Snort mailing list archives

snort inline problems


From: Jochen Vogel <jvogel () it-sec de>
Date: Thu, 27 Mar 2003 14:47:13 +0100

hi,

i did the following

-installed RedHat8.0 minimal
-updated all packages over RHN
-get kernel-2.4.18-26.8.0 from RHN
-installed libnet1.0.2a
-installed iptables-1.2.7a with make install-devel
-compiled snort1.9.1
-compiled snort-inline1.9.1 with --enable-inline
-compiled snort-inline1.9.0 with --enable-inline

---------------------
snort1.9.1 is working

-----------------------
snort-inline1.9.1 doesn't work

with "$SNORT -d -v -c /etc/snort/snort.conf -Q -i ppp0 -l $DIR/$DATE" i can
see that snort receives packets

-*> Snort! <*-
Version 1.9.1 (Build 231)
By Martin Roesch (roesch () sourcefire com, www.snort.org)
03/27-14:42:18.195045 192.168.0.145:2093 -> 212.105.219.4:80
TCP TTL:127 TOS:0x0 ID:16968 IpLen:20 DgmLen:48 DF
******S* Seq: 0x87ACA3E3  Ack: 0x0  Win: 0x4000  TcpLen: 28
TCP Options (4) => MSS: 1406 NOP NOP SackOK 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

03/27-14:42:21.111975 192.168.0.145:2093 -> 212.105.219.4:80
TCP TTL:127 TOS:0x0 ID:16987 IpLen:20 DgmLen:48 DF
******S* Seq: 0x87ACA3E3  Ack: 0x0  Win: 0x4000  TcpLen: 28
TCP Options (4) => MSS: 1406 NOP NOP SackOK 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

03/27-14:42:27.121699 192.168.0.145:2093 -> 212.105.219.4:80
TCP TTL:127 TOS:0x0 ID:17019 IpLen:20 DgmLen:48 DF
******S* Seq: 0x87ACA3E3  Ack: 0x0  Win: 0x4000  TcpLen: 28
TCP Options (4) => MSS: 1406 NOP NOP SackOK 

but nothing goes on

---------------------------------------------
snort-inline1.9.0 works without stream4_reassemble

with the following preprocessors i get seg. faults after a few minutes

preprocessor frag2
preprocessor stream4: detect_scans, disable_evasion_alerts
preprocessor stream4_reassemble
preprocessor http_decode: 80 unicode iis_alt_unicode double_encode iis_flip_slash full_whitespace
preprocessor bo: -nobrute
preprocessor telnet_decode
preprocessor conversation: allowed_ip_protocols all, timeout 60, max_conversations 32000

/etc/init.d/snort: line 30: 20530 Segmentation fault      $SNORT -d -v -c /etc/snort/snort.conf -Q -i ppp0 -l $DIR/$DATE
/etc/init.d/snort: line 30: 20909 Segmentation fault      $SNORT -d -v -c /etc/snort/snort.conf -Q -i ppp0 -l $DIR/$DATE

without stream4_reassemble it works

thx for help
jo


