Snort mailing list archives
Re: snort inline problems
From: Jed Haile <jhaile () nitrodata com>
Date: Thu, 27 Mar 2003 09:17:39 -0700
I am looking into why snort-inline 1.9.1 will not work with stream4 enabled; I have had a couple of others point this problem out to me recently.
If you use the ip_conntrack module in iptables, it will handle defragmentation for you, making frag2 useless.
I will drop a note to the list as soon as I get this problem fixed.
Jed

On Thursday, March 27, 2003, at 08:37 AM, snort-users-request () lists sourceforge net wrote:
From: Jochen Vogel <jvogel () it-sec de>
To: "'snort-users () sourceforge net'" <snort-users () sourceforge net>
Date: Thu, 27 Mar 2003 14:47:13 +0100
Subject: [Snort-users] snort inline problems

hi,
i did the following
-installed RedHat8.0 minimal
-updated all packages over RHN
-get kernel-2.4.18-26.8.0 from RHN
-installed libnet1.0.2a
-installed iptables-1.2.7a with make install-devel
-compiled snort1.9.1
-compiled snort-inline1.9.1 with --enable-inline
-compiled snort-inline1.9.0 with --enable-inline
---------------------
snort1.9.1 is working
-----------------------
snort-inline1.9.1 doesn't work
with "$SNORT -d -v -c /etc/snort/snort.conf -Q -i ppp0 -l $DIR/$DATE" i can see that snort receive packets

-*> Snort! <*-
Version 1.9.1 (Build 231)
By Martin Roesch (roesch () sourcefire com, www.snort.org)
03/27-14:42:18.195045 192.168.0.145:2093 -> 212.105.219.4:80
TCP TTL:127 TOS:0x0 ID:16968 IpLen:20 DgmLen:48 DF
******S* Seq: 0x87ACA3E3 Ack: 0x0 Win: 0x4000 TcpLen: 28
TCP Options (4) => MSS: 1406 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
03/27-14:42:21.111975 192.168.0.145:2093 -> 212.105.219.4:80
TCP TTL:127 TOS:0x0 ID:16987 IpLen:20 DgmLen:48 DF
******S* Seq: 0x87ACA3E3 Ack: 0x0 Win: 0x4000 TcpLen: 28
TCP Options (4) => MSS: 1406 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
03/27-14:42:27.121699 192.168.0.145:2093 -> 212.105.219.4:80
TCP TTL:127 TOS:0x0 ID:17019 IpLen:20 DgmLen:48 DF
******S* Seq: 0x87ACA3E3 Ack: 0x0 Win: 0x4000 TcpLen: 28
TCP Options (4) => MSS: 1406 NOP NOP SackOK

but nothing goes on
---------------------------------------------
snort-inline1.9.0 work without stream4_reassemble
with the following preprocessors i get seg. faults after a few minutes

preprocessor frag2
preprocessor stream4: detect_scans, disable_evasion_alerts
preprocessor stream4_reassemble
preprocessor http_decode: 80 unicode iis_alt_unicode double_encode iis_flip_slash full_whitespace
preprocessor bo: -nobrute
preprocessor telnet_decode
preprocessor conversation: allowed_ip_protocols all, timeout 60, max_conversations 32000

/etc/init.d/snort: line 30: 20530 Segmentation fault $SNORT -d -v -c /etc/snort/snort.conf -Q -i ppp0 -l $DIR/$DATE
/etc/init.d/snort: line 30: 20909 Segmentation fault $SNORT -d -v -c /etc/snort/snort.conf -Q -i ppp0 -l $DIR/$DATE

without stream4_reassemble it works
thx for help
jo
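Added example (not part of either post, and not code from the Snort project): the `-v` output quoted above shows the same SYN three times with an unchanged sequence number, which is the client retransmitting because no reply came back. The sketch below flags that pattern in `snort -v` output; the function name `stalled_handshakes`, the `min_syns` threshold and the second flow in the sample are assumptions made for illustration.

```python
import re
from collections import defaultdict

# First three packets are the ones quoted in the post; the 2094 flow is
# constructed here to show a handshake that does get an answer.
SAMPLE = """\
03/27-14:42:18.195045 192.168.0.145:2093 -> 212.105.219.4:80
TCP TTL:127 TOS:0x0 ID:16968 IpLen:20 DgmLen:48 DF
******S* Seq: 0x87ACA3E3 Ack: 0x0 Win: 0x4000 TcpLen: 28
03/27-14:42:19.000000 192.168.0.145:2094 -> 192.0.2.10:80
TCP TTL:127 TOS:0x0 ID:16970 IpLen:20 DgmLen:48 DF
******S* Seq: 0x11111111 Ack: 0x0 Win: 0x4000 TcpLen: 28
03/27-14:42:19.050000 192.0.2.10:80 -> 192.168.0.145:2094
TCP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:48 DF
***A**S* Seq: 0x22222222 Ack: 0x11111112 Win: 0x16D0 TcpLen: 28
03/27-14:42:21.111975 192.168.0.145:2093 -> 212.105.219.4:80
TCP TTL:127 TOS:0x0 ID:16987 IpLen:20 DgmLen:48 DF
******S* Seq: 0x87ACA3E3 Ack: 0x0 Win: 0x4000 TcpLen: 28
03/27-14:42:27.121699 192.168.0.145:2093 -> 212.105.219.4:80
TCP TTL:127 TOS:0x0 ID:17019 IpLen:20 DgmLen:48 DF
******S* Seq: 0x87ACA3E3 Ack: 0x0 Win: 0x4000 TcpLen: 28
"""

# "MM/DD-HH:MM:SS.usec src:port -> dst:port"
HEADER = re.compile(r"^\d\d/\d\d-(\d\d):(\d\d):(\d\d\.\d+) (\S+) -> (\S+)$")
# Eight flag characters followed by the sequence number
TCP = re.compile(r"^([*0-9A-Z]{8})\s+Seq:\s+(0x[0-9A-Fa-f]+)")

def stalled_handshakes(text, min_syns=3):
    """Map (src, dst, seq) -> [seconds since midnight] for SYN-only segments
    seen at least min_syns times with the same sequence number."""
    seen = defaultdict(list)
    current = None  # (timestamp, src, dst) of the packet being parsed
    for line in text.splitlines():
        line = line.strip()
        m = HEADER.match(line)
        if m:
            h, mi, s, src, dst = m.groups()
            current = (int(h) * 3600 + int(mi) * 60 + float(s), src, dst)
            continue
        m = TCP.match(line)
        if m and current:
            flags, seq = m.groups()
            if flags == "******S*":  # SYN set, every other flag clear
                ts, src, dst = current
                seen[(src, dst, seq)].append(ts)
            current = None
    return {k: v for k, v in seen.items() if len(v) >= min_syns}

if __name__ == "__main__":
    for (src, dst, seq), times in stalled_handshakes(SAMPLE).items():
        gaps = [round(b - a, 1) for a, b in zip(times, times[1:])]
        print(f"{src} -> {dst} SYN {seq} seen {len(times)}x, gaps {gaps}s")
```

On the packets quoted in the post the gaps between the repeated SYNs are roughly 3 and 6 seconds.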