Snort mailing list archives
Re: qualifying ipfw for freebsd port of 2.9.0.3
From: Michael Scheidell <michael.scheidell () secnap com>
Date: Fri, 4 Feb 2011 17:43:22 -0500
On 2/4/11 5:34 PM, rob iscool wrote:

From the text: "bridging, snort_inline will not work with IPFW. This is due to interaction of DIVERT sockets and bridging in the kernel"

Supposed to work with if_bridge. <http://lists.freebsd.org/pipermail/freebsd-net/2008-March/017220.html> "yes, it is possible to use divert with if_bridge"

So, with/without it.. you got it to work in 2.8.* does it work in freebsd 2.9.0.3? and EXACTLY how do I set it up?

Robert

------------------------------------------------------------------------
From: Michael Scheidell <michael.scheidell () secnap com>
To: rob iscool <robrob2626 () yahoo com>
Sent: Fri, February 4, 2011 2:22:01 PM
Subject: Re: [Snort-users] qualifying ipfw for freebsd port of 2.9.0.3

if_bridge in kernel? with ifconfig bridge0 options did you use? or not?

On 2/4/11 5:18 PM, rob iscool wrote:

This worked for me. http://freebsd.rogness.net/snort_inline/

Robert

------------------------------------------------------------------------
From: Michael Scheidell <michael.scheidell () secnap com>
To: "<snort-users () lists sourceforge net>" <snort-users () lists sourceforge net>
Sent: Fri, February 4, 2011 2:01:36 PM
Subject: [Snort-users] qualifying ipfw for freebsd port of 2.9.0.3

I am working on qualifying the freebsd port for --daq ipfw for freebsd 7.3, amd64 and snort 2.9.0.3.

I have never used inline mode (tried it once, didn't seem to get it to do anything). I must be doing something wrong. Still can't get any packets out the other end.

I have snort 2.9.0.3 compiled, and (I think) running in inline/ipfw mode. I push packets in wan0 but don't see them come out lan0.

./configure --enable-dynamicplugin --enable-build-dynamic-examples --enable-reload --enable-reload-restart --disable-corefiles --with-dnet-includes=/usr/local/include/libnet11 --with-dnet-libraries=/usr/local/lib/libnet11 --enable-flexresp3 --enable-active-response --with-mysql=no --with-odbc=no --with-postgresql=no --disable-prelude --enable-perfprofiling --enable-ppm --enable-gre --enable-mpls --enable-decoder-preprocessor-rules --enable-zlib --enable-normalizer --enable-react --prefix=/usr/local --mandir=/usr/local/man --infodir=/usr/local/info/ --build=amd64-portbld-freebsd7.3

snort.conf sample with two minor changes: set home_net and added config policy_mode:inline

./snort -T -c /usr/local/etc/snort/snort.conf passes.

snort started like this: (man says -Q is for iptables.. not ipfw) tried with and without. didn't change anything.

./snort -c /usr/local/etc/snort/snort.conf -l /var/log/snort -dq -m 022 -k none -Q --daq ipfw

its running, did something:

ls -lt /var/log/snort/
total 2
-rw-r--r-- 1 root wheel 0 Feb 4 16:35 snort.log.1296855300

I see it listening:

sockstat -4p8000
USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
root snort 14512 5 div4 *:8000 *:*

ipfw has this:

00100 10 552 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/8
00300 0 0 deny ip from 127.0.0.0/8 to any
00400 0 0 deny ip from 169.254.0.0/16 to any via con0
00500 0 0 deny ip from 224.0.0.0/4 to any via con0
00600 0 0 deny ip from 240.0.0.0/4 to any via con0
00700 22264 8686033 allow ip from any to any via con0
10000 0 0 divert 8000 ip from any to any
65535 4 883 allow ip from any to any

aux interfaces are wan0 and lan0. kernel (obviously) has divert, or else ipfw would not allow it.

I have turned on, and off forwarding.
net.inet.ip.forwarding: 0
net.inet.ip.fastforwarding: 0

con0 is out of band maint intf.

lan0: flags=88c3<UP,BROADCAST,RUNNING,NOARP,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=19b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4>
        ether somerandommac
        media: Ethernet autoselect (1000baseTX <full-duplex>)
        status: active
wan0: flags=88c3<UP,BROADCAST,RUNNING,NOARP,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=19b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4>
        ether notherrandommac
        media: Ethernet autoselect (1000baseTX <full-duplex>)
        status: active

if I sniff wan0 I see it TRYING.

tshark -niwan0
Capturing on wan0
0.000000 00:11: -> ff:ff:ff:ff:ff:ff ARP Who has 172.70.2.56? Tell 172.70.2.13
1.000912 00:11: -> ff:ff:ff:ff:ff:ff ARP Who has 172.70.2.56? Tell 172.70.2.13
2.001953 00:11: -> ff:ff:ff:ff:ff:ff ARP Who has 172.70.2.56? Tell 172.70.2.13
3.002994 00:11: -> ff:ff:ff:ff:ff:ff ARP Who has 172.70.2.56? Tell 172.70.2.13
4.004035 00:11: -> ff:ff:ff:ff:ff:ff ARP Who has 172.70.2.56? Tell 172.70.2.13
5.005076 00:11: -> ff:ff:ff:ff:ff:ff ARP Who has 172.70.2.56? Tell 172.70.2.13
6.006117 00:11: -> ff:ff:ff:ff:ff:ff ARP Who has 172.70.2.56? Tell 172.70.2.13

what am I missing? it must be on the freebsd side, since Rajkumar S has it working on freebsd. (6.2) maybe I have tried so many options, that the one set of options needed wasn't tried. ALL at once!

also note, I have no ip addresses on wan0 and lan0. also note, I know that the 'freebsd bridge code doesn't work with divert' so, bridge isn't compiled in, and neither is if_bridge:

ifconfig -C
lo tun

the ip addresses on the wan0 and lan0 side are in a separate subnet from con0, and (in bridge mode! if a different kernel) I have confirmed that it passes traffic. (different kernel, the one I am running now, does not have bridge code in it)

-- 
Michael Scheidell, CTO
o: 561-999-5000 d: 561-948-2259 ISN: 1259*1300
SECNAP Network Security Corporation
* Certified SNORT Integrator
* 2008-9 Hot Company Award Winner, World Executive Alliance
* Five-Star Partner Program 2009, VARBusiness
* Best in Email Security, 2010: Network Products Guide
* King of Spam Filters, SC Magazine 2008
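An added example, not code from the thread: a small Python simulator for the subset of ipfw syntax in the ruleset posted above (allow/deny/divert, "ip from A to B", optional "via IFACE"). It answers the question a practitioner checks first when a divert-based inline setup is silent: which rule does an IP packet entering on a given interface hit first, and does it ever reach "divert 8000" or get accepted by an earlier allow? The ruleset is copied from the message; the sample packet addresses and the "via" semantics (single interface per packet) are simplifications assumed here.

```python
import ipaddress
import re

# `ipfw show` output as posted in the thread (constructed copy, counters included).
IPFW_SHOW = """\
00100 10 552 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/8
00300 0 0 deny ip from 127.0.0.0/8 to any
00400 0 0 deny ip from 169.254.0.0/16 to any via con0
00500 0 0 deny ip from 224.0.0.0/4 to any via con0
00600 0 0 deny ip from 240.0.0.0/4 to any via con0
00700 22264 8686033 allow ip from any to any via con0
10000 0 0 divert 8000 ip from any to any
65535 4 883 allow ip from any to any
"""

# Only the rule shapes present above: <num> <pkts> <bytes> <action> ip from <src> to <dst> [via <if>]
RULE_RE = re.compile(
    r"^(?P<num>\d+)\s+\d+\s+\d+\s+(?P<action>allow|deny|divert\s+\d+)\s+ip"
    r"\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)(?:\s+via\s+(?P<via>\S+))?$"
)

def parse_rules(text):
    """Parse `ipfw show` lines into dicts, sorted by rule number (ipfw evaluation order)."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unsupported ipfw line: {line!r}")
        rules.append(m.groupdict())
    return sorted(rules, key=lambda r: int(r["num"]))

def _addr_match(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def first_match(rules, src, dst, iface):
    """Return (rule number, action) of the first rule an IP packet seen on `iface` matches."""
    # Only IP packets enter this ruleset: the ARP frames in the tshark capture never do.
    for r in rules:
        if r["via"] and r["via"] != iface:
            continue
        if _addr_match(r["src"], src) and _addr_match(r["dst"], dst):
            return int(r["num"]), r["action"]
    return None  # unreachable with the default rule 65535 present

def reaches_divert(rules, src, dst, iface):
    """True if the packet is handed to the divert socket rather than decided by an earlier rule."""
    hit = first_match(rules, src, dst, iface)
    return hit is not None and hit[1].startswith("divert")
```

Running it over the thread's ruleset shows why con0 traffic never reaches snort (rule 00700 accepts it first) while IP traffic on wan0 would hit rule 10000.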