FAQ
- I am having problems compiling snort_inline.
- I am having problems running snort_inline.
- Snort_inline is not dropping any packets.
- Which version of libnet do I need?
- I want to handle only selected traffic with snort_inline
- Question: I am having problems compiling snort_inline. Here is a sample of the error messages I get during compilation:
gcc -DHAVE_CONFIG_H -I. -I. -I../..
-I../.. -I../../src
-I/usr/include/pcap
-I../../src/output-plugins
-I../../src/detection-plugins -I../../src/preprocessors -I/usr/include
-g -O2 -Wall -DGIDS -D_BSD_SOURCE -D__BSD_SOURCE -D__FAVOR_BSD
-DHAVE_NET_ETHERNET_H -DLIBNET_LIL_ENDIAN -c `test -f 'spo_alert_fast.c'
|| echo './'`spo_alert_fast.c
In file included from /usr/include/linux/netfilter_ipv4/ip_queue.h:10,
from /usr/include/libipq.h:37,
from ../../src/inline.h:8,
from ../../src/snort.h:38,
from spo_alert_fast.c:51:
/usr/include/linux/if.h:59: redefinition of `struct ifmap'
/usr/include/linux/if.h:77: redefinition of `struct ifreq'
/usr/include/linux/if.h:126: redefinition of `struct ifconf'
make[3]: *** [spo_alert_fast.o] Error 1
make[3]: Leaving directory
`/home/matt/src/BUILD/snort-2.0.5/src/output-plugins'
make[2]: *** [all-recursive] Error 1
make[2]: Leaving directory `/home/matt/src/BUILD/snort-2.0.5/src'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/home/matt/src/BUILD/snort-2.0.5'
make: *** [all] Error 2
Answer: You need to update the kernel headers used by your glibc. A quick fix is to create a link between /usr/include and the include directory of your kernel source. For example, if you are trying to use this with kernel version 2.4.24, you can do the following:
cd /usr/include
mv linux linux.orig
ln -s /usr/src/linux-2.4.24/include/linux linux
Now simply go to your snort_inline directory and recompile (make clean first).
** That is, point to a set of "real" kernel includes instead of RH's glibc-kernheaders package. **
- Question: I am having problems running snort_inline. Here is the output I get when I start it:
Reading from iptables
Running in IDS mode
Log directory = /var/log/snort
Initializing Inline mode
InitInline: : Failed to send netlink message: Connection refused
Answer: This means that snort_inline cannot talk to iptables because the ip_queue module is not loaded. You can verify this by running lsmod. If you don't see ip_queue listed, you need to load it before starting snort_inline: insmod ip_queue.
- Question: Snort_inline is not dropping any packets. What's wrong?
Answer:
This can happen for a few reasons.
First, you have snort_inline running in bridge mode. If the kernel is not compiled with the bridge/firewall patch, the bridge will not pass the packets to iptables and therefore will not pass them to snort_inline. The easiest way to test this is to start the bridge and set the default iptables policies to DROP. If packets still get through the bridge, you need to download the bridge/firewall patch for your kernel, apply it to your kernel, and recompile the kernel.
Second, you need to verify the HOME_NET variable in the snort_inline.conf file to ensure you are monitoring the proper network. Snort_inline will only act on traffic that is destined to or originating from a monitored network.
- Question: Which version of libnet do I need?
Answer:
Snort_inline depends on the same libnet library as flexresp: 1.0.x.
Compiling snort_inline against libnet version 1.1.x will not work.
- Question: I want to handle only selected traffic with snort_inline. How do I do that?
Answer:
Here is an example for sending only SMTP traffic to snort_inline.
1. iptables -A FORWARD -m state --state ESTABLISHED,RELATED -p tcp --dport 25 -j QUEUE
2. iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
3. iptables -A FORWARD -p tcp --dport 25 -m state --state NEW -j QUEUE
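The following script is an added example, not part of the snort_inline FAQ or the project's own code. It generates the three-rule FORWARD pattern above for any list of TCP ports (the FAQ shows it for port 25 only) and wraps it in a check for the ip_queue module from the "Failed to send netlink message" question, so queued packets never end up with no listener. It assumes a 2.4/2.6 kernel with the ip_queue module available, iptables in PATH, and root for the install step; the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the snort_inline FAQ): build the FORWARD-chain rules
# that hand only selected TCP ports to snort_inline via the QUEUE target, in
# the order the FAQ uses for SMTP, and check that ip_queue is loaded first.
# Assumed: a 2.4/2.6 kernel with the ip_queue module and iptables in PATH.

# Emit one iptables command per line for each port in "$1" (space-separated).
# Order matters: established traffic for a queued port must hit QUEUE before
# the generic ESTABLISHED,RELATED -> ACCEPT rule, otherwise snort_inline only
# ever sees the first packet of each session and can drop nothing after it.
queue_rules() {
    ports=$1
    for p in $ports; do
        echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -p tcp --dport $p -j QUEUE"
    done
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for p in $ports; do
        echo "iptables -A FORWARD -p tcp --dport $p -m state --state NEW -j QUEUE"
    done
}

# Return 0 if an lsmod-style listing on stdin contains the ip_queue module.
# Without it, snort_inline aborts with "Failed to send netlink message".
ip_queue_loaded() {
    awk '$1 == "ip_queue" { found = 1 } END { exit found ? 0 : 1 }'
}

# Install the rules for real. Refuses to run unless ip_queue is loaded,
# since QUEUE'd packets would otherwise have no userspace consumer.
install_queue_rules() {
    if ! lsmod | ip_queue_loaded; then
        echo "ip_queue is not loaded; run: insmod ip_queue" >&2
        return 1
    fi
    queue_rules "$1" | sh -e
}

# Dry run: show what would be installed for SMTP (25) and submission (587).
queue_rules "25 587"
```

Run `install_queue_rules "25"` as root to apply the FAQ's exact rule set; pass more ports to queue additional services without touching the ACCEPT rule.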