Snort mailing list archives

Re: sending netlink message: Connection Refused


From: Alberto Colosi/SI/RM/GSI/it <alberto.colosi () sistinf it>
Date: Wed, 17 Sep 2008 11:19:48 +0200

Hi, even strange it is working now. Strange! ip_queue was already loaded. 
Can it unload from itself???

However, I have inside syslog:

Sep 17 11:11:57 nova5 modprobe: modprobe: Can't locate module iptable_QUEUE

and until now I have been unable to see SNORT really block any traffic. Is
there a way inside the rules to know if a rule drops or logs or ........

now SNORT is running with:

modprobe ip_queue
iptables -A FORWARD -p tcp -m tcp --dport 80 -j QUEUE

snort -c /usr/local/snort/etc/snort.conf -g snort -u snort -X -U -y -s -Q -D --disable-inline-initialization

I have added --disable-inline-initialization so as to be sure
(because I'm testing on a production machine and do not want to have
strange results).
However, even if I run it without --disable-inline-initialization
it seems not to block, for example, P2P traffic. It logs it but nothing
else. Is there then a way to see packets and QUEUE activity?

iptables -A FORWARD -p tcp -m tcp --dport 80 -j QUEUE

Does this send only port 80 traffic to be sniffed by snort inline? And what
if I would like to have all traffic sniffed, as when snort runs NOT INLINE?

* I'm really new to snort :D


-------------------------------
Alberto Colosi
IBM Global Business Services
Sistemi Informativi S.P.A.
IT NetWork & Security Department
 *-* *-* *-*
SECURITY IS EVERYONE'S BUSINESS

Member of
IBM Information Security WW CoP






"Will Metcalf" <william.metcalf () gmail com>
16/09/2008 17.52

To: "Alberto Colosi/SI/RM/GSI/it" <alberto.colosi () sistinf it>
cc: "Snort Users" <Snort-users () lists sourceforge net>
Subject: Re: [Snort-users] sending netlink message: Connection Refused

You must first load the ip_queue module if it is not already loaded.

modprobe ip_queue

Also what user are you running snort as?  You must run as root to
interact with ipqueue

Regards,

Will

On Tue, Sep 16, 2008 at 9:32 AM, Alberto Colosi/SI/RM/GSI/it
<alberto.colosi () sistinf it> wrote:

Hi, a question.

While working, snort 2.8.3 has stopped logging to syslog.

I have restarted my machine and I have restarted snort many times. It is
compiled inline but is not working inline.

After different tests I ran it not in DAEMON mode and I got a
        "sending netlink message:              Connection Refused"

Why did it happen? I have changed nothing ....... or at least I think so.
No other users could have changed anything because no one compiles or
configures anything there.

Running snort without -Q, not reading from IPTABLES, it has started to
work again.

What's on??.







-------------------------------------------------------------------------
This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
Build the coolest Linux based applications with Moblin SDK & win great prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100&url=/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
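
The checks discussed in this thread (ip_queue loaded, snort started as root, a -j QUEUE rule present and what it matches), as an added shell example that is not part of the original messages. The function names and the sample data are constructed for illustration, and iptables-save output is assumed as the source of the rules.

```shell
#!/bin/sh
# Added example: pre-flight checks before starting Snort inline (-Q) on ip_queue.
# Each function takes text as input so it can be run on constructed samples.

# Succeeds if ip_queue is listed in /proc/modules-style text on stdin.
ipq_module_loaded() {
    awk '$1 == "ip_queue" { found = 1 } END { exit !found }'
}

# For iptables-save style text on stdin, print "CHAIN: match" for every rule
# whose target is QUEUE. An empty match means every packet in that chain.
queue_rule_scope() {
    awk '$1 == "-A" {
        match_part = ""
        for (i = 3; i <= NF; i++) {
            if ($i == "-j") {
                if ($(i + 1) == "QUEUE")
                    print $2 ": " (match_part == "" ? "all packets" : match_part)
                break
            }
            match_part = match_part (match_part == "" ? "" : " ") $i
        }
    }'
}

# preflight MODULES_TEXT RULES_TEXT UID
# Prints one line per unmet precondition; exit status is the number unmet.
preflight() {
    unmet=0
    if ! printf '%s\n' "$1" | ipq_module_loaded; then
        echo "ip_queue not loaded (modprobe ip_queue)"; unmet=$((unmet + 1))
    fi
    if [ "$3" -ne 0 ]; then
        echo "not started as root (uid $3)"; unmet=$((unmet + 1))
    fi
    if [ -z "$(printf '%s\n' "$2" | queue_rule_scope)" ]; then
        echo "no rule with -j QUEUE, so nothing reaches snort"; unmet=$((unmet + 1))
    fi
    return "$unmet"
}

# Constructed samples (not captured from the poster's machine).
SAMPLE_MODULES='ip_queue 9112 0 - Live 0xf8a1c000
ip_tables 11692 1 iptable_filter, Live 0xf8a0e000'
SAMPLE_RULES='*filter
-A FORWARD -p tcp -m tcp --dport 80 -j QUEUE
-A INPUT -i lo -j ACCEPT
COMMIT'

# Live use, as root: preflight "$(cat /proc/modules)" "$(iptables-save)" "$(id -u)"
printf '%s\n' "$SAMPLE_RULES" | queue_rule_scope
preflight "$SAMPLE_MODULES" "$SAMPLE_RULES" 0 && echo "preflight ok"
```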


