Snort mailing list archives

snortsam iptables plugin


From: "Huseyin A. Ozbey" <huseyin () btegitim com>
Date: Sun, 2 Jan 2005 15:26:24 +0200

Dear Sirs,
I have problems using Snort with the SnortSam iptables plugin. When I
patch Snort, it says "Patching Snort version 2.0..."; does that mean I
couldn't use snort-2.3.0RC2?
 
[root@menekse snortsam-patch]# ./patchsnort.sh /root/snortinstall/silinecek/snort-2.3.0RC2
Patching Snort version 2.0...
patching file spo_alert_fwsam.c
patching file spo_alert_fwsam.h
patching file twofish.c
patching file twofish.h
rm: cannot remove `spo_alert_fwsam.?.orig': No such file or directory
rm: cannot remove `twofish.?.orig': No such file or directory
patching file plugbase.c
patching file plugin_enum.h
Hunk #1 succeeded at 37 with fuzz 1.
Patching Makefiles...
Done
 
My IP configuration is:
eth0 : inet addr:192.168.0.15  Mask:255.255.255.0 -->Outside
eth1 : inet addr:192.168.1.15  BcastMask:255.255.255.0 -->Inside
 
I have attached the files snort.conf, snortsam.conf and sid-block.map.
Would you please help me understand why I couldn't see any command in the
FORWARD chain?
 
[root@menekse snortsam-patch]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
 
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
 
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
[root@menekse snortsam-patch]#
 
Best Regards
 
Huseyin A. Ozbey
 
 
[root@menekse root]# /usr/local/bin/snortsam 
 
SnortSam, v 2.29.
Copyright (c) 2001-2004 Frank Knobbe <frank () knobbe us>. All rights reserved.
 
Plugin 'fwsam': v 2.2, by Frank Knobbe
Plugin 'fwexec': v 2.3, by Frank Knobbe
Plugin 'pix': v 2.7, by Frank Knobbe
Plugin 'ciscoacl': v 2.8, by Ali Basel <alib () sabanciuniv edu>
Plugin 'netscreen': v 2.7, by Frank Knobbe
Plugin 'ipchains': v 2.7, by Hector A. Paterno <apaterno () dsnsecurity com>
Plugin 'iptables': v 2.6, by Fabrizio Tivano <fabrizio () sad it>
Plugin 'ebtables': v 2.2, by Bruno Scatolin <ipsystems () uol com br>
Plugin 'watchguard': v 2.3, by Thomas Maier <thomas.maier () arcos de>
Plugin 'email': v 2.7, by Frank Knobbe
 
Parsing config file /etc/snortsam.conf...
Linking plugin 'email'...
Linking plugin 'iptables'...
Checking for existing state file: Present. Reading state.
Starting to listen for Snort alerts.
Accepted connection from 192.168.1.15.
Adding sensor 192.168.1.15 to list.
Had to use initial key!
Snort station 192.168.1.15 using wrong password, trying to re-sync.
Accepted connection from 192.168.1.15.
 
[root@menekse root]# /usr/local/bin/snort -c /etc/snort/snort.conf 
Running in IDS mode
 
Initializing Network Interface eth0
 
        --== Initializing Snort ==--
Initializing Output Plugins!
Decoding Ethernet on interface eth0
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file /etc/snort/snort.conf
 
+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
,-----------[Flow Config]----------------------
| Stats Interval:  0
| Hash Method:     2
| Memcap:          10485760
| Rows  :          4099
| Overhead Bytes:  16400(%0.16)
`----------------------------------------------
No arguments to frag2 directive, setting defaults to:
    Fragment timeout: 60 seconds
    Fragment memory cap: 4194304 bytes
    Fragment min_ttl:   0
    Fragment ttl_limit: 5
    Fragment Problems: 0
    Self preservation threshold: 500
    Self preservation period: 90
    Suspend threshold: 1000
    Suspend period: 30
Stream4 config:
    Stateful inspection: ACTIVE
    Session statistics: INACTIVE
    Session timeout: 30 seconds
    Session memory cap: 8388608 bytes
    State alerts: INACTIVE
    Evasion alerts: INACTIVE
    Scan alerts: INACTIVE
    Log Flushed Streams: INACTIVE
    MinTTL: 1
    TTL Limit: 5
    Async Link: 0
    State Protection: 0
    Self preservation threshold: 50
    Self preservation period: 90
    Suspend threshold: 200
    Suspend period: 30
    Enforce TCP State: INACTIVE
    Midstream Drop Alerts: INACTIVE
 
Stream4_reassemble config:
    Server reassembly: INACTIVE
    Client reassembly: ACTIVE
    Reassembler alerts: ACTIVE
    Zero out flushed packets: INACTIVE
    flush_data_diff_size: 500
    Ports: 21 23 25 53 80 110 111 143 513 1433 
    Emergency Ports: 21 23 25 53 80 110 111 143 513 1433 
HttpInspect Config:
    GLOBAL CONFIG
      Max Pipeline Requests:    0
      Inspection Type:          STATELESS
      Detect Proxy Usage:       NO
      IIS Unicode Map Filename: /etc/snort/unicode.map
      IIS Unicode Map Codepage: 1252
    DEFAULT SERVER CONFIG:
      Ports: 80 8080 8180 
      Flow Depth: 300
      Max Chunk Length: 500000
      Inspect Pipeline Requests: YES
      URI Discovery Strict Mode: NO
      Allow Proxy Usage: NO
      Disable Alerting: NO
      Oversize Dir Length: 500
      Only inspect URI: NO
      Ascii: YES alert: NO
      Double Decoding: YES alert: YES
      %U Encoding: YES alert: YES
      Bare Byte: YES alert: YES
      Base36: OFF
      UTF 8: OFF
      IIS Unicode: YES alert: YES
      Multiple Slash: YES alert: NO
      IIS Backslash: YES alert: NO
      Directory Traversal: YES alert: NO
      Web Root Traversal: YES alert: YES
      Apache WhiteSpace: YES alert: NO
      IIS Delimiter: YES alert: NO
      IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
      Non-RFC Compliant Characters: NONE
rpc_decode arguments:
    Ports to decode RPC on: 111 32771 
    alert_fragments: INACTIVE
    alert_large_fragments: ACTIVE
    alert_incomplete: ACTIVE
    alert_multiple_requests: ACTIVE
telnet_decode arguments:
    Ports to decode telnet on: 21 23 25 119 
Portscan Detection Config:
    Detect Protocols:  TCP UDP ICMP IP
    Detect Scan Type:  portscan portsweep decoy_portscan distributed_portscan
    Sensitivity Level: Low
    Memcap (in bytes): 10000000
    Number of Nodes:   36900
 
database: compiled support for ( mysql )
database: configured to use mysql
database:          user = snort
database: password is set
database: database name = snort
database:          host = localhost
database:   sensor name = 192.168.0.15
database:     sensor id = 1
database: schema version = 106
database: using the "log" facility
INFO => [Alert_FWsam](AlertFWsamSetup) Using sid-map file: /etc/snort/sid-block.map
INFO => [Alert_FWsam](FWsamCheckIn) Connected to host 192.168.1.15.
2190 Snort rules read...
2190 Option Chains linked into 191 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++
 
 
+-----------------------[thresholding-config]----------------------------------
| memory-cap : 1048576 bytes
+-----------------------[thresholding-global]----------------------------------
| none
+-----------------------[thresholding-local]-----------------------------------
| gen-id=1      sig-id=2495      type=Both       tracking=dst count=20 seconds=60
| gen-id=1      sig-id=2496      type=Both       tracking=dst count=20 seconds=60
| gen-id=1      sig-id=2275      type=Threshold  tracking=dst count=5  seconds=60
| gen-id=1      sig-id=2924      type=Threshold  tracking=src count=10 seconds=60
| gen-id=1      sig-id=2494      type=Both       tracking=dst count=20 seconds=60
| gen-id=1      sig-id=2923      type=Threshold  tracking=src count=10 seconds=60
| gen-id=1      sig-id=2523      type=Both       tracking=dst count=10 seconds=10
+-----------------------[suppression]------------------------------------------
-------------------------------------------------------------------------------
Rule application order: ->activation->dynamic->alert->pass->log
Log directory = /var/log/snort
 
        --== Initialization Complete ==--
 
   ,,_     -*> Snort! <*-
  o"  )~   Version 2.3.0RC2 (Build 9)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/team.html
           (C) Copyright 1998-2004 Sourcefire Inc, et al.
 
 

Attachments: sid-block.map, snort.conf, snortsam.conf
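The thread carries no answer, but two things in the quoted output are worth checking before anything else: snortsam reports "Snort station 192.168.1.15 using wrong password, trying to re-sync", and the FORWARD chain is empty. The following Python is an added example (not code from the post, the list, or the SnortSam project) that turns those checks into something repeatable: it summarises snortsam's console output per sensor, lists the hosts that actually have DROP rules in `iptables -L FORWARD -n`, and compares the key in snort.conf's `output alert_fwsam:` line with the key SnortSam will use for that station from its `accept` / `defaultkey` lines. The log and iptables samples are constructed from the lines the post shows; the config fragments, the key `s3cret` and the host 10.9.8.7 are hypothetical, and the config syntax is as given in the SnortSam README for that era, so verify it against your own copy.

```python
# Added example: sanity checks for a SnortSam + iptables setup.
# Assumed config syntax (check against your SnortSam README):
#   snort.conf     output alert_fwsam: station[:port]/key [station2 ...]
#   snortsam.conf  accept host[/mask][, key]      defaultkey key
import re
from ipaddress import ip_address, ip_network

# Constructed sample inputs, modelled on the output quoted in the post.
SNORTSAM_LOG = """\
Starting to listen for Snort alerts.
Accepted connection from 192.168.1.15.
Adding sensor 192.168.1.15 to list.
Had to use initial key!
Snort station 192.168.1.15 using wrong password, trying to re-sync.
Accepted connection from 192.168.1.15.
"""
# `iptables -L FORWARD -n` after the plugin has blocked 10.9.8.7 both ways
# (constructed; the post's own FORWARD chain is empty).
IPTABLES_FORWARD = """\
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  10.9.8.7             0.0.0.0/0
DROP       all  --  0.0.0.0/0            10.9.8.7
"""
# Hypothetical config fragments; the key values are assumptions.
SNORT_CONF = "output alert_fwsam: 192.168.1.15:898/s3cret\n"
SNORTSAM_CONF = """\
defaultkey fallback
accept 192.168.1.15/32, s3cret
accept 192.168.1.0/24
"""
WILDCARDS = {"0.0.0.0/0", "anywhere"}   # iptables -L with and without -n


def sensor_status(log):
    """Per-sensor counts from snortsam's console output.  A non-zero
    key_mismatches count is the 'using wrong password' line: the sensor
    registered, but its key differs from the one SnortSam expects."""
    status = {}
    for line in log.splitlines():
        for pattern, field in ((r"Accepted connection from (\S+)\.", "connections"),
                               (r"Snort station (\S+) using wrong password", "key_mismatches")):
            m = re.match(pattern, line)
            if m:
                entry = status.setdefault(m.group(1), {"connections": 0, "key_mismatches": 0})
                entry[field] += 1
    return status


def blocked_hosts(iptables_output, chain="FORWARD"):
    """Addresses with a DROP rule in `chain`, parsed from `iptables -L -n`."""
    blocked, in_chain = set(), False
    for line in iptables_output.splitlines():
        if line.startswith("Chain "):
            in_chain = line.split()[1] == chain
            continue
        if not in_chain or not line.strip() or line.startswith("target"):
            continue
        target, _prot, _opt, src, dst = line.split()[:5]
        if target == "DROP":
            blocked.update(a for a in (src, dst) if a not in WILDCARDS)
    return blocked


def station_keys(snort_conf, snortsam_conf):
    """{station_ip: (key in snort.conf, key SnortSam will use)}.  The first
    matching `accept` wins; one without a key falls back to `defaultkey`.
    Stations are assumed to be IP addresses, not hostnames."""
    default_key, accepts = None, []
    for line in snortsam_conf.splitlines():
        word, _, rest = line.split("#", 1)[0].strip().partition(" ")
        if word == "defaultkey":
            default_key = rest.strip()
        elif word == "accept":
            host, _, key = rest.partition(",")
            accepts.append((ip_network(host.strip(), strict=False), key.strip() or None))
    result = {}
    for line in snort_conf.splitlines():
        if not line.startswith("output alert_fwsam:"):
            continue
        for station in line.split(":", 1)[1].split():
            host_port, _, key = station.partition("/")
            host = host_port.split(":")[0]
            expected = next((k or default_key for net, k in accepts if ip_address(host) in net), None)
            result[host] = (key, expected)
    return result


def diagnose(log, iptables_output, snort_conf, snortsam_conf):
    """Human-readable findings; an empty list means nothing looks wrong."""
    findings = []
    for ip, s in sensor_status(log).items():
        if s["key_mismatches"]:
            findings.append(f"sensor {ip}: {s['key_mismatches']} key mismatch(es) reported by snortsam")
    for host, (got, expected) in station_keys(snort_conf, snortsam_conf).items():
        if got != expected:
            findings.append(f"station {host}: snort.conf key {got!r} vs snortsam.conf key {expected!r}")
    if not blocked_hosts(iptables_output):
        findings.append("no DROP rules in FORWARD: no block has been applied yet")
    return findings


if __name__ == "__main__":
    for finding in diagnose(SNORTSAM_LOG, IPTABLES_FORWARD, SNORT_CONF, SNORTSAM_CONF):
        print(finding)
```

Run it against a real box by replacing the constructed strings with the captured snortsam output, `iptables -L FORWARD -n`, and the two config files. An empty FORWARD chain on its own proves little: a rule only appears after a SID listed in sid-block.map actually fires and SnortSam accepts the request, so the key comparison is the check to make first.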
