FAQ


gcc -DHAVE_CONFIG_H -I. -I. -I../.. -I../.. -I../../src
-I/usr/include/pcap -I../../src/output-plugins
-I../../src/detection-plugins -I../../src/preprocessors  -I/usr/include
-g -O2 -Wall -DGIDS -D_BSD_SOURCE -D__BSD_SOURCE -D__FAVOR_BSD
-DHAVE_NET_ETHERNET_H -DLIBNET_LIL_ENDIAN -c `test -f 'spo_alert_fast.c'
|| echo './'`spo_alert_fast.c
In file included from /usr/include/linux/netfilter_ipv4/ip_queue.h:10,
                 from /usr/include/libipq.h:37,
                 from ../../src/inline.h:8,
                 from ../../src/snort.h:38,
                 from spo_alert_fast.c:51:
/usr/include/linux/if.h:59: redefinition of `struct ifmap'
/usr/include/linux/if.h:77: redefinition of `struct ifreq'
/usr/include/linux/if.h:126: redefinition of `struct ifconf'
make[3]: *** [spo_alert_fast.o] Error 1
make[3]: Leaving directory
`/home/matt/src/BUILD/snort-2.0.5/src/output-plugins'
make[2]: *** [all-recursive] Error 1
make[2]: Leaving directory `/home/matt/src/BUILD/snort-2.0.5/src'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/home/matt/src/BUILD/snort-2.0.5'
make: *** [all] Error 2

Answer:  You need to update the kernel headers used by your glibc.  A quick fix is to create a link between /usr/include and the include directory of your kernel source.  For example, if you are trying to use this with kernel version 2.4.24, you can do the following:

cd /usr/include
mv linux linux.orig
ln -s /usr/src/linux-2.4.24/include/linux linux

Now simply go to your snort_inline directory and recompile (make clean first).

** That is, point to a set of "real" kernel includes instead of RH's glibc-kernheaders package. **

Answer:  This can happen for a few reasons.

    First, you have snort_inline running in bridge mode.  If the kernel is not compiled with the bridge/firewall patch, the bridge will not pass the packets to iptables, and therefore will not pass the packets to snort_inline.  The easiest way to test this is to start the bridge and set the default iptables policies to DROP.  If packets still get through the bridge, you need to download the bridge/firewall patch for your kernel, apply it to your kernel, and recompile the kernel.

    Second, you need to verify the HOME_NET variable in the snort_inline.conf file to ensure you are monitoring the proper network.  Snort_inline will only act on traffic that is destined to or originating from a monitored network.
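The following is an added example, not code from the snort_inline FAQ or project, that shows the HOME_NET check described above in working form: it pulls the `var HOME_NET` line out of a snort-style configuration, parses the bracketed network list (or `any`), and reports whether a given source/destination pair would be acted on at all. The configuration text and the addresses are constructed samples; the parser handles plain networks, `[a,b]` lists and `any`, not `!` negation or nested `$VARS`.

```python
# Added example (not from the snort_inline FAQ): parse HOME_NET from a
# snort_inline.conf-style file and decide whether a packet is monitored.
import ipaddress
import re

# Constructed sample config (not a real file from the page).
SAMPLE_CONF = """\
# snort_inline.conf (constructed sample)
var HOME_NET [192.168.1.0/24,10.0.0.0/8]
var EXTERNAL_NET !$HOME_NET
var SMTP_SERVERS $HOME_NET
"""

VAR_RE = re.compile(r"^\s*var\s+(\w+)\s+(.+?)\s*$")


def parse_var(conf_text, name):
    """Return the raw value of 'var <name> ...' from the config, or None."""
    for line in conf_text.splitlines():
        m = VAR_RE.match(line)
        if m and m.group(1) == name:
            return m.group(2)
    return None


def parse_net_list(value):
    """Turn 'any', '1.2.3.0/24' or '[a,b]' into ip_network objects.

    Returns None for 'any', meaning every address counts as monitored.
    """
    value = value.strip()
    if value.lower() == "any":
        return None
    nets = []
    for item in value.strip("[]").split(","):
        item = item.strip()
        if item:
            # strict=False tolerates host bits set, e.g. 192.168.1.1/24
            nets.append(ipaddress.ip_network(item, strict=False))
    return nets


def is_monitored(addr, nets):
    """True if addr falls inside one of the HOME_NET networks."""
    if nets is None:
        return True
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in nets)


def packet_is_handled(src, dst, nets):
    """snort_inline only acts on traffic to or from a monitored network."""
    return is_monitored(src, nets) or is_monitored(dst, nets)


HOME_NET = parse_net_list(parse_var(SAMPLE_CONF, "HOME_NET"))

if __name__ == "__main__":
    for src, dst in [("192.168.1.5", "8.8.8.8"), ("8.8.8.8", "172.16.0.1")]:
        print(src, "->", dst, "handled:", packet_is_handled(src, dst, HOME_NET))
```

A packet between two addresses outside HOME_NET (the second pair above) is ignored by snort_inline no matter what rules are loaded, which is the symptom the answer describes; widening HOME_NET, or setting it to `any`, is the fix when the traffic you expect to see is not being matched.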

Answer:  Snort_inline depends on the same libnet library as flexresp: 1.0.x.  Compiling snort_inline against libnet version 1.1.x will not work.

Answer:  Here is an example for sending only SMTP traffic to snort_inline.

1. iptables -A FORWARD -m state --state ESTABLISHED,RELATED -p tcp --dport 25 -j QUEUE
2. iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
3. iptables -A FORWARD -p tcp --dport 25 -m state --state NEW -j QUEUE
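The following is an added example, not code from the snort_inline FAQ, that models the three FORWARD rules above as a first-match chain so the ordering can be checked without touching a real kernel. It shows why the SMTP QUEUE rule must come before the general ESTABLISHED,RELATED ACCEPT (swapping them lets established SMTP bypass snort_inline), and that with these rules only client-to-server packets (destination port 25) are queued; server replies, whose destination port is the client's ephemeral port, match rule 2 and are accepted unqueued. The packets and conntrack states are constructed by hand.

```python
# Added example (not from the snort_inline FAQ): a minimal model of an
# iptables FORWARD chain, used to check rule ordering for the SMTP example.


def rule(target, proto=None, dport=None, states=None):
    """One rule: every match that is given must hold for the rule to fire."""
    return {
        "target": target,
        "proto": proto,
        "dport": dport,
        "states": frozenset(states) if states else None,
    }


def matches(r, pkt):
    """Apply the rule's -p, --dport and -m state matches to one packet."""
    if r["proto"] is not None and pkt["proto"] != r["proto"]:
        return False
    if r["dport"] is not None and pkt.get("dport") != r["dport"]:
        return False
    if r["states"] is not None and pkt["state"] not in r["states"]:
        return False
    return True


def forward_chain(rules, pkt, policy="ACCEPT"):
    """First matching rule wins, as in a real chain; otherwise the policy."""
    for r in rules:
        if matches(r, pkt):
            return r["target"]
    return policy


# The three rules from the answer, in the order the answer gives them.
FAQ_RULES = [
    rule("QUEUE", proto="tcp", dport=25, states={"ESTABLISHED", "RELATED"}),
    rule("ACCEPT", states={"ESTABLISHED", "RELATED"}),
    rule("QUEUE", proto="tcp", dport=25, states={"NEW"}),
]

# Same rules with the first two swapped: the broad ACCEPT now shadows the
# SMTP QUEUE rule for established flows.
SWAPPED_RULES = [FAQ_RULES[1], FAQ_RULES[0], FAQ_RULES[2]]

# Constructed sample packets; conntrack state is assigned by hand.
SMTP_NEW = {"proto": "tcp", "dport": 25, "state": "NEW"}
SMTP_EST = {"proto": "tcp", "dport": 25, "state": "ESTABLISHED"}
SMTP_REPLY = {"proto": "tcp", "dport": 51234, "state": "ESTABLISHED"}
HTTP_NEW = {"proto": "tcp", "dport": 80, "state": "NEW"}
HTTP_EST = {"proto": "tcp", "dport": 80, "state": "ESTABLISHED"}


def decisions(rules, policy="ACCEPT"):
    """Verdict for each sample packet under the given rule order."""
    samples = {
        "smtp_new": SMTP_NEW,
        "smtp_est": SMTP_EST,
        "smtp_reply": SMTP_REPLY,
        "http_new": HTTP_NEW,
        "http_est": HTTP_EST,
    }
    return {name: forward_chain(rules, p, policy) for name, p in samples.items()}


if __name__ == "__main__":
    print("FAQ order:    ", decisions(FAQ_RULES))
    print("swapped order:", decisions(SWAPPED_RULES))
```

Under the FAQ ordering, new and established client-to-server SMTP goes to QUEUE and everything else established is accepted; non-SMTP NEW traffic falls through to the chain policy, so set that policy deliberately. Under the swapped ordering the established SMTP packet is accepted before the QUEUE rule is ever consulted, which is exactly the kind of silent bypass a default-DROP policy test, as suggested earlier on this page, would not reveal.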