Snort mailing list archives

Re: Snort Inline incompatible libipq???


From: spiderslack <spiderslack () yahoo com br>
Date: Wed, 22 Sep 2010 11:30:54 -0400

On 09/22/2010 08:08 AM, Tomas Heredia wrote:
Mmmm.. Snort links to libipq... and to use nfnetlink queue, you should link to libnfnetlink_queue instead... Better try unloading nfnetlink_queue, nfnetlink and XT_NFQUEUE, and then loading ip_queue alone
The output of the procedures performed follows:

*unload modules*
root@nascimento:~# modprobe -r nfnetlink_queue
root@nascimento:~# modprobe -r nfnetlink
root@nascimento:~# modprobe -r xt_NFQUEUE
root@nascimento:~# modprobe -r ip_queue

*list modules load*

root@nascimento:~# lsmod
Module                  Size  Used by
xt_tcpudp               2667  0
iptable_filter          2791  0
ip_tables              18358  1 iptable_filter
x_tables               22429  2 xt_tcpudp,ip_tables
bridge                 53152  0
stp                     2171  1 bridge
fbcon                  39270  71
tileblit                2487  1 fbcon
font                    8053  1 fbcon
bitblit                 5811  1 fbcon
softcursor              1565  1 bitblit
vga16fb                12757  1
vgastate                9857  1 vga16fb
radeon                739595  0
ttm                    60815  1 radeon
drm_kms_helper         30710  1 radeon
ipmi_si                41065  0
ipmi_msghandler        36955  1 ipmi_si
lp                      9336  0
parport                37160  1 lp
drm                   198226  3 radeon,ttm,drm_kms_helper
i2c_algo_bit            6024  1 radeon
hpilo                   7985  0
i3000_edac              3679  0
psmouse                64608  0
serio_raw               4950  0
shpchp                 33679  0
edac_core              45423  3 i3000_edac
usbhid                 40988  0
hid                    83376  1 usbhid
tg3                   122350  0
root@nascimento:~#

*load module ip_queue*

root@nascimento:~# modprobe ip_queue
root@nascimento:~# lsmod | grep -i queue
ip_queue                6324  0
root@nascimento:~# lsmod
Module                  Size  Used by
ip_queue                6324  0
xt_tcpudp               2667  0
iptable_filter          2791  0
ip_tables              18358  1 iptable_filter
x_tables               22429  2 xt_tcpudp,ip_tables
bridge                 53152  0
stp                     2171  1 bridge
fbcon                  39270  71
tileblit                2487  1 fbcon
font                    8053  1 fbcon
bitblit                 5811  1 fbcon
softcursor              1565  1 bitblit
vga16fb                12757  1
vgastate                9857  1 vga16fb
radeon                739595  0
ttm                    60815  1 radeon
drm_kms_helper         30710  1 radeon
ipmi_si                41065  0
ipmi_msghandler        36955  1 ipmi_si
lp                      9336  0
parport                37160  1 lp
drm                   198226  3 radeon,ttm,drm_kms_helper
i2c_algo_bit            6024  1 radeon
hpilo                   7985  0
i3000_edac              3679  0
psmouse                64608  0
serio_raw               4950  0
shpchp                 33679  0
edac_core              45423  3 i3000_edac
usbhid                 40988  0
hid                    83376  1 usbhid
tg3                   122350  0
root@nascimento:~#

*create rules iptables*

root@nascimento:~# iptables -t filter -I FORWARD -p tcp --dport 3389 -j QUEUE
root@nascimento:~# iptables -t filter -I FORWARD -p tcp --sport 3389 -j QUEUE

*snort running*

root@nascimento:~# ps ax | grep -i snort
24224 ? Ss 0:01 /usr/sbin/snort -m 027 -D -Q -l /var/log/snort -u snort -g snort -c /etc/snort/snort.conf
root@nascimento:~#

*list rules iptables load*

root@nascimento:~# iptables -t filter -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
QUEUE      tcp  --  0.0.0.0/0            0.0.0.0/0           tcp spt:3389
QUEUE      tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:3389

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
root@nascimento:~#

*debug with tcpdump*

root@nascimento:~# tcpdump -i br0 -n port 3389
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on br0, link-type EN10MB (Ethernet), capture size 96 bytes
11:20:52.147495 IP 100.100.100.100.44361 > 200.200.200.200.3389: Flags [S], seq 973176684, win 5840, options [mss 1460,sackOK,TS val 273500 ecr 0,nop,wscale 7], length 0
11:20:55.286310 IP 100.100.100.100.44361 > 200.200.200.200.3389: Flags [S], seq 973176684, win 5840, options [mss 1460,sackOK,TS val 273800 ecr 0,nop,wscale 7], length 0
11:21:01.143103 IP 100.100.100.100.44361 > 200.200.200.200.3389: Flags [S], seq 973176684, win 5840, options [mss 1460,sackOK,TS val 274400 ecr 0,nop,wscale 7], length 0


And nothing was generated in the alert file. I am sending the snort.conf file herewith, but I think that is not the cause of the problem. I'll do a test on another distribution to see if it is some incompatibility. I'm using the Ubuntu distribution, version 10.04; I will test with the CentOS or Fedora distribution.

Regards.
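As an added example (not code from this thread, from spiderslack, or from the Snort project), the following POSIX shell script automates the four checks the message above performed by hand: which netfilter queue backend is loaded (ip_queue for libipq versus nfnetlink_queue), how many -j QUEUE rules are present in the filter table, whether a snort process is running with -Q, and whether the capture shows SYN retransmissions (the same source port and sequence number sent again with no SYN-ACK in between, which is what the three tcpdump lines above show). All function names are this example's own, and the SAMPLE_* inputs are constructed text modelled on the listings in the thread; on a live host you would pass the output of `lsmod`, `iptables -t filter -nL`, `ps ax` and `tcpdump -n port 3389` instead.

```shell
#!/bin/sh
# Constructed sample inputs modelled on the outputs quoted in the thread (not live captures).
SAMPLE_LSMOD='Module                  Size  Used by
ip_queue                6324  0
xt_tcpudp               2667  0
ip_tables              18358  1 iptable_filter'

SAMPLE_IPTABLES='Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
QUEUE      tcp  --  0.0.0.0/0            0.0.0.0/0           tcp spt:3389
QUEUE      tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:3389'

SAMPLE_PS='24224 ?        Ss     0:01 /usr/sbin/snort -m 027 -D -Q -l /var/log/snort -u snort -g snort -c /etc/snort/snort.conf'

SAMPLE_TCPDUMP='11:20:52.147495 IP 100.100.100.100.44361 > 200.200.200.200.3389: Flags [S], seq 973176684, win 5840, length 0
11:20:55.286310 IP 100.100.100.100.44361 > 200.200.200.200.3389: Flags [S], seq 973176684, win 5840, length 0
11:21:01.143103 IP 100.100.100.100.44361 > 200.200.200.200.3389: Flags [S], seq 973176684, win 5840, length 0'

# Report which queue backend the kernel has loaded, from lsmod output passed as $1:
# "ip_queue" (what a libipq-linked Snort needs), "nfnetlink_queue", "both" or "none".
queue_backend() {
    ipq=$(printf '%s\n' "$1" | awk '$1 == "ip_queue" {c++} END {print c+0}')
    nfq=$(printf '%s\n' "$1" | awk '$1 == "nfnetlink_queue" {c++} END {print c+0}')
    if [ "$ipq" -gt 0 ] && [ "$nfq" -gt 0 ]; then echo both
    elif [ "$ipq" -gt 0 ]; then echo ip_queue
    elif [ "$nfq" -gt 0 ]; then echo nfnetlink_queue
    else echo none
    fi
}

# Count rules whose target is QUEUE in an `iptables -t filter -nL` listing passed as $1.
# ip_queue is fed by -j QUEUE; -j NFQUEUE rules would go to nfnetlink_queue instead.
count_queue_rules() {
    printf '%s\n' "$1" | awk '$1 == "QUEUE" {c++} END {print c+0}'
}

# Exit 0 if `ps ax` output passed as $1 contains a snort process started with -Q (inline mode).
# The grep process itself ("grep -i snort") carries no -Q, so it does not produce a false match.
snort_inline_running() {
    printf '%s\n' "$1" | grep -q 'snort .*-Q'
}

# Count SYN retransmissions in tcpdump output passed as $1: pure-SYN packets ("Flags [S],")
# that repeat the same source, destination and sequence number. A non-zero count with no
# SYN-ACK means the queued packets are never being verdicted and reinjected.
syn_retransmits() {
    printf '%s\n' "$1" | awk '
        /Flags \[S\],/ { key = $3 " " $5 " " $9; seen[key]++ }
        END { r = 0; for (k in seen) if (seen[k] > 1) r += seen[k] - 1; print r }'
}

# Print a one-screen summary for the four inputs (lsmod, iptables, ps, tcpdump).
report() {
    echo "queue backend:   $(queue_backend "$1")"
    echo "QUEUE rules:     $(count_queue_rules "$2")"
    if snort_inline_running "$3"; then
        echo "snort -Q:        running"
    else
        echo "snort -Q:        NOT running"
    fi
    echo "SYN retransmits: $(syn_retransmits "$4")"
}

report "$SAMPLE_LSMOD" "$SAMPLE_IPTABLES" "$SAMPLE_PS" "$SAMPLE_TCPDUMP"
```

On the thread's own data the report shows the expected backend (ip_queue), two QUEUE rules and a running snort -Q, yet two SYN retransmissions with no reply, which isolates the problem to the path between the queue and the Snort process rather than to the iptables rules or the module list.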
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net