Snort mailing list archives

Re: Snort Inline incompatible libipq???


From: spiderslack <spiderslack () yahoo com br>
Date: Tue, 21 Sep 2010 15:15:57 -0400

On 09/21/2010 12:16 PM, Tomas Heredia wrote:
  Also, all traffic for the txp session should go thru Snort...
Try adding

iptables -I FORWARD -p tcp --sport 3389 -j QUEUE


Hi Tomas,

I added the rule as you specified:

iptables -I FORWARD -p tcp --sport 3389 -j QUEUE


but it does not work :(

See the tcpdump logs:

root@nascimento:~# tcpdump -i br0 -n port 3389
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on br0, link-type EN10MB (Ethernet), capture size 96 bytes
15:02:52.121229 IP 100.100.100.100.2844 > 200.200.200.200.3389: Flags [S], seq 3126417596, win 65535, options [mss 1452,nop,nop,sackOK], length 0
15:02:55.102729 IP 100.100.100.100.2844 > 200.200.200.200.3389: Flags [S], seq 3126417596, win 65535, options [mss 1452,nop,nop,sackOK], length 0
15:03:01.129871 IP 100.100.100.100.2844 > 200.200.200.200.3389: Flags [S], seq 3126417596, win 65535, options [mss 1452,nop,nop,sackOK], length 0
15:04:15.775264 IP 100.100.100.100.2850 > 200.200.200.200.3389: Flags [S], seq 2075772945, win 65535, options [mss 1452,nop,nop,sackOK], length 0
15:04:18.711696 IP 100.100.100.100.2850 > 200.200.200.200.3389: Flags [S], seq 2075772945, win 65535, options [mss 1452,nop,nop,sackOK], length 0
15:04:24.722153 IP 100.100.100.100.2850 > 200.200.200.200.3389: Flags [S], seq 2075772945, win 65535, options [mss 1452,nop,nop,sackOK], length 0
^C
6 packets captured
6 packets received by filter
0 packets dropped by kernel
root@nascimento:~#


The rules show:

root@nascimento:~# iptables -t filter -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
QUEUE      tcp  --  0.0.0.0/0            0.0.0.0/0           tcp spt:3389
QUEUE      tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:3389

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
root@nascimento:~#

root@nascimento:~# ps ax | grep -i snort
23199 ? Ss 0:43 /usr/sbin/snort -m 027 -D -Q -l /var/log/snort -u snort -g snort -c /etc/snort/snort.conf
root@nascimento:~#

I do not know what else to do. I tried to compile the C code to give NF_ACCEPT to the packets that are queued, but it does not compile; according to my research this is because the 2.6 kernel no longer uses libipq but libnetfilter_queue instead. I am researching how to debug, or at least see, whether the packets are going to the QUEUE and arriving there. If you have any idea that can help me, I thank you.

Regards.
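One way to check the two things the poster wants to see (are packets reaching the QUEUE rules, and is anything consuming the queue), as an added example that is not code from the thread: it parses the packet counters of `iptables -vnL FORWARD` and the `/proc/net/ip_queue` status file of the legacy ip_queue module that the QUEUE target and libipq use on 2.6 kernels. The sample outputs embedded below are constructed, not captured from the poster's host.

```python
"""Diagnose whether packets hit the iptables QUEUE target and whether a
userspace consumer (an ip_queue/libipq program) is bound to the queue.
Added example; the sample text below is constructed, not real output."""

# Constructed sample of `iptables -t filter -vnL FORWARD` (-v adds counters).
IPTABLES_VNL = """\
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    6   288 QUEUE      tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:3389
    0     0 QUEUE      tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:3389
"""

# Constructed sample of /proc/net/ip_queue when no libipq program has bound:
# "Peer PID : 0" means queued packets have nowhere to go and are dropped.
IP_QUEUE_PROC = """\
Peer PID          : 0
Copy mode         : 0
Copy range        : 0
Queue length      : 0
Queue max. length : 1024
Queue dropped     : 6
Netlink dropped   : 0
"""

def queue_rule_counters(vnl_text):
    """Return [(target, match_text, pkts)] for QUEUE/NFQUEUE rules in -vnL output."""
    rules = []
    for line in vnl_text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[2] in ("QUEUE", "NFQUEUE"):
            rules.append((fields[2], " ".join(fields[9:]), int(fields[0])))
    return rules

def ip_queue_status(proc_text):
    """Parse /proc/net/ip_queue into {field_name: int}."""
    status = {}
    for line in proc_text.splitlines():
        key, _, val = line.partition(":")
        status[key.strip()] = int(val)
    return status

def diagnose(vnl_text, proc_text):
    """Turn counters into findings that explain unanswered, retransmitted SYNs."""
    findings = []
    for target, match, pkts in queue_rule_counters(vnl_text):
        if pkts == 0:
            findings.append(f"{target} rule '{match}' never matched: no traffic traverses FORWARD for it")
    st = ip_queue_status(proc_text)
    if st.get("Peer PID") == 0:
        findings.append("no userspace process is bound to ip_queue: QUEUE'd packets are dropped")
    if st.get("Queue dropped", 0) > 0:
        findings.append(f"ip_queue dropped {st['Queue dropped']} packets")
    return findings
```

A zero packet count on a bridge interface such as br0 can also mean bridged frames are not being handed to iptables at all (the net.bridge.bridge-nf-call-iptables sysctl), so check that before looking at the queue consumer.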
Snort-users mailing list