Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: inline mode works(seems) without compiling with --enable-inline option

From: Joel Ebrahimi <joel.ebrahimi () gmail com>
Date: Mon, 21 Sep 2009 16:29:24 -0700
Hey Russ,
I finally have a chance to revisit this. I have been looking through
inline.c for information on how dropping would work on the Bivio hardware.

You mentioned that there are no non-standard pcap calls in Snort and that
only global variables are shared. Im assuming this means you must be setting
global variable pcap_bvzcp_drop out of Bivios zero copy pcap.  I dont see
this variable in inline.c nor anywhere else in the code. Could you elaborate
on which global variable your setting, or what else you are doing to let
Bivios zero copy pcap know that the packet is to be dropped.

Thanks,

// Joel

On Fri, Aug 7, 2009 at 1:42 PM, Russ Combs <rcombs () sourcefire com> wrote:


Comments below ...

On Fri, Aug 7, 2009 at 4:08 PM, Joel Ebrahimi <joel.ebrahimi () gmail com>wrote:


I have always been curious how this works. Working for Bivio Networks I
know that there is a Snort IPS that Sourcefire uses on our platform but I
was never sure how they integrated it. Since our performance relies on pcap
and since our pcap is modified to drop packets I had assumed it was all
handled through pcap.
So does --enable-inline need to be used at all to initialize any of the
drop structures or mechanisms?



That depends on what you are trying to do:

* use --enable-inline for ipq.
* use --enable-inline --enable-ipfw for ipfw.
* otherwise, if you have a modified libpcap, the drop is handled there.
* otherwise, the drop doesn't take place.



Would the keyword 'drop' still be able to be used from the rules just like
the -Q option is allowed ?



Using -Q and a drop action in a rule is perfectly fine without the use of
--enable-inline with a modified
libpcap.



I don't actually see any of the Bivio specific API calls to drop packets.
I assuming this is not released in the general Snort release. Is this code
available or is it licensed differently then the available public Snort?



There are no calls to non-standard libpcap API functions in Snort.
Everything to do this is there in the snort code base and the license is the
same.  There are a few global variables that need to be shared between the
pcap library and Snort.  Have a look at inline.c for details.



Thanks,

// Joel

On Wed, Aug 5, 2009 at 8:48 AM, Russ Combs <rcombs () sourcefire com> wrote:


Hey Justin,

Thanks for the patch.  The -Q option, and the inline implementation in
general, is a little confusing.  However, there is no warning without
--enable-inline because it allows Snort to be deployed inline using 3rd
party pcap implementations that don't require ipq or ipfw.

Compounding that, the help for -Q is only output for ipq builds.  The
help will be addressed in an upcoming release.

Russ

On Wed, Aug 5, 2009 at 8:11 AM, justin joseph <justinjoseph007 () gmail com

wrote:



Hi

Were trying to configure snort-inline on Ubuntu hardy (snort version
2.7.0) for some days.
Today figured out by looking at the code that even if snort was not
compiled with --enable-inline
option, it was seemingly running with the -Q option(drop, sdrop,
reject won't work off course)

IMHO this confuses a newbie user like me because if snort was not
compiled enabling
inline mode then it is supposed to print error and abort if user tries
to run with the -Q option.

Attached patch against 2.8.4(changes in snort.c) or something like
that would be nice IMHO.

thank you
Justin


------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008
30-Day
trial. Simplify your report design, integration and deployment - and
focus on
what you do best, core application coding. Discover what's new with
Crystal Reports now.  http://p.sf.net/sfu/bobj-july
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users<https://lists.sourceforge.net/lists/listinfo/snort-users%0ASnort-users>list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users





------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008
30-Day
trial. Simplify your report design, integration and deployment - and
focus on
what you do best, core application coding. Discover what's new with
Crystal Reports now.  http://p.sf.net/sfu/bobj-july
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users<https://lists.sourceforge.net/lists/listinfo/snort-users%0ASnort-users>list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users







------------------------------------------------------------------------------
Come build with us! The BlackBerry&reg; Developer Conference in SF, CA
is the only developer event you need to attend this year. Jumpstart your
developing skills, take BlackBerry mobile applications to market and stay 
ahead of the curve. Join us from November 9&#45;12, 2009. Register now&#33;
http://p.sf.net/sfu/devconf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: