Snort mailing list archives

Re: snort inline mode is not working with iptables


From: netchild ccie <netchildccie () hotmail com>
Date: Fri, 6 Aug 2010 19:50:22 +0000


If I lose the -i eth1 it will initialize a different interface, as I have many interfaces:
*** interface device lookup found: peth0 ***
Initializing Network Interface peth0
Decoding Ethernet on interface peth0

Regards,
Wael

Date: Fri, 6 Aug 2010 14:36:15 -0500
Subject: Re: [Snort-users] snort inline mode is not working with iptables
From: william.metcalf () gmail com
To: netchildccie () hotmail com
CC: snort-users () lists sourceforge net; hat_gh () yahoo com

Yes I understand... Not sure if it matters but did you remove the "-i
eth1" from the command line?  Not sure how this is handled now in
snort, if this is valid for use with -Q or if it is just using one
runmode over the other.

Regards,

Will

On Fri, Aug 6, 2010 at 2:27 PM, netchild ccie <netchildccie () hotmail com> wrote:
Hi William,
I have the traffic on that interface IN/OUT, and even with both chains IN/OUT
jumping to QUEUE it didn't work.
The behavior I'm getting is that all the traffic for the rule -j QUEUE is
being dropped, as if the packets are not being handled by Snort (the default
behavior for -j QUEUE if no application is handling the traffic).
Regards,
Wael
Date: Fri, 6 Aug 2010 14:03:30 -0500
Subject: Re: [Snort-users] snort inline mode is not working with iptables
From: william.metcalf () gmail com
To: netchildccie () hotmail com
CC: snort-users () lists sourceforge net; hat_gh () yahoo com

lose the -i eth1... Also for traffic in/out of the local ip stack for
tcp traffic you need to make sure that snort sees both sides of the
conversation. i.e.

iptables -I INPUT -p tcp --sport 80 -j QUEUE
iptables -I OUTPUT -p tcp --dport 80 -j QUEUE

Regards,

Will
On Fri, Aug 6, 2010 at 1:41 PM, netchild ccie <netchildccie () hotmail com> wrote:
Dear list,
I am a new user to Snort and this is my first experience with it.
My issue is that it seems Snort does not communicate correctly with
iptables. I have a Linux machine running Snort 2.8.6, connected to a LAN
with another Linux machine. I am using the other machine to ping the Snort
server. Every time I run Snort without iptables, the ping works,
and once I use iptables and then launch Snort, the ping stops and
I receive alert messages!!!! I cannot understand why Snort drops the
packets?!

I'll try to summarize my issue in points:
1. I've built a Linux machine with CentOS 4.8
2. I've downloaded Snort 2.8.6 from the Snort website
3. I've compiled the package after I successfully installed libipq and
libnet 1.0.2a. I used the following commands
./configure --enable-inline
make
make install
4. I've built a simple rule under /etc/snort/rules as below and named it
"local.rule"
alert icmp any any <> any any (msg: "ICMP DROPPED"; sid: 1000001;)
5. I loaded the ip_queue module and verified it as below
[root@xen1 rules]# modprobe ip_queue
[root@xen1 rules]# lsmod | grep queue
ip_queue               44777  0
6. I launched iptables before I started Snort as below and verified it
iptables -A OUTPUT -p icmp -j QUEUE
[root@xen1 rules]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
QUEUE      icmp --  anywhere             anywhere
7. I've run Snort as below
[root@xen1 rules]# snort -k none -c /etc/snort/snort.conf.wael -l /var/log/snort/wael -Q -i eth1
Enabling inline operation
Running in IDS mode
        --== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file "/etc/snort/snort.conf.wael"
PortVar 'HTTP_PORTS' defined :  [ 80 2301 3128 7777 7779 8000 8008 8028 8080 8180 8888 9999 ]
PortVar 'SHELLCODE_PORTS' defined :  [ 0:79 81:65535 ]
PortVar 'ORACLE_PORTS' defined :  [ 1521 ]
.
.
.
        --== Initialization Complete ==--
   ,,_     -*> Snort! <*-
  o"  )~   Version 2.8.6.1 (Build 39)
   ''''    By Martin Roesch & The Snort Team:
http://www.snort.org/snort/snort-team
           Copyright (C) 1998-2010 Sourcefire, Inc., et al.
           Using PCRE version: 6.6 06-Feb-2006
           Rules Engine: SF_SNORT_DETECTION_ENGINE  Version 1.12  <Build 18>
8. Verify through the log
Aug  6 21:38:45 xen1 snort: [1:1000001:0] ICMP DROPPED {ICMP} 10.6.211.155 -> 10.6.211.53
Aug  6 21:39:16 xen1 last message repeated 31 times
Aug  6 21:40:17 xen1 last message repeated 61 times

9. Verify the ping from the ping's screen
[root@dana-ser-ns-02 ~]# ping 10.6.211.53
PING 10.6.211.53 (10.6.211.53) 56(84) bytes of data.
<nothing>

What have I missed?!
Regards,
Wael

------------------------------------------------------------------------------
This SF.net email is sponsored by

Make an app they can't live without
Enter the BlackBerry Developer Challenge
http://p.sf.net/sfu/RIM-dev2dev
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
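Two checks that follow from the thread's diagnosis (a single chain jumping to QUEUE lets Snort see only one side of a conversation, and -j QUEUE drops every packet when nothing reads ip_queue), written as an added example that is not from the thread or from the Snort project. The iptables listing is the one from the original post; the /proc/net/ip_queue text is constructed and its field layout is an assumption, as are the function names.

```shell
# Added example: sanity checks for the Snort/ip_queue inline setup above.
# 1) Does iptables queue PROTO in both INPUT and OUTPUT, so Snort sees both
#    sides of a conversation?  2) Is a userspace handler attached to
#    ip_queue?  With -j QUEUE and no handler, the kernel drops the packets.

# Constructed sample: the `iptables -L` listing from the original post
# (only OUTPUT queues ICMP).
SAMPLE_IPTABLES='Chain INPUT (policy ACCEPT)
target     prot opt source               destination
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
QUEUE      icmp --  anywhere             anywhere'

# Constructed sample of /proc/net/ip_queue with nothing attached
# (field layout as printed by the ip_queue module; assumed here).
SAMPLE_IPQUEUE_NOPEER='Peer PID          : 0
Copy mode         : 0
Queue length      : 0
Queue dropped     : 0'

# queue_chains LISTING PROTO: print each chain holding a QUEUE rule for PROTO.
queue_chains() {
    printf '%s\n' "$1" | awk -v proto="$2" '
        /^Chain / { chain = $2 }
        $1 == "QUEUE" && $2 == proto { print chain }'
}

# both_directions LISTING PROTO: succeed only if INPUT and OUTPUT both queue it.
both_directions() {
    chains=$(queue_chains "$1" "$2")
    printf '%s\n' "$chains" | grep -qx INPUT &&
        printf '%s\n' "$chains" | grep -qx OUTPUT
}

# handler_attached IPQUEUE_TEXT: succeed if a peer (e.g. snort -Q via libipq)
# has registered with ip_queue, i.e. Peer PID is non-zero.
handler_attached() {
    pid=$(printf '%s\n' "$1" | awk -F': *' '/^Peer PID/ { print $2 }')
    [ -n "$pid" ] && [ "$pid" -ne 0 ]
}
# check_live_host PROTO: run both checks on the running kernel (needs root).
check_live_host() {
    both_directions "$(iptables -L)" "$1" ||
        echo "WARNING: $1 is not queued in both INPUT and OUTPUT"
    handler_attached "$(cat /proc/net/ip_queue)" ||
        echo "WARNING: no handler on ip_queue; -j QUEUE will drop all queued packets"
}
```

Source the file and call `check_live_host icmp` on the sensor as root; against the thread's listing it reports the missing INPUT rule, and with Snort not yet attached it reports the empty queue.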