On Wed, Oct 25, 2006 at 11:32:00AM -0700, John Draper wrote:
> Joachim Schipper wrote:
> >On Tue, Oct 24, 2006 at 03:17:05PM -0700, John Draper wrote:
> >> or would I (...) write [Snort-inline] off as something OpenBSD is
> >> not setup to do,  or is there an alternative [to IPTables] I can
> >> use with Snort?
> >>
> >Snort-inline is written to work with IPTables. It might be possible to
> >implement something similar for pf, although it would most likely
> >require some patches; however, to the best of my knowledge, this has not
> >been done yet.
> >
> >It would be possible to use Snort's response mechanism to put someone in
> >a table, say <badguys>. pf can be configured to handle tables in many
> >interesting ways. This is not real-time blocking, but might be close
> >enough.
>
> I also posted this to the snort users list,  [EMAIL PROTECTED],  but
> (sigh) my postings are not making it to the list.   Have they changed
> their list mailing address?   I suppose I shouldn't ask that in this
> forum,  but if anyone knows the snort mailing list address,  and if
> it's different, then I need to know that.

I really wouldn't know what Snort mailing lists are there, but are you
*really* certain that is not just one random guy? A quick Google search
does suggest so, and does suggest that
https://lists.sourceforge.net/lists/listinfo/snort-users might be a good
place to start (note the [EMAIL PROTECTED]).

> >>I'm basically setting up snort that if it sees a Priority one attack
> >>it executes a script or Binary file,  well,  actually it will instantiate
> >>a thread that does this in whatever scripting language I choose (Python)
> >>in my case.
> >
> >Easy DoS.
> > 
> I simplified this...   of course it is...  but was just giving an example.
>
> >>I Haven't read ALL the new stuff yet, but am ready to install any
> >>additional utilities, like Barnyard.  Which I already have running.
> >
> >Barnyard doesn't have a lot to do with Snort-inline, really.
> > 
> I know,  I'm still trying to figure it all out.   Wish I could reach the
> Snort community....  Can't seem to mail to their list after signing up.
> 
> >>Is it possible to use Snort in normal NIDS mode, then when I get a
> >>higher priority attack,  to switch to Inline mode?  How fast
> >>can Snort switch from one mode to another?   Also, is it possible
> >>to use Snort to "look at" a binary file and display contents via
> >>the ./snort -dvr option while snort is running?
> >
> >You cannot switch modes, that's just silly. Inline mode most likely does
> >allow you to warn only, so that would take care of any need for running
> >Snort in two modes.
> >
> Ok,  thanks for the info....  when I was playing with Snort,  they didn't
> have this mode.

It's been around for a while, I believe, but has only recently been
integrated with the main development branch.

> >Do you mean the log_tcpdump output module when you say 'binary file'? If
> >so, use tcpdump.  And yes, this can be done while Snort is running,
> >although the file is most likely not complete, so you will be unable to
> >see the last (couple of) packet(s).
> > 
> >
> OK,  right.
> 
> >Those questions are all answered in the documentation, really. Not worth
> >bothering two lists with.
>
> If they can be answered in the documentation,  then please point me
> to it...   the snort docs have more than 150 files,  most are not
> related to what I want to do,  some are not titled with names indicative
> of what they talk about,  because I scanned each entry,  and read 80% of
> them,  and NO,  I didn't find the answers to my questions by reading the
> docs.

You won't hear me say that the Snort docs are easy to read, but the
questions you asked are, in fact, not that difficult to find an answer
to.

Q does OpenBSD have IPTables?
        man -k iptables; ls -d /usr/ports/*/*iptables* (equivalent
web-based systems exist; the openbsd.org page links to the man pages,
and ports.openbsd.nu allows you to search the ports system)
        Alternatively, http://www.google.com/search?q=openbsd+iptables;
read the synopsis of the first hit,
http://www.openbsd.org/faq/faq9.html.
        As to the question of whether there is another solution,
http://www.google.com/search?q=snort+inline+pf
Q make devel for Snort or IPTables?
        this is in the Snort docs, although not terribly clear
Q can log_tcpdump be read while Snort is running?
        The manual also says it's in standard tcpdump format:
http://www.snort.org/docs/snort_htmanuals/htmanual_260/node13.html#SECTION003350
However, I'll admit that it might not be obvious that this can be read
while Snort is running. A simple test would give you an affirmative
answer; the other solution is to note that tcpdump's files can be read
while tcpdump is running, and extrapolate from there.
Q Switching modes?
        granted, it might be hard to find a place where it is explicitly
said that this doesn't work

Questions are, of course, welcome; that's what this list is for, to a
certain extent. However, I can't believe you actually tried to find the
answer to the IPTables question before posting. (I could see how one
would have trouble finding the answer to the other questions.)

Also, if you had actually taken a look at the port,
/usr/ports/net/snort, you'd have noticed the flexresp option (and the
lack of inline option, but the text above suggests that inline mode does
work; perhaps this should be fixed?). On OpenBSD, you should almost
always use the packages provided for you.

> I think I'm only bothering ONE list.  For some reason, my messages are
> not making it to the snort list.

See above.

                Joachim
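The pf-table approach sketched at the top of this message (have Snort hand an address to a pf table such as <badguys> and let pf do the blocking), as an added example that is not part of the thread and not Snort's or OpenBSD's own code. It assumes Snort is writing alert_fast lines, that pf.conf carries the fragment the script prints, and that the trusted-host list and the sample alert lines are constructed for illustration. The NEVER_BLOCK list is the caveat the "easy DoS" remark points at: a Snort alert carries whatever source address the packet claimed, so blocking blindly lets an attacker spoof a trusted host into the table.

```shell
#!/bin/sh
# Added example (not from the thread): feed Snort alert_fast output into a
# pf table so that pf, not Snort, does the blocking.
#
# Assumptions (not stated in the thread): Snort writes alert_fast lines,
# pf.conf declares the table and rule printed by pf_conf_fragment, and the
# trusted-host list below is hypothetical.

# pf.conf fragment this script expects (printed so it can be reviewed).
pf_conf_fragment() {
    cat <<'EOF'
table <badguys> persist
block in quick from <badguys> to any
EOF
}

# Constructed sample alert_fast lines; not a real capture. Source addresses
# use RFC 5737 documentation ranges and the rule SIDs are local test values.
SAMPLE_ALERTS='10/25-11:32:00.123456  [**] [1:1000001:1] LOCAL priority-one test [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.0.2.44:40123 -> 10.0.0.5:22
10/25-11:32:01.000001  [**] [1:1000002:1] LOCAL priority-two test [**] [Classification: Misc activity] [Priority: 2] {UDP} 203.0.113.9:53 -> 10.0.0.5:53
10/25-11:32:02.000002  [**] [1:1000001:1] LOCAL priority-one test [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 10.0.0.1:51000 -> 10.0.0.5:22
10/25-11:32:03.000003  [**] [1:1000001:1] LOCAL priority-one test [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.0.2.44:40124 -> 10.0.0.5:22
10/25-11:32:04.000004  [**] [1:1000003:1] LOCAL priority-one test [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 198.51.100.7:3333 -> 10.0.0.5:445'

# Hosts that must never be blocked (hypothetical): Snort reports whatever
# source address the packet claimed, so without this list an attacker who
# spoofs a trusted address gets it blocked, which is the "easy DoS".
NEVER_BLOCK="10.0.0.1 10.0.0.53"

# Print each distinct IPv4 source address seen in a [Priority: 1] alert,
# skipping NEVER_BLOCK. The "src:port -> dst:port" triple ends the line, so
# the source is the third field from the end. IPv6 sources are not handled.
priority1_sources() {
    printf '%s\n' "$1" | awk -v never="$NEVER_BLOCK" '
    BEGIN { n = split(never, a, " "); for (i = 1; i <= n; i++) skip[a[i]] = 1 }
    /\[Priority: 1\]/ {
        src = $(NF - 2)
        sub(/:[0-9]+$/, "", src)
        if (!(src in skip) && !(src in seen)) { seen[src] = 1; print src }
    }'
}

# The pfctl invocation that puts one address into the table. Returned as a
# string so the caller decides whether to run it or only log it.
pfctl_add_cmd() {
    printf 'pfctl -t badguys -T add %s' "$1"
}

# Process a batch of alerts. DRY_RUN=1 (the default here) prints the commands
# instead of running them, so the script can be checked before it gets root.
block_priority1() {
    priority1_sources "$1" | while read -r src; do
        cmd=$(pfctl_add_cmd "$src")
        if [ "${DRY_RUN:-1}" = 1 ]; then echo "$cmd"; else $cmd; fi
    done
}

# Usage (live, as root):
#   DRY_RUN=0; tail -F /var/log/snort/alert | while read -r l; do block_priority1 "$l"; done
```

Entries added this way never leave the table on their own; a cron job running `pfctl -t badguys -T expire 3600` drops addresses that have been idle for an hour, and `pfctl -t badguys -T show` lists what is currently blocked. This is still the "not real-time" blocking described above: the packet that triggered the alert has already been forwarded by the time pf learns the address.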
