Snort mailing list archives
Re: Snort Inline incompatible libipq???
From: spiderslack <spiderslack () yahoo com br>
Date: Wed, 22 Sep 2010 12:15:08 -0400
On 09/22/2010 07:54 AM, Tomas Heredia wrote:
> I can't try it right now, but if I recall right, nfnetlink_queue and ip_queue do the same thing, and shouldn't be loaded together. Try unloading ip_queue (but keeping nfnetlink_queue)
>
> On 21/09/2010 04:47 p.m., spiderslack wrote:
>> On 09/21/2010 03:34 PM, Tomas Heredia wrote:
>>> That gave me a hint... I'm recalling from past failures :-) did you "modprobe ip_queue"? could you post your "lsmod"?

Hi Tomas, I managed to compile the C code from the following page: http://www.nufw.org/doc/libnetfilter_queue/nfqnl__test_8c-source.html
It handles the packet and generates an NF_ACCEPT. I compiled it with the following command.

root@nascimento:~/libnetfilter_queue# gcc test1.c -o test1 -lnetfilter_queue

After compiling, I run the firewall rules below and run snort.

Create the iptables rules:

root@nascimento:~# iptables -t filter -I FORWARD -p tcp --dport 3389 -j QUEUE
root@nascimento:~# iptables -t filter -I FORWARD -p tcp --sport 3389 -j QUEUE

Snort running:

root@nascimento:~# ps ax | grep snort
24608 ? Ss 0:00 /usr/sbin/snort -m 027 -D -Q -l /var/log/snort -u snort -g snort -c /etc/snort/snort.conf
root@nascimento:~#

And the nfnetlink_queue module is loaded. Without running the compiled code, terminal service does not work; if I run the binary, the terminal service connection works.

root@nascimento:~/libnetfilter_queue# ./test1
opening library handle
unbinding existing nf_queue handler for AF_INET (if any)
binding nfnetlink_queue as nf_queue handler for AF_INET
binding this socket to queue '0'
setting copy_packet mode
pkt received
hw_protocol=0x0800 hook=2 id=0 indev=4 outdev=4 payload_len=60
entering callback
pkt received
hw_protocol=0x0800 hook=2 id=1 indev=4 outdev=4 payload_len=52
entering callback
pkt received
hw_protocol=0x0800 hook=2 id=2 indev=4 outdev=4 payload_len=96
entering callback
pkt received
hw_protocol=0x0800 hook=2 id=3 indev=4 outdev=4 payload_len=458
entering callback
pkt received
^C
root@nascimento:~/libnetfilter_queue#

I tried to compile the code using libipq only. It generates the error below.

root@nascimento:~# gcc test_libipq.c -o test_libipq -lipq
In file included from test_libipq.c:2:
/usr/include/linux/netfilter.h:55: error: field 'in' has incomplete type
/usr/include/linux/netfilter.h:56: error: field 'in6' has incomplete type
test_libipq.c: In function 'die':
test_libipq.c:32: warning: incompatible implicit declaration of built-in function 'exit'
root@nascimento:~#

I believe that the latest kernel uses libnetfilter_queue and snort still uses libipq; I see no other answer. To complete my tests I will test on yet another distribution, but if you have any tips or anything that could help me, I thank you.
Regards
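
Added example, not part of the original message or of Snort: a shell check for the situation discussed in this thread, where rules send traffic to a queue but the userspace reader may be built against the library for a different kernel queue handler (libipq reads from ip_queue, libnetfilter_queue from nfnetlink_queue). The function names and the sample lsmod and iptables-save text are constructed; flagging both modules as loaded follows Tomas's recollection quoted above.

```shell
#!/bin/sh
# Added example; the sample text below is constructed, not taken from the poster's host.

# Print the queue handler modules named in lsmod-style text, sorted, one per line.
queue_handlers() {
    printf '%s\n' "$1" | awk '$1 == "ip_queue" || $1 == "nfnetlink_queue" { print $1 }' | sort
}

# Count iptables-save style rules whose target is QUEUE or NFQUEUE.
queued_rule_count() {
    printf '%s\n' "$1" | awk '
        { for (i = 1; i < NF; i++)
            if ($i == "-j" && ($(i + 1) == "QUEUE" || $(i + 1) == "NFQUEUE")) { n++; break } }
        END { print n + 0 }'
}

# diagnose LSMOD_TEXT RULES_TEXT CONSUMER_LIB
# CONSUMER_LIB names the library the userspace reader was built against.
diagnose() {
    handlers=$(queue_handlers "$1" | tr '\n' ' ' | sed 's/ $//')
    rules=$(queued_rule_count "$2")
    case "$3" in
        libipq)             needed=ip_queue ;;
        libnetfilter_queue) needed=nfnetlink_queue ;;
        *) echo "unknown-consumer"; return 2 ;;
    esac
    if [ "$rules" -eq 0 ]; then
        echo "no-queue-rules"
    elif [ "$handlers" = "ip_queue nfnetlink_queue" ]; then
        echo "both-handlers-loaded"
    elif [ "$handlers" = "$needed" ]; then
        echo "ok"
    else
        echo "mismatch: $3 needs $needed, loaded: ${handlers:-none}"
    fi
}

# Constructed sample: only nfnetlink_queue loaded, two QUEUE rules for port 3389.
SAMPLE_LSMOD='Module                  Size  Used by
nfnetlink_queue         9093  1
nfnetlink               3479  1 nfnetlink_queue'
SAMPLE_RULES='-A FORWARD -p tcp -m tcp --sport 3389 -j QUEUE
-A FORWARD -p tcp -m tcp --dport 3389 -j QUEUE'

diagnose "$SAMPLE_LSMOD" "$SAMPLE_RULES" libipq
```

On a live host the same function can be fed real data, for example `diagnose "$(lsmod)" "$(iptables-save)" libipq`.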