Snort mailing list archives
snortsam iptables plugin
From: "Huseyin A. Ozbey" <huseyin () btegitim com>
Date: Sun, 2 Jan 2005 15:26:24 +0200
Dear Sirs I have problems using snort with the snortsam iptables plugin. When I patch snort, It says "Patching Snort version 2.0...", does it mean I coundn't use snort-2.3.0RC2 ? [root@menekse snortsam-patch]# ./patchsnort.sh /root/snortinstall/silinecek/snort-2.3.0RC2 Patching Snort version 2.0... patching file spo_alert_fwsam.c patching file spo_alert_fwsam.h patching file twofish.c patching file twofish.h rm: cannot remove `spo_alert_fwsam.?.orig': No such file or directory rm: cannot remove `twofish.?.orig': No such file or directory patching file plugbase.c patching file plugin_enum.h Hunk #1 succeeded at 37 with fuzz 1. Patching Makefiles... Done My ip configuration is eth0 : inet addr:192.168.0.15 Mask:255.255.255.0 -->Outside eth1 : inet addr:192.168.1.15 BcastMask:255.255.255.0 -->Inside I have attached the files, snort.conf, snortsam.conf and sid-block.map. Would you please help me why I couldn't see any command in the FORWARD chain. [root@menekse snortsam-patch]# iptables -L Chain INPUT (policy ACCEPT) target prot opt source destination Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination [root@menekse snortsam-patch]# Best Regards Huseyin A. Ozbey [root@menekse root]# /usr/local/bin/snortsam SnortSam, v 2.29. Copyright (c) 2001-2004 Frank Knobbe <frank () knobbe us>. All rights reserved. Plugin 'fwsam': v 2.2, by Frank Knobbe Plugin 'fwexec': v 2.3, by Frank Knobbe Plugin 'pix': v 2.7, by Frank Knobbe Plugin 'ciscoacl': v 2.8, by Ali Basel <alib () sabanciuniv edu> Plugin 'netscreen': v 2.7, by Frank Knobbe Plugin 'ipchains': v 2.7, by Hector A. Paterno <apaterno () dsnsecurity com> Plugin 'iptables': v 2.6, by Fabrizio Tivano <fabrizio () sad it> Plugin 'ebtables': v 2.2, by Bruno Scatolin <ipsystems () uol com br> Plugin 'watchguard': v 2.3, by Thomas Maier <thomas.maier () arcos de> Plugin 'email': v 2.7, by Frank Knobbe Parsing config file /etc/snortsam.conf... Linking plugin 'email'... Linking plugin 'iptables'... Checking for existing state file: Present. Reading state. Starting to listen for Snort alerts. Accepted connection from 192.168.1.15. Adding sensor 192.168.1.15 to list. Had to use initial key! Snort station 192.168.1.15 using wrong password, trying to re-sync. Accepted connection from 192.168.1.15. [root@menekse root]# /usr/local/bin/snort -c /etc/snort/snort.conf Running in IDS mode Initializing Network Interface eth0 --== Initializing Snort ==-- Initializing Output Plugins! Decoding Ethernet on interface eth0 Initializing Preprocessors! Initializing Plug-ins! Parsing Rules file /etc/snort/snort.conf +++++++++++++++++++++++++++++++++++++++++++++++++++ Initializing rule chains... ,-----------[Flow Config]---------------------- | Stats Interval: 0 | Hash Method: 2 | Memcap: 10485760 | Rows : 4099 | Overhead Bytes: 16400(%0.16) `---------------------------------------------- No arguments to frag2 directive, setting defaults to: Fragment timeout: 60 seconds Fragment memory cap: 4194304 bytes Fragment min_ttl: 0 Fragment ttl_limit: 5 Fragment Problems: 0 Self preservation threshold: 500 Self preservation period: 90 Suspend threshold: 1000 Suspend period: 30 Stream4 config: Stateful inspection: ACTIVE Session statistics: INACTIVE Session timeout: 30 seconds Session memory cap: 8388608 bytes State alerts: INACTIVE Evasion alerts: INACTIVE Scan alerts: INACTIVE Log Flushed Streams: INACTIVE MinTTL: 1 TTL Limit: 5 Async Link: 0 State Protection: 0 Self preservation threshold: 50 Self preservation period: 90 Suspend threshold: 200 Suspend period: 30 Enforce TCP State: INACTIVE Midstream Drop Alerts: INACTIVE Stream4_reassemble config: Server reassembly: INACTIVE Client reassembly: ACTIVE Reassembler alerts: ACTIVE Zero out flushed packets: INACTIVE flush_data_diff_size: 500 Ports: 21 23 25 53 80 110 111 143 513 1433 Emergency Ports: 21 23 25 53 80 110 111 143 513 1433 HttpInspect Config: GLOBAL CONFIG Max Pipeline Requests: 0 Inspection Type: STATELESS Detect Proxy Usage: NO IIS Unicode Map Filename: /etc/snort/unicode.map IIS Unicode Map Codepage: 1252 DEFAULT SERVER CONFIG: Ports: 80 8080 8180 Flow Depth: 300 Max Chunk Length: 500000 Inspect Pipeline Requests: YES URI Discovery Strict Mode: NO Allow Proxy Usage: NO Disable Alerting: NO Oversize Dir Length: 500 Only inspect URI: NO Ascii: YES alert: NO Double Decoding: YES alert: YES %U Encoding: YES alert: YES Bare Byte: YES alert: YES Base36: OFF UTF 8: OFF IIS Unicode: YES alert: YES Multiple Slash: YES alert: NO IIS Backslash: YES alert: NO Directory Traversal: YES alert: NO Web Root Traversal: YES alert: YES Apache WhiteSpace: YES alert: NO IIS Delimiter: YES alert: NO IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG Non-RFC Compliant Characters: NONE rpc_decode arguments: Ports to decode RPC on: 111 32771 alert_fragments: INACTIVE alert_large_fragments: ACTIVE alert_incomplete: ACTIVE alert_multiple_requests: ACTIVE telnet_decode arguments: Ports to decode telnet on: 21 23 25 119 Portscan Detection Config: Detect Protocols: TCP UDP ICMP IP Detect Scan Type: portscan portsweep decoy_portscan distributed_portscan Sensitivity Level: Low Memcap (in bytes): 10000000 Number of Nodes: 36900 database: compiled support for ( mysql ) database: configured to use mysql database: user = snort database: password is set database: database name = snort database: host = localhost database: sensor name = 192.168.0.15 database: sensor id = 1 database: schema version = 106 database: using the "log" facility INFO => [Alert_FWsam](AlertFWsamSetup) Using sid-map file: /etc/snort/sid-block.map INFO => [Alert_FWsam](FWsamCheckIn) Connected to host 192.168.1.15. 2190 Snort rules read... 2190 Option Chains linked into 191 Chain Headers 0 Dynamic rules +++++++++++++++++++++++++++++++++++++++++++++++++++ +-----------------------[thresholding-config]--------------------------- ------- | memory-cap : 1048576 bytes +-----------------------[thresholding-global]--------------------------- ------- | none +-----------------------[thresholding-local]---------------------------- ------- | gen-id=1 sig-id=2495 type=Both tracking=dst count=20 seconds=60 | gen-id=1 sig-id=2496 type=Both tracking=dst count=20 seconds=60 | gen-id=1 sig-id=2275 type=Threshold tracking=dst count=5 seconds=60 | gen-id=1 sig-id=2924 type=Threshold tracking=src count=10 seconds=60 | gen-id=1 sig-id=2494 type=Both tracking=dst count=20 seconds=60 | gen-id=1 sig-id=2923 type=Threshold tracking=src count=10 seconds=60 | gen-id=1 sig-id=2523 type=Both tracking=dst count=10 seconds=10 +-----------------------[suppression]----------------------------------- ------- ------------------------------------------------------------------------ ------- Rule application order: ->activation->dynamic->alert->pass->log Log directory = /var/log/snort --== Initialization Complete ==-- ,,_ -*> Snort! <*- o" )~ Version 2.3.0RC2 (Build 9) '''' By Martin Roesch & The Snort Team: http://www.snort.org/team.html (C) Copyright 1998-2004 Sourcefire Inc, et al.
Attachment:
sid-block.map
Description:
Attachment:
snort.conf
Description:
Attachment:
snortsam.conf
Description:
Current thread:
- snortsam iptables plugin Huseyin A. Ozbey (Jan 02)
- Re: snortsam iptables plugin Frank Knobbe (Jan 02)
- RE: snortsam iptables plugin Huseyin A. Ozbey (Jan 02)
- RE: snortsam iptables plugin Frank Knobbe (Jan 02)
- RE: snortsam iptables plugin Huseyin A. Ozbey (Jan 02)
- Re: snortsam iptables plugin Frank Knobbe (Jan 02)