Re: Snort 2.9.0 Now Available

[Russ Combs <rcombs () sourcefire com>]

On Tue, Oct 5, 2010 at 12:33 PM, waldo kitty <wkitty42 () windstream net>wrote:

> On 10/5/2010 12:12, Russ Combs wrote:
> > On Tue, Oct 5, 2010 at 12:00 PM, waldo kitty <wkitty42 () windstream net
> > <mailto:wkitty42 () windstream net>> wrote:
> >     as written above, there is no libnet in use at all in the product i'm
> working
> >     with... there's no libdnet, either... we've simply never had a need
> for
> >     either...
> >
> > OK - libnet was only required for inline builds.  I'm looking into a
> change that
> > may obviate dnet for Snort when active response is not configured.
>
> interesting... i assume that "active response" means "inline"?? i also
> assume
> that "active response" means that snort does the dropping/blocking of
> unwanted
> traffic and notifies iptables to create drop/block and log rules? how much
> more
> memory is consumed by snort in inline mode?

This one might be worth your time to dig into a little ... the DAQ README
and Snort README.active are a good place to start.  There is a lot there and
I can't do it justice here, but some responses to the above:

* Active response enables sending TCP resets or ICMP unreachables and is
possible in passive or inline mode.
* The DAQ provides more flavors than just pcap or iptables (via NFQ or
IPQ).  See, for example, afpacket.
* Also, NFQ and IPQ don't update iptables rules; all packets pass through
Snort which renders a verdict to the kernel.


> >      > > With 2.9.0, you *must* use the DAQ.  By default, you will wind
> up using a
> >      >     pcap
> >      > > DAQ, but the DAQ is a separate package that must be installed.
>  This is
> >      >     new for
> >      > > 2.9.0.
> >      >
> >      >     ugh! when does the madness end? :lol: i'll have to see if i
> can hunt
> >     up the
> >      >     archive for that... hopefully it is available at
> >      > www.snort.org/ports/snort-current/
> >      >
> >      > You can find it here, along with Snort:
> http://www.snort.org/snort-downloads.
> >     i'd rather find it in a place that is automation and script
> friendly... that web
> >     page link is not :?
> >
> > This is another issue worth sending to the web site maintainers.
>
> :?
>
> FWIW: luckily enough, DAQ is available at the above location...
>
> http://www.snort.org/ports/snort-current/daq-0.2.tar.gz
>
>
>
> ------------------------------------------------------------------------------
> Beautiful is writing same markup. Internet Explorer 9 supports
> standards for HTML5, CSS3, SVG 1.1,  ECMAScript5, and DOM L2 & L3.
> Spend less time writing and  rewriting code and more time creating great
> experiences on the web. Be a part of the beta today.
> http://p.sf.net/sfu/beautyoftheweb
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
------------------------------------------------------------------------------
Beautiful is writing same markup. Internet Explorer 9 supports
standards for HTML5, CSS3, SVG 1.1,  ECMAScript5, and DOM L2 & L3.
Spend less time writing and  rewriting code and more time creating great
experiences on the web. Be a part of the beta today.
http://p.sf.net/sfu/beautyoftheweb

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users