Snort mailing list archives
Re: Snort with NFQUEUE allows everything (even unopened ports)
From: Russ Combs <rcombs () sourcefire com>
Date: Fri, 30 Mar 2012 14:48:14 -0400
Try using a drop rule instead of alert. And the DAQ mode and Snort mode aren't the same thing. Try adding -Q too.

On Fri, Mar 30, 2012 at 2:29 PM, Amm Snort <ammdispose-snort () yahoo com> wrote:
Hello all,

I have setup snort with DAQ NFQUEUE. My problem is that in spite of a firewall rule to block all ports, the system starts allowing ALL THE PORTS. Without SNORT/NFQUEUE, blocking happens perfectly fine. So either I am making a STUPID mistake (I hope so) or otherwise there is a serious SECURITY issue.

System:
Fedora 16 (64 bit)
Snort version 2.9.2.2 (compiled from src rpm at http://www.snort.org/snort-downloads)
Daq version 0.6.2 (compiled from src rpm at http://www.snort.org/snort-downloads with NFQ enabled)

snort.conf summary:
#monitor connection to LAN and DSL IP (dynamic)
ipvar HOME_NET [192.168.1.0/24,1.2.0.0/16]
config daq: nfq
config daq_mode: inline
config daq_dir: /usr/lib64/daq

Command line:
snort -A fast -b -d -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort
(no interface specified, -Q not needed as config daq_mode set to inline)

Rule File: (just one rule for testing)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"GPL SMTP SMTP Hydra Activity Detected"; flow:to_server,established; content:"hydra"; nocase; pcre:"/^(EH|HE)LO\s+hydra\x0D\x0A/smi"; reference:url, www.thc.org/releases.php; classtype:misc-attack; sid:100000167; rev:1;)

IPTABLES:
iptables -I INPUT 1 -p tcp -i ppp1 -j NFQUEUE
iptables -I OUTPUT 1 -p tcp -o ppp1 -j NFQUEUE

(rule triggers alert on sending "EHLO hydra" - hence setup seems to be running fine)

Now THE SERIOUS PROBLEM:

As shown below, my iptables INPUT chain allows connection ONLY on port 22.

1) iptables -nvL INPUT (on snort system)

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target   prot opt in    out   source      destination
  274  146K NFQUEUE  tcp  --  ppp1  *     0.0.0.0/0   0.0.0.0/0    NFQUEUE num 0
    0     0 ACCEPT   tcp  --  ppp1  *     0.0.0.0/0   0.0.0.0/0    tcp dpt:22
17344  816K REJECT   all  --  *     *     0.0.0.0/0   0.0.0.0/0    reject-with icmp-host-prohibited

2) telnet 1.2.3.4 25 (from some remote machine)
Trying to connect to port 25 of SNORT machine from some remote machine.

Trying 1.2.3.4...
Connected to XXXXX.
Escape character is '^]'.
220 XXXX ESMTP Sendmail; Fri, 30 Mar 2012 23:17:42 +0530
>>>> How did it connect to port 25???
ehlo hydra
....

3) tail -1 /var/log/snort/alert

03/30-23:17:46.056165 [**] [1:100000167:1] GPL SMTP SMTP Hydra Activity Detected [**] [Classification: Misc Attack] [Priority: 2] {TCP} 2.2.2.2:35256 -> 1.2.3.4:25

(which means snort detected the hydra activity as expected)

4) iptables -D INPUT 1 -p tcp -i ppp1 -j NFQUEUE
Delete the NFQUEUE rule, i.e. disable SNORT inspection.

5) telnet 1.2.3.4 25 (try again)

Trying 1.2.3.4 ...
telnet: connect to address 1.2.3.4: No route to host

Blocked (packet rejected) just as expected after removing snort NFQUEUE rule.

6) Add rule again with one additional DROP rule for port 25

iptables -I INPUT 1 -p tcp -i ppp1 -j NFQUEUE
iptables -I INPUT 2 -p tcp -i ppp1 --dport 25 -j DROP

a) iptables -nvL INPUT

 pkts bytes target   prot opt in    out   source      destination
   29  3660 NFQUEUE  tcp  --  ppp1  *     0.0.0.0/0   0.0.0.0/0    NFQUEUE num 0
    0     0 DROP     tcp  --  ppp1  *     0.0.0.0/0   0.0.0.0/0    tcp dpt:25

Now try to connect again:

telnet 1.2.3.4 25
Trying 1.2.3.4...
Connected to XXXXX.
Escape character is '^]'.
220 XXXX ESMTP Sendmail; Fri, 30 Mar 2012 23:32:17 +0530

WHAT?!! Started accepting connection again!!!!

b) iptables -nvL INPUT

 pkts bytes target   prot opt in    out   source      destination
   72  7982 NFQUEUE  tcp  --  ppp1  *     0.0.0.0/0   0.0.0.0/0    NFQUEUE num 0
    0     0 DROP     tcp  --  ppp1  *     0.0.0.0/0   0.0.0.0/0    tcp dpt:25

Notice that DROP counter has not increased at all, which means Snort/NFQUEUE is ALLOWING the packet instead of proceeding to next rule (which is DROP rule).

c) Port Scan

nmap -n 1.2.3.4

Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Interesting ports on (1.2.3.4):
(The 1590 ports scanned but not shown below are in state: closed)
Port       State     Service
22/tcp     open      ssh
25/tcp     open      smtp
80/tcp     open      http
111/tcp    open      sunrpc
135/tcp    filtered  loc-srv
137/tcp    filtered  netbios-ns
139/tcp    filtered  netbios-ssn
443/tcp    open      https
445/tcp    filtered  microsoft-ds
3128/tcp   open      squid-http

EVERYTHING is OPEN!!!

d) Delete NFQUEUE rule and try to connect again:

iptables -D INPUT -p tcp -i ppp1 -j NFQUEUE
telnet 1.2.3.4 25
Trying 1.2.3.4...

Nothing happens due to DROP rule (as expected)

e) iptables -nvL INPUT (check packet COUNTER)

 pkts bytes target   prot opt in    out   source      destination
    2   120 DROP     tcp  --  ppp1  *     0.0.0.0/0   0.0.0.0/0    tcp dpt:25

DROP Counter increased once the NFQUEUE rule is deleted.

So in short NFQUEUE or Snort is ALLOWING the packet directly instead of letting it pass to next iptables rule.

Is there something I missed or is there really something wrong with SNORT/NFQUEUE? Please correct me.

Thank you,
Amm

------------------------------------------------------------------------------
This SF email is sponsored by: Try Windows Azure free for 90 days Click Here http://p.sf.net/sfu/sfd2d-msazure
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
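The counters in the quoted message (the DROP rule below NFQUEUE never incrementing, then moving as soon as the NFQUEUE rule is deleted) follow from how netfilter handles a queue verdict: when the userspace consumer, here Snort's NFQ DAQ, returns an ACCEPT verdict, the packet is accepted at that hook and the remaining rules of the chain that queued it are not evaluated. A DROP or REJECT placed after the NFQUEUE rule in the same chain is therefore dead for every packet the NFQUEUE rule matched. The following is an added example, not code from the thread or from the Snort project: a small Python lint over `iptables -S` output that flags rules made unreachable this way. Both rule listings are constructed here to mirror the INPUT chain in the message; the corrected layout puts the filter decisions first and queues only the traffic the firewall permits.

```python
"""Flag iptables rules that an earlier NFQUEUE rule in the same chain makes unreachable.

Model: NFQUEUE hands the packet to userspace (e.g. Snort). When userspace returns an
ACCEPT verdict, netfilter treats the packet as accepted at that hook and does not
evaluate the rest of the chain, so a later DROP/REJECT only ever sees packets the
NFQUEUE rule did not match.
"""
from dataclasses import dataclass

# Constructed sample in `iptables -S` format, mirroring the chain from the thread.
BROKEN_RULES = """\
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-A INPUT -i ppp1 -p tcp -j NFQUEUE --queue-num 0
-A INPUT -i ppp1 -p tcp -m tcp --dport 25 -j DROP
-A INPUT -i ppp1 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -o ppp1 -p tcp -j NFQUEUE --queue-num 0
"""

# Constructed corrected layout: drop first, queue only what the firewall permits,
# reject the rest. Snort (with drop rules) can still block inside the queued traffic.
FIXED_RULES = """\
-P INPUT ACCEPT
-A INPUT -i ppp1 -p tcp -m tcp --dport 25 -j DROP
-A INPUT -i ppp1 -p tcp -m tcp --dport 22 -j NFQUEUE --queue-num 0
-A INPUT -j REJECT --reject-with icmp-host-prohibited
"""


@dataclass
class Rule:
    chain: str
    target: str
    matches: dict  # match option -> value, e.g. {"-i": "ppp1", "--dport": "25"}
    text: str


def parse_listing(listing):
    """Parse the -A lines of `iptables -S` output; -P/-N lines are skipped."""
    rules = []
    for line in listing.splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] != "-A" or "-j" not in tokens[:-1]:
            continue
        chain, j = tokens[1], tokens.index("-j")
        matches, i, negate = {}, 2, ""
        while i < j:
            tok = tokens[i]
            if tok == "!":  # negation applies to the option that follows
                negate, i = "!", i + 1
                continue
            if i + 1 < j and not tokens[i + 1].startswith("-"):
                if tok != "-m":  # "-m tcp" only loads a match module, constrains nothing
                    matches[tok] = negate + tokens[i + 1]
                negate, i = "", i + 2
            else:
                i += 1  # value-less flag; not a constraint this model tracks
        rules.append(Rule(chain, tokens[j + 1], matches, line))
    return rules


def relation(queue_rule, later_rule):
    """Classify a later rule against the packets already consumed by the NFQUEUE rule."""
    for key, value in queue_rule.matches.items():
        if later_rule.matches.get(key, value) != value:
            return "disjoint"  # conflicting constraint: the later rule is still reachable
    if set(queue_rule.matches) <= set(later_rule.matches):
        return "shadowed"  # every packet it matches was queued and verdicted earlier
    return "partial"  # part of its traffic bypasses it (may be intended)


def shadowed_rules(listing):
    """Return (chain, relation, rule_text) for rules after each chain's first NFQUEUE rule."""
    chains = {}
    for rule in parse_listing(listing):
        chains.setdefault(rule.chain, []).append(rule)
    findings = []
    for chain, rules in chains.items():
        queue_idx = next((i for i, r in enumerate(rules) if r.target == "NFQUEUE"), None)
        if queue_idx is None:
            continue
        for later in rules[queue_idx + 1:]:
            rel = relation(rules[queue_idx], later)
            if rel != "disjoint":
                findings.append((chain, rel, later.text))
    return findings


if __name__ == "__main__":
    for label, listing in (("broken", BROKEN_RULES), ("fixed", FIXED_RULES)):
        print(f"== {label} ==")
        for chain, rel, text in shadowed_rules(listing):
            print(f"{chain}: {rel:8} {text}")
```

On the broken listing the DROP for port 25 and the ACCEPT for port 22 are reported as fully shadowed and the catch-all REJECT as partially shadowed; on the corrected listing only the REJECT remains partial, which is the intended split (port 22 goes to Snort, everything else is rejected). The lint models only equality constraints and treats values such as port ranges or address prefixes as opaque strings, so it is a first-pass check, not a full reachability analysis. The alternative design, if Snort must see all traffic, is to queue from a chain in an earlier hook (for example the raw table's PREROUTING chain): a verdict ends traversal of the chain that queued the packet, not the later hook points, so the filter table's INPUT chain is still evaluated afterwards.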
Current thread:
- Snort with NFQUEUE allows everything (even unopened ports) Amm Snort (Mar 30)
- Re: Snort with NFQUEUE allows everything (even unopened ports) Russ Combs (Mar 30)
- Re: Snort with NFQUEUE allows everything (even unopened ports) Amm Snort (Mar 30)
- Re: Snort with NFQUEUE allows everything (even unopened ports) Amm Snort (Mar 31)
- Re: Snort with NFQUEUE allows everything (even unopened ports) Jaime Nebrera (Mar 31)
- Re: Snort with NFQUEUE allows everything (even unopened ports) Amm Snort (Mar 31)
- Re: Snort with NFQUEUE allows everything (even unopened ports) Jaime Nebrera (Mar 31)
- Re: Snort with NFQUEUE allows everything (even unopened ports) Amm Snort (Mar 30)
- Re: Snort with NFQUEUE allows everything (even unopened ports) Russ Combs (Mar 30)