Re: Snort Inline incompatible libipq???

[spiderslack <spiderslack () yahoo com br>]

On 09/22/2010 07:54 AM, Tomas Heredia wrote:
> I can´t try it right now, but if I recall right, nfnetlink_queue and 
> ip_queue do the same thing, and shouldn´t be loaded together..
> Try unloading ip_queue (but keeping nfnetlink_queue)
>
>
> El 21/09/2010 04:47 p.m., spiderslack escribió:
> > On 09/21/2010 03:34 PM, Tomas Heredia wrote:
> > > That gave me a hint... I'm recalling from past failures :-)
> > > did you "modprobe ip_queue"?
> > > could you post  your "lsmod"?
Hi Tomas

I managed to compile a code in C of the next page.

http://www.nufw.org/doc/libnetfilter_queue/nfqnl__test_8c-source.html

Handles the packet and generates a NF_ACCEPT compiled with the following 
command.

root@nascimento:~/libnetfilter_queue# gcc test1.c -o test1 -lnetfilter_queue

after compiling run firewall rules below and run and snort.


create rule iptables

root @ birth: ~ # iptables-t filter-I FORWARD-p tcp - dport 3389-j QUEUE
root @ birth: ~ # iptables-t filter-I FORWARD-p tcp - sport 3389-j QUEUE

snort running

root@nascimento:~# ps ax | grep snort
24608 ?        Ss     0:00 /usr/sbin/snort -m 027 -D -Q -l 
/var/log/snort -u snort -g snort -c /etc/snort/snort.conf
root@nascimento:~#

and the module loaded nfnetlink_queue, without running the code compiled 
terminal service does not work if I run the binary connection terminal 
service works.

root@nascimento:~/libnetfilter_queue# ./test1
opening library handle
unbinding existing nf_queue handler for AF_INET (if any)
binding nfnetlink_queue as nf_queue handler for AF_INET
binding this socket to queue '0'
setting copy_packet mode
pkt received
hw_protocol=0x0800 hook=2 id=0 indev=4 outdev=4 payload_len=60
entering callback
pkt received
hw_protocol=0x0800 hook=2 id=1 indev=4 outdev=4 payload_len=52
entering callback
pkt received
hw_protocol=0x0800 hook=2 id=2 indev=4 outdev=4 payload_len=96
entering callback
pkt received
hw_protocol=0x0800 hook=2 id=3 indev=4 outdev=4 payload_len=458
entering callback
pkt received
^C
root@nascimento:~/libnetfilter_queue#


I tried to compile the code using libipq only. generates the error below.

root@nascimento:~# gcc test_libipq.c -o test_libipq -lipq
In file included from test_libipq.c:2:
/usr/include/linux/netfilter.h:55: error: field 'in' has incomplete type
/usr/include/linux/netfilter.h:56: error: field 'in6' has incomplete type
test_libipq.c: In function 'die':
test_libipq.c:32: warning: incompatible implicit declaration of built-in 
function 'exit'
root@nascimento:~#


I believe that the latest kernel using libnetfilter_queue and snort 
still uses libipq, I see no other answer. To complete my tests I will 
test in yet another distribution, but if they have any tips or anything 
that could help me I thank you.

Regards

------------------------------------------------------------------------------
Start uncovering the many advantages of virtual appliances
and start using them to simplify application deployment and
accelerate your shift to cloud computing.
http://p.sf.net/sfu/novell-sfdev2dev

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users