libnids-1.23 + TEXTREL

marty marty at
Wed Apr 2 10:58:27 PDT 2008

> The reason I wanted Scanlogd was coz I have iptables rules like; 
>  $IPTABLES -t nat -A PREROUTING -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG 
>  --log-level debug --log-prefix "Port Scan"
>  $IPTABLES -t nat -A PREROUTING -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP 
> that I would like to get rid of. What I had though of was using scanlogd and 
> writing a small script to monitor the scanlogd logfile and send me a message 
> when the size of the logfile changes. 
> Libnids-1.23 builds without any issues. It is just that when I rebuilt 
> scanlogd (with Libnids support instead of pcap) scanlogd complains about 
> sharing text segments, that's when I thought of checking libnids for 
> Anyway, the solution (snort_inline) you proposed makes better sense and 
> that's  what am pursuing right now. Will let u know if I have any issues 
> building snort_inline. 

Real time port scan detection is not very valuable and will trigger constantly.
A serious attacker will scan you v e r y  s l o w l y and use a lot of dEcOyS.
You would need to analyze a months worth of captures to detect him. To correlate
that data you could use ACID and BASE with a snort IDS. (on a dedicated IDS
appliance). I don't think you want all that work.

You efforts are better used to monitor your OPEN ports for attack data, which
includes malformed packets, attempted buffer overflows, and brute force logins.
This is where you want real time response like snort inline provides.

Note. There is the main snort project, which is at version 2.8 or so and then
there is also the "snort_inline project" which uses version 2.6. They are not
the same thing; a big source of confusion. I prefer mainstream snort.

make distclean
./configure --prefix=/usr --libdir=/usr/lib --enable-inline
--sysconfdir=/etc/snort --sbindir=/sbin --with-pic --enable-react
--enable-stream4udp --enable-decoder-preprocessor-rules
make install

# optionally build the so rules if desired.
cd so_rules
# In CFLAGS we fix a fatal problem caused from the stack protector.
sed 's at -fpic@-fPIC -fno-stack-protector at g' -i.orig Makefile
make clean
make install

You can eliminate a lot of bot scanning with this:
iptables -I INPUT -p tcp --sport 6000 -m state --state NEW -j DROP
iptables -I INPUT -p tcp --sport 12200 -m state --state NEW -j DROP

If you need remote access, look at nufw.
If you run apache, look at mod_security.
If you use PHP, look at suhosin module.
If you use proftpd, look at mod_ban.
If you have a mail server, look at assp.

Marty B.

Building a better mousetrap only results in better mice. C. Darwin

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: OpenPGP digital signature
URL: <>

More information about the hlfs-dev mailing list