Summary: | net-analyzer/snort-2.4.5 - snort inline works with icmp but blocks tcp traffic | ||
---|---|---|---|
Product: | Gentoo Linux | Reporter: | Christian Buehler <christian> |
Component: | Current packages | Assignee: | Gentoo Netmon project <netmon> |
Status: | RESOLVED TEST-REQUEST | ||
Severity: | major | ||
Priority: | High | ||
Version: | unspecified | ||
Hardware: | x86 | ||
OS: | Linux | ||
URL: | http://sourceforge.net/mailarchive/forum.php?thread_id=30649789&forum_id=3972 | ||
Whiteboard: | |||
Package list: | Runtime testing required: | --- |
Description
Christian Buehler
2006-09-29 01:27:26 UTC
This mail from the snort-inline-users mailing list seems to address the same issue and proposes a solution (compile with "-fno-strict-aliasing"):

In-Reply-To: <9d1b82480610052135l44a20d45qcfdd572d7587963@mail.gmail.com>
Content-class: urn:content-classes:message
Subject: Re: [Snort-inline-users] snort-inline dropping only TCP packets.
Date: Fri, 6 Oct 2006 14:20:13 +0200
Message-ID: <452649FD.6090602@sourcefire.com>
Thread-Topic: [Snort-inline-users] snort-inline dropping only TCP packets.
Thread-Index: AcbpQcBeqcFbKtWmTRqYd5MpilRxqg==
References: <9d1b82480610052135l44a20d45qcfdd572d7587963@mail.gmail.com>
From: "Adam Keeton" <akeeton@sourcefire.com>
Sender: <snort-inline-users-bounces@lists.sourceforge.net>
To: "Pravin" <shindepravin@gmail.com>
Cc: <snort-inline-users@lists.sourceforge.net>

Run Snort with "-k none"; if you start getting TCP packets, then the checksums are failing.

FC 5 comes with GCC 4.x.x. In GCC 4.x.x (and, potentially, late versions of the 3 series), optimizations were re-worked. Snort compiles with optimization level 2, which now assumes strict aliasing by default. The resulting optimizations break the TCP checksumming code.

The solution is to compile Snort with "-fno-strict-aliasing". If you check out the latest Snort from CVS, or download the beta, the configure script will take care of it for you. If you want to stick with your current version, set the CFLAGS variable to -fno-strict-aliasing and rerun configure, then do a fresh compile (be sure to make clean first).

Thanks,
Adam

> Hi,
> I have a problem that snort-inline is allowing UDP and ICMP packets
> but dropping TCP packets.
> I have Fedora Core 5 on my box.
>
> I referred to the http://linuxgazette.net/117/savage.html tutorial for
> this installation and configuration purpose.
> I run snort-inline using the following command.
>
> snort_inline -c /etc/snort_inline/snort_inline.conf -Q -N -l /var/log/snort_inline/ \
>     -t /var/log/snort_inline/ -v
>
> After starting snort-inline, ICMP and UDP packets are able to get
> through but TCP packets are getting dropped.
>
> I used simple IPTABLES rules to queue up the packets to user space.
> iptables -I INPUT -p tcp --dport 80 -j QUEUE
> iptables -I INPUT -p udp --dport 20000 -j QUEUE
> iptables -I INPUT -p icmp -j QUEUE
>
> I checked the log files and all of them are empty.
>
> I also tried to go through the source code.
> I found the following lines which are responsible for packet dropping or
> packet allowing.
>
> inline.c:948  status = ipq_set_verdict(ipqh, m->packet_id, NF_DROP, 0, NULL);
>
> inline.c:1025 status = ipq_set_verdict(ipqh, m->packet_id, NF_ACCEPT, 0, NULL);
>
> inline.c:1047 status = ipq_set_verdict(ipqh, m->packet_id, NF_ACCEPT, m->data_len, m->payload);
>
> I added some printf after them for debugging purposes,
> and found out that ICMP and UDP packets were being accepted by the second
> ipq_set_verdict function call (inline.c:1025) but TCP packets were
> getting dropped by the first ipq_set_verdict function call (inline.c:948).
>
> My guess is that there is something wrong in the configuration file.
> As per me, the default rules are not supposed to drop any packets.
> The only change that I have done in the config file is to change
> "var RULE_PATH /etc/snort_inline/drop_rules"
> to
> "var RULE_PATH /etc/snort_inline/rules "
>
> I am attaching my snort_inline.conf file with this mail.
> Can someone please help me to find out what I am missing?
>
> _______________________________________________
> Snort-inline-users mailing list
> Snort-inline-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-inline-users

Fix in cvs
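The check that Adam's mail is talking about is the TCP checksum verification that "-k none" switches off, and the failure mode is a checksum routine that reads packet bytes through a pointer of a different type (type-punning) and is therefore miscompiled once -O2 enables strict aliasing. The block below is an added example, not Snort's code and not the code that was miscompiled: it verifies a TCP checksum (RFC 793 pseudo-header plus RFC 1071 one's-complement sum) while reading the packet only through unsigned char and assembling 16-bit words explicitly, so there is no aliasing violation for the optimizer to exploit. The packet bytes, and the names ones_sum, fold, tcp_checksum_compute and tcp_checksum_valid, are constructed for this example.

```c
/* Added example (not Snort's code): strict-aliasing-safe TCP checksum
 * verification. Every packet read goes through unsigned char; the buffer
 * is never accessed through a uint16_t * or any other punned pointer. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One's-complement sum of big-endian 16-bit words, added onto acc.
 * An odd trailing byte is the high byte of a zero-padded final word. */
static uint32_t ones_sum(const unsigned char *p, size_t len, uint32_t acc)
{
    size_t i;
    for (i = 0; i + 1 < len; i += 2)
        acc += ((uint32_t)p[i] << 8) | p[i + 1];
    if (len & 1)
        acc += (uint32_t)p[len - 1] << 8;
    return acc;
}

/* Fold the carries back into 16 bits and complement (RFC 1071). */
static uint16_t fold(uint32_t sum)
{
    while (sum >> 16)
        sum = (sum & 0xffffu) + (sum >> 16);
    return (uint16_t)(~sum & 0xffffu);
}

/* Returns the IPv4 header length if pkt is a well-formed IPv4/TCP packet
 * large enough to hold a 20-byte TCP header, else 0. */
static size_t tcp_header_offset(const unsigned char *pkt, size_t len)
{
    size_t ihl;
    if (len < 20 || (pkt[0] >> 4) != 4)
        return 0;
    ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < 20 || pkt[9] != 6 || len < ihl + 20)   /* 6 = IPPROTO_TCP */
        return 0;
    return ihl;
}

/* The checksum the segment should carry. The checksum field itself is
 * skipped, which is equivalent to summing it as zero. 0 if malformed. */
uint16_t tcp_checksum_compute(const unsigned char *pkt, size_t len)
{
    unsigned char pseudo[12];
    size_t ihl = tcp_header_offset(pkt, len), tcp_len;
    uint32_t sum;

    if (ihl == 0)
        return 0;
    tcp_len = len - ihl;
    memcpy(pseudo, pkt + 12, 8);                  /* source + destination IP */
    pseudo[8]  = 0;
    pseudo[9]  = 6;                               /* protocol */
    pseudo[10] = (unsigned char)(tcp_len >> 8);   /* TCP length */
    pseudo[11] = (unsigned char)(tcp_len & 0xff);

    sum = ones_sum(pseudo, sizeof pseudo, 0);
    sum = ones_sum(pkt + ihl, 16, sum);                 /* up to checksum field */
    sum = ones_sum(pkt + ihl + 18, tcp_len - 18, sum);  /* rest of segment */
    return fold(sum);
}

/* 1 = checksum matches, 0 = mismatch, -1 = not a well-formed IPv4/TCP packet */
int tcp_checksum_valid(const unsigned char *pkt, size_t len)
{
    size_t ihl = tcp_header_offset(pkt, len);
    uint16_t carried;
    if (ihl == 0)
        return -1;
    carried = (uint16_t)(((uint16_t)pkt[ihl + 16] << 8) | pkt[ihl + 17]);
    return tcp_checksum_compute(pkt, len) == carried;
}

/* Constructed sample: 10.0.0.1:1234 -> 10.0.0.2:80, SYN, no options, no
 * data. The IP header checksum is left zero; only the TCP one is checked. */
const unsigned char sample_syn[40] = {
    0x45, 0x00, 0x00, 0x28, 0x00, 0x01, 0x00, 0x00, 0x40, 0x06, 0x00, 0x00,
    0x0a, 0x00, 0x00, 0x01, 0x0a, 0x00, 0x00, 0x02,
    0x04, 0xd2, 0x00, 0x50, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x50, 0x02, 0xff, 0xff, 0x96, 0xbe, 0x00, 0x00
};

/* Same packet with one bit flipped in the window field: must verify as 0. */
int corrupted_sample_is_valid(void)
{
    unsigned char buf[sizeof sample_syn];
    memcpy(buf, sample_syn, sizeof buf);
    buf[34] ^= 0x01;
    return tcp_checksum_valid(buf, sizeof buf);
}

int main(void)
{
    printf("computed 0x%04x, carried 0x%02x%02x, valid=%d, corrupted valid=%d\n",
           tcp_checksum_compute(sample_syn, sizeof sample_syn),
           sample_syn[36], sample_syn[37],
           tcp_checksum_valid(sample_syn, sizeof sample_syn),
           corrupted_sample_is_valid());
    return 0;
}
```

Because the routine does not pun pointer types, it returns the same verdicts whether it is built with `gcc -O0`, `gcc -O2`, or `gcc -O2 -fno-strict-aliasing`; building a checksum routine both ways and comparing verdicts on a known-good capture is the quickest way to confirm a report like this one, and `-Wstrict-aliasing=2` at -O2 flags the punning patterns that the flag is papering over.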