Snort mailing list archives

Re: Snort in IPS mode


From: "Lay, James" <james.lay () wincofoods com>
Date: Tue, 17 May 2011 13:01:09 -0600

Just an FYI, libipq is part of netfilter; not sure of your distro, but
Slackware comes with this out of the box:

 

[12:58:17 /var/log/packages$] grep libipq *

iptables-1.4.0-i486-1:usr/man/man3/libipq.3.gz

iptables-1.4.0-i486-1:usr/lib/libipq.a

iptables-1.4.0-i486-1:usr/include/libipq.h

 

I did not see this with a default install of Ubuntu server, so your
mileage may vary.

 

James

 

From: Russ Combs [mailto:rcombs () sourcefire com] 
Sent: Tuesday, May 17, 2011 12:44 PM
To: turki
Cc: Will Metcalf; snort-users () lists sourceforge net; Jason Brvenik
Subject: Re: [Snort-users] Snort in IPS mode

 

 

On Tue, May 17, 2011 at 2:24 PM, turki <turki_00 () yahoo com> wrote:


make.out attached


Try to reconfigure your DAQ with --disable-ipq-module.  The make is
stopping there with "cannot find -lipq".




--- On Tue, 5/17/11, Russ Combs <rcombs () sourcefire com> wrote:

        
        From: Russ Combs <rcombs () sourcefire com>
        Subject: Re: [Snort-users] Snort in IPS mode
        To: "turki" <turki_00 () yahoo com>
        Cc: "Will Metcalf" <william.metcalf () gmail com>, snort-users () lists sourceforge net, "Jason Brvenik" <jbrvenik () sourcefire com>

        Received: Tuesday, May 17, 2011, 3:18 PM

         

         

        On Tue, May 17, 2011 at 2:09 PM, turki <turki_00 () yahoo com> wrote:

Producing the same daq list:



./snort --daq-dir /usr/local/lib/daq --daq-list

Available DAQ modules:
pcap(v3): readback live multi unpriv
ipfw(v2): live inline multi unpriv
dump(v1): readback live inline multi unpriv
afpacket(v4): live inline multi unpriv



ls /usr/local/lib/daq
daq_afpacket.la  daq_dump.la  daq_ipfw.la  daq_pcap.la
daq_afpacket.so  daq_dump.so  daq_ipfw.so  daq_pcap.so

daq_nfq.so and daq_nfq.la are not there?!
How come, when the configuration of daq is telling me



Build NFQ DAQ module....... : yes

Is there anything I need to export in the path? 

        
        Can you send the make output of the DAQ source?
        
        Eg:
        
        make clean
        make &> make.out
         

e.g. LD_LIBRARY_PATH or CPPFLAGS

Russ, I read your previous post in the Snort-users list:
http://www.networksecurityarchive.org/html/Snort-Users/2011-03/msg00687.html



and trying to understand what is going on


appreciate all kinds of help


--- On Tue, 5/17/11, Russ Combs <rcombs () sourcefire com> wrote:


From: Russ Combs <rcombs () sourcefire com>


Subject: Re: [Snort-users] Snort in IPS mode
To: "turki" <turki_00 () yahoo com>

Cc: "Will Metcalf" <william.metcalf () gmail com>, snort-users () lists sourceforge net, "Jason Brvenik" <jbrvenik () sourcefire com>
Received: Tuesday, May 17, 2011, 2:32 PM

 

 

On Tue, May 17, 2011 at 1:03 PM, turki <turki_00 () yahoo com> wrote:

Hi Will,

first, checking the configuration of daq
./configure

Build AFPacket DAQ module.. : yes
Build Dump DAQ module...... : yes
Build IPFW DAQ module...... : yes
Build IPQ DAQ module....... : no
Build NFQ DAQ module....... : no
Build PCAP DAQ module...... : yes

then, install the provided packages:


apt-get -y install libnetfilter-queue-dev libnetfilter-queue1 libnfnetlink-dev libnfnetlink0

Run the configuration of daq again:
./configure

Build AFPacket DAQ module.. : yes
Build Dump DAQ module...... : yes
Build IPFW DAQ module...... : yes
Build IPQ DAQ module....... : no
Build NFQ DAQ module....... : yes
Build PCAP DAQ module...... : yes

So clearly, the NFQ DAQ module was not installed before installing the packages

When I run:
./configure --with-libpcap-includes=/usr/include/libnetfilter_queue --with-libpcap-libraries=/usr/lib

Build AFPacket DAQ module.. : yes
Build Dump DAQ module...... : yes
Build IPFW DAQ module...... : yes
Build IPQ DAQ module....... : yes
Build NFQ DAQ module....... : yes
Build PCAP DAQ module...... : yes


Now, when I run:
./snort --daq-list

Available DAQ modules:
pcap(v3): readback live multi unpriv
ipfw(v2): live inline multi unpriv
dump(v1): readback live inline multi unpriv
afpacket(v4): live inline multi unpriv


NFQ is not in the list ?!  help


It may have built only the shared library.  If you know the install
directory, then run this:

./snort --daq-dir /usr/local/lib/daq --daq-list

where /usr/local/lib/daq is your DAQ .so install directory.




--- On Tue, 5/17/11, Will Metcalf <william.metcalf () gmail com> wrote:

        
        From: Will Metcalf <william.metcalf () gmail com>
        Subject: Re: [Snort-users] Snort in IPS mode
        To: "turki" <turki_00 () yahoo com>

        Cc: snort-users () lists sourceforge net, "Jason Brvenik" <jbrvenik () sourcefire com>
        Received: Tuesday, May 17, 2011, 11:56 AM

         

        I'm not running 11.4 but try this. Afterwards you need to try and
        rebuild daq and make sure it builds with nfq support.
        
        sudo apt-get -y install libnetfilter-queue-dev libnetfilter-queue1 libnfnetlink-dev libnfnetlink0
        
        Regards,
        
        Will
        On Tue, May 17, 2011 at 9:43 AM, turki <turki_00 () yahoo com> wrote:
        >
        > Hi Jason,
        >
        > As far as I understand from your (and Michael's) comments, I did
        > the following:
        >
        > snort --daq nfq -Q -c snort.conf
        >
        > I received the following error:
        > ERROR: Can't find nfq DAQ!
        > Fatal Error, Quitting..
        >
        > - Is there any modification I need to do in the snort.conf file?
        > - Do I have to compile snort in inline mode first?
        > - Do I have to set the iptables before I run snort in inline mode?
        >
        >
        > My goal is to run Snort in inline mode with a single interface eth0
        >
        >
        > I apologize if I am asking too many b
        > Is there any beginners' tutorial regarding Snort inline mode, as I
        > just jumped into Snort IPS mode without any background.
        >
        > Thank you,
        >
        > daq-0.5
        > ubuntu 11.4
        > Snort 2.9.0.5
        >
        >
        >
        > --- On Mon, 5/16/11, Will Metcalf <william.metcalf () gmail com> wrote:
        >
        > From: Will Metcalf <william.metcalf () gmail com>
        > Subject: Re: [Snort-users] Snort in IPS mode
        > To: "turki" <turki_00 () yahoo com>
        > Cc: "Jason Brvenik" <jbrvenik () sourcefire com>, snort-users () lists sourceforge net
        > Received: Monday, May 16, 2011, 4:14 PM
        >
        > You should be able to do this very easily with NFQ as Michael
        > suggested.  See the README included with daq.  One thing to note:
        > afaik the example uses the FORWARD chain; if you are using this on
        > the local host you need something like the following if you want to
        > look at port 80 traffic bound for your webserver.
        >
        > iptables -I INPUT -i lo -j ACCEPT
        > iptables -I INPUT -p tcp --dport 80 -j NFQUEUE
        > iptables -I OUTPUT -p tcp --sport 80 -j NFQUEUE
        >
        > Regards,
        >
        > Will
        >
        > On Mon, May 16, 2011 at 1:46 PM, turki <turki_00 () yahoo com> wrote:
        >
        > Jason,
        >
        > No, it didn't work :(
        >
        > After creating an alias interface eth0:0
        >
        > and running the command:
        >
        > snort -Q --daq afpacket -i eth0:eth0:0 -c snort.conf
        >
        > I got the error msg:
        >
        > ERROR: Can't initialize DAQ afpacket (-1) - afpacket_daq_initialize:
        > Couldn't create the bridge between eth0 and eth0!
        > Fatal Error, Quitting..
        >
        >
        > Thank you for the help
        >
        > --- On Mon, 5/16/11, Jason Brvenik <jbrvenik () sourcefire com> wrote:
        >
        > From: Jason Brvenik <jbrvenik () sourcefire com>
        > Subject: Re: [Snort-users] Snort in IPS mode
        > To: "turki" <turki_00 () yahoo com>
        > Cc: snort-users () lists sourceforge net, "Michael Altizer" <maltizer () sourcefire com>
        > Received: Monday, May 16, 2011, 3:29 PM
        >
        > Just create an aliased interface to eth0
        >
        > On May 16, 2011 2:15 PM, "turki" <turki_00 () yahoo com> wrote:
        > > The reason behind my single interface approach is that I want to
        > > run Snort (inline mode) in Amazon cloud and I was stopped by the
        > > fact that they only allow 1 interface for every running virtual
        > > machine instance in EC2.
        > >
        > > Thank you Michael for sharing your knowledge.
        > >
        > >
        > >
        > > --- On Mon, 5/16/11, Michael Altizer <maltizer () sourcefire com> wrote:
        > >
        > > From: Michael Altizer <maltizer () sourcefire com>
        > > Subject: Re: [Snort-users] Snort in IPS mode
        > > To: snort-users () lists sourceforge net
        > > Received: Monday, May 16, 2011, 9:53 PM
        > >
        > > This is not possible with the current AFPacket DAQ module since I
        > > never really thought to do that, but it could be modified to do so
        > > (check if an instance for that interface already exists when
        > > opening each interface and reuse it instead of trying to reopen
        > > and failing).  You may be able to do something like that with
        > > IPTables and the NFQ DAQ module, but I couldn't say for sure.
        > >
        > > On 05/16/2011 09:42 AM, turki wrote:
        > >
        > > What if I only have a single interface card "eth0"?
        > >
        > > Can I redirect/pair the traffic to itself (I know it is kind of a
        > > silly statement)?
        > >
        > > Something like this:
        > >
        > > snort -Q --daq afpacket -i eth0:eth0 -c snort.conf
        > >
        > >
        > > --- On Mon, 5/16/11, Michael Altizer <xiche () verizon net> wrote:
        > >
        > > From: Michael Altizer <xiche () verizon net>
        > > Subject: Re: [Snort-users] Snort in IPS mode
        > > To: snort-users () lists sourceforge net
        > > Received: Monday, May 16, 2011, 6:27 AM
        > >
        > > On 05/15/2011 08:09 PM, turki wrote:
        > >
        > > Hi,
        > >
        > > I am new to snort, so I need help here.
        > >
        > > I am trying to run snort in inline mode with the following command:
        > >
        > > snort -Q --daq afpacket -i eth0 -c snort.conf
        > >
        > > but snort initialization keeps failing with error message:
        > >
        > > afpacket DAQ configured to inline.
        > >
        > > ERROR: Can't initialize DAQ afpacket (-1) - afpacket_daq_initialize:
        > > Invalid interface specification: 'eth0'!
        > >
        > > Fatal Error, Quitting..
        > >
        > > In order to have an inline deployment you need at least one pair
        > > of interfaces for the traffic to flow through.  To that end, you
        > > need to specify a second interface for AFPacket to use to complete
        > > the bridge.
        > >
        > > For example:
        > >
        > > snort -Q --daq afpacket -i eth0:eth1 -c snort.conf
        > >
        > > or (two inline pairs):
        > >
        > > snort -Q --daq afpacket -i eth0:eth1::eth2:eth3 -c snort.conf
        > >
        > > ------------------------------------------------------------------------------
        > > Achieve unprecedented app performance and reliability
        > > What every C/C++ and Fortran developer should know.
        > > Learn how Intel has extended the reach of its next-generation tools
        > > to help boost performance applications - including clusters.
        > > http://p.sf.net/sfu/intel-dev2devmay
        > > _______________________________________________
        > > Snort-users mailing list
        > > Snort-users () lists sourceforge net
        > > Go to this URL to change user options or unsubscribe:
        > > https://lists.sourceforge.net/lists/listinfo/snort-users
        > > Snort-users list archive:
        > > http://www.geocrawler.com/redir-sf.php3?list=snort-users

        
        

 

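Added example (mine, not from the thread or from the Snort/DAQ projects): a pre-flight script that checks, before "snort -Q" is launched, the two things this thread tripped over. It parses the --daq-list output that Russ Combs asked for (the list embedded below is the one turki posted above) to confirm the requested DAQ module is present and advertises "inline", and it validates an afpacket interface spec against the pairing rule Michael Altizer gave. The way it reads the spec (split on ":", drop the empty field that "::" leaves, bridge every two names) is inferred from the two error messages in the thread rather than taken from DAQ documentation, and it reproduces both of them: a lone "eth0" is unpaired, and "eth0:eth0:0" is read as eth0 bridged to itself because the alias colon is taken as a separator. The function names, exit codes and the "run" action are my choices; only POSIX sh, awk and tr are needed.

```shell
#!/bin/sh
# Added example, not from the thread or the DAQ project: pre-flight checks
# for "snort -Q" that catch the failures seen in this thread before Snort
# is started.  Needs only POSIX sh, awk and tr.

# daq_inline_module MODULE  (reads "snort [--daq-dir DIR] --daq-list" output
# on stdin).  Exit 2 if MODULE is not listed at all (turki's "Can't find nfq
# DAQ!"), 1 if it is listed without the "inline" capability (pcap), 0 if
# it can back -Q.
daq_inline_module() {
    awk -v mod="$1" '
        $1 ~ ("^" mod "\\(v[0-9]+\\):$") {    # e.g. "afpacket(v4): live inline multi unpriv"
            found = 1
            for (i = 2; i <= NF; i++) if ($i == "inline") inline = 1
        }
        END {
            if (!found)  { print "error: " mod " DAQ not in list; check --daq-dir" > "/dev/stderr"; exit 2 }
            if (!inline) { print "error: " mod " DAQ is not inline-capable" > "/dev/stderr"; exit 1 }
        }'
}

# afpacket_pairs SPEC: validate an afpacket inline spec ("eth0:eth1::eth2:eth3").
# Assumption, inferred from the thread's error messages rather than from DAQ
# docs: split on ":", ignore the empty field "::" produces, bridge every two
# names.  Prints one "a b" pair per line.  Non-zero exit for the two failures
# seen above: an unpaired interface ("eth0"), and an interface bridged to
# itself ("eth0:eth0:0", where the alias colon is read as a separator).
afpacket_pairs() {
    printf '%s\n' "$1" | tr ':' '\n' | awk '
        NF == 0 { next }                                    # "::" -> empty field
        seen[$1]++ { err = "cannot bridge " $1 " to itself"; exit 1 }
        pending == "" { pending = $1; next }
        { print pending, $1; pending = "" }
        END {
            if (err == "" && pending != "") err = "unpaired interface " pending
            if (err != "") { print "error: " err > "/dev/stderr"; exit 1 }
        }'
}

# The module list turki posted above; swap in live output from
#   snort --daq-dir /usr/local/lib/daq --daq-list
DAQ_LIST='Available DAQ modules:
pcap(v3): readback live multi unpriv
ipfw(v2): live inline multi unpriv
dump(v1): readback live inline multi unpriv
afpacket(v4): live inline multi unpriv'

# preflight MODULE IFACE_SPEC: 0 only if MODULE is inline-capable and (for
# afpacket) the interface spec forms complete pairs.
preflight() {
    printf '%s\n' "$DAQ_LIST" | daq_inline_module "$1" || return $?
    if [ "$1" = afpacket ]; then
        afpacket_pairs "$2" >/dev/null || return 1
    fi
    return 0
}

# Usage: sh preflight.sh run eth0:eth1   (starts Snort only if checks pass)
if [ "$1" = run ]; then
    preflight afpacket "$2" && exec snort -Q --daq afpacket -i "$2" -c snort.conf
fi
```

With the list from the thread, "preflight nfq ..." fails with exit 2 (the module is simply not in the directory --daq-dir points at, which is what Russ's make.out request was chasing), "preflight pcap ..." fails with exit 1 because pcap is passive-only, and only afpacket with a complete pair spec passes.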

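Will Metcalf's three rules above are the core of a single-interface NFQ deployment. Added example (mine, not from the thread): a wrapper that installs and removes them as a unit and makes one ordering point explicit. "iptables -I" inserts at the top of the chain, so when the loopback ACCEPT is issued first, the NFQUEUE rule inserted after it lands above it and loopback traffic to port 80 is queued as well; the wrapper issues the ACCEPTs last so they are evaluated first, and a small replay function reads the dry-run output back to show the order each chain ends up in (what "iptables -S INPUT" would list). The queue number is handed to Snort as --daq-var queue=N, the nfq DAQ's documented variable; the DRY_RUN switch, the extra OUTPUT loopback rule, the replay function and the start/stop/show actions are my additions. One operational caveat: packets steered to an NFQUEUE that no process is attached to are dropped by the kernel, so stopping Snort while the rules are in place takes the web server offline (fail closed). Run the stop action, or tie both actions to the same service unit. Kernels 2.6.39 and later add an NFQUEUE --queue-bypass option to fail open instead.

```shell
#!/bin/sh
# Added example, not from the thread: install/remove Will Metcalf's NFQ
# rules as a unit, with the loopback exemption evaluated first, plus a
# replay of the resulting chain order.  DRY_RUN=1 prints the iptables
# commands instead of running them, so the script can be reviewed or
# tested without root.

ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

# nfq_install PORT [QUEUE]: send inbound traffic to PORT, and the replies
# from it, to NFQUEUE queue QUEUE (default 0, which is also what
# "--daq nfq" reads unless --daq-var queue=N says otherwise).  "-I" puts
# each rule at the top of its chain, so rules are issued in reverse of the
# order they should be evaluated: the loopback ACCEPTs go in last.
nfq_install() {
    port=$1; queue=${2:-0}
    ipt -I OUTPUT -p tcp --sport "$port" -j NFQUEUE --queue-num "$queue"
    ipt -I INPUT -p tcp --dport "$port" -j NFQUEUE --queue-num "$queue"
    ipt -I OUTPUT -o lo -j ACCEPT
    ipt -I INPUT -i lo -j ACCEPT
}

# nfq_remove PORT [QUEUE]: delete exactly the rules nfq_install added
# (same match specs, -D), leaving any other rules in the chains alone.
# Run this whenever Snort stops: with nothing attached to the queue the
# kernel drops NFQUEUE'd packets and the web server goes dark.
nfq_remove() {
    port=$1; queue=${2:-0}
    ipt -D INPUT -i lo -j ACCEPT
    ipt -D OUTPUT -o lo -j ACCEPT
    ipt -D INPUT -p tcp --dport "$port" -j NFQUEUE --queue-num "$queue"
    ipt -D OUTPUT -p tcp --sport "$port" -j NFQUEUE --queue-num "$queue"
}

# simulate_chain CHAIN: replay DRY_RUN output (stdin) for -I/-A/-D and print
# the rule order CHAIN ends up with, top to bottom, as "iptables -S CHAIN"
# would list it.  Handles only the three verbs used here; it is not a
# general iptables emulator.
simulate_chain() {
    awk -v chain="$1" '
        $1 == "iptables" && $3 == chain {
            spec = ""
            for (i = 4; i <= NF; i++) spec = (i == 4) ? $i : spec " " $i
            if ($2 == "-I") {                         # insert at head
                for (j = n; j >= 1; j--) r[j + 1] = r[j]
                r[1] = spec; n++
            } else if ($2 == "-A") {                  # append at tail
                r[++n] = spec
            } else if ($2 == "-D") {                  # delete first exact match
                for (j = 1; j <= n; j++)
                    if (r[j] == spec) {
                        for (k = j; k < n; k++) r[k] = r[k + 1]
                        delete r[n]; n--
                        break
                    }
            }
        }
        END { for (j = 1; j <= n; j++) print r[j] }'
}

# Usage: sh nfq-inline.sh start [PORT] [QUEUE] | stop [PORT] [QUEUE] | show [PORT] [QUEUE]
case "$1" in
    start) nfq_install "${2:-80}" "${3:-0}"
           exec snort -Q --daq nfq --daq-var queue="${3:-0}" -c snort.conf ;;
    stop)  nfq_remove "${2:-80}" "${3:-0}" ;;
    show)  DRY_RUN=1 nfq_install "${2:-80}" "${3:-0}" | simulate_chain INPUT ;;
esac
```

"show" prints the INPUT chain as it will be evaluated, ACCEPT for lo first and NFQUEUE second; feeding the two INPUT rules from the thread's snippet through simulate_chain in their original order lists the NFQUEUE rule first, which is the ordering point the wrapper avoids.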
Current thread: