Joachim Schipper wrote:
On Tue, Oct 24, 2006 at 03:17:05PM -0700, John Draper wrote:
Hi,
I'm posting this to both OpenBSD and Snort mailing lists.
In reading through the snort documentation, in section 1.5
(Inline mode), they state the following...
"In order for Snort Inline to work properly, download and compile
the iptables code to include "make install-devel". (http://www.iptables.org)"
Would I do the "make install-devel" from within Snort's source
build system, or the iptables build system?
IPTables, if I read the docs correctly.
Hmm - that's what I thought... wasn't sure.
This will install the libipq library that allows snort Inline to
interface with iptables. Also, you must build and install LibNet,
which is available from www.packetfactory.net.
Ok, all fine and well, but I'm using snort on an OpenBSD platform,
which uses PF instead of iptables... I'm assuming that iptables is
only for Linux, or does OpenBSD also use iptables? I didn't see
any mention of it in either OpenBSD docs or Snort docs other than
this, and as far as I can remember, iptables is used primarily with
Linux, is that right?
IPTables is for Linux, pf is for OpenBSD.
That's what I thought.
Would I follow the same installation procedures, or would I ditch this
effort altogether and write it off as something OpenBSD is not set up
to do, or is there an alternative I can use with Snort?
Snort-inline is written to work with IPTables. It might be possible to
implement something similar for pf, although it would most likely
require some patches; however, to the best of my knowledge, this has not
been done yet.
It would be possible to use Snort's response mechanism to put someone in
a table, say <badguys>. pf can be configured to handle tables in many
interesting ways. This is not real-time blocking, but might be close
enough.
I also posted this to the snort users list, [EMAIL PROTECTED], but
(sigh) my postings are not making it to the list. Have they changed
their list mailing address? I suppose I shouldn't ask that in this
forum, but if anyone knows the snort mailing list address, and if
it's different, then I need to know that.
I haven't looked at Snort since 2003, and from reading the new docs,
a lot of new features have been added, some of which I haven't
come across yet.
I'm basically setting up snort so that if it sees a priority one attack
it executes a script or binary file; well, actually it will instantiate
a thread that does this in whatever scripting language I choose (Python,
in my case).
Easy DoS.
I simplified this... of course it is... but was just giving an example.
I haven't read ALL the new stuff yet, but am ready to install any
additional utilities, like Barnyard, which I already have running.
Barnyard doesn't have a lot to do with Snort-inline, really.
I know, I'm still trying to figure it all out. Wish I could reach the
snort community.... Can't seem to mail to their list after signing up.
Is it possible to use Snort in normal NIDS mode, then when I get a
higher priority attack, to switch to Inline mode? How fast
can Snort switch from one mode to another? Also, is it possible
to use Snort to "look at" a binary file and display contents via
the ./snort -dvr option while snort is running?
You cannot switch modes, that's just silly. Inline mode most likely does
allow you to warn only, so that would take care of any need for running
Snort in two modes.
Ok, thanx for the info.... when I was playing with Snort, they didn't
have this mode.
Do you mean the log_tcpdump output module when you say 'binary file'? If
so, use tcpdump. And yes, this can be done while Snort is running,
although the file is most likely not complete, so you will be unable to
see the last (couple of) packet(s).
OK, right.
Those questions are all answered in the documentation, really. Not worth
bothering two lists with.
If they can be answered in the documentation, then please point me
to it... the snort docs have more than 150 files, most are not
related to what I want to do, some are not titled with names indicative
of what they talk about, because I scanned each entry, and read 80% of them,
and NO, I didn't find the answers to my questions by reading the docs.
I think I'm only bothering ONE list. For some reason, my messages are
not making it to the snort list.
John
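One way to act on Joachim's suggestion of dropping an offender into a pf table, as an added example that is not from the thread or from Snort: the table name <badguys> comes from the reply, while the pf.conf fragment, the never-block addresses and the script itself are assumptions.

```shell
# Constructed example: a wrapper a Snort-triggered script can call to drop an
# attacker's source address into the pf table <badguys>. It assumes this
# fragment in /etc/pf.conf (not from the thread):
#
#   table <badguys> persist
#   block in quick from <badguys>
#
# "pfctl -T add" changes the table immediately; no rule reload is needed.
set -u

PF_TABLE=badguys
# Addresses that must never land in the table (constructed: gateway, resolver),
# so an alert with a spoofed source cannot lock out hosts we depend on.
NEVER_BLOCK="192.0.2.1 192.0.2.53"

# valid_ipv4 ADDR: succeed only for a plain dotted quad, so a crafted alert
# field cannot slip extra arguments, a prefix or a hostname into pfctl.
valid_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(printf '%s\n' "$1" | tr '.' ' ')   # split into octets
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# badguy_cmd ADDR: print the pfctl command that blocks ADDR, or fail.
badguy_cmd() {
    valid_ipv4 "$1" || { echo "rejected, not an IPv4 address: $1" >&2; return 1; }
    for safe in $NEVER_BLOCK; do
        [ "$1" = "$safe" ] && { echo "rejected, never-block host: $1" >&2; return 2; }
    done
    echo "pfctl -t $PF_TABLE -T add $1"
}

# expire_cmd SECONDS: print the command that removes entries added more than
# SECONDS ago, so a flood of alerts cannot grow the table (or the block) forever.
expire_cmd() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    echo "pfctl -t $PF_TABLE -T expire $1"
}

# block_badguy ADDR: run the command for real (needs root and pf on OpenBSD).
block_badguy() {
    cmd=$(badguy_cmd "$1") || return $?
    $cmd
}
# Called from Snort's response script as: sh block_badguy.sh "$SRC_IP"
if [ $# -gt 0 ]; then block_badguy "$1"; fi
```

Run expire_cmd's output from cron so blocks age out instead of accumulating.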