Snort mailing list archives

Fw: Re: Snort in IPS mode


From: turki <turki_00 () yahoo com>
Date: Thu, 19 May 2011 08:29:34 -0700 (PDT)

To solve the problem of missing nfq in snort --daq-list,

- install the following packages:

apt-get -y install libnetfilter-queue-dev libnetfilter-queue1 libnfnetlink-dev libnfnetlink0

- Rebuild DAQ 0.5:
./configure && make && make install

- Check for nfq support in Snort:
./snort --daq-dir /usr/local/lib/daq --daq-list

Available DAQ modules:
nfq(v4): live inline multi  <-----------------------------
pcap(v3): readback live multi unpriv
ipfw(v2): live inline multi unpriv
dump(v1): readback live inline multi unpriv
afpacket(v4): live inline multi unpriv

- Run Snort in inline mode (don't forget to include the daq directory):
./snort --daq nfq -Q -c snort.conf --daq-dir /usr/local/lib/daq --daq-var device=eth0


I am assuming that Snort is running in inline mode right now by giving me the msg:

Commencing packet processing (pid=5097)
Decoding Raw IP4

Next step, configuring iptables
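The two checks the thread converges on (is daq_nfq.so actually under /usr/local/lib/daq, and does `snort --daq-dir ... --daq-list` report nfq with the inline capability) written up as a small POSIX shell script. This is an added example, not code from the thread or from the Snort/DAQ projects. It assumes the install directory /usr/local/lib/daq used throughout the thread and the one-line-per-module `name(vN): caps` listing format shown above; the two sample listings embedded in it are constructed from the outputs quoted in the thread so the functions can be exercised without a Snort install.

```shell
#!/bin/sh
# check_daq_nfq.sh: pre-flight checks before starting Snort inline with the
# NFQ DAQ. Added example for this thread, not code from Snort or DAQ.
# Assumptions: DAQ modules live under /usr/local/lib/daq (as in the thread)
# and `snort --daq-list` prints one "name(vN): cap cap ..." line per module.

DAQ_DIR="${DAQ_DIR:-/usr/local/lib/daq}"

# Print the capability flags of module $1 from `snort --daq-list` output
# read on stdin; print nothing if the module is not listed.
daq_caps() {
    awk -v mod="$1" -F': ' '$1 ~ ("^" mod "\\(v[0-9]+\\)$") { print $2 }'
}

# Succeed only if module $1 is listed and advertises "inline"; a module
# without that flag cannot be used with -Q even when it loads.
daq_is_inline() {
    caps=$(daq_caps "$1")
    [ -n "$caps" ] || return 1
    case " $caps " in
        *" inline "*) return 0 ;;
        *)            return 1 ;;
    esac
}

# Print each requested module name whose daq_<name>.so is absent from
# directory $1 (the symptom in this thread: daq_nfq.so never installed).
daq_missing_modules() {
    dir="$1"; shift
    for mod in "$@"; do
        [ -f "$dir/daq_$mod.so" ] || echo "$mod"
    done
}

# Constructed sample listings, shaped like the outputs quoted in the thread:
# the working build, and the build where nfq was never installed.
DAQ_LIST_OK='Available DAQ modules:
nfq(v4): live inline multi
pcap(v3): readback live multi unpriv
ipfw(v2): live inline multi unpriv
dump(v1): readback live inline multi unpriv
afpacket(v4): live inline multi unpriv'

DAQ_LIST_NO_NFQ='Available DAQ modules:
pcap(v3): readback live multi unpriv
ipfw(v2): live inline multi unpriv
dump(v1): readback live inline multi unpriv
afpacket(v4): live inline multi unpriv'

# Check the live system; fall back to the sample when snort is not installed.
main() {
    if ! command -v snort >/dev/null 2>&1; then
        echo "snort not on PATH; checking the embedded sample instead" >&2
        printf '%s\n' "$DAQ_LIST_OK" | daq_is_inline nfq && echo "sample: nfq is inline-capable"
        return 0
    fi
    missing=$(daq_missing_modules "$DAQ_DIR" nfq)
    if [ -n "$missing" ]; then
        echo "daq_$missing.so is not in $DAQ_DIR: rerun make install in the DAQ source" >&2
        return 1
    fi
    if snort --daq-dir "$DAQ_DIR" --daq-list 2>/dev/null | daq_is_inline nfq; then
        echo "nfq DAQ found in $DAQ_DIR and inline-capable; start with:"
        echo "  snort --daq nfq -Q -c snort.conf --daq-dir $DAQ_DIR --daq-var device=eth0"
    else
        echo "snort does not list nfq: pass --daq-dir $DAQ_DIR or rebuild DAQ" >&2
        return 1
    fi
}

# Run the checks only when executed as a script, not when sourced.
case "$0" in */check_daq_nfq.sh|check_daq_nfq.sh) main "$@" ;; esac
```

Run it as `sh check_daq_nfq.sh` on the sensor (or `DAQ_DIR=/other/path sh check_daq_nfq.sh` if DAQ was installed elsewhere); the file-existence check fires first because the thread shows `configure` saying "Build NFQ DAQ module: yes" while `make install` had never put daq_nfq.so in place.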


--- On Tue, 5/17/11, turki <turki_00 () yahoo com> wrote:

From: turki <turki_00 () yahoo com>
Subject: Re: [Snort-users] Snort in IPS mode
To: "Russ Combs" <rcombs () sourcefire com>
Cc: "Will Metcalf" <william.metcalf () gmail com>, snort-users () lists sourceforge net, "Jason Brvenik" <jbrvenik () sourcefire com>
Received: Tuesday, May 17, 2011, 6:40 PM

I apologize for the late response as the VM instance failed and I had to rebuild it (welcome to the cloud!)

Attached the make3.out and install.out

./configure
Build AFPacket DAQ module.. : yes
Build Dump DAQ module...... : yes
Build IPFW DAQ module...... : yes
Build IPQ DAQ module....... : no
Build NFQ DAQ module....... : yes
Build PCAP DAQ module...... : yes

snort --daq-dir /usr/local/lib/daq --daq-list
Available DAQ modules:
nfq(v4): live inline multi
pcap(v3): readback live multi unpriv
ipfw(v2): live inline multi unpriv
dump(v1): readback live inline multi unpriv
afpacket(v4): live inline multi unpriv

--- On Tue, 5/17/11, Russ Combs <rcombs () sourcefire com> wrote:

From: Russ Combs <rcombs () sourcefire com>
Subject: Re: [Snort-users] Snort in IPS mode
To: "turki" <turki_00 () yahoo com>
Cc: "Will Metcalf" <william.metcalf () gmail com>, snort-users () lists sourceforge net, "Jason Brvenik" <jbrvenik () sourcefire com>
Received: Tuesday, May 17, 2011, 4:07 PM

On Tue, May 17, 2011 at 3:02 PM, turki <turki_00 () yahoo com> wrote:

./configure --disable-ipq-module

Build AFPacket DAQ module.. : yes
Build Dump DAQ module...... : yes
Build IPFW DAQ module...... : yes
Build IPQ DAQ module....... : no
Build NFQ DAQ module....... : yes
Build PCAP DAQ module...... : yes

snort --daq-dir /usr/local/lib/daq --daq-list

Available DAQ modules:
pcap(v3): readback live multi unpriv
ipfw(v2): live inline multi unpriv
dump(v1): readback live inline multi unpriv
afpacket(v4): live inline multi unpriv

make2.out (after disabling ipq) is attached

Can you send the output of make install &> install.out?

--- On Tue, 5/17/11, Russ Combs <rcombs () sourcefire com> wrote:

From: Russ Combs <rcombs () sourcefire com>
Subject: Re: [Snort-users] Snort in IPS mode
To: "turki" <turki_00 () yahoo com>
Cc: "Will Metcalf" <william.metcalf () gmail com>, snort-users () lists sourceforge net, "Jason Brvenik" <jbrvenik () sourcefire com>
Received: Tuesday, May 17, 2011, 3:43 PM

On Tue, May 17, 2011 at 2:24 PM, turki <turki_00 () yahoo com> wrote:

make.out attached

Try to reconfigure your DAQ with --disable-ipq-module.  The make is stopping there with "cannot find -lipq".

--- On Tue, 5/17/11, Russ Combs <rcombs () sourcefire com> wrote:

From: Russ Combs <rcombs () sourcefire com>
Subject: Re: [Snort-users] Snort in IPS mode
To: "turki" <turki_00 () yahoo com>
Cc: "Will Metcalf" <william.metcalf () gmail com>, snort-users () lists sourceforge net, "Jason Brvenik" <jbrvenik () sourcefire com>
Received: Tuesday, May 17, 2011, 3:18 PM

On Tue, May 17, 2011 at 2:09 PM, turki <turki_00 () yahoo com> wrote:

Producing the same daq list:

./snort --daq-dir /usr/local/lib/daq --daq-list

Available DAQ modules:
pcap(v3): readback live multi unpriv
ipfw(v2): live inline multi unpriv
dump(v1): readback live inline multi unpriv
afpacket(v4): live inline multi unpriv

ls /usr/local/lib/daq

daq_afpacket.la  daq_dump.la  daq_ipfw.la  daq_pcap.la
daq_afpacket.so  daq_dump.so  daq_ipfw.so  daq_pcap.so

daq_nfq.so and daq_nfq.la are not there?!
How come, when the configuration of daq is telling me

Build NFQ DAQ module....... : yes

Is there anything I need to export in the path?

Can you send the make output of the DAQ source?

Eg:

make clean
make &> make.out

e.g.
LD_LIBRARY_PATH  or CPPFLAGS

Russ, I read your previous post in the Snort-users list:
http://www.networksecurityarchive.org/html/Snort-Users/2011-03/msg00687.html

and am trying to understand what is going on

appreciate all kinds of help

--- On Tue, 5/17/11, Russ Combs <rcombs () sourcefire com> wrote:

From: Russ Combs <rcombs () sourcefire com>
Subject: Re: [Snort-users] Snort in IPS mode
To: "turki" <turki_00 () yahoo com>
Cc: "Will Metcalf" <william.metcalf () gmail com>, snort-users () lists sourceforge net, "Jason Brvenik" <jbrvenik () sourcefire com>
Received: Tuesday, May 17, 2011, 2:32 PM

On Tue, May 17, 2011 at 1:03 PM, turki <turki_00 () yahoo com> wrote:

Hi Will,

first, checking the configuration of daq
./configure

Build AFPacket DAQ module.. : yes
Build Dump DAQ module...... : yes
Build IPFW DAQ module...... : yes
Build IPQ DAQ module....... : no
Build NFQ DAQ module....... : no
Build PCAP DAQ module...... : yes

then, install the provided packages:
apt-get -y install libnetfilter-queue-dev libnetfilter-queue1 libnfnetlink-dev libnfnetlink0

Run the configuration of daq again:
./configure

Build AFPacket DAQ module.. : yes
Build Dump DAQ module...... : yes
Build IPFW DAQ module...... : yes
Build IPQ DAQ module....... : no
Build NFQ DAQ module....... : yes
Build PCAP DAQ module...... : yes

So clearly, the NFQ DAQ module was not installed before installing the packages

When I run:
./configure --with-libpcap-includes=/usr/include/libnetfilter_queue --with-libpcap-libraries=/usr/lib

Build AFPacket DAQ module.. : yes
Build Dump DAQ module...... : yes
Build IPFW DAQ module...... : yes
Build IPQ DAQ module....... : yes
Build NFQ DAQ module....... : yes
Build PCAP DAQ module...... : yes

Now, when I run:
./snort --daq-list

Available DAQ modules:
pcap(v3): readback live multi unpriv
ipfw(v2): live inline multi unpriv
dump(v1): readback live inline multi unpriv
afpacket(v4): live inline multi unpriv

NFQ is not in the list ?!  help

It may have built only the shared library.  If you know the install directory, then run this:

./snort --daq-dir /usr/local/lib/daq --daq-list

where /usr/local/lib/daq is your daq so install directory.

--- On Tue, 5/17/11, Will Metcalf <william.metcalf () gmail com> wrote:

From: Will Metcalf <william.metcalf () gmail com>
Subject: Re: [Snort-users] Snort in IPS mode
To: "turki" <turki_00 () yahoo com>
Cc: snort-users () lists sourceforge net, "Jason Brvenik" <jbrvenik () sourcefire com>
Received: Tuesday, May 17, 2011, 11:56 AM

I'm not running 11.4 but try this. Afterwards you need to try and
rebuild daq and make sure it builds with nfq support.

sudo apt-get -y install libnetfilter-queue-dev libnetfilter-queue1 libnfnetlink-dev libnfnetlink0

Regards,

Will

On Tue, May 17, 2011 at 9:43 AM, turki <turki_00 () yahoo com> wrote:

Hi Jason,

as far as I understand from your (and Michael's) comments, I did the following:

snort --daq nfq -Q -c snort.conf

I received the following error:
ERROR: Can't find nfq DAQ!
Fatal Error, Quitting..

- Is there any modification I need to do in the snort.conf file ?
- do I have to compile snort in inline mode first?
- do I have to set the iptables before I run snort in inline mode?

My goal is to run Snort in inline mode with a single interface eth0

I apologize if I am asking too many b
Is there any beginners tutorial regarding snort inline mode as I just jumped into the snort IPS mode without any background.

Thank you,

daq-0.5
ubuntu 11.4
Snort 2.9.0.5

--- On Mon, 5/16/11, Will Metcalf <william.metcalf () gmail com> wrote:

From: Will Metcalf <william.metcalf () gmail com>
Subject: Re: [Snort-users] Snort in IPS mode
To: "turki" <turki_00 () yahoo com>
Cc: "Jason Brvenik" <jbrvenik () sourcefire com>, snort-users () lists sourceforge net
Received: Monday, May 16, 2011, 4:14 PM

You should be able to do this very easily with NFQ as Michael suggested.  See the README included with daq.  One
thing to note, afaik the example uses the FORWARD; if you are using it on the local host you need something like the
following if you want to look at port 80 traffic bound for your webserver.

iptables -I INPUT -i lo -j ACCEPT
iptables -I INPUT -p tcp --dport 80 -j NFQUEUE
iptables -I OUTPUT -p tcp --sport 80 -j NFQUEUE

Regards,

Will

On Mon, May 16, 2011 at 1:46 PM, turki <turki_00 () yahoo com> wrote:

Jason,

No, it didn't work :(

After creating an alias interface eth0:0

and running the command:

snort -Q --daq afpacket -i eth0:eth0:0 -c snort.conf

I got the error msg:

ERROR: Can't initialize DAQ afpacket (-1) - afpacket_daq_initialize: Couldn't create the bridge between eth0 and eth0!
Fatal Error, Quitting..

Thank you for the help

--- On Mon, 5/16/11, Jason Brvenik <jbrvenik () sourcefire com> wrote:

From: Jason Brvenik <jbrvenik () sourcefire com>
Subject: Re: [Snort-users] Snort in IPS mode
To: "turki" <turki_00 () yahoo com>
Cc: snort-users () lists sourceforge net, "Michael Altizer" <maltizer () sourcefire com>
Received: Monday, May 16, 2011, 3:29 PM

Just create an aliased interface to eth0

On May 16, 2011 2:15 PM, "turki" <turki_00 () yahoo com> wrote:

The reason behind my single interface approach is that I want to run Snort (inline mode) in Amazon cloud and I was
stopped by the fact that they only allow 1 interface for every running virtual machine instance in EC2.

Thank you Michael for sharing your knowledge.

--- On Mon, 5/16/11, Michael Altizer <maltizer () sourcefire com> wrote:

From: Michael Altizer <maltizer () sourcefire com>
Subject: Re: [Snort-users] Snort in IPS mode
To: snort-users () lists sourceforge net
Received: Monday, May 16, 2011, 9:53 PM

This is not possible with the current AFPacket DAQ module since I
never really thought to do that, but it could be modified to do so
(check if an instance for that interface already exists when opening
each interface and reuse it instead of trying to reopen and
failing).  You may be able to do something like that with IPTables
and the NFQ DAQ module, but I couldn't say for sure.

On 05/16/2011 09:42 AM, turki wrote:

What if I only have single interface card "eth0" ?

can I redirect/pair the traffic to itself (I know it is kind of a silly statement)

something like this:

snort -Q --daq afpacket -i eth0:eth0 -c snort.conf

--- On Mon, 5/16/11, Michael Altizer <xiche () verizon net> wrote:

From: Michael Altizer <xiche () verizon net>
Subject: Re: [Snort-users] Snort in IPS mode
To: snort-users () lists sourceforge net
Received: Monday, May 16, 2011, 6:27 AM

On 05/15/2011 08:09 PM, turki wrote:

Hi,

I am new to snort, so I need help here.

I am trying to run snort in inline mode with the following command:

snort -Q --daq afpacket -i eth0 -c snort.conf

but snort initialization keeps failing with error message:

afpacket DAQ configured to inline.
ERROR: Can't initialize DAQ afpacket (-1) - afpacket_daq_initialize: Invalid interface specification: 'eth0'!
Fatal Error, Quitting..

In order to have an inline deployment you need at least one pair of interfaces for the traffic to flow
through.  To that end, you need to specify a second interface for AFPacket to use to complete the bridge.

For example:

snort -Q --daq afpacket -i eth0:eth1 -c snort.conf

or (two inline pairs):

snort -Q --daq afpacket -i eth0:eth1::eth2:eth3 -c snort.conf
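The interface-pair syntax Michael describes, as a validator to run before handing the string to `snort -Q --daq afpacket -i ...`. This is an added example, not code from the DAQ project. It assumes only the `a:b::c:d` format shown above (pairs joined by "::", the two interfaces of a pair joined by ":"); it rejects a lone interface (the "Invalid interface specification: 'eth0'" case), and it rejects any interface that would be opened twice, which is the reason `eth0:eth0` and the `eth0:eth0:0` alias attempt earlier in the thread end in "Couldn't create the bridge between eth0 and eth0".

```shell
#!/bin/sh
# afpacket_pairs.sh: check an AFPacket inline interface specification before
# starting Snort with it. Added example for this thread, not DAQ code.
# Assumed syntax (from the explanation above): pairs are separated by "::"
# and the two interfaces of a pair by ":", e.g. eth0:eth1::eth2:eth3.

# Print one "ifaceA ifaceB" line per bridge in spec $1. On a malformed spec
# print a diagnostic on stderr and return non-zero.
afpacket_pairs() {
    spec="$1"
    [ -n "$spec" ] || { echo "empty interface specification" >&2; return 1; }
    printf '%s\n' "$spec" | awk '
    {
        n = split($0, pairs, "::")
        bad = 0
        for (i = 1; i <= n; i++) {
            m = split(pairs[i], ifs, ":")
            # "eth0" alone, or an alias like eth0:0 inside a pair, gives m != 2
            if (m != 2 || ifs[1] == "" || ifs[2] == "") {
                printf "pair %d (%s): need exactly two interfaces\n", i, pairs[i] > "/dev/stderr"
                bad = 1
                continue
            }
            # each interface is opened once; reopening it fails at DAQ init
            ok = 1
            for (j = 1; j <= 2; j++) {
                if (ifs[j] in seen) {
                    printf "pair %d: %s would be opened twice\n", i, ifs[j] > "/dev/stderr"
                    ok = 0
                }
                seen[ifs[j]] = 1
            }
            if (!ok) { bad = 1; continue }
            print ifs[1], ifs[2]
        }
        exit bad
    }'
}

# Number of usable bridges in spec $1 (0 when the spec is rejected).
afpacket_pair_count() {
    afpacket_pairs "$1" 2>/dev/null | wc -l | tr -d ' '
}

# Stand-alone use: sh afpacket_pairs.sh 'eth0:eth1::eth2:eth3'
case "$0" in */afpacket_pairs.sh|afpacket_pairs.sh) afpacket_pairs "$1" ;; esac
```

A typical wrapper is `afpacket_pairs "$IFSPEC" && snort -Q --daq afpacket -i "$IFSPEC" -c snort.conf`, so a bad spec is reported before Snort is started rather than surfacing as a DAQ initialisation failure.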
------------------------------------------------------------------------------
Achieve unprecedented app performance and reliability
What every C/C++ and Fortran developer should know.
Learn how Intel has extended the reach of its next-generation tools
to help boost performance applications - including clusters.
http://p.sf.net/sfu/intel-dev2devmay
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Attachment: make3.out
Attachment: install.out
