PhenIXUS

[Vehrsey]

Pourtant, à l'heure où j'écris, lorsque je le télécharge le MD5 correspond bien ainsi que l'installation.

[Flexible]

Ok j'ai rien dit, bizarrement derriere mon untangle, l'archive est corrompue ....

[Andre]

Hello Vehrsey!

Congratulations on your work!

You could compile Snort with the following options?

- enable-inline
- enable-flexresp

These options will use it as IPS.

Contact-me please: andrelrf[at]gmail.com

[Vehrsey]

Hello Andre,
You can also do it with Guardian add-on:

"Guardian is a security program which works in conjunction with Snort to automaticly update firewall rules based on alerts generated by Snort.
The updated firewall rules block all incoming data from the IP address of the attacking machine".

If you want I add a language other than English or French, let me know ...

See below :
http://entraide.ixus.net/viewtopic.php?f=6&t=297
.

[Andre]

Yes, but the Guardian blocks the IP and not the connection.
If you compile Snort with these features that you asked, we can block the connection, doing this directly with Snort, through their rules.
So I'm going to make a graphical interface to manage the rules and have a high level IPS.

I count on your help.
Again, congratulations on your work!

- André

[Vehrsey]

The option "enable-inline" doesn't exist with snort 2.9.x. It's compiled by default.
Snort works with DAQ modules (inline mode):
There are several choices DAQ modules : NFQ, IPQ, AFPACKET, ...
In mode inline (mode NFQ), packages "libnetfilter_queue" and "libnetlink" are needed before for exemple.
You can switch from passive to inline with the option -Q. Exemple: ./snort -c /directory/snort.conf -Q --daq nfq

Nevertheless each one has advantages and defects. With mode NFQ or IPQ, this modules can not run unprivileged so ./snort -u -g will produce a warning
and won't change user or group.
With AFPACKET mode it takes more memory and works with one or more interface pairs (eth0:eth1) or (eth0:eth1::eth2:eth3).

[Andre]

Great! So you've compiled according to the link below?

http://vrt-blog.snort.org/2010/08/snort ... s-daq.html

Thank you for your help!

André Luiz Rodrigues Ferreira

[Andre]

I started the snort on GREEN interface but is no logging. The alert log file is empty.

Any bug?

- André Luiz Rodrigues Ferreira

[Andre]

Do you have any news about the log?

Thanks!

[Vehrsey]

Try to do a test.
Edit this file: /etc/snort/local.rules and write it :

alert tcp any any -> any 80 (msg: "Test web activity"; sid:1000001;)

Restart snort, take your navigator and try a web page, exemple: http://www.google.com
See your snort logs.
(Uncomment or remove this rule after the test).