Snort mailing list archives

AW: snort inline problems


From: Jochen Vogel <jvogel () it-sec de>
Date: Fri, 28 Mar 2003 10:35:13 +0100

hi jed,

-----------
How long after snort-inline starts does the seg fault happen? Is it 
upon initialization, or does it take some time?
It does take some time, ca. 2 min.

---------------
If you leave this enabled:
preprocessor stream4: detect_scans, disable_evasion_alerts

and take out:
preprocessor stream4_reassemble
does snort-inline run ok?
These are my preprocessors with the working 1.9.0:

preprocessor frag2
preprocessor stream4: detect_scans, disable_evasion_alerts
#preprocessor stream4_reassemble <--disabled
preprocessor http_decode: 80 unicode iis_alt_unicode double_encode iis_flip_slash full_whitespace
preprocessor bo: -nobrute
preprocessor telnet_decode
preprocessor conversation: allowed_ip_protocols all, timeout 60, max_conversations 32000

--------------
With regards to snort-inline not "doing anything":
Have you set up a -QUEUE target in iptables to make sure snort is 
getting the packets, and is your iptables configuration otherwise set 
up so that packets will actually go somewhere?
$IPT -A FORWARD -i $INT -o $EXT -m state --state NEW,ESTABLISHED,RELATED -j QUEUE
$IPT -A FORWARD -i $EXT -o $INT -m state --state ESTABLISHED,RELATED -j QUEUE

If I start snort -d -v -c /etc/snort/snort.conf -Q -i ppp0 -l $DIR/$DATE"
1.9.0: you can see incoming packets, but it crashes with stream4_reassemble
1.9.1: you can see incoming packets, but nothing goes on

---------------------
I am looking into why snort-inline 1.9.1 will not work with stream4  
enabled, I have had a couple of others point this problem out to me  
recently.
snort-inline 1.9.1 generally does not work.

------------------------
If you use the ip_conntrack module in iptables, it will handle  
defragmentation for you, making frag2 useless.
These are my modules:

Module                  Size  Used by    Not tainted
ipt_MASQUERADE          2200   1  (autoclean)
ipt_state               1080  13  (autoclean)
ipt_LOG                 4184   2  (autoclean)
iptable_nat            19960   1  (autoclean) [ipt_MASQUERADE]
ip_conntrack           21244   2  (autoclean) [ipt_MASQUERADE ipt_state iptable_nat]
iptable_filter          2412   1  (autoclean)
ip_tables              15224   7  [ipt_MASQUERADE ipt_state ipt_LOG iptable_nat iptable_filter]
ip_queue                7420   0  (unused)

thx for help
jo 
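The checklist Jed raised in this thread (is ip_queue loaded, do FORWARD rules in both directions hand packets to -j QUEUE, is frag2 redundant once ip_conntrack defragments in the kernel, is stream4_reassemble still enabled) can be run offline against copies of lsmod, iptables-save and snort.conf output. The script below is an added example written for this archive page, not code from the thread or from the Snort project; the sample inputs are constructed from the shapes shown in the mail, and the interface names eth1/ppp0 are assumed.

```python
"""Offline sanity checker for a snort-inline (-Q) deployment.

Parses lsmod output, iptables-save output and snort.conf text and reports
gaps from the checklist discussed in the thread. Every sample input below is
constructed for this example; the interface names eth1/ppp0 are assumptions.
"""
import re

# Constructed lsmod output, modelled on the module list posted in the mail.
SAMPLE_LSMOD = """\
Module                  Size  Used by    Not tainted
ipt_state               1080  13  (autoclean)
ip_conntrack           21244   2  (autoclean) [ipt_MASQUERADE ipt_state iptable_nat]
ip_tables              15224   7  [ipt_MASQUERADE ipt_state ipt_LOG iptable_nat iptable_filter]
ip_queue                7420   0  (unused)
"""

# Constructed iptables-save output with the two QUEUE rules from the mail.
SAMPLE_RULES = """\
*filter
:FORWARD DROP [0:0]
-A FORWARD -i eth1 -o ppp0 -m state --state NEW,ESTABLISHED,RELATED -j QUEUE
-A FORWARD -i ppp0 -o eth1 -m state --state ESTABLISHED,RELATED -j QUEUE
COMMIT
"""

# Constructed snort.conf fragment: stream4_reassemble commented out as in the mail.
SAMPLE_SNORT_CONF = """\
preprocessor frag2
preprocessor stream4: detect_scans, disable_evasion_alerts
#preprocessor stream4_reassemble
preprocessor http_decode: 80 unicode iis_alt_unicode double_encode iis_flip_slash full_whitespace
"""


def loaded_modules(lsmod_text):
    """Return the set of module names in lsmod output (the header line is skipped)."""
    mods = set()
    for line in lsmod_text.splitlines()[1:]:
        parts = line.split()
        if parts:
            mods.add(parts[0])
    return mods


# Matches iptables-save FORWARD rules that jump to QUEUE and captures -i / -o.
QUEUE_RE = re.compile(r"^-A FORWARD\b.*?-i (\S+).*?-o (\S+).*?-j QUEUE\s*$")


def queue_paths(rules_text):
    """Return (in_iface, out_iface) pairs for FORWARD rules whose target is QUEUE."""
    paths = []
    for line in rules_text.splitlines():
        m = QUEUE_RE.match(line.strip())
        if m:
            paths.append((m.group(1), m.group(2)))
    return paths


def enabled_preprocessors(conf_text):
    """Return the names of preprocessors that are not commented out."""
    names = set()
    for line in conf_text.splitlines():
        line = line.strip()
        if line.startswith("preprocessor "):
            names.add(line.split()[1].rstrip(":"))
    return names


def diagnose(lsmod_text, rules_text, conf_text, inside, outside):
    """Return a list of findings; an empty list means the thread's checklist passes."""
    findings = []
    mods = loaded_modules(lsmod_text)
    if "ip_queue" not in mods:
        findings.append("ip_queue module not loaded: -j QUEUE cannot hand packets to snort -Q")
    paths = set(queue_paths(rules_text))
    if (inside, outside) not in paths:
        findings.append(f"no FORWARD QUEUE rule for {inside} -> {outside}")
    if (outside, inside) not in paths:
        findings.append(f"no FORWARD QUEUE rule for {outside} -> {inside}")
    pre = enabled_preprocessors(conf_text)
    if "frag2" in pre and "ip_conntrack" in mods:
        findings.append("frag2 enabled although ip_conntrack already defragments in the kernel")
    if "stream4_reassemble" in pre:
        findings.append("stream4_reassemble enabled: the thread reports snort-inline 1.9.0 crashing with it")
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LSMOD, SAMPLE_RULES, SAMPLE_SNORT_CONF, "eth1", "ppp0"):
        print("-", finding)
```

On the constructed input the only finding is the redundant frag2, which matches Jed's remark about ip_conntrack; feeding it real `lsmod` and `iptables-save` output in place of the samples turns it into a quick pre-flight check before starting snort with -Q.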

