Snort mailing list archives

Snort on IP tables firewalls


From: Dennis Henderson <hendo () hendohome com>
Date: Mon, 01 Oct 2001 21:16:03 -0500

Oinkers and Oinkettes...

In order to witness or suffer a Code Red or Nimda attack, one must allow traffic on port 80. Without allowing a connection to be established, the GET /scr_pts/r__t.e_e ... can never occur.

Bob is on the right track with his explanation.

From the sounds of James' configuration, I would bet that he has a web server on port 80, but blocks access from the Internet.

When he flushes the iptables chains, his machine will then answer SYN packets on port 80, allowing the attacker to issue the GET commands.

I run snort on an iptables firewall. I also have an internet accessible web server in my network. In order for the world to be able to see the sheer simplicity of my humble homepage, I have to allow port 80 traffic through to the webserver. Therefore I see many Code Red and Nimda attacks every day. Fortunately my apache server simply says....


404  have a nice day.....

Hendo

Message: 16
Date: Thu, 27 Sep 2001 21:34:40 -0500 (CDT)
From: Bob Hillegas <bobhillegas () pdq net>
To: <snort-users () lists sourceforge net>
Cc: <JSeddon () semtech com>, John Sage <jsage () finchhaven com>
Subject: [Snort-users] Re: Snort Behind IPtables, contradicting evidence...

If you're interested in snort versus firewall discussion read on.
Otherwise this gets kind of deep. Sorry.

The question I'm trying to answer is: Does snort on the same box as a
packet filter see all the traffic? I think my analysis says yes.

That then begs the question, why don't you see any Code Red traffic in this
configuration? I think the answer is that when you DENY packets, you stop
the Code Red transmission at the first SYN packet. It never receives a
SYN-ACK, so you never get back the final ACK or any payload.

Someone who has received the full Code Red transmission can comment more
authoritatively than I on that.

On Thu, 27 Sep 2001 JSeddon () semtech com wrote:

>
> Message: 4
> To: snort-users () lists sourceforge net
> From: JSeddon () semtech com
> Date: Thu, 27 Sep 2001 08:53:46 -0700
> Subject: [Snort-users] Snort Behind IPtables, contradicting evidence...
>
> Honorable Oinkers,
>
>      I fretted a long time before I sent this because I know it's been
> discussed many times and we are all very busy.  However, I wanted to bring
> it up because either I am missing or misreading something or the evidence I
> have seen does not support the consensus reached on this list.  I'm running
> snort on my firewall and have questions about whether snort will see
> traffic that iptables is configured to block.
>
>      The question is, "If you run snort on a box with iptables
> blocking/filtering stuff, will snort see/process all the traffic?".  I
> gleaned over the archives and it seems the consensus of the list was that
> "yes, snort will see the traffic".  One reason given was that the packet
> capture library takes packets and passes them to snort before the normal
> tcp stack processing.  So, iptables doesn't get a chance to see it.  There
> were also several people who said they were running snort on iptables
> firewalls and it was working fine.
>
>      However, I wasn't seeing the waves of Code Red traffic (or Nimda for
> that matter).  I thought that perhaps my ISP was filtering the Code Red
> traffic.  Just for kicks, I flushed my iptables chains.  BAM!  Snort
> started alerting on all kinds of Code Red traffic.  Ran rc.firewall again,
> no snort alerts.  Hmmm... I said, maybe a coinky-dink... Flushed again, waves
> of Code Red alerts... put the rules back in the chains... No alerts... I
> decided to let it go a day... sure enough, no rules in chains and snort sees
> the traffic, put the rules back in the chains and snort doesn't.
>
>      This seems to contradict the conclusion I got from the list archives.
> It seems that iptables is processing traffic before snort gets a chance to
> see it.  Snort is putting the NIC in promiscuous mode.  But it doesn't see
> traffic iptables is configured to block unless I flush the IPtables rules.
> Is something misconfigured with snort for me?  Did I draw the wrong
> conclusion from the list?
>


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
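The following is an added example, not code from anyone in this thread, that models the three observation points on a Linux box running both iptables and Snort: the libpcap tap (on Linux an AF_PACKET socket, which is handed a copy of every inbound frame before the netfilter INPUT chain runs), the INPUT chain itself, and the TCP stack behind it. The worm client does what Code Red and Nimda do: it completes the three-way handshake and only then sends its HTTP GET. The host addresses, port numbers and the two GET strings are constructed stand-ins (the real Code Red request pads the `.ida?` query with a long run of filler characters), and the two "rules" are simplified versions of a header-only Snort rule (`flags:S;` to port 80) and a `content:` rule on the request.

```python
from dataclasses import dataclass, field

# Constructed stand-ins for the requests the worms send (assumed, shortened).
CODE_RED_GET = b"GET /default.ida?NNNNNNNNNNNNNNNN HTTP/1.0\r\n\r\n"
NIMDA_GET = b"GET /scripts/root.exe?/c+dir HTTP/1.0\r\n\r\n"


@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: str            # "S", "SA", "A" or "PA"
    payload: bytes = b""


@dataclass
class FirewallHost:
    """The box that runs iptables and Snort together."""
    drop_dports: set = field(default_factory=set)       # iptables ... -j DROP
    listen_ports: set = field(default_factory=lambda: {80})
    sniffed: list = field(default_factory=list)         # pcap copies: Snort's view
    established: set = field(default_factory=set)       # TCP stack's view

    def receive(self, pkt):
        """Process one inbound packet; return the reply, or None."""
        # 1. The AF_PACKET tap libpcap uses sees every inbound frame, so
        #    Snort gets the packet whether or not netfilter later drops it.
        self.sniffed.append(pkt)
        # 2. netfilter INPUT chain: DROP discards silently (no RST goes back).
        if pkt.dport in self.drop_dports:
            return None
        # 3. Only survivors of INPUT reach the TCP stack.
        return self._tcp_input(pkt)

    def _tcp_input(self, pkt):
        peer = (pkt.src, pkt.sport)
        back = dict(src=pkt.dst, dst=pkt.src, sport=pkt.dport, dport=pkt.sport)
        if pkt.flags == "S" and pkt.dport in self.listen_ports:
            return Packet(flags="SA", **back)
        if pkt.flags == "A":
            self.established.add(peer)
        if pkt.flags == "PA" and peer in self.established:
            return Packet(flags="PA", payload=b"HTTP/1.1 404 Not Found\r\n\r\n", **back)
        return None


def worm_probe(host, attacker, victim, request, syn_retries=3):
    """Worm client: handshake first, GET second. No SYN-ACK means no GET."""
    for _ in range(syn_retries):
        reply = host.receive(Packet(attacker, victim, 4321, 80, "S"))
        if reply is not None and reply.flags == "SA":
            host.receive(Packet(attacker, victim, 4321, 80, "A"))
            host.receive(Packet(attacker, victim, 4321, 80, "PA", request))
            return True
    return False   # every SYN was dropped; the payload is never sent


def syn_to_web_rule(pkt):
    """Header-only rule (flags:S; dport 80): needs no payload at all."""
    return pkt.flags == "S" and pkt.dport == 80


def web_iis_content_rule(pkt):
    """content: rule on the request: needs the established stream."""
    return pkt.flags == "PA" and (b".ida?" in pkt.payload or b"root.exe" in pkt.payload)


def run(block_port_80, request=CODE_RED_GET):
    """Replay one probe against a host with or without the DROP rule."""
    host = FirewallHost(drop_dports={80} if block_port_80 else set())
    delivered = worm_probe(host, "198.51.100.7", "192.0.2.10", request)
    return {
        "sniffed": len(host.sniffed),
        "syn_alerts": sum(syn_to_web_rule(p) for p in host.sniffed),
        "content_alerts": sum(web_iis_content_rule(p) for p in host.sniffed),
        "payload_delivered": delivered,
    }


if __name__ == "__main__":
    for blocked in (True, False):
        print("port 80 DROPped" if blocked else "port 80 open   ", run(blocked))
```

With the DROP rule in place the sniffer still records every SYN (three, counting retries) and the header-only rule fires three times, which is the "pcap sees it before netfilter" claim; the content rule never fires because the worm never gets a SYN-ACK and never sends the GET. With port 80 open the same probe produces one SYN alert and one content alert. The equivalent check on a real firewall is to leave the rules loaded and run tcpdump on the outside interface filtered on SYNs to port 80: if the SYNs show up there, Snort is seeing them too, and the missing alerts are a matter of which rule type you are watching for, not of iptables hiding packets from libpcap.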