I apologize for the late response, as the VM instance failed and I had to rebuild it (welcome to the cloud!)
Attached are make3.out and install.out.
>./configure
Build AFPacket DAQ module.. : yes
Build Dump DAQ module...... : yes
Build IPFW DAQ module...... : yes
Build IPQ DAQ module....... : no
Build NFQ DAQ module....... : yes
Build PCAP DAQ module...... : yes
>snort --daq-dir /usr/local/lib daq --daq-list
Available DAQ modules:
nfq(v4): live inline multi
pcap(v3): readback live multi unpriv
ipfw(v2): live inline multi unpriv
dump(v1): readback live inline multi unpriv
afpacket(v4): live inline multi unpriv
--- On Tue, 5/17/11, Russ Combs <rcombs@sourcefire.com> wrote:
From: Russ Combs <rcombs@sourcefire.com>
Subject: Re: [Snort-users] Snort in IPS mode
To: "turki" <turki_00@yahoo.com>
Cc: "Will Metcalf" <william.metcalf@gmail.com>, snort-users@lists.sourceforge.net, "Jason Brvenik" <jbrvenik@sourcefire.com>
Received: Tuesday, May 17, 2011, 4:07 PM
On Tue, May 17, 2011 at 3:02 PM, turki <turki_00@yahoo.com> wrote:
Build AFPacket DAQ module.. : yes
Build Dump DAQ module...... : yes
Build IPQ DAQ module....... : no
Build NFQ DAQ module....... : yes
Build PCAP DAQ module...... : yes
>snort --daq-dir /usr/local/lib/daq --daq-list
pcap(v3): readback live multi unpriv
ipfw(v2): live inline multi unpriv
dump(v1): readback live inline multi unpriv
afpacket(v4): live inline multi unpriv
make2.out (after disabling ipq) is attached
Can you send the output of make install &> install.out?
--- On Tue, 5/17/11, Russ Combs <rcombs@sourcefire.com> wrote:
From: Russ Combs <rcombs@sourcefire.com>
To: "turki" <turki_00@yahoo.com>
Cc: "Will Metcalf" <william.metcalf@gmail.com>, snort-users@lists.sourceforge.net, "Jason Brvenik" <jbrvenik@sourcefire.com>
On Tue, May 17, 2011 at 2:24 PM, turki <turki_00@yahoo.com> wrote:
make.out attached
Try to reconfigure your DAQ with --disable-ipq-module. The make is stopping there with
"cannot find -lipq".
--- On Tue, 5/17/11, Russ Combs <rcombs@sourcefire.com> wrote:
From: Russ Combs <rcombs@sourcefire.com>
To: "turki" <turki_00@yahoo.com>
Cc: "Will Metcalf" <william.metcalf@gmail.com>, snort-users@lists.sourceforge.net, "Jason Brvenik" <jbrvenik@sourcefire.com>
On Tue, May 17, 2011 at 2:09 PM, turki <turki_00@yahoo.com> wrote:
>./snort --daq-dir /usr/local/lib/daq --daq-list
pcap(v3): readback live multi unpriv
ipfw(v2): live inline multi unpriv
dump(v1): readback live inline multi unpriv
afpacket(v4): live inline multi unpriv
>ls /usr/local/lib/daq
daq_nfq.so and daq_nfq.la are not there?!
How come, when the configuration of daq is telling me
Build NFQ DAQ module....... : yes
Is there anything I need to export in the path?
Can you send the make output of the DAQ source?
Eg:
make clean
LD_LIBRARY_PATH or CPPFLAGS
Russ, I read your previous post on the Snort-users list:
http://www.networksecurityarchive.org/html/Snort-Users/2011-03/msg00687.html
and am trying to understand what is going on.
I appreciate all kinds of help.
--- On Tue, 5/17/11, Russ Combs <rcombs@sourcefire.com> wrote:
From: Russ Combs <rcombs@sourcefire.com>
Subject: Re: [Snort-users] Snort in IPS mode
To: "turki" <turki_00@yahoo.com>
On Tue, May 17, 2011 at 1:03 PM, turki <turki_00@yahoo.com> wrote:
first, checking the configuration of daq
./configure
Build AFPacket DAQ module.. : yes
Build Dump DAQ module...... : yes
Build IPQ DAQ module....... : no
Build NFQ DAQ module....... : no
Build PCAP DAQ module...... : yes
then, install the provided packages:
apt-get -y install libnetfilter-queue-dev libnetfilter-queue1 libnfnetlink-dev libnfnetlink0
Run the configuration of daq again:
./configure
Build AFPacket DAQ module.. : yes
Build Dump DAQ module...... : yes
Build IPFW DAQ module...... : yes
Build IPQ DAQ module....... : no
Build NFQ DAQ module....... : yes
So clearly, the NFQ DAQ module was not installed before installing the packages.
When I run:
./configure
--with-libpcap-includes=/usr/include/libnetfilter_queue --with-libpcap-libraries=/usr/lib
Build AFPacket DAQ module.. : yes
Build Dump DAQ module...... : yes
Build IPFW DAQ module...... : yes
Build IPQ DAQ module....... : yes
Build PCAP DAQ module...... : yes
Now, when i run:
./snort --daq-list
Available DAQ modules:
pcap(v3): readback live multi unpriv
ipfw(v2): live inline multi unpriv
afpacket(v4): live inline multi unpriv
NFQ is not in the list?! Help
It may have built only the shared library. If you know the install directory, then run this:
./snort --daq-dir /usr/local/lib/daq --daq-list
where /usr/local/lib/daq is your daq so install directory.
--- On Tue, 5/17/11, Will Metcalf <william.metcalf@gmail.com> wrote:
From: Will Metcalf <william.metcalf@gmail.com>
To: "turki" <turki_00@yahoo.com>
Cc: snort-users@lists.sourceforge.net, "Jason Brvenik" <jbrvenik@sourcefire.com>
I'm not running 11.4 but try this. Afterwards you need to try and
rebuild daq and make sure it builds with nfq support.
libnfnetlink-dev libnfnetlink0
Regards,
Will
On Tue, May 17, 2011 at 9:43 AM, turki <turki_00@yahoo.com> wrote:
> Hi Jason,
>
> as far as I understand from your (and Michael's) comments, I did the following:
>
> snort --daq nfq -Q -c snort.conf
>
> I received the following error:
> ERROR: Can't find nfq DAQ!
>
> - Is there any modification I need to do in the snort.conf file ?
> - do I have to compile snort in inline mode first?
> - do I have to set the iptables before i ran snort in inline mode?
>
>
> My goal is to run Snort in inline mode with a single interface eth0
>
> I apologize if I am asking too many b
> Is there any beginners' tutorial regarding snort inline mode, as I just jumped into snort IPS mode without any background.
>
> Thank you,
>
> ubuntu 11.4
> Snort 2.9.0.5
>
> --- On Mon, 5/16/11, Will Metcalf <william.metcalf@gmail.com> wrote:
> From: Will Metcalf <william.metcalf@gmail.com>
> Subject: Re: [Snort-users] Snort in IPS mode
> To: "turki" <turki_00@yahoo.com>
>
> You should be able to do this very easily with NFQ as Michael suggested. See the README included with daq. One thing to note: afaik the example uses the FORWARD chain; if you are using it on the local host you need something like the following if you want to look at port 80 traffic bound for your webserver.
> iptables -I INPUT -i lo -j ACCEPT
> iptables -I INPUT -p tcp --dport 80 -j NFQUEUE
> iptables -I OUTPUT -p tcp --sport 80 -j NFQUEUE
>
> Regards,
>
> Will
>
> On Mon, May 16, 2011 at 1:46 PM, turki <turki_00@yahoo.com> wrote:
>
> Jason,
>
> After creating an alias interface eth0:0
>
> and running the command:
>
> snort -Q --daq afpacket -i eth0:eth0:0 -c snort.conf
>
> I got the error msg:
> ERROR: Can't initialize DAQ afpacket (-1) - afpacket_daq_initialize: Couldn't create the bridge between eth0 and eth0!
> Fatal Error, Quitting..
>
>
> Thank you for the help
> --- On Mon, 5/16/11, Jason Brvenik <jbrvenik@sourcefire.com> wrote:
>
> From: Jason Brvenik <jbrvenik@sourcefire.com>
> To: "turki" <turki_00@yahoo.com>
> Cc: snort-users@lists.sourceforge.net, "Michael Altizer" <maltizer@sourcefire.com>
>
> Just create an aliased interface to eth0
>
> On May 16, 2011 2:15 PM, "turki" <turki_00@yahoo.com> wrote:
> >
> > Thank you Michael for sharing your knowledge.
> >
> > --- On Mon, 5/16/11, Michael Altizer <maltizer@sourcefire.com> wrote:
> > From: Michael Altizer <maltizer@sourcefire.com>
> > Subject: Re: [Snort-users] Snort in IPS mode
> >
> > This is not possible with the current AFPacket DAQ module since I
> > never really thought to do that, but it could be modified to do so
> > (check if an instance for that interface already exists when opening
> > each interface and reuse it instead of trying to reopen and
> > and the NFQ DAQ module, but I couldn't say for sure.
> >
> > On 05/16/2011 09:42 AM, turki wrote:
> >
> > What if I only have a single interface card "eth0"?
> >
> > can I redirect/pair the traffic to itself (I know it is
> >
> > something like this:
> >
> > snort -Q --daq afpacket -i eth0:eth0 -c snort.conf
> >
> > wrote:
> >
> > From: Michael Altizer <xiche@verizon.net>
> > Subject: Re: [Snort-users] Snort in IPS mode
> >
> > To: snort-users@lists.sourceforge.net
> >
> > On 05/15/2011 08:09 PM, turki wrote:
> >
> > Hi,
> > I am new to snort, so I need help here.
> >
> > I am trying to run snort in inline mode with the following command:
> >
> > snort -Q --daq afpacket -i eth0 -c snort.conf
> >
> > but snort initialization keeps failing with
> >
> > afpacket DAQ configured to inline.
> >
> > ERROR: Can't initialize DAQ afpacket (-1) - afpacket_daq_initialize: Invalid interface
> >
> > Fatal Error, Quitting..
> >
> > In order to have an inline deployment you need at
> > through. To that end, you need to specify a second
> > interface for AFPacket to use to complete the bridge.
> >
> > For example:
> >
> > snort -Q --daq afpacket -i eth0:eth1 -c snort.conf
> >
> > or (two inline pairs):
> >
> > snort -Q --daq afpacket -i eth0:eth1::eth2:eth3 -c
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
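A sanity check for the sequence this thread works through (the DAQ ./configure summary, make install into the --daq-dir, then `snort --daq-list`), added here as an example; it is not code from the thread or from the Snort/DAQ project. The sample configure and --daq-list outputs are constructed from the formats quoted above, and the helper names are my own.

```shell
#!/bin/sh
# Added example, not code from the thread: checks for the DAQ/NFQ problem
# above. Parsers take the output text as an argument so they can be run on
# the constructed samples below without a Snort install.

# configure_builds MODULE SUMMARY: 0 if the DAQ ./configure summary shows
# "Build <MODULE> DAQ module... : yes" (module name is case-insensitive).
configure_builds() {
    printf '%s\n' "$2" | grep -Eiq "^Build $1 DAQ module\.* *: *yes *$"
}

# daq_listed MODULE LIST: 0 if `snort --daq-list` output names the module.
daq_listed() {
    printf '%s\n' "$2" | grep -Eq "^$1\(v[0-9]+\):"
}

# daq_inline MODULE LIST: 0 if that module's capability list includes "inline".
daq_inline() {
    printf '%s\n' "$2" | grep -E "^$1\(v[0-9]+\):" | grep -qw inline
}

# daq_installed MODULE DIR: 0 if DIR (the --daq-dir) holds daq_<MODULE>.so.
daq_installed() {
    [ -f "$2/daq_$1.so" ]
}

# check_nfq DIR SUMMARY LIST: walk the three stages in the order the thread
# did (configure -> make install -> --daq-list); returns 1 at the first stage
# where nfq is missing and prints which step to revisit.
check_nfq() {
    configure_builds NFQ "$2" || { echo "configure: NFQ not built; install libnetfilter-queue-dev and re-run ./configure"; return 1; }
    daq_installed nfq "$1" || { echo "install: $1/daq_nfq.so missing; run make install or fix --daq-dir"; return 1; }
    daq_listed nfq "$3" && daq_inline nfq "$3" || { echo "daq-list: nfq not listed as inline; pass --daq-dir $1"; return 1; }
    echo "nfq DAQ built, installed in $1 and inline-capable"
}

# Constructed samples copied from the formats quoted in the thread.
SAMPLE_CONFIGURE='Build AFPacket DAQ module.. : yes
Build Dump DAQ module...... : yes
Build IPQ DAQ module....... : no
Build NFQ DAQ module....... : yes
Build PCAP DAQ module...... : yes'
LIST_WITHOUT_NFQ='Available DAQ modules:
pcap(v3): readback live multi unpriv
afpacket(v4): live inline multi unpriv'
LIST_WITH_NFQ="nfq(v4): live inline multi
$LIST_WITHOUT_NFQ"
```

Run `check_nfq /usr/local/lib/daq "$(./configure | grep '^Build')" "$(snort --daq-dir /usr/local/lib/daq --daq-list)"` against a real build to get the same three-stage verdict.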