Snort mailing list archives
Re: Snort Inline incompatible libipq???
From: spiderslack <spiderslack () yahoo com br>
Date: Tue, 21 Sep 2010 15:15:57 -0400
On 09/21/2010 12:16 PM, Tomas Heredia wrote:
Also, all traffic for the txp session should go thru Snort... Try adding iptables -I FORWARD -p tcp --sport 3389 -j QUEUE
Hi Tomas,

I added the rule as you specified:

iptables -I FORWARD -p tcp --sport 3389 -j QUEUE

but it does not work :( See the tcpdump logs:

root@nascimento:~# tcpdump -i br0 -n port 3389
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on br0, link-type EN10MB (Ethernet), capture size 96 bytes
15:02:52.121229 IP 100.100.100.100.2844 > 200.200.200.200.3389: Flags [S], seq 3126417596, win 65535, options [mss 1452,nop,nop,sackOK], length 0
15:02:55.102729 IP 100.100.100.100.2844 > 200.200.200.200.3389: Flags [S], seq 3126417596, win 65535, options [mss 1452,nop,nop,sackOK], length 0
15:03:01.129871 IP 100.100.100.100.2844 > 200.200.200.200.3389: Flags [S], seq 3126417596, win 65535, options [mss 1452,nop,nop,sackOK], length 0
15:04:15.775264 IP 100.100.100.100.2850 > 200.200.200.200.3389: Flags [S], seq 2075772945, win 65535, options [mss 1452,nop,nop,sackOK], length 0
15:04:18.711696 IP 100.100.100.100.2850 > 200.200.200.200.3389: Flags [S], seq 2075772945, win 65535, options [mss 1452,nop,nop,sackOK], length 0
15:04:24.722153 IP 100.100.100.100.2850 > 200.200.200.200.3389: Flags [S], seq 2075772945, win 65535, options [mss 1452,nop,nop,sackOK], length 0
^C
6 packets captured
6 packets received by filter
0 packets dropped by kernel
root@nascimento:~#

The rules show:

root@nascimento:~# iptables -t filter -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
QUEUE      tcp  --  0.0.0.0/0            0.0.0.0/0            tcp spt:3389
QUEUE      tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:3389

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
root@nascimento:~#

root@nascimento:~# ps ax | grep -i snort
23199 ?        Ss     0:43 /usr/sbin/snort -m 027 -D -Q -l /var/log/snort -u snort -g snort -c /etc/snort/snort.conf
root@nascimento:~#

I do not know what else to do. I tried to compile the C code to give an NF_ACCEPT to the packets that are queued, but it does not compile; according to my research this is because the 2.6 kernel no longer uses libipq but libnetfilter_queue. I am researching how to debug, or at least see, whether the packets are going to the QUEUE and arriving there. If you have any idea that can help me, I thank you.
Regards.
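The capture in the message above shows only client SYNs, each retransmitted with the same initial sequence number and never answered. That is the signature of packets that match a QUEUE rule but never get a verdict: when no userspace process is bound to the queue, the kernel drops the queued packets, and a consumer that receives them but never replies with NF_ACCEPT has the same visible effect. The script below is an added example, not code from this thread or from the Snort project. It parses tcpdump lines in the format shown above (the six lines from the post are embedded as sample input, together with one constructed, completed handshake on client port 2860 as a control case) and flags flows whose SYN was repeated with an unchanged sequence number and never answered by the server side.

```python
import re
from collections import defaultdict

# Constructed sample input: the six SYN lines quoted in the post above, plus
# one constructed completed handshake (client port 2860) as a control case.
SAMPLE_CAPTURE = """\
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
15:02:52.121229 IP 100.100.100.100.2844 > 200.200.200.200.3389: Flags [S], seq 3126417596, win 65535, options [mss 1452,nop,nop,sackOK], length 0
15:02:55.102729 IP 100.100.100.100.2844 > 200.200.200.200.3389: Flags [S], seq 3126417596, win 65535, options [mss 1452,nop,nop,sackOK], length 0
15:03:01.129871 IP 100.100.100.100.2844 > 200.200.200.200.3389: Flags [S], seq 3126417596, win 65535, options [mss 1452,nop,nop,sackOK], length 0
15:04:15.775264 IP 100.100.100.100.2850 > 200.200.200.200.3389: Flags [S], seq 2075772945, win 65535, options [mss 1452,nop,nop,sackOK], length 0
15:04:18.711696 IP 100.100.100.100.2850 > 200.200.200.200.3389: Flags [S], seq 2075772945, win 65535, options [mss 1452,nop,nop,sackOK], length 0
15:04:24.722153 IP 100.100.100.100.2850 > 200.200.200.200.3389: Flags [S], seq 2075772945, win 65535, options [mss 1452,nop,nop,sackOK], length 0
15:05:01.000000 IP 100.100.100.100.2860 > 200.200.200.200.3389: Flags [S], seq 1000, win 65535, options [mss 1452], length 0
15:05:01.020000 IP 200.200.200.200.3389 > 100.100.100.100.2860: Flags [S.], seq 5000, ack 1001, win 8192, options [mss 1460], length 0
15:05:01.040000 IP 100.100.100.100.2860 > 200.200.200.200.3389: Flags [.], ack 1, win 65535, length 0
"""

# One tcpdump -n line for an IPv4 TCP packet: timestamp, endpoints, TCP flags,
# and (when present) the sequence number that follows the flags.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
    r"(?:, seq (?P<seq>\d+))?"
)


def parse_capture(text):
    """Yield one dict per parsable packet line; banner and summary lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["sport"] = int(d["sport"])
        d["dport"] = int(d["dport"])
        d["seq"] = int(d["seq"]) if d["seq"] else None
        yield d


def find_unanswered_syns(text, min_syns=2):
    """Return flows whose SYN was sent at least min_syns times with the same
    initial sequence number and that never received a packet from the other
    side. Each result is (client, client_port, server, server_port, syn_count).
    """
    syns = defaultdict(list)  # client 4-tuple -> ISNs of every SYN seen
    answered = set()          # 4-tuples that received a packet from their peer
    for p in parse_capture(text):
        fwd = (p["src"], p["sport"], p["dst"], p["dport"])
        rev = (p["dst"], p["dport"], p["src"], p["sport"])
        if p["flags"] == "S":
            syns[fwd].append(p["seq"])
        # Any packet in this direction means the reverse flow has been answered.
        answered.add(rev)

    results = []
    for flow, isns in syns.items():
        same_isn = len(set(isns)) == 1
        if len(isns) >= min_syns and same_isn and flow not in answered:
            results.append(flow + (len(isns),))
    return results


if __name__ == "__main__":
    for client, cport, server, sport, n in find_unanswered_syns(SAMPLE_CAPTURE):
        print(f"{client}:{cport} -> {server}:{sport}: {n} SYNs with one ISN, no reply seen")
```

On the sample this reports the two client flows from the post (ports 2844 and 2850, three SYNs each) and leaves the control flow alone. Pair it with the packet counters from `iptables -nvL FORWARD`: nonzero counters on the QUEUE rules plus this SYN-only pattern means the rule matched and the packets were consumed without a verdict, while zero counters mean the traffic never reached the chain. On a bridge interface such as br0 the latter is common, because bridged IP traffic only traverses the iptables FORWARD chain when the br_netfilter hook (`net.bridge.bridge-nf-call-iptables`) is enabled.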