Comments for Inliniac

Comment on Blocking comment spam using ModSecurity and realtime blacklists by Mod Security for Apache – Web Server Smart Firewall

Mod Security for Apache – Web Server Smart Firewall — Mon, 22 Feb 2010 14:26:44 +0000

[...] http://www.inliniac.net/blog/2007/02/23/blocking-comment-spam-using-modsecurity-and-realtime-blackli... [...]

Comment on Window scaling normalization in Snort_inline broken by design by Victor Julien

Victor Julien — Mon, 15 Feb 2010 12:03:41 +0000

You need to make sure Snort_inline sees both sides of the traffic… so add a iptables rule for the return traffic as well…

Comment on Window scaling normalization in Snort_inline broken by design by assen

assen — Sun, 14 Feb 2010 09:07:42 +0000

Hy,

Debian 2.6.26-2-686 with snort-inline 2.6.1.5-1
————————–
snort_inline.conf-> add as you recomment the statement
preprocessor stream4: disable_evasion_alerts, \
stream4inline, \
enforce_state drop, \
memcap 134217728, \
timeout 3600, \
truncate, \
window_size 3000, \
norm_wscale_max 14
—————————–

This is working smtp session (with ACCEPT rule in firewall.sh):

$IPTABLES -A FORWARD -i eth2 -p tcp -s 0.0.0.0/0 -d IP_ADDRESS_MAIL_SERVER –dport 25 -j ACCEPT

IP IP_ADDRESS_SENDER.54741 > 192.168.1.200.25: S 2037140028:2037140028(0) win 5840
IP 192.168.1.200.25 > IP_ADDRESS_SENDER.54741: S 2476668242:2476668242(0) ack 2037140029 win 5792
IP IP_ADDRESS_SENDER.54741 > 192.168.1.200.25: . ack 1 win 92
IP 192.168.1.200.25 > IP_ADDRESS_SENDER.54741: P 1:71(70) ack 1 win 181
IP IP_ADDRESS_SENDER.54741 > 192.168.1.200.25: . ack 71 win 92

This is with QUEUE rule in firewall.sh (doesn’t work even with recommended option):
$IPTABLES -A FORWARD -i eth2 -p tcp -s 0.0.0.0/0 -d IP_ADDRESS_MAIL_SERVER –dport 25 -j QUEUE

The only effect from “norm_wscale_max 14″ option iis the messages in /var/log/snort_inline/snort_inline-f* disappeared, but the smtp is not working again – as you can see below:

IP IP_ADDRESS_SENDER.39797 > 192.168.1.200.25: S 1774669934:1774669934(0) win 5840
IP 192.168.1.200.25 >IP_ADDRESS_SENDER.39797: S 2214167916:2214167916(0) ack 1774669935 win 5792
IP IP_ADDRESS_SENDER.39797 > 192.168.1.200.25: . ack 1 win 92
IP 192.168.1.200.25 > IP_ADDRESS_SENDER.39797: S 2214167916:2214167916(0) ack 1774669935 win 5792
IP IP_ADDRESS_SENDER.39797 > 192.168.1.200.25: . ack 1 win 92
IPIP_ADDRESS_SENDER.54741 > 192.168.1.200.25: FP 0:5(5) ack 1 win 92
IP 192.168.1.200.25 > IP_ADDRESS_SENDER.39797: S 2214167916:2214167916(0) ack 1774669935 win 5792
IP IP_ADDRESS_SENDER.39797 > 192.168.1.200.25: . ack 1 win 92
IP 192.168.1.200.25 > IP_ADDRESS_SENDER.39797: S 2214167916:2214167916(0) ack 1774669935 win 5792
IP IP_ADDRESS_SENDER.39797 > 192.168.1.200.25: . ack 1 win 92
————————-

Any suggestions?

Comment on Contact by Ilya

Ilya — Mon, 08 Feb 2010 07:51:02 +0000

Dear Victor,

Why have you stopped working on Vuurmurr project? Ain’t you no more interested in its evolutioning? Honestly say, I find your project very useful indeed and I’d be glad to know it you’ll continue working on it at least some more time.

Best wishes,
Ilya Egorov (Russia, Moscow)

Comment on Contact by Emmanuel

Emmanuel — Thu, 04 Feb 2010 08:58:12 +0000

Hello

I am trying to implement an IPS using Snort on solaris 10

Any help on this in kind of manuals, HOWTOs, etc, will be appreciated,

Regards

Emmanuel

Comment on Contact by Victor Julien

Victor Julien — Tue, 12 Jan 2010 21:34:48 +0000

Hi Kayvan, I have never tried using IMQ with Snort_inline or other NFQUEUE using programs. Does it work without IMQ? I seem to remember reading about IMQ having issues with ip_queue at the time, but my memory is fuzzy on this point.

Comment on Contact by Kayvan Javid

Kayvan Javid — Tue, 12 Jan 2010 11:39:54 +0000

Victor,

Congrats on Suricata.

I am trying to get snort_inline in nfqueue mode working with my traffic shaping using imq, on the same box (before you crucify me i know its not the best idea).

All goes well both start with all their required kernel modules fine, not like the good ol’ip_queue days. However it seems it breaks iptables, did you run into any complications like this ?

Comment on First Suricata release tomorrow by Tweets that mention First Suricata release tomorrow « Inliniac -- Topsy.com

Tweets that mention First Suricata release tomorrow « Inliniac -- Topsy.com — Thu, 31 Dec 2009 03:06:16 +0000

[...] This post was mentioned on Twitter by Victor Julien, Vivek Rajagopalan. Vivek Rajagopalan said: RT: @inliniac: First Suricata release tomorrow! http://is.gd/5GZ6Y – looking forward [...]

Comment on Libnet 1.1 IPv6 fixes and additions by anon

anon — Tue, 15 Dec 2009 21:56:19 +0000

You could send your patch to this guy: http://github.com/sam-github/libnet/tree/libnet-1.1.4 ; he seems to have taken ownership of libnet .

Comment on Snort_inline updated to 2.8.3 in SVN by Yimbo

Yimbo — Fri, 13 Nov 2009 06:33:38 +0000

I got current snort_inline version 2.8.4.1.
When I configured the source, I got an error ” Libpcre library version >= 6.0 not found. So I installed pcre-8.0, but the error did not cleared.
I configured the source ‘–with-libpcre-includes=/usr/include/ –with-libpcre-libraries=/usr/lib/’ option, but I got the same error.
How can I fix this problem?

Thanks in advance.