Snort mailing list archives
Re: Some Snort beginner questions
From: James Lay <jlay () slave-tothe-box net>
Date: Fri, 31 Oct 2014 18:40:41 -0600
On Sat, 2014-11-01 at 00:26 +0000, Joel Esler (jesler) wrote:
> You can put all your deny statements in iptables before you put your queue statements.
>
> --
> Joel Esler
> iPhone
>
> On Oct 31, 2014, at 17:40, Jim Garrison <jhg () jhmg net> wrote:
>
>> I have a Centos 6.5 web server configured with a very restrictive iptables setup (8 incoming tcp ports open, 0 udp). I'm a fairly experienced Linux admin but haven't looked at Snort in at least 7 or 8 years (wow, has it changed since then!), since I use iptables to present a tiny attack surface to the Internet. However, installing PHP/Wordpress has prompted me to add Snort to my toolkit.
>>
>> I recently built and installed Snort from source and have been testing it with the command line:
>>
>>     snort --enable-inline-test -c /etc/snort/snort.conf -b -A fast
>>
>> I have three questions:
>>
>> 1) I am getting very few alerts, which I expected due to the small exposed surface, but find that the alerts that do get logged are on ports that are not open in iptables. I therefore guess that Snort is seeing the packets either before or at the same time as (independent of) iptables. Is this correct?
>>
>> 2) Is there a way to set things up so Snort sees only packets that are not blocked by iptables? I don't want to replace iptables with Snort. I'd rather use iptables as a perimeter defense and Snort to scan traffic for application layer exploits.
>>
>> 3) A couple of alerts I am seeing occasionally are:
>>
>>     10/31-19:49:40.592851 [**] [1:31136:1] MALWARE-CNC Win.Trojan.ZeroAccess inbound communication [**] [Classification: A Network Trojan was Detected] [Priority: 1] {UDP} 93.120.27.62:40000 -> ob.fus.cated.ip:16464
>>     10/31-19:49:40.592851 [**] [1:23493:5] MALWARE-CNC Win.Trojan.ZeroAccess outbound communication [**] [Classification: A Network Trojan was Detected] [Priority: 1] {UDP} 93.120.27.62:40000 -> ob.fus.cated.ip:16464
>>
>> The arrow points from the foreign IP to my IP in both cases, but one says "inbound" and one says "outbound", which seems to conflict. When I examine the binary log file in Wireshark both packets are shown as incoming, supporting the arrow and indicating the "outbound" designation may be incorrect, or I don't understand how the word "outbound" is being used here. Is this a bug?
>>
>> --
>> Jim Garrison (jhg () acm org)
>> PGP Keys at http://www.jhmg.net RSA 0x04B73B7F DH 0x70738D88
Also keep in mind that any iptables rules AFTER your snort QUEUE rule are NOT applied. As soon as a packet hits the snort QUEUE rule the packet is either a) flagged by snort and dropped, or b) passed up the stack as allowed.

James
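The third question (an "outbound" rule message on an alert whose src -> dst arrow points into the protected host) is one you can check mechanically across a whole `-A fast` log. The following is an added example, not code from the thread or from Snort: it parses the fast-alert format quoted above, derives the observed direction from the arrow relative to an assumed HOME_NET (192.0.2.0/24, a documentation range chosen for the example), and flags alerts whose message direction disagrees with it. The sample lines are constructed with documentation IPs in the same shape as the poster's alerts.

```python
import ipaddress
import re

# Assumed HOME_NET for this example (the poster's real address is obfuscated).
HOME_NET = [ipaddress.ip_network("192.0.2.0/24")]

# Shape of one '-A fast' alert line:
#   <ts> [**] [gid:sid:rev] <msg> [**] [Classification: ...] [Priority: N] {PROTO} src:sport -> dst:dport
FAST_RE = re.compile(
    r"^(?P<ts>\S+) \[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\] "
    r"(?:\[Classification: (?P<cls>[^\]]*)\] )?\[Priority: (?P<pri>\d+)\] "
    r"\{(?P<proto>\w+)\} (?P<src>[^: ]+):(?P<sport>\d+) -> (?P<dst>[^: ]+):(?P<dport>\d+)$"
)

def is_home(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in HOME_NET)

def observed_direction(src, dst):
    """Direction implied by the src -> dst arrow, relative to HOME_NET."""
    if not is_home(src) and is_home(dst):
        return "inbound"
    if is_home(src) and not is_home(dst):
        return "outbound"
    return "internal" if is_home(src) else "external"

def labelled_direction(msg):
    """Direction word carried in the rule message, if it has one."""
    m = msg.lower()
    if "inbound" in m:
        return "inbound"
    if "outbound" in m:
        return "outbound"
    return None

def check_alert(line):
    """Parse one fast-alert line; report whether msg and arrow directions agree."""
    m = FAST_RE.match(line.strip())
    if not m:
        return None  # not a parsable fast-alert line (e.g. ICMP without ports)
    observed = observed_direction(m["src"], m["dst"])
    labelled = labelled_direction(m["msg"])
    return {"sid": int(m["sid"]), "observed": observed, "labelled": labelled,
            "mismatch": labelled is not None and labelled != observed}

def mismatches(lines):
    """All alerts whose message direction contradicts the observed direction."""
    return [r for r in map(check_alert, lines) if r and r["mismatch"]]

# Constructed sample alerts mirroring the thread (documentation IPs, not real hosts).
SAMPLE = [
    "10/31-19:49:40.592851 [**] [1:31136:1] MALWARE-CNC Win.Trojan.ZeroAccess inbound communication [**] [Classification: A Network Trojan was Detected] [Priority: 1] {UDP} 203.0.113.5:40000 -> 192.0.2.10:16464",
    "10/31-19:49:40.592851 [**] [1:23493:5] MALWARE-CNC Win.Trojan.ZeroAccess outbound communication [**] [Classification: A Network Trojan was Detected] [Priority: 1] {UDP} 203.0.113.5:40000 -> 192.0.2.10:16464",
]
```

Run over a real fast log, `mismatches()` lists the sids whose wording does not match what the sensor actually saw, which is the list to take to the rule documentation or to bug reports.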