Snort mailing list archives
Re: sending netlink message: Connection Refused
From: "Will Metcalf" <william.metcalf () gmail com>
Date: Wed, 17 Sep 2008 10:16:09 -0500
Well first off you need to pass both sides of the conversation to snort, otherwise your rules with the established keyword (i.e. essentially every tcp based rule) will not fire, so you need:

iptables -A FORWARD -p tcp -m tcp --dport 80 -j QUEUE
iptables -A FORWARD -p tcp -m tcp --sport 80 -j QUEUE

There is nothing stopping you from firing up another instance of snort that just listens on an interface in IDS mode.

Regards,

Will

On Wed, Sep 17, 2008 at 4:19 AM, Alberto Colosi/SI/RM/GSI/it <alberto.colosi () sistinf it> wrote:
Hi,

even strange, it is working now. Strange! ip_queue was already loaded. Can it unload from itself???

However, I have inside syslog:

Sep 17 11:11:57 nova5 modprobe: modprobe: Can't locate module iptable_QUEUE

and till now I was unable to see SNORT really block any traffic. Is there a way inside the rules to know if a rule drops or logs or ........

Now SNORT is running with:

modprobe ip_queue
iptables -A FORWARD -p tcp -m tcp --dport 80 -j QUEUE
snort -c /usr/local/snort/etc/snort.conf -g snort -u snort -X -U -y -s -Q -D --disable-inline-initialization

I have added --disable-inline-initialization so to be sure (because I'm testing on a production machine and not wanting to have strange results). However, even if I run it without --disable-inline-initialization it seems not to block, for example, P2P traffic. It logs it but nothing else. Is there then a way to see packets and QUEUE activity?

Does iptables -A FORWARD -p tcp -m tcp --dport 80 -j QUEUE send only port 80 traffic to be sniffed by snort inline? And what if I would like to have all traffic sniffed, as when snort runs NOT INLINE?

* I'm really new to snort :D

-------------------------------
Alberto Colosi
IBM Global Business Services
Sistemi Informativi S.P.A.
IT NetWork & Security Department
*-* *-* *-* SECURITY IS EVERYONE'S BUSINESS
Member of IBM Information Security WW CoP

"Will Metcalf" <william.metcalf () gmail com>
16/09/2008 17.52
To: "Alberto Colosi/SI/RM/GSI/it" <alberto.colosi () sistinf it>
cc: "Snort Users" <Snort-users () lists sourceforge net>
Subject: Re: [Snort-users] sending netlink message: Connection Refused

You must first load the ip_queue module if it is not already loaded.

modprobe ip_queue

Also what user are you running snort as? You must run as root to interact with ipqueue.

Regards,

Will

On Tue, Sep 16, 2008 at 9:32 AM, Alberto Colosi/SI/RM/GSI/it <alberto.colosi () sistinf it> wrote:

hi, an information. While working, snort 2.8.3 has stopped logging inside syslog. I have restarted my machine and I have restarted snort many times. It is compiled inline but not working in inline. After different tests I have run it not in DAEMON mode and I got a "sending netlink message: Connection Refused". Why did it happen? I have changed nothing ....... or at least I think so. No other users could have changed anything because no one compiles or configures anything there. Running snort without -Q, not reading from IPTABLES, it has started to work again. What's on??

-------------------------------
Alberto Colosi
IBM Global Business Services
Sistemi Informativi S.P.A.
IT NetWork & Security Department
*-* *-* *-* SECURITY IS EVERYONE'S BUSINESS
Member of IBM Information Security WW CoP

-------------------------------------------------------------------------
This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
Build the coolest Linux based applications with Moblin SDK & win great prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100&url=/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
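Will's point above is that a QUEUE rule on --dport alone hands snort only one half of each TCP conversation, so the established keyword never matches and the inline instance appears to "log but never drop". The script below is an added example, not code from the thread or from the Snort project: it reads iptables -S style FORWARD rules (a constructed sample is embedded so it runs offline) and reports every TCP port that is queued in one direction only, plus a helper that emits the symmetric pair of rules for a port. The sample rules, the port 443 case and the helper names are assumptions of this example.

```shell
#!/bin/sh
# Constructed sample of `iptables -S FORWARD` output (not taken from the thread):
# port 80 is queued in both directions, port 443 only on --dport, so snort
# would see requests to 443 but never the server's replies.
SAMPLE_RULES='-P FORWARD ACCEPT
-A FORWARD -p tcp -m tcp --dport 80 -j QUEUE
-A FORWARD -p tcp -m tcp --sport 80 -j QUEUE
-A FORWARD -p tcp -m tcp --dport 443 -j QUEUE'

# Read iptables -S style rules on stdin and print, one per line, every TCP
# port whose traffic is sent to QUEUE in only one direction.
queue_asymmetries() {
    awk '
        /-j QUEUE/ {
            # Record which ports appear as --dport and which as --sport.
            for (i = 1; i <= NF; i++) {
                if ($i == "--dport") dport[$(i+1)] = 1
                if ($i == "--sport") sport[$(i+1)] = 1
            }
        }
        END {
            for (p in dport) if (!(p in sport)) print p " queued for --dport only"
            for (p in sport) if (!(p in dport)) print p " queued for --sport only"
        }' | sort
}

# Emit the pair of rules that queue both halves of the conversation for one
# TCP port, i.e. the fix Will describes for port 80 generalised to any port.
queue_rules_for_port() {
    port="$1"
    printf 'iptables -A FORWARD -p tcp -m tcp --dport %s -j QUEUE\n' "$port"
    printf 'iptables -A FORWARD -p tcp -m tcp --sport %s -j QUEUE\n' "$port"
}

# Stand-alone run on the constructed sample. On a live sensor (as root) use:
#   iptables -S FORWARD | queue_asymmetries
printf '%s\n' "$SAMPLE_RULES" | queue_asymmetries
```

On the sample the checker prints only `443 queued for --dport only`; feeding the real `iptables -S FORWARD` output through it is a quick way to confirm, before blaming the rules or the -Q flag, that the inline instance actually receives both directions.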
