Snort mailing list archives
Re: inline mode works(seems) without compiling with --enable-inline option
From: Joel Ebrahimi <joel.ebrahimi () gmail com>
Date: Fri, 7 Aug 2009 15:06:02 -0700
Cool. Thanks for the info. I'm curious now so I will take a look and make an IPS build.

// Joel

On Fri, Aug 7, 2009 at 1:42 PM, Russ Combs <rcombs () sourcefire com> wrote:

> Comments below ...
>
> On Fri, Aug 7, 2009 at 4:08 PM, Joel Ebrahimi <joel.ebrahimi () gmail com> wrote:
>
>> I have always been curious how this works. Working for Bivio Networks I know that there is a Snort IPS that Sourcefire uses on our platform but I was never sure how they integrated it. Since our performance relies on pcap and since our pcap is modified to drop packets I had assumed it was all handled through pcap. So does --enable-inline need to be used at all to initialize any of the drop structures or mechanisms?
>
> That depends on what you are trying to do:
>
> * use --enable-inline for ipq.
> * use --enable-inline --enable-ipfw for ipfw.
> * otherwise, if you have a modified libpcap, the drop is handled there.
> * otherwise, the drop doesn't take place.
>
>> Would the keyword 'drop' still be able to be used from the rules just like the -Q option is allowed?
>
> Using -Q and a drop action in a rule is perfectly fine without the use of --enable-inline with a modified libpcap.
>
>> I don't actually see any of the Bivio specific API calls to drop packets. I'm assuming this is not released in the general Snort release. Is this code available or is it licensed differently than the available public Snort?
>
> There are no calls to non-standard libpcap API functions in Snort. Everything to do this is there in the snort code base and the license is the same. There are a few global variables that need to be shared between the pcap library and Snort. Have a look at inline.c for details.
>
>> Thanks,
>>
>> // Joel
>>
>> On Wed, Aug 5, 2009 at 8:48 AM, Russ Combs <rcombs () sourcefire com> wrote:
>>
>>> Hey Justin,
>>>
>>> Thanks for the patch. The -Q option, and the inline implementation in general, is a little confusing. However, there is no warning without --enable-inline because it allows Snort to be deployed inline using 3rd party pcap implementations that don't require ipq or ipfw. Compounding that, the help for -Q is only output for ipq builds. The help will be addressed in an upcoming release.
>>>
>>> Russ
>>>
>>> On Wed, Aug 5, 2009 at 8:11 AM, justin joseph <justinjoseph007 () gmail com> wrote:
>>>
>>>> Hi
>>>>
>>>> We're trying to configure snort-inline on Ubuntu hardy (snort version 2.7.0) for some days. Today figured out by looking at the code that even if snort was not compiled with --enable-inline option, it was seemingly running with the -Q option (drop, sdrop, reject won't work of course). IMHO this confuses a newbie user like me because if snort was not compiled enabling inline mode then it is supposed to print error and abort if user tries to run with the -Q option. Attached patch against 2.8.4 (changes in snort.c) or something like that would be nice IMHO.
>>>>
>>>> thank you
>>>> Justin
------------------------------------------------------------------------------ Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day trial. Simplify your report design, integration and deployment - and focus on what you do best, core application coding. Discover what's new with Crystal Reports now. http://p.sf.net/sfu/bobj-july
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users