Joachim Schipper wrote:

I also posted this to the snort users list,  [EMAIL PROTECTED],  but
(sigh) my postings are not making it to the list.   Have they changed
their list mailing address?   I suppose I shouldn't ask that in this
forum,  but if anyone knows the snort mailing list address,  and if
it's different, then I need to know that.

I really wouldn't know what Snort mailing lists there are, but are you
*really* certain that is not just one random guy? A quick Google does
suggest so, and does suggest that
https://lists.sourceforge.net/lists/listinfo/snort-users might be a good
place to start (note the [EMAIL PROTECTED]).
I just learned they changed the name of the mailing list, which
I joined more than 3 years ago. I'm still getting mail from
[EMAIL PROTECTED] but for some reason, sending mail
there no longer works, but I did get a different email, and have
since sent this posting to them as well, and confirmed it is
working now.

I think I've decided to download and test SnortSam and see if it meets
my needs. It seems to only support OpenBSD 3.6 (I have 3.8),
and I have joined the SnortSam mailing list so I can direct my questions
to this list as I start learning it.

Ok, thanks for the info... when I was playing with Snort, they didn't
have this mode.

It's been around for a while, I believe, but has only recently been
integrated with the main development branch.
Yeah - I'm learning all about these new (and very cool) features.
I wasn't expecting to see so many cool enhancements.
I'm hoping some future effort might be done to both Snort and OpenBSD
to integrate them together in new and interesting ways.  I would participate
but I don't know these systems well yet.

If they can be answered in the documentation, then please point me
to it... the Snort docs have more than 150 files, most are not related to
what I want to do, some are not titled with names indicative of what they
talk about, because I scanned each entry, and read 80% of them, and
NO, I didn't find the answers to my questions by reading the docs.

You won't hear me say that the Snort docs are easy to read, but the
questions you asked are, in fact, not that difficult to find an answer
to.

Q does OpenBSD have IPTables?
        man -k iptables; ls -d /usr/ports/*/*iptables* (equivalent
web-based systems exist; the openbsd.org page links to the man pages,
and ports.openbsd.nu allows you to search the ports system)
        Alternately, http://www.google.com/search?q=openbsd+iptables;
read the synopsis of the first hit,
http://www.openbsd.org/faq/faq9.html.
        As to answering the question whether there is another solution,
http://www.google.com/search?q=snort+inline+pf
Q make devel for Snort or IPTables?
        this is in the Snort docs, although not terribly clear
Yes - this was my perception as well - but I looked at a lot of
these docs as well, but I'm just not quite understanding it
all yet. It DOES take time to learn new systems, especially
if you are over 63. Now if I were a 15-year-old kid, that would
most certainly be different, and age discrimination is alive
and well...

Q can log_tcpdump be read while Snort is running?
        The manual also says it's in standard tcpdump format:
http://www.snort.org/docs/snort_htmanuals/htmanual_260/node13.html#SECTION003350
However, I'll admit that it might not be obvious that this can be read
while Snort is running.
No - there was nothing in the Snort manual that hints whether this will work
and display the contents of this file, and I sure as heck wasn't going to
try it on the only system I have access to, which is a production system.

I haven't got everything installed yet, as this is taking me a little
longer than I was expecting. I think in a few days, I'll have an
experimental system I can try things with, without shutting down a
production server.

A simple test would give you an affirmative
answer; the other solution is to note that tcpdump's files can be read
while tcpdump is running, and extrapolate from there.
Q Switching modes?
        granted, it might be hard to find a place where it is explicitly
said that this doesn't work
I didn't see any.

Questions are, of course, welcome; that's what this list is for, to a
certain extent. However, I can't believe you actually tried to find the
answer to the IPTables question before posting. (I could see how one
would have trouble finding the answer to the other questions.)
I might have been looking in the wrong place - sorry!  These
things happen.

Also, if you had actually taken a look at the port,
/usr/ports/net/snort, you'd have noticed the flexresp option (and the
lack of inline option,
I didn't notice it, because how would I know to look for it?
I don't even know what a "flexresp" option is... and yes,
I agree with you that I should use the ports tree, but I
WILL need to build Snort from source, especially if I intend
to use SnortSam, because I already looked at their docs,
and am putting together an installation plan. I develop this
plan while I'm reading the archives in the mailing lists, of
which I'm focusing on SnortSam right now, and getting it to
work with OpenBSD's "PF"... but as I said earlier, SnortSam
supports up to ver 3.6 of OpenBSD, but they only said they
tested it to that version; I'm hopeful SnortSam WOULD work
with the new 3.8.

but the text above suggests that inline mode does
work; perhaps this should be fixed?). On OpenBSD, you should almost
always use the packages provided for you.
I think I remembered reading about this,  but after closer look
I didn't see or hear anything else about it.

John
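The log_tcpdump question above comes down to a property of the file format: Snort's log_tcpdump output plugin and tcpdump -w both write classic libpcap files, which are a 24-byte global header followed by a sequence of 16-byte record headers plus packet bytes, with no trailer, index or footer. A reader can therefore consume every record that is completely on disk and stop at (and later resume from) the one still being written. The following is an added example, not code from the thread or from the Snort project, that implements such a reader and simulates a writer flushing a record in two halves. The function names (`read_complete_records`, `demo`) and the packet payloads are constructed for illustration; it only handles the little-endian microsecond-timestamp magic (0xa1b2c3d4), not the big-endian or nanosecond variants or pcapng.

```python
"""Read a libpcap file that another process may still be appending to.

Added example (not from the mailing-list thread or the Snort project).
The sample file is built from constructed payloads in a temp file;
nothing here touches a network interface.
"""
import os
import struct
import tempfile

PCAP_MAGIC = 0xA1B2C3D4                 # little-endian, microsecond timestamps
GLOBAL_HDR = struct.Struct("<IHHiIII")  # magic, major, minor, thiszone, sigfigs, snaplen, linktype
RECORD_HDR = struct.Struct("<IIII")     # ts_sec, ts_usec, incl_len, orig_len
LINKTYPE_ETHERNET = 1


def pcap_global_header(snaplen=65535, linktype=LINKTYPE_ETHERNET):
    """24-byte libpcap global header, version 2.4."""
    return GLOBAL_HDR.pack(PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype)


def pcap_record(ts_sec, ts_usec, payload):
    """One record: 16-byte header followed by the captured bytes."""
    return RECORD_HDR.pack(ts_sec, ts_usec, len(payload), len(payload)) + payload


def read_complete_records(path, offset=0):
    """Return (records, next_offset) for every record fully present on disk.

    offset == 0 means start from the beginning and validate the global header.
    Parsing stops at the first record whose header or body is not yet fully
    written, so a file still being appended to is read safely; call again
    with next_offset to pick up records written since.
    """
    with open(path, "rb") as f:
        data = f.read()
    pos = offset
    if pos == 0:
        if len(data) < GLOBAL_HDR.size:
            return [], 0                # global header not even complete yet
        magic = GLOBAL_HDR.unpack_from(data, 0)[0]
        if magic != PCAP_MAGIC:
            raise ValueError("not a little-endian libpcap file: magic 0x%08x" % magic)
        pos = GLOBAL_HDR.size
    records = []
    while True:
        if len(data) - pos < RECORD_HDR.size:
            break                       # partial record header: writer still busy
        ts_sec, ts_usec, incl_len, _orig_len = RECORD_HDR.unpack_from(data, pos)
        end = pos + RECORD_HDR.size + incl_len
        if end > len(data):
            break                       # header present, body not yet flushed
        records.append((ts_sec, ts_usec, data[pos + RECORD_HDR.size:end]))
        pos = end
    return records, pos


def demo():
    """Simulate a writer flushing packets over time and a reader polling the file."""
    fd, path = tempfile.mkstemp(suffix=".pcap")
    os.close(fd)
    try:
        pkt1 = b"\xaa" * 60             # constructed payloads, not real frames
        pkt2 = b"\xbb" * 80
        with open(path, "wb") as w:
            w.write(pcap_global_header())
            w.write(pcap_record(1700000000, 0, pkt1))
            w.flush()
            first, off = read_complete_records(path)            # one full record
            rec2 = pcap_record(1700000001, 500, pkt2)
            w.write(rec2[:RECORD_HDR.size + 40])                # header + half the body
            w.flush()
            second, off2 = read_complete_records(path, off)     # nothing complete yet
            w.write(rec2[RECORD_HDR.size + 40:])                # writer finishes the record
            w.flush()
            third, off3 = read_complete_records(path, off2)     # now it is readable
        return {
            "first_pass": len(first),
            "second_pass": len(second),
            "third_pass": len(third),
            "offsets": (off, off2, off3),
            "payload_ok": first[0][2] == pkt1 and third[0][2] == pkt2,
        }
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(demo())
```

The second pass returns no records and leaves the resume offset unchanged, which is exactly the behaviour a tool like tcpdump -r shows on a live capture file: it reads whatever is complete and treats a trailing partial record as end of data rather than as corruption.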
