
Re: Snort with IPTables


From: John Sage <jsage () finchhaven com>
Date: Sun, 13 Jan 2002 10:03:33 -0800

*my* firewall just detected my name being taken in vain...

..can *your* firewall do that ;-)


Executive summary, IMHO:

When run *on* a firewall box:

1) Whether snort "sees everything" has a lot to do with which rules you're using.

2) snort *will* see everything you let it, *but* you have to understand what "everything" means, given the rulesets you're using.


Anyway, yeah, my experience is that snort (1.8.2 build 86 (I know: I'm behind..)) running on an ipchains-based firewall box will see all those packets that ipchains sees

**if**

(and this may be an important factor in why this issue still causes some uncertainty..)

**if** you clearly understand which rules snort is using, and thus which packets snort can be expected to see.


This was an important fundamental point about snort that it took me a while to grok: snort *only* sees those packets that your rulesets are looking at.

(You'd think that would be a "well, duh!" but it seems to be at the core of a lot of confusion...)

On my low-volume system (home dialup/intrusion detection testbed) I have custom snort rules on my firewall that do something to *every single packet* -- every packet - inbound and outbound - is either alerting or logging.

And I -b binary capture everything, and run the distro-supplied detection/analysis rules against the captures, later.

Thus I can say correctly that snort is seeing *every* packet, period, and thus every packet that ipchains is seeing, because I've set up custom rules to do exactly that.


But (there had to be a "but..."):


But: you need to understand how TCP/IP works, and understand what your firewall is doing.

This means, for one example, that if you're DENY'ing SYN's to port 80 via ipchains/iptables, you will not ever see any of the cool stuff that a lot of the snort rules would detect because you'll not ever get anything past the prober's first SYN.

Thus, to continue the example, I see a *lot* of probable CodeRed/Nimda probes, but I never get to analyze the details of the potential exploit because I'll never see anything beyond the initial connection attempt.


HTH..

- John

--
Computers: they're really nothing but l's and O's



Martijn Heemels wrote:



Have a look at the email thread that John Sage <jsage () finchhaven com> and I had on this same subject a while back on the list. IIRC, some of his findings seem to contradict some things that I had thought. Now, I could be smoking crack, but I don't know who's right any more. :) Anyone want to jump in and
save my sanity?  If not, I'm going out and have a rather good
single malt scotch.  Research shall have to wait 'till Monday!


Hi all,
I've also had an e-mail exchange with John Sage on this, following my
similar question to the list.
Since a lot is still unclear about snort's behaviour on(!) a firewall
box and I don't have the ability to test anything (I'm just a student
with one hobby server) I can only offer my personal experiences.

On my humble little server running linux-2.2.16-3 with
ipchains-1.3.9-5 and libpcap-0.6.2-7 Snort does NOT see all traffic
reaching the outside interface. The ipchains ruleset is as paranoid
as possible since a bunch of ports are open (the box has about a
dozen servers running), but only traffic targeted at open ports is
seen by snort. I get a lot of CodeRed/Nimda related activity and some
Squid proxy scans, but not much else.

The box is connected directly to a cable modem device, so there's no
switches involved. Neither is the ISP filtering any traffic (that I
know of).

I don't know enough about the layers of networking to know why my box
doesn't do what Matt's boxes do, so I'll leave that to the experts
(i.e. you).
Hope this helps build a general consensus. :-) (and ease Erek's
conscience)

G'nite for now...


and a good morning too, Erek!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net



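The two points John makes above (a sniffer on the firewall box only reports what its rules look at, and a DENY of the first SYN means the content rules never get a payload to match) can be shown with a small model. The following is an added example, not code from the thread or from the Snort project: a toy parser for the `alert`/`log` rule syntax of the period, a matcher that understands only `flags` and `content` (Snort's `*` and `!` flag modifiers and its alert/pass/log ordering are deliberately omitted), and a constructed packet stream for a CodeRed-style probe with and without an ipchains-style DENY of SYNs to port 80. The `.ida?` content is modelled on the stock "WEB-IIS ISAPI .ida attempt" rule; the port numbers and payload are made up.

```python
import re
from dataclasses import dataclass


@dataclass
class Packet:
    """Minimal TCP packet view: just the fields the rules below consult."""
    sport: int
    dport: int
    flags: str            # TCP flag letters, e.g. "S", "SA", "A", "PA"
    payload: bytes = b""


# action proto src sport -> dst dport (options)
RULE_RE = re.compile(
    r"^(?P<action>alert|log|pass)\s+(?P<proto>ip|tcp|udp|icmp)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s*->\s*(?P<dst>\S+)\s+(?P<dport>\S+)\s*"
    r"\((?P<opts>.*)\)\s*$"
)


def parse_rule(text):
    """Parse one Snort-1.x style rule line into a dict; options become a sub-dict."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError("unparseable rule: " + text)
    rule = m.groupdict()
    opts = {}
    for opt in rule.pop("opts").split(";"):
        opt = opt.strip()
        if not opt:
            continue
        key, _, val = opt.partition(":")
        opts[key.strip()] = val.strip().strip('"')
    rule["opts"] = opts
    return rule


def _port_ok(spec, port):
    return spec == "any" or int(spec) == port


def _flags_ok(spec, flags):
    # Snort semantics: "S" means exactly SYN; "S+" means SYN plus anything else.
    if spec.endswith("+"):
        return set(spec[:-1]) <= set(flags)
    return set(spec) == set(flags)


def matches(rule, pkt):
    """Does this rule look at this packet?  (The stream is all TCP.)"""
    if rule["proto"] not in ("ip", "tcp"):
        return False
    if not (_port_ok(rule["sport"], pkt.sport) and _port_ok(rule["dport"], pkt.dport)):
        return False
    o = rule["opts"]
    if "flags" in o and not _flags_ok(o["flags"], pkt.flags):
        return False
    if "content" in o and o["content"].encode() not in pkt.payload:
        return False
    return True


def run(rules, packets):
    """Return (action, msg, packet index) for every rule that fires on every packet.
    Unlike real Snort, all matching rules fire; there is no first-match ordering."""
    hits = []
    for i, pkt in enumerate(packets):
        for rule in rules:
            if matches(rule, pkt):
                hits.append((rule["action"], rule["opts"].get("msg", ""), i))
    return hits


def probe_stream(firewall_denies_syn):
    """Constructed packets as seen on the outside interface of the firewall box
    (inbound and outbound) for one CodeRed-style probe of port 80."""
    syn = Packet(sport=3217, dport=80, flags="S")
    if firewall_denies_syn:
        # ipchains DENY: the SYN is dropped, the prober retransmits a couple
        # of times, and nothing else ever happens on this connection.
        return [syn, syn, syn]
    return [
        syn,
        Packet(sport=80, dport=3217, flags="SA"),
        Packet(sport=3217, dport=80, flags="A"),
        Packet(sport=3217, dport=80, flags="PA",
               payload=b"GET /default.ida?XXXXXXXXXXXXXXXXXXXX%u9090 HTTP/1.0\r\n\r\n"),
    ]


# The distro-style detection rule only looks at established traffic with a payload.
DETECTION_RULES = [parse_rule(
    'alert tcp any any -> any 80 (msg:"WEB-IIS ISAPI .ida attempt"; flags:A+; content:".ida?";)'
)]
# The "do something to every single packet" rule from the post.
LOG_EVERYTHING = [parse_rule('log ip any any -> any any (msg:"log every packet";)')]

if __name__ == "__main__":
    print("DENY SYN, detection rules only:", run(DETECTION_RULES, probe_stream(True)))
    print("DENY SYN, log everything:      ", run(LOG_EVERYTHING, probe_stream(True)))
    print("SYN allowed, detection rules:  ", run(DETECTION_RULES, probe_stream(False)))
```

With the SYN denied, the content rule never fires and the run looks empty, which is exactly the "snort doesn't see all traffic" impression; the log-everything rule on the same stream shows the three SYNs the sniffer really did see. Only when the handshake is allowed to complete does the `.ida?` rule have a payload to match.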

