Date:      Wed, 26 Mar 2008 19:44:06 +0100 (CET)
From:      Martin Beran <mb@tns.cz>
To:        FreeBSD-gnats-submit@FreeBSD.org
Subject:   ports/122123: [patch] security/snort not working in inline mode
Message-ID:  <20080326184406.D7AD917042@mb.tns.cz>
Resent-Message-ID: <200803261900.m2QJ01v5020359@freefall.freebsd.org>


>Number:         122123
>Category:       ports
>Synopsis:       [patch] security/snort not working in inline mode
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Wed Mar 26 19:00:01 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator:     Martin Beran
>Release:        FreeBSD 6.2-RELEASE-p4 i386
>Organization:
Trusted Network Solutions, a. s.
>Environment:
System: FreeBSD mb.tns.cz 6.2-RELEASE-p4 FreeBSD 6.2-RELEASE-p4 #0: Sun Apr 29 22:31:25 CEST 2007 root@mb.tns.cz:/usr/obj/usr/src/sys/MB i386


>Description:
The current security/snort port 
# $FreeBSD: ports/security/snort/Makefile,v 1.91 2007/10/05 01:48:34 clsung Exp $
does not support the inline (IPFW) mode of Snort operation, although the
source code seems to provide it. The separate port security/snort_inline is
not a good substitute, because it cannot load recent rulesets from
www.snort.org.
The attached patch makes several modifications to the port security/snort:
- adds INLINE option to the port configuration
- enables inline IPFW mode via CONFIGURE_ARGS in Makefile
- fixes the configure script to use libnet10-config instead of libnet-config
- fixes handling of termination signals in inline mode (original code
  terminates only after reception of the next packet)
- fixes "reject" action in inline mode (original code fails with SIGSEGV)

It may be necessary to add the line:
config checksum_mode: none
to /usr/local/etc/snort/snort.conf, because divert sockets return bad checksums
for outgoing packets (as described in divert(4)). Note that this disables
checksum verification for inbound packets as well, so Snort will then inspect
(and, in inline mode, may act on) packets that the destination host would
discard for a bad checksum.

Note: I managed to run snort in inline mode, but I have not done thorough
testing of it.

>How-To-Repeat:

>Fix:


--- patch.txt begins here ---
diff -ruN snort.orig/Makefile snort/Makefile
--- snort.orig/Makefile	Fri Oct  5 03:48:34 2007
+++ snort/Makefile	Wed Mar 26 11:14:20 2008
@@ -25,7 +25,8 @@
 		MYSQL "Enable MySQL support" off \
 		ODBC "Enable ODBC support" off \
 		POSTGRESQL "Enable PostgreSQL support" off \
-		PRELUDE "Enable Prelude NIDS integration" off
+		PRELUDE "Enable Prelude NIDS integration" off \
+		INLINE "Enable inline operation" on
 
 USE_RC_SUBR=	snort.sh
 SUB_FILES=	pkg-message
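Review bot: Defaulting the new INLINE knob to `on` in the last added line changes every default build of the port, not only the builds of users who want divert-socket operation, and the submission itself says inline mode has not been thoroughly tested. Every other option in this block defaults to `off`; shipping the new one as `INLINE "Enable inline operation (IPFW divert)" off` keeps that consistent and lets the users who need it opt in. Together with the FLEXRESP forcing added further down in the Makefile, an `on` default also pulls the libnet dependency into builds that never asked for it.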
@@ -47,6 +48,14 @@
 
 .if ${OSVERSION} < 500036
 EXTRA_PATCHES+=	${FILESDIR}/extra-patch-src-sf_snort_plugin_api.h
+.endif
+
+.if !defined(WITHOUT_INLINE)
+.if defined(WITHOUT_FLEXRESP)
+.undef WITHOUT_FLEXRESP
+.endif
+WITH_FLEXRESP=		yes
+CONFIGURE_ARGS+=        --enable-inline --enable-ipfw
 .endif
 
 .if defined(WITH_FLEXRESP)
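Review bot: The `.undef WITHOUT_FLEXRESP` / `WITH_FLEXRESP= yes` pair silently overrides an option the user set explicitly, so someone who turned FLEXRESP off in the options dialog gets it built in anyway with no indication why. The ports convention for a dependency between options is to refuse the build with a message the user can act on, e.g. `.if defined(WITHOUT_FLEXRESP)` / `IGNORE= inline operation requires FLEXRESP; enable FLEXRESP or disable INLINE` / `.endif`, leaving the `CONFIGURE_ARGS+=` line as the only effect of the INLINE block. That `CONFIGURE_ARGS+=` line is also padded with spaces where the rest of the Makefile aligns with tabs.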
diff -ruN snort.orig/files/patch-configure snort/files/patch-configure
--- snort.orig/files/patch-configure	Thu Jan  1 01:00:00 1970
+++ snort/files/patch-configure	Wed Mar 26 11:17:53 2008
@@ -0,0 +1,87 @@
+--- configure.orig	Wed Mar 26 11:04:37 2008
++++ configure	Wed Mar 26 11:15:21 2008
+@@ -24768,8 +24768,8 @@
+    exit 1
+ 
+             fi
+-            CFLAGS="${CFLAGS} `libnet-config --defines` `libnet-config --cflags`"
+-            LIBS="${LIBS} `libnet-config --libs`"
++            CFLAGS="${CFLAGS} `libnet10-config --defines` `libnet10-config --cflags`"
++            LIBS="${LIBS} `libnet10-config --libs`"
+             CPPFLAGS="${CPPFLAGS} -I${LIBNET_INC_DIR}"
+             echo "$as_me:$LINENO: result: $i" >&5
+ echo "${ECHO_T}$i" >&6
+@@ -24793,7 +24793,7 @@
+ # Check whether --enable-flexresp or --disable-flexresp was given.
+ if test "${enable_flexresp+set}" = set; then
+   enableval="$enable_flexresp"
+-   CPPFLAGS="${CPPFLAGS} -DENABLE_RESPONSE `libnet-config --defines --cflags`" LDFLAGS="${LDFLAGS} `libnet-config --libs`"
++   CPPFLAGS="${CPPFLAGS} -DENABLE_RESPONSE `libnet10-config --defines --cflags`" LDFLAGS="${LDFLAGS} `libnet10-config --libs`"
+ fi;
+ 
+ 
+@@ -24804,14 +24804,14 @@
+     exit
+   fi
+ 
+-  if test `libnet-config --cflags | wc -c` = "1"; then
++  if test `libnet10-config --cflags | wc -c` = "1"; then
+     CPPFLAGS="${CPPFLAGS} -I/usr/local/include -I/sw/include"
+     LIBNET_CONFIG_BROKEN_CFLAGS=yes
+   fi
+ 
+-  if test `libnet-config --libs | wc -c` = "1"; then
+-    { echo "$as_me:$LINENO: WARNING: libnet-config --libs is broken on your system.  If you" >&5
+-echo "$as_me: WARNING: libnet-config --libs is broken on your system.  If you" >&2;}
++  if test `libnet10-config --libs | wc -c` = "1"; then
++    { echo "$as_me:$LINENO: WARNING: libnet10-config --libs is broken on your system.  If you" >&5
++echo "$as_me: WARNING: libnet10-config --libs is broken on your system.  If you" >&2;}
+     { echo "$as_me:$LINENO: WARNING: are using a precompiled package please notify the" >&5
+ echo "$as_me: WARNING: are using a precompiled package please notify the" >&2;}
+     { echo "$as_me:$LINENO: WARNING: maintainer." >&5
+@@ -24991,7 +24991,7 @@
+       libnet_dir="/usr/include /usr/local/include /sw/include"
+     fi
+   else
+-    libnet_dir=`libnet-config --cflags | cut -dI -f2`
++    libnet_dir=`libnet10-config --cflags | cut -dI -f2`
+   fi
+ 
+   LIBNET_INC_DIR=""
+@@ -25395,7 +25395,7 @@
+ # Check whether --enable-react or --disable-react was given.
+ if test "${enable_react+set}" = set; then
+   enableval="$enable_react"
+-   CPPFLAGS="${CPPFLAGS} -DENABLE_REACT `libnet-config --defines --cflags`" LDFLAGS="${LDFLAGS} `libnet-config --libs`"
++   CPPFLAGS="${CPPFLAGS} -DENABLE_REACT `libnet10-config --defines --cflags`" LDFLAGS="${LDFLAGS} `libnet10-config --libs`"
+ fi;
+ 
+ 
+@@ -25407,14 +25407,14 @@
+     exit
+   fi
+ 
+-  if test `libnet-config --cflags | wc -c` = "1"; then
++  if test `libnet10-config --cflags | wc -c` = "1"; then
+     CPPFLAGS="${CPPFLAGS} -I/usr/local/include -I/sw/include"
+     LIBNET_CONFIG_BROKEN_CFLAGS=yes
+   fi
+ 
+-  if test `libnet-config --libs | wc -c` = "1"; then
+-    { echo "$as_me:$LINENO: WARNING: libnet-config --libs is broken on your system.  If you" >&5
+-echo "$as_me: WARNING: libnet-config --libs is broken on your system.  If you" >&2;}
++  if test `libnet10-config --libs | wc -c` = "1"; then
++    { echo "$as_me:$LINENO: WARNING: libnet10-config --libs is broken on your system.  If you" >&5
++echo "$as_me: WARNING: libnet10-config --libs is broken on your system.  If you" >&2;}
+     { echo "$as_me:$LINENO: WARNING: are using a precompiled package please notify the" >&5
+ echo "$as_me: WARNING: are using a precompiled package please notify the" >&2;}
+     { echo "$as_me:$LINENO: WARNING: maintainer." >&5
+@@ -25594,7 +25594,7 @@
+       libnet_dir="/usr/include /usr/local/include /sw/include"
+     fi
+   else
+-    libnet_dir=`libnet-config --cflags | cut -dI -f2`
++    libnet_dir=`libnet10-config --cflags | cut -dI -f2`
+   fi
+ 
+   LIBNET_INC_DIR=""
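Review bot: This 87-line file hand-edits the generated `configure` to rename `libnet-config` to `libnet10-config`, and it has to repeat the same three substitutions for what look like two copies of the libnet probe (the flexresp block near line 24793 and the react block near line 25395), which makes it likely to miss a call site and certain to break on the next upstream regeneration. A two-line `post-patch:` target in the Makefile, `${REINPLACE_CMD} -e 's|libnet-config|libnet10-config|g' ${WRKSRC}/configure`, performs the same rename everywhere in the script and replaces this patch file entirely. The patch also applies unconditionally, i.e. even when INLINE is off; that is presumably fine only if the port already builds its FLEXRESP/REACT support against libnet10, which is not visible here.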
diff -ruN snort.orig/files/patch-inline.c snort/files/patch-inline.c
--- snort.orig/files/patch-inline.c	Thu Jan  1 01:00:00 1970
+++ snort/files/patch-inline.c	Wed Mar 26 18:23:32 2008
@@ -0,0 +1,35 @@
+--- src/inline.c.orig	Wed Mar 26 13:32:12 2008
++++ src/inline.c	Wed Mar 26 13:51:47 2008
+@@ -366,8 +366,12 @@
+ 
+         if (select(32, &fdset, (fd_set *)NULL, (fd_set *)NULL, (struct timeval *)NULL) == -1)
+         {
+-            printf("select failed");
+-            continue;
++	    if (errno == EINTR)
++		sig_check();
++	    else {
++		printf("select failed\n");
++		continue;
++	    }
+         }
+ 
+         if (FD_ISSET(s, &fdset)) 
+@@ -378,7 +382,7 @@
+             {
+                 if (errno != EINTR)
+                 {
+-                     printf("IpfwLoop: read from divert socket failed");
++                     printf("IpfwLoop: read from divert socket failed\n");
+                      continue;
+                 }
+             }
+@@ -396,7 +400,7 @@
+             {
+                 if (sendto(s, pkt, pktlen, 0,(struct sockaddr *)&sin, sinlen) == -1)
+                 {
+-                    printf("IpfwLoop: write to divert socket failed");
++                    printf("IpfwLoop: write to divert socket failed\n");
+                 }
+             }
+          } /* end if */
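Review bot: After `sig_check()` returns on the EINTR branch the new code falls through to the `FD_ISSET(s, &fdset)` test below instead of restarting the loop, and on FreeBSD a select() that fails, including with EINTR, leaves the descriptor sets unmodified, so the bit for `s` is still set and the loop goes straight into `read()` on the divert socket and blocks until the next packet, the very symptom this hunk is meant to cure, for any signal that `sig_check()` does not turn into an exit (a stats request, presumably). Make both branches restart the loop: `if (errno == EINTR) sig_check(); else printf("select failed\n"); continue;`. The untouched context also passes a hard-coded `32` as nfds, so a divert socket whose descriptor number is 32 or higher is never polled; `s + 1` is the usual argument there. The added lines are indented with tabs where the surrounding file uses spaces. IpfwLoop begins and ends outside this hunk.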
diff -ruN snort.orig/files/patch-snort.c snort/files/patch-snort.c
--- snort.orig/files/patch-snort.c	Thu Jan  1 01:00:00 1970
+++ snort/files/patch-snort.c	Wed Mar 26 18:24:05 2008
@@ -0,0 +1,18 @@
+--- src/snort.c.orig	Wed Mar 26 18:18:36 2008
++++ src/snort.c	Wed Mar 26 18:18:40 2008
+@@ -825,7 +825,6 @@
+         SnortEventqInit();
+         
+ #ifdef GIDS
+-#ifndef IPFW
+         if (InlineMode())
+         {
+             if (!(pv.test_mode_flag && pv.disable_inline_init_flag))
+@@ -833,7 +832,6 @@
+                 InitInlinePostConfig();
+             }
+         }
+-#endif /* IPFW */
+ #endif /* GIDS */
+     }
+ 
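Review bot: The removed `#ifndef IPFW` guard is the change the PR credits with fixing the SIGSEGV of the `reject` action, but nothing in the hunk records why the guard existed or why calling InitInlinePostConfig() is now required on the IPFW build, so the next merge from upstream is likely to reinstate it. Add a comment above the `if (InlineMode())` line, e.g. `/* Run for the IPFW build too: skipping it left the reject action crashing with SIGSEGV (ports/122123) */`, wording the crash as the observed symptom since the hunk does not show what InitInlinePostConfig() sets up. The enclosing function starts and ends outside this hunk.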
--- patch.txt ends here ---


>Release-Note:
>Audit-Trail:
>Unformatted:


