Snort Inline Support

Bug #466 reported by John Moser
Affects          Status    Importance  Assigned to  Milestone
snort (Debian)   Invalid   Undecided   Unassigned
snort (Ubuntu)   Invalid   Wishlist    Unassigned

Bug Description

Please make sure snort-2.3 is compiled with `./configure --enable-inline` so that inlining is available. By queueing netfilter to userspace and using specially modified rules, snort-2.3 can be made to actively drop packets from known attacks. I would like to experiment with this a little; I'm sure others would too.
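The "specially modified rules" the report refers to are ordinary Snort rules whose `alert` action is changed to `drop`, which in inline mode tells netfilter to discard the packet. The following is an added example, not code from the bug report or from Snort or Oinkmaster, that performs that rewrite for an explicit allowlist of SIDs so that a ruleset refresh can be re-processed without turning every signature into a blocking one; the SIDs and rule text are constructed samples.

```python
import re

# Snort rule actions: "alert" only logs a match; "drop" is the inline-mode action
# that logs it and tells netfilter to discard the packet. Converting only an
# allowlist of SIDs keeps a false-positive signature from blocking real traffic.
ACTION_RE = re.compile(r"^(\s*)alert\b(.*)$")
SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")

# Constructed sample ruleset in Snort 2.x syntax; SIDs are made up, not VRT ones.
SAMPLE_RULES = """\
# constructed example ruleset
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH brute force attempt"; flow:to_server; threshold:type both, track by_src, count 5, seconds 60; sid:1000001; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 6667 (msg:"IRC outbound connection"; flow:to_server; sid:1000002; rev:1;)
alert icmp any any -> $HOME_NET any (msg:"ICMP echo request"; itype:8; sid:1000003; rev:2;)
"""


def to_inline_rules(rule_text, drop_sids):
    """Rewrite 'alert' to 'drop' for rules whose SID is in drop_sids.

    Comments, blank lines and unlisted rules pass through unchanged, so a freshly
    downloaded ruleset can be re-processed with the same allowlist after each update.
    Returns (converted_text, sids_actually_converted).
    """
    out_lines, converted = [], []
    for line in rule_text.splitlines():
        m = ACTION_RE.match(line)
        sid = SID_RE.search(line)
        if m and sid and int(sid.group(1)) in drop_sids:
            out_lines.append(m.group(1) + "drop" + m.group(2))
            converted.append(int(sid.group(1)))
        else:
            out_lines.append(line)
    return "\n".join(out_lines) + "\n", converted


def count_actions(rule_text):
    """Count rules per action keyword (first token of each non-comment line)."""
    counts = {}
    for line in rule_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        action = stripped.split()[0]
        counts[action] = counts.get(action, 0) + 1
    return counts


if __name__ == "__main__":
    text, sids = to_inline_rules(SAMPLE_RULES, {1000001, 1000003})
    print(text)
    print("converted SIDs:", sids, "actions:", count_actions(text))
```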

Changed in snort:
assignee: nobody → motu
Barry deFreese (bddebian) wrote :

This should probably really go to Debian. Are there any ramifications of enabling inline support? Thanks.

Changed in snort:
status: Unconfirmed → Needs Info
John Moser (nigelenki) wrote :

Yeah, dependency on a (deprecated) library we don't have.

I think snort 2.6 might rely on a different library for interfacing with iptables with inline support, but I'm not sure. I just know the old lib that 2.3 uses is long dead and I can't imagine 2.4 and 2.6 aren't updated.

Aside from that, the inline module is an add-on that snort's built with. You can compile it; but if you don't enable it at runtime it doesn't do anything.

On a side note, a fully updated Snort 2.6 may be good for Edgy+1. Edgy is getting some nice security enhancements, I hear there's firewall stuff involved; an active intrusion prevention system would be nice but really there's enough to do for Edgy in the next 3 months already. Still, it'd be nice to have Snort 2.6 + Inline around so we can look at it for Edgy+1.

Javier Fernández-Sanguino (jfs) wrote :

An updated Snort 2.6 would not be a free intrusion prevention system, even with inline support, as no signatures would be available. So it's rather useless (like an antivirus without signatures) and it would be only useful for those that pay up to Sourcefire for the latest ruleset.

John Moser (nigelenki) wrote :

Yeah, no Inline signatures available.

As for signatures, Sourcefire releases the latest rules as of 7 days ago, even if the current subscription is 7 days old. A couple weeks ago, registered and subscribed matched because subscribed had no updates for a week. You do need to register (for free).

Larry (launchpad-net-justsay) wrote :

Snort has moved on since this thread was opened.

Oinkmaster (already packaged and available under Ubuntu (server 7.04)) provides signature updates for Snort that are also used by Snort-inline. As per John's message these can be free-registered to get 7 day-old bundles.
  Ala - Linux Gazette circa 2005;
    http://linuxgazette.net/118/savage.html

Snort-inline has picked up a stream4 reassembler, so it runs as Snort did.
  Ala Snort manual - item 2.1.3 Stream4;
    http://www.snort.org/docs/snort_htmanuals/htmanual_2.4/node11.html#SECTION00313000000000000000

For Snort-inline to run, there are two libraries required that are not shipped in Ubuntu (server 7.04), these are libipq and libNet.

Using libnetfilter_queue, a symlink from /lib/libipq.so -> /lib/libnetfilter_queue_libipq.so lets the Snort configure run fine. Was libipq the deprecated library John referred to? The active libnetfilter_queue project can be found here;
  ftp://ftp.netfilter.org/pub/libnetfilter_queue/

The libNet page has been updated in 2007, but its tgz archive contains files that are only as recent as 2004 (was libNet the deprecated library John referred to?). I haven't compiled up a libNet, but it can be found here;
  http://www.packetfactory.net/projects/libnet/

Snort-inline seems like a good opportunity to get some self-defending servers (at least, if not desktops) out there. Out-of-the-box Ubuntu installs could be oinkmaster'd up to at least download the "full release" updates (free and no registration). While not current, it would still be updated at sporadic intervals. In a default configuration snort-inline would prevent both in and outbound signature-recognised attacks (i.e. no Ubuntu desktop script kiddies).

Setting aside an enabled snort-inline: for the sake of two libraries, I can't see why snort-inline isn't at least made available to the Ubuntu community - even if the two libraries were just dependencies on the Snort package.

Larry (launchpad-net-justsay) wrote :

On rule updates;

I was wrong - the 7 day rule cycle is now 30 days;
    http://www.snort.org/vrt/
    * Subscribers receive real-time rules updates as they are available – get more subscription highlights here
    * Registered users can access rule updates 30 days after release to subscription users.
    * Unregistered users receive a static ruleset at the time of each major Snort Release

And there is also the free Community rule set, that is at least verified to ensure that they don't break Snort;
    http://www.snort.org/pub-bin/downloads.cgi#COMM
    http://www.snort.org/pub-bin/downloads.cgi/Download/comm_rules/Community-Rules-CURRENT.tar.gz

.. these could be updated daily, in addition to the sporadically provided Official Unregistered.

Philip Muškovac (yofel) wrote :

I'm checking if this bug is still an issue for you now that we have snort 2.7 in the repository after almost 2 years. Can someone look if this bug is still valid? Thanks.

summary: - Snort 2.3 Inline Support
+ Snort Inline Support
justin joseph (justinjoseph007) wrote :

Please refer to http://marc.info/?l=snort-users&m=124947462631199&w=2
In Hardy snort is not compiled with --enable-inline.
I tried to build from source (got the source by apt-get source) with --enable-inline and got errors
because of issues with libipq.h declarations. I think there is a library incompatibility between libipq and the snort version on Hardy.

Could compile latest stable release 2.8.4 (source code from snort.org) on Hardy after downgrading libnet1 to libnet0.

This: http://www.netfilter.org/projects/libnetfilter_queue/index.html
may be useful as well to discuss this bug.

Philip Muškovac (yofel)
Changed in snort (Ubuntu):
status: Incomplete → New
Changed in snort (Debian):
status: Unknown → New
Changed in snort (Ubuntu):
status: New → Confirmed
Changed in snort (Ubuntu):
assignee: MOTU (motu) → nobody
John Kim (kotux) wrote :

Thank you for taking the time to report this bug and helping to make Ubuntu better. We are sorry that we do not always have the capacity to look at all reported bugs in a timely manner. There have been many changes in Ubuntu since the time you reported the bug and your problem may have been fixed with some of the updates. It would help us a lot if you could test it on a currently supported Ubuntu version. When you test it and it is still an issue, kindly upload the updated logs by running apport-collect <bug #> and any other logs that are relevant for this particular issue.

Changed in snort (Ubuntu):
status: Confirmed → Incomplete
dino99 (9d9) wrote :

This report has been abandoned both on BTS and here; so closing it now.

Changed in snort (Debian):
importance: Unknown → Undecided
status: New → Incomplete
Changed in snort (Ubuntu):
status: Incomplete → Invalid
Changed in snort (Debian):
status: Incomplete → Invalid