Snort mailing list archives
anyone using snort 2.9.03 on freebsd with --daq ipfw?
From: Michael Scheidell <michael.scheidell () secnap com>
Date: Tue, 8 Feb 2011 10:11:59 -0500
I have been trying to get this to work, and either there is something wrong with the ipfw daq module, or I have something set up wrong.
I am using FreeBSD 7.3 amd64, IF_BRIDGE (yes, it works.. it used to work with snort 2.8.4 with inline patches. Yes, FreeBSD fixed the problem with divert and if_bridge).
snort started:

    snort -dQv -c snort_test.conf --daq ipfw

snort_test.conf:

    #config detection: search-method ac-bnfa
    config detection: search-method ac-split
    #config detection: search-method ac max_queue_events 5
    config policy_mode:inline
    var HOME_NET [10.0.0.0/8]
    alert icmp any any <> any any (msg: "ping testing";rev:1;sid:1)

ipfw:

    00100     0       0 allow ip from any to any via lo0
    00200 18464 2478940 allow ip from any to any via con0
    09000  1352  113492 count ip from any to any
    10000   850   71400 divert 8000 ip from any to any
    65535  1224  102740 allow ip from any to any

What happens is, as soon as I put in the divert rule, traffic stops being passed.
It is in /var/log/snort/alert:

    02/08-10:09:24.936282 172.70.2.56 -> 172.70.2.13
    ICMP TTL:64 TOS:0x0 ID:41296 IpLen:20 DgmLen:84
    Type:8  Code:0  ID:53529   Seq:3706  ECHO
    4D 51 5C A4 00 0E 3C 03 08 09 0A 0B 0C 0D 0E 0F  MQ\...<.........
    10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F  ................
    20 21 22 23 24 25 26 27 28 29 2A 2B 2C 2D 2E 2F   !"#$%&'()*+,-./
    30 31 32 33 34 35 36 37                          01234567

but no reply back; the destination does not see it.

-- 
Michael Scheidell, CTO
o: 561-999-5000 d: 561-948-2259 ISN: 1259*1300
SECNAP Network Security Corporation
* Certified SNORT Integrator
* 2008-9 Hot Company Award Winner, World Executive Alliance
* Five-Star Partner Program 2009, VARBusiness
* Best in Email Security, 2010: Network Products Guide
* King of Spam Filters, SC Magazine 2008
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- anyone using snort 2.9.03 on freebsd with --daq ipfw? Michael Scheidell (Feb 08)
- Re: anyone using snort 2.9.03 on freebsd with --daq ipfw? Michael Scheidell (Feb 08)