Re: Status of Snort Inline

[justin joseph <justinjoseph007 () gmail com>]

On 10/12/09, Jan Ježek <jjezek () kerio com> wrote:
> On 12.10.2009 15:27, "Joel Esler" <eslerj () gmail com> wrote:
>
> > On Mon, Oct 12, 2009 at 12:51 AM, Jan Ježek <jjezek () kerio com> wrote:
> >
> > > Hi everybody,
> > >
> > > I would like to gather some knowledge about the status of the inline
> > > functionalty.
> > >
> > > There is Snort 2.8 in which the inline functionality does not work. It
> > > does
> > > not work because it relies on libipq which is no longer supported and the
> > > compat layer from libnetfilter-queue has just been removed recently so
> > > Snort
> > > with GIDS enabled wouldn¹t even compile. Also, IP defragmentation in
> > > inline
> > > mode seems to be broken in the current 2.8 (though it worked in 2.8.0).
> > > The
> > > reason is because it tryes to safe memcopy zero bytes.
> > >
> > > Then there is the snort-inline project which development seems dead. It¹s
> > > only 2.6 and the maintainer isn¹t replying.
> > >
> > > We would like to integrate Snort in inline mode into a security product.
> > > We
> > > are willing to fix and maintain the inline mode Snort. But the current
> > > status is unclear. Is the only way to branch and maintain our own
> > > project?
> > >
> > > Furthermore, we are willing to maintain the Windows version even with the
> > > inline mode. Internally, we were able to compile and run 2.8 on Windows
> > > in
> > > inline mode successfully.
> > >
> > > Thanks in advance for any pointers on how to proceed.
> > The code you are looking at, I am assuming you are referring to the
> > "snort_inline" project?
> > As opposed to looking at the code in Snort.  Snort can be compiled to
> > perform IPS functions with the --enable-inline compile tag.
> >
> > Just for clarification.
> >
> > Joel
>
> Both, actually. I don't know how the inline code (activated by
> --enable-inline) got to the Snort main line. I presume it was merged from
> snort_inline at some port of time? However, in its current state it does not
> work at all on Linux because it depends on libipq and support for that is
> discontinued in the latest 2.6.x kernels.

This thread might be of help:

http://marc.info/?l=snort-devel&m=124989274715663&w=2

There are some more of my queries in the archive.

snort 2.8.4 compiles with --enable-inline on ubuntu hardy(did this even today)
But like you say it might not on the lastest 2.6.x kernels as libipq
support might
be absent.

> As Victor clarified, we are now looking into the snort_inline project's SVN
> repository and that one seems to be OK.  The current snapshot of
> snort_inline now uses linetfilter_queue instead of libipq.

This might be better, AFAIK the latest svn (of snort_inline)has
snort_inline code merged against snort-2.8.4.  The reply to this
effect might well be there in the list archives.

> JJ.

------------------------------------------------------------------------------
Come build with us! The BlackBerry(R) Developer Conference in SF, CA
is the only developer event you need to attend this year. Jumpstart your
developing skills, take BlackBerry mobile applications to market and stay 
ahead of the curve. Join us from November 9 - 12, 2009. Register now!
http://p.sf.net/sfu/devconference
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel