. Then you have to send traffic to snort with iptables
>> >> >> >> >> >> > with a rule like this.
>> >> >> >> >> >> >
>> >> >> >> >> >> > iptables -A FORWARD -j QUEUE
>> >> >> >> >> >> >
>> >> >> >> >> >> >
>> >> >> >> >> >> > On Mon, 27 Dec 2004 00:06:30 -0500, mdpeters
>> >> >> >> >> >> > <michael.peters@lazarusalliance.com> wrote:
>> >> >> >> >> >> >> Would I need to use the bridge "br0" group interface or the
>> >> >> >> >> >> >> individual interfaces "eth0" and "eth1" that make up the group
>> >> >> >> >> >> >> for the Snort-inline start command?
>> >> >> >> >> >> >>
>> >> >> >> >> >> >> Thanks,
>> >> >> >> >> >> >> Michael
>> >> >> >> >> >> >>
>> >> >> >> >> >> >> ----- Original Message -----
>> >> >> >> >> >> >> From: "Will Metcalf" <william.metcalf@gmail.com>
>> >> >> >> >> >> >> To: "Matt Kettler" <mkettler@evi-inc.com>
>> >> >> >> >> >> >> Cc: "mdpeters" <michael.peters@lazarusalliance.com>;
>> >> >> >> >> >> >> <snort-users@lists.sourceforge.net>
>> >> >> >> >> >> >> Sent: Thursday, December 23, 2004 4:43 PM
>> >> >> >> >> >> >> Subject: Re: [Snort-users] Inline IP_Forwarding and other simple
>> >> >> >> >> >> >> questions?
>> >> >> >> >> >> >>
>> >> >> >> >> >> >> > Well said, except that drop does not reset the connection.
>> >> >> >> >> >> >> > Using reject will drop and reset the connection.
>> >> >> >> >> >> >> >
>> >> >> >> >> >> >> > Regards,
>> >> >> >> >> >> >> >
>> >> >> >> >> >> >> > Will
>> >> >> >> >> >> >> >
>> >> >> >> >> >> >> > On Thu, 23 Dec 2004 15:21:37 -0500, Matt Kettler
>> >> >> >> >> >> >> > <mkettler@evi-inc.com> wrote:
>> >> >> >> >> >> >> >> At 02:04 PM 12/23/2004, mdpeters wrote:
>> >> >> >> >> >> >> >> >Do I need to enable ip_forwarding on for the transparent
>> >> >> >> >> >> >> >> >bridge to work?
>> >> >> >> >> >> >> >>
>> >> >> >> >> >> >> >> As I understand it, you explicitly MUST NOT enable
>> >> >> >> >> >> >> >> ip_forwarding, otherwise your snort-inline is a "pass all".
>> >> >> >> >> >> >> >>
>> >> >> >> >> >> >> >> >
>> >> >> >> >> >> >> >> >Do I need to install ebtables for inline to disrupt
>> >> >> >> >> >> >> >> >traffic or is iptables, libnet, and libpcap all that I might
>> >> >> >> >> >> >> >> >need?
>> >> >> >> >> >> >> >>
>> >> >> >> >> >> >> >> AFAIK you don't need ebtables. You do need libipq for inline
>> >> >> >> >> >> >> >> and libnet. This is how snort-inline attaches to iptables by
>> >> >> >> >> >> >> >> using libipq instead of using libpcap.
>> >> >> >> >> >> >> >>
>> >> >> >> >> >> >> >>
>> >> >> >> >> >> >> >> > It is my impression that iptables just firewalls with
>> >> >> >> >> >> >> >> > static rules.
>> >> >> >> >> >> >> >>
>> >> >> >> >> >> >> >> On its own, yes, but IPTables is VERY extensible via
>> >> >> >> >> >> >> >> libipq..
>> >> >> >> >> >> >> >>
>> >> >> >> >> >> >> >> That's where snort-inline comes in. Snort-inline interacts
>> >> >> >> >> >> >> >> with iptables. It doesn't do things like create iptables
>> >> >> >> >> >> >> >> rules to block packets; it's that the whole system becomes
>> >> >> >> >> >> >> >> an iptables rule, it just happens to be a rule that runs
>> >> >> >> >> >> >> >> snort instead of some simple expression.
>> >> >> >> >> >> >> >>
>> >> >> >> >> >> >> >>
>> >> >> >> >> >> >> >> >
>> >> >> >> >> >> >> >> >Do the snort rules running on the transparent inline
>> >> >> >> >> >> >> >> >snort box reset the traffic that passes through using inline?
>> >> >> >> >> >> >> >>
>> >> >> >> >> >> >> >> Depends on if you use DROP or SDROP :).. However, inline
>> >> >> >> >> >> >> >> doesn't JUST reset the traffic.. it also prevents the packet
>> >> >> >> >> >> >> >> from being forwarded at all. DROP will also reset, SDROP won't.
>> >> >> >> >> >> >> >>
>> >> >> >> >> >> >> >> Snort 2.3's inline capacity is a direct port of snort-inline.
>> >> >> >> >> >> >> >> You might want to check their FAQ for other info:
>> >> >> >> >> >> >> >>
>> >> >> >> >> >> >> >> http://snort-inline.sourceforge.net/FAQ.html
>> >> >> >> >> >> >> >>
>> >> >> >> >> >> >> >> -------------------------------------------------------
>> >> >> >> >> >> >> >> SF email is sponsored by - The IT Product Guide
>> >> >> >> >> >> >> >> Read honest & candid reviews on hundreds of IT Products from real users.
>> >> >> >> >> >> >> >> Discover which products truly live up to the hype. Start reading now.
>> >> >> >> >> >> >> >> http://productguide.itmanagersjournal.com/
>> >> >> >> >> >> >> >> _______________________________________________
>> >> >> >> >> >> >> >> Snort-users mailing list
>> >> >> >> >> >> >> >> Snort-users@lists.sourceforge.net
>> >> >> >> >> >> >> >> Go to this URL to change user options or
>> >> >> >> >> >> >> >> unsubscribe:
>> >> >> >> >> >> >> >> https://lists.sourceforge.net/lists/listinfo/snort-users
>> >> >> >> >> >> >> >> Snort-users list archive:
>> >> >> >> >> >> >> >> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>> >> >> >> >> >> >> >>
>> >> >> >> >> >> >> >
>> >> >> >> >> >> >> >
>> >> >> >> >> >> >> >
>> >> >> >> >> >> >>
>> >> >> >> >> >> >>
>> >> >> >> >> >> >
>> >> >> >> >> >>
>> >> >> >> >> >>
>> >> >> >> >> >
>> >> >> >> >>
>> >> >> >> >>
>> >> >> >> >
>> >> >> >>
>> >> >> >>
>> >> >>
>> >> >>
>> >> >> Best regards,
>> >> >>
>> >> >> Michael D. Peters
>> >> >> Director of Security Services
>> >> >> CISSP
>> >> >> Lazarus Alliance Inc.
>> >> >> M: 502-767-3448
>> >> >> O: 502-231-8017 x8
>> >> >> H: 502-231-6923
>> >> >> F: 502-231-5347
>> >> >>
>> >> >> michael.peters@lazarusalliance.com
>> >> >> www.lazarusalliance.com
>> >> >>
>> >> >> Verify here: http://wwwkeys.us.pgp.net
>> >> >>
>> >> >>
>> >> >
>> >> >
>> >> >
>> >>
>> >>
>> >
>>
>>
>
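Two of the manual steps in this thread lend themselves to a small tool: converting the stock `alert` rules to the inline actions Will names (`drop`, `sdrop`, `reject`), and catching the two snort.conf settings that caused trouble (a bare `config layer2resets:` that made snort-inline die, and `config checksum_mode: all` on a 2.6 kernel). The following is an added example written for this page; it is not code from snort-inline or the rules tarball. The function names, the classtype-to-action policy, the sample snort.conf fragment and the two local rules with sids 1000001 and 1000002 are my own constructions; the ISS Pinger rule is the one Michael quotes above, in its shipped `alert` form.

```python
"""Move a Snort rule set and snort.conf toward inline (-Q) operation.

Added example for this thread; not code from snort-inline or the rules
tarball. It rewrites the 'alert' action to drop/sdrop/reject and checks
snort.conf for the two settings that caused trouble in the thread.
Function names and the sample rules with sids 1000001/1000002 are my own.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Actions that only take effect when snort runs inline and reads from ip_queue.
# drop = block and alert, sdrop = block silently, reject = block and reset
# the connection (as Will describes them in the thread).
INLINE_ACTIONS = {"drop", "sdrop", "reject"}

# Rule header: action proto src sport direction dst dport (options)
_RULE_RE = re.compile(
    r"^\s*(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<direction>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<options>.*)\)\s*$"
)


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    direction: str
    dst: str
    dport: str
    options: str


def parse_rule(line: str) -> Rule:
    """Split a single-line Snort rule into its header fields and option body."""
    m = _RULE_RE.match(line)
    if not m:
        raise ValueError("not a single-line Snort rule: %r" % line)
    return Rule(**m.groupdict())


def format_rule(rule: Rule) -> str:
    return (f"{rule.action} {rule.proto} {rule.src} {rule.sport} "
            f"{rule.direction} {rule.dst} {rule.dport} ({rule.options})")


def option_value(rule: Rule, key: str) -> Optional[str]:
    """Value of a keyword option such as sid or classtype, or None if absent."""
    m = re.search(r"(?:^|;)\s*" + re.escape(key) + r"\s*:\s*([^;]*);", rule.options)
    return m.group(1).strip() if m else None


def choose_action(rule: Rule, policy: Dict[str, str], default: str) -> str:
    """Pick the inline action for an alert rule: by classtype when the policy
    names one, otherwise the default. Anything outside INLINE_ACTIONS is a
    policy mistake and is rejected rather than silently written out."""
    action = policy.get(option_value(rule, "classtype") or "", default)
    if action not in INLINE_ACTIONS:
        raise ValueError("not an inline action: %r" % action)
    return action


def convert_ruleset(text: str, policy: Dict[str, str], default: str = "drop") -> str:
    """Rewrite every 'alert' rule in a rules file; other lines pass through.
    Lines ending in a backslash are joined first, as Snort does when reading."""
    out: List[str] = []
    pending = ""
    for raw in text.splitlines():
        if raw.rstrip().endswith("\\"):
            pending += raw.rstrip()[:-1]
            continue
        line, pending = pending + raw, ""
        if not line.strip().startswith("alert "):
            out.append(line)  # comments, blank lines, pass/log/drop rules
            continue
        rule = parse_rule(line)
        rule.action = choose_action(rule, policy, default)
        out.append(format_rule(rule))
    return "\n".join(out) + ("\n" if text.endswith("\n") else "")


def inline_config_findings(conf_text: str) -> List[str]:
    """Flag the two snort.conf settings that bit the thread's author."""
    findings = []
    for line in conf_text.splitlines():
        s = line.strip()
        if re.fullmatch(r"config\s+layer2resets:\s*", s):
            findings.append("layer2resets has no MAC address; give it the bridge interface's MAC")
        if re.fullmatch(r"config\s+checksum_mode:\s*all", s):
            findings.append("checksum_mode is 'all'; on a 2.6 kernel Will suggests 'none'")
    return findings


# Constructed sample input: the ISS Pinger rule quoted in the thread (as it
# ships, with 'alert') plus two made-up local rules.
SAMPLE_RULES = """\
# constructed sample rules
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP ISS Pinger"; itype:8; content:"ISSPNGRQ"; depth:32; reference:arachnids,158; classtype:attempted-recon; sid:465; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"LOCAL telnet sample"; flow:to_server,established; \\
    content:"sample"; classtype:attempted-admin; sid:1000001; rev:1;)
pass tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"LOCAL allow web"; sid:1000002; rev:1;)
"""

# Constructed snort.conf fragment carrying both problem settings.
SAMPLE_CONF = "config checksum_mode: all\nconfig layer2resets:\n"

if __name__ == "__main__":
    print(convert_ruleset(SAMPLE_RULES, {"attempted-recon": "sdrop"}, default="reject"))
    for finding in inline_config_findings(SAMPLE_CONF):
        print("WARN:", finding)
```

Run against the sample, the recon rule comes out as `sdrop` (blocked without an alert), the constructed telnet rule falls through to the `reject` default, and the `pass` rule and comment are left untouched. Mapping by `classtype` keeps the decision in one small table instead of a hand edit of every `*.rules` file, and refusing any action outside `INLINE_ACTIONS` means a typo in the policy fails loudly rather than producing a rule that snort-inline would load as plain `alert`.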
-------------------------------------------------------
The SF.Net email is sponsored by: Beat the post-holiday blues
Get a FREE limited edition SourceForge.net t-shirt from ThinkGeek.
It's fun and FREE -- well, almost....http://www.thinkgeek.com/sfshirt
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users