User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; de-DE; rv:1.7.12) Gecko/20050919 Firefox/1.0.7
Build Identifier:

When using snort 2.4.5 with the inline USE flag as an Intrusion Prevention System, all TCP traffic gets blocked, while ICMP and UDP seem to work perfectly well. It seems to be a problem with compiler optimization because everything works fine when optimization is disabled.

My CFLAGS where the problems occur:
CFLAGS="-O2 -march=i686 -pipe"

Would it be possible to disable optimization in the ebuild?

Reproducible: Always

Steps to Reproduce:
1. set CFLAGS to "-O2 -march=i686 -pipe"
2. emerge snort
3. set up bridge
4. /etc/init.d/snort start
5. iptables -A FORWARD -j QUEUE

Actual Results:
ICMP and UDP traffic gets filtered through snort and passed to the other side of the bridge, but TCP traffic gets blocked.

Expected Results:
All traffic (ICMP, UDP and TCP) should be passed to snort for filtering and reach the other side of the bridge.

Gentoo Base System version 1.6.14
Portage 2.1 (default-linux/x86/2006.0, gcc-3.4.6, glibc-2.3.6-r4, 2.6.15-gentoo-r1 i686)
=================================================================
System uname: 2.6.15-gentoo-r1 i686 Intel(R) Pentium(R) 4 CPU 2.40GHz
app-admin/eselect-compiler: [Not Present]
dev-java/java-config: [Not Present]
dev-lang/python: 2.4.2
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache: [Not Present]
dev-util/confcache: [Not Present]
sys-apps/sandbox: 1.2.17
sys-devel/autoconf: 2.13, 2.59-r7
sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r1
sys-devel/binutils: 2.16.1-r2
sys-devel/gcc-config: 1.3.13-r2
sys-devel/libtool: 1.5.22
virtual/os-headers: 2.6.11-r2
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=i686 -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc"
CONFIG_PROTECT_MASK="/etc/env.d /etc/gconf /etc/terminfo"
CXXFLAGS="-O2 -march=i686 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig distlocks metadata-transfer sandbox sfperms strict"
GENTOO_MIRRORS="http://distfiles.gentoo.org http://distro.ibiblio.org/pub/linux/distributions/gentoo"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude='/distfiles' --exclude='/local' --exclude='/packages'"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="x86 alsa apache2 apm arts berkdb bitmap-fonts cli crypt cups dlloader dri eds emboss encode esd foomaticdb fortran gdbm gif gnome gpm gstreamer gtk gtk2 imlib inline ipv6 isdnlog jpeg kde libg++ libwww mad mikmod motif mp3 mpeg mysql ncurses nls nptl ogg opengl oss pam pcre perl png pppd python qt3 qt4 quicktime readline reflection sdl session spell spl ssl tcpd truetype truetype-fonts type1-fonts udev vorbis xml xmms xorg xv zlib elibc_glibc input_devices_keyboard input_devices_mouse input_devices_evdev kernel_linux userland_GNU video_cards_apm video_cards_ark video_cards_ati video_cards_chips video_cards_cirrus video_cards_cyrix video_cards_dummy video_cards_fbdev video_cards_glint video_cards_i128 video_cards_i740 video_cards_i810 video_cards_imstt video_cards_mga video_cards_neomagic video_cards_nsc video_cards_nv video_cards_rendition video_cards_s3 video_cards_s3virge video_cards_savage video_cards_siliconmotion video_cards_sis video_cards_sisusb video_cards_tdfx video_cards_tga video_cards_trident video_cards_tseng video_cards_v4l video_cards_vesa video_cards_vga video_cards_via video_cards_vmware video_cards_voodoo"
Unset: CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, LINGUAS, MAKEOPTS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY

snort-2.4.5 (with inline USE flag)
iptables-1.3.5-r1
bridge-utils-1.0.6-r3
This mail from the snort-inline-users mailing list seems to address the same issue and proposes a solution (compile with "-fno-strict-aliasing"):

Subject: Re: [Snort-inline-users] snort-inline dropping only TCP packets.
Date: Fri, 6 Oct 2006 14:20:13 +0200
Message-ID: <452649FD.6090602@sourcefire.com>
In-Reply-To: <9d1b82480610052135l44a20d45qcfdd572d7587963@mail.gmail.com>
References: <9d1b82480610052135l44a20d45qcfdd572d7587963@mail.gmail.com>
From: "Adam Keeton" <akeeton@sourcefire.com>
To: "Pravin" <shindepravin@gmail.com>
Cc: <snort-inline-users@lists.sourceforge.net>

Run Snort with "-k none"; if you start getting TCP packets, then the checksums are failing.

FC 5 comes with GCC 4.x.x. In GCC 4.x.x (and, potentially, late versions of the 3 series), optimizations were re-worked. Snort compiles with optimization level 2, which now assumes strict aliasing by default. The resulting optimizations break the TCP checksumming code.

The solution is to compile Snort with "-fno-strict-aliasing". If you check out the latest Snort from CVS, or download the beta, the configure script will take care of it for you. If you want to stick with your current version, set the CFLAGS variable to -fno-strict-aliasing and rerun configure, then do a fresh compile (be sure to make clean first).

Thanks,
Adam

> Hi,
> I have a problem that snort-inline is allowing UDP and ICMP packets
> but dropping TCP packets.
> I have Fedora Core 5 on my box.
>
> I referred to the http://linuxgazette.net/117/savage.html tutorial for
> this installation and configuration purpose.
> I run snort-inline using the following command.
> snort_inline -c /etc/snort_inline/snort_inline.conf -Q -N -l /var/log/snort_inline/ \
>     -t /var/log/snort_inline/ -v
>
> After starting snort-inline, ICMP and UDP packets are able to get through but
> TCP packets are getting dropped.
>
> I used simple IPTABLES rules to queue up the packets to user space.
> iptables -I INPUT -p tcp --dport 80 -j QUEUE
> iptables -I INPUT -p udp --dport 20000 -j QUEUE
> iptables -I INPUT -p icmp -j QUEUE
>
> I checked the log files and all of them are empty.
>
> I also tried to go through the source code.
> I found the following lines which are responsible for packet dropping or
> packet allowing.
>
> inline.c:948   status = ipq_set_verdict(ipqh, m->packet_id, NF_DROP, 0, NULL);
> inline.c:1025  status = ipq_set_verdict(ipqh, m->packet_id, NF_ACCEPT, 0, NULL);
> inline.c:1047  status = ipq_set_verdict(ipqh, m->packet_id, NF_ACCEPT, m->data_len, m->payload);
>
> I added some printf after them for debugging purposes,
> and found out that ICMP and UDP packets were being accepted by the second
> ipq_set_verdict function call (inline.c:1025) but TCP packets were
> getting dropped by the first ipq_set_verdict function call (inline.c:948).
>
> My guess is that there is something wrong in the configuration file;
> as per me, the default rules are not supposed to drop any packets.
> The only change that I have done in the config file is to change
> "var RULE_PATH /etc/snort_inline/drop_rules"
> to
> "var RULE_PATH /etc/snort_inline/rules"
>
> I am attaching my snort_inline.conf file with this mail.
> Can someone please help me to find out what I am missing?
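The mail above pins the TCP-only drops on checksum verification being miscompiled once -O2 turns on -fstrict-aliasing. The following is an added example, not Snort's code and not part of the bug report: an RFC 1071 ones'-complement TCP checksum that assembles 16-bit words from bytes instead of reading the packet buffer through a uint16_t* or uint32_t* alias, so the compiler has nothing to miscompile at -O2 whether or not -fno-strict-aliasing is passed. The 40-byte IPv4/TCP SYN is constructed inline for the demonstration; tcp_checksum_ok() is the check that "-k none" switches off in Snort.

```c
/* Added example (not Snort's code): aliasing-safe TCP checksum + verifier.
 * All multi-byte reads go through uint8_t, which may alias any object, so
 * gcc -O2 (-fstrict-aliasing) is free to optimize without breaking it. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Add len bytes to acc as big-endian 16-bit words, zero-padding an odd tail.
 * Byte order of the host does not matter because words are built by hand. */
static uint32_t sum_words(const uint8_t *buf, size_t len, uint32_t acc)
{
    while (len >= 2) {
        acc += ((uint32_t)buf[0] << 8) | buf[1];
        buf += 2;
        len -= 2;
    }
    if (len)
        acc += (uint32_t)buf[0] << 8;
    return acc;
}

/* Fold the 32-bit accumulator to 16 bits with end-around carry. */
static uint16_t fold(uint32_t acc)
{
    while (acc >> 16)
        acc = (acc & 0xffffu) + (acc >> 16);
    return (uint16_t)acc;
}

/* Folded sum over the IPv4 pseudo-header (src, dst, 0, proto 6, TCP length)
 * followed by the TCP segment starting at offset ihl. */
static uint16_t tcp_sum(const uint8_t *pkt, size_t ihl, size_t tcp_len)
{
    uint8_t ph[12];
    memcpy(ph, pkt + 12, 8);          /* source and destination address */
    ph[8] = 0;
    ph[9] = 6;                        /* IPPROTO_TCP */
    ph[10] = (uint8_t)(tcp_len >> 8);
    ph[11] = (uint8_t)tcp_len;
    return fold(sum_words(pkt + ihl, tcp_len, sum_words(ph, sizeof ph, 0)));
}

/* Zero the TCP checksum field, compute the checksum, and write it back. */
void tcp_checksum_fill(uint8_t *pkt, size_t ihl, size_t tcp_len)
{
    pkt[ihl + 16] = 0;
    pkt[ihl + 17] = 0;
    uint16_t c = (uint16_t)~tcp_sum(pkt, ihl, tcp_len);
    pkt[ihl + 16] = (uint8_t)(c >> 8);
    pkt[ihl + 17] = (uint8_t)c;
}

/* Verify an IPv4/TCP packet without link-layer header.
 * Returns 1 if the TCP checksum is valid, 0 if not, -1 if malformed. */
int tcp_checksum_ok(const uint8_t *pkt, size_t len)
{
    if (len < 20 || (pkt[0] >> 4) != 4)
        return -1;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    size_t total = ((size_t)pkt[2] << 8) | pkt[3];
    if (ihl < 20 || total > len || total < ihl + 20 || pkt[9] != 6)
        return -1;
    /* With the checksum field included, a valid segment folds to 0xffff. */
    return tcp_sum(pkt, ihl, total - ihl) == 0xffffu;
}

/* Constructed sample (not a capture): SYN 10.0.0.1:1234 -> 10.0.0.2:80.
 * The IP header checksum is left zero; only the TCP checksum is exercised. */
size_t build_sample(uint8_t *out, size_t cap)
{
    static const uint8_t tmpl[40] = {
        0x45, 0x00, 0x00, 0x28, 0x00, 0x01, 0x40, 0x00, 0x40, 0x06, 0x00, 0x00,
        10, 0, 0, 1, 10, 0, 0, 2,
        0x04, 0xd2, 0x00, 0x50, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
        0x50, 0x02, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00,
    };
    if (cap < sizeof tmpl)
        return 0;
    memcpy(out, tmpl, sizeof tmpl);
    tcp_checksum_fill(out, 20, 20);
    return sizeof tmpl;
}

/* Verify the sample as built (corrupt = 0) or with one bit flipped in the
 * last byte (corrupt = 1), so both the accept and the drop path are seen. */
int demo(int corrupt)
{
    uint8_t p[64];
    size_t n = build_sample(p, sizeof p);
    if (corrupt)
        p[n - 1] ^= 0x01;
    return tcp_checksum_ok(p, n);
}

int main(void)
{
    printf("intact: %d  corrupted: %d\n", demo(0), demo(1));
    return 0;
}
```

Build it twice, `gcc -O2 -Wall -Wstrict-aliasing` with and without `-fno-strict-aliasing`, and both binaries print the same result; that is the property a checksum routine that type-puns the packet buffer through wider pointers does not have, which is why the mail's first step is to run Snort with "-k none" before touching CFLAGS: if TCP suddenly flows, the verifier and not the rules is what is dropping.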
Fix in cvs