Snort mailing list archives
RE: Snort Inline
From: "Bob McDowell" <bmcdowell () coxhealthplans com>
Date: Thu, 2 Jan 2003 10:52:28 -0600
I have no 'official' documentation as of yet. I'm still feeling around in the dark, searching for answers. I can, however, share with you the (mostly undocumented) steps you'll need to take. Maybe someone from the list can correct my mistakes.

1) Get the iptables source and re-compile it into the kernel src, with ipq enabled: make install-devel KERNEL_DIR=(your kernel source dir)
2) Then compile your new kernel with that option. You will have to enable 'Experimental code' as well as 'Userspace queuing' in your 'make menuconfig' step.
3) Get and install libpcap
4) Get and compile snort-inline - './configure --enable-inline'
5) Change one of the included rules from 'alert xyz' to 'drop xyz'
6) Run snort with the -Q option

If you get no errors, you are now as far as I am... As I've stated, I'm having issues with logging. With the -Q option passed to snort, it does not log anything at all. I suppose it may not even be working at all, but at least I've quieted all the errors.

-----Original Message-----
From: Kevin Pietersma [mailto:kev () attcanada net]
Sent: Thursday, January 02, 2003 10:36 AM
To: bmcdowell () coxhealthplans com; snort-users () lists sourceforge net
Subject: RE: [Snort-users] Snort Inline

Hi Bob,

I'm on the verge of doing a SNORT inline implementation and am just beginning my research. You mentioned you'd be writing up the steps once you were done. Do you have any documentation that you could share?

TIA,
kev

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net]On Behalf Of Bob McDowell
Sent: Tuesday, December 31, 2002 3:23 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Snort Inline

Has anyone on the list successfully installed/configured snort in inline mode? I've been wrestling with it for days, and I think I'm getting close. My biggest gripe about it is that I can't seem to find any help with it. It took a lot of head scratching to get as far as I have...

When I'm done I'll write up the steps it took me to get it snorting. In the meantime, can anyone out there help me? Any documentation, tips, warnings, etc. would be greatly appreciated. Specifically, I'm now stuck with a message that reads 'InlineInit: : Failed to send netlink message: Connection refused'

Thanks in advance.

Bob McDowell
IS Specialist
Cox HealthPlans, LLC
417.269.2848
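
A pre-flight check for the setup steps listed in the message above, as an added example that is not part of the original thread or the snort-inline project: it looks for the kernel queue, for an iptables rule that sends traffic to the QUEUE target, and for at least one 'drop' rule. The function names, the /proc/net/ip_queue path, the QUEUE rule requirement and the sample data are assumptions that do not come from the thread.

```shell
#!/bin/sh
# Added example; function names and sample data are constructed for illustration.

# Steps 1-2: ip_queue exposes /proc/net/ip_queue once userspace queuing is
# built in or loaded (assumed path, overridable so the check can be tested).
ipq_available() { [ -e "${1:-/proc/net/ip_queue}" ]; }

# Count rules in iptables-save style text ($1) that hand packets to QUEUE.
count_queue_rules() {
    grep -c -E -e '-j[[:space:]]+QUEUE([[:space:]]|$)' "$1" || true
}

# Step 5: count active (uncommented) Snort rules whose action is 'drop'.
count_drop_rules() {
    grep -c -E -e '^[[:space:]]*drop[[:space:]]' "$1" || true
}

# Print each finding; the return status is the number of problems found.
preflight() {
    problems=0
    ipq_available "$1" || {
        echo "ip_queue missing: no kernel queue for snort -Q to attach to"
        problems=$((problems + 1)); }
    [ "$(count_queue_rules "$2")" -gt 0 ] || {
        echo "no rule targets QUEUE: no packets are handed to userspace"
        problems=$((problems + 1)); }
    [ "$(count_drop_rules "$3")" -gt 0 ] || {
        echo "no 'drop' rules: inline mode has nothing to block"
        problems=$((problems + 1)); }
    return "$problems"
}

# Constructed sample inputs, written to a scratch directory.
demo=$(mktemp -d)
: > "$demo/ip_queue"
cat > "$demo/iptables.save" <<'EOF'
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -p tcp --dport 80 -j QUEUE
-A FORWARD -j ACCEPT
COMMIT
EOF
cat > "$demo/local.rules" <<'EOF'
# alert tcp any any -> any 80 (msg:"constructed sample"; sid:1000001;)
drop tcp any any -> any 80 (msg:"constructed sample"; sid:1000001;)
alert icmp any any -> any any (msg:"constructed sample 2"; sid:1000002;)
EOF
rc=0; preflight "$demo/ip_queue" "$demo/iptables.save" "$demo/local.rules" || rc=$?
echo "problems found: $rc"
```

On a real host, call preflight with no first argument override, a file produced by iptables-save, and the rule file snort is started with.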