Snort mailing list archives

Re: inline mode works(seems) without compiling with --enable-inline option


From: Joel Ebrahimi <joel.ebrahimi () gmail com>
Date: Fri, 7 Aug 2009 13:08:53 -0700

I have always been curious how this works. Working for Bivio Networks I know
that there is a Snort IPS that Sourcefire uses on our platform but I was
never sure how they integrated it. Since our performance relies on pcap and
since our pcap is modified to drop packets I had assumed it was all handled
through pcap.
So does --enable-inline need to be used at all to initialize any of the drop
structures or mechanisms?

Would the keyword 'drop' still be able to be used from the rules just like
the -Q option is allowed ?

I don't actually see any of the Bivio-specific API calls to drop packets. I'm
assuming this is not released in the general Snort release. Is this code
available, or is it licensed differently than the available public Snort?

Thanks,

// Joel

On Wed, Aug 5, 2009 at 8:48 AM, Russ Combs <rcombs () sourcefire com> wrote:

Hey Justin,

Thanks for the patch.  The -Q option, and the inline implementation in
general, is a little confusing.  However, there is no warning without
--enable-inline because it allows Snort to be deployed inline using 3rd
party pcap implementations that don't require ipq or ipfw.

Compounding that, the help for -Q is only output for ipq builds.  The help
will be addressed in an upcoming release.

Russ

On Wed, Aug 5, 2009 at 8:11 AM, justin joseph <justinjoseph007 () gmail com> wrote:

Hi

We were trying to configure snort-inline on Ubuntu hardy (snort version
2.7.0) for some days.
Today I figured out by looking at the code that even if snort was not
compiled with the --enable-inline option, it was seemingly running with
the -Q option (drop, sdrop and reject won't work, of course).

IMHO this confuses a newbie user like me, because if snort was not
compiled enabling inline mode then it is supposed to print an error and
abort if the user tries to run with the -Q option.

Attached is a patch against 2.8.4 (changes in snort.c); something like
that would be nice IMHO.

thank you
Justin


------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008
30-Day
trial. Simplify your report design, integration and deployment - and focus
on
what you do best, core application coding. Discover what's new with
Crystal Reports now.  http://p.sf.net/sfu/bobj-july
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
