[Snort-devel] Is it a bug?

Russ Combs rcombs at ...402...
Mon Dec 2 08:14:45 EST 2013


This does not sound like a bug.  You basically have Snort running from what
I can tell.  I suggest you do a little more testing and post an update to
the users list.

Some things to consider:

-- What do you mean the interfaces "hang"?  Not passing any packets as
observed from the endpoints?

-- Check Snort's shutdown stats.  Is it seeing all the packets you are
sending?  What are the verdicts?

-- Try adding config policy_mode: tap to your conf to prevent Snort from
blocking anything.  Do your results differ?

-- Stick with afpacket until you get things working.  It is much simpler to
set up than NFQ.

Russ



On Mon, Nov 25, 2013 at 2:09 AM, Ellad G. Yatsko <eyatsko at ...3452...> wrote:

> Hello!
>
> Sorry if it is "to the wrong quarter", but I did not get any
> substantial help
> in "Snort Users". My question is described in detail below.
>
> Kind regards,
> Ellad
> > Hello!
> >
> > I compiled again.. :-( To restore the step-by-step procedure... :-( As usual,
> > afpacket hangs the interfaces... :-(
> > Ubuntu 12.04.1 amd64 (under VMWare ESXi 5.2) was installed from scratch.
> >
> > apt-get -y install build-essential libpcap0.8-dev libmysqlclient15-dev
> > mysql-server libc6-dev g++ gcc pcregrep libpcre3-dev iptables-dev bison
> > flex tshark
> >
> > cd /usr/src/libdnet-1.12/
> > ./configure "CFLAGS=-fPIC -g -O2"
> > make
> > make install
> >
> > cd /usr/src/daq-2.0.1/
> > ./configure
> > make
> > make install
> >
> > cd /usr/src/snort-2.9.5.6/
> > ./configure --enable-gre --enable-reload --enable-linux-smp-stats
> > --enable-zlib --enable-active-response --enable-react --enable-flexresp3
> > make
> > make install
> >
> > ln -s /usr/local/lib/libdnet.1.0.1 /usr/lib/libdnet.1
> > ln -s /usr/local/lib/snort_dynamicpreprocessor
> > /usr/lib/snort_dynamicpreprocessor
> > ln -s /usr/local/lib/snort_dynamicengine /usr/lib/snort_dynamicengine
> >
> > Then I got the init.d script from a neighbouring Virtual Machine where I had done
> > apt-get install snort a minute ago, together with the /etc/snort folder and all its
> > content.
> >
> > scp eyatsko at ...3453...:/etc/init.d/snort /etc/init.d/snort
> > scp -r eyatsko at ...3453...:/etc/snort /etc/
> > chown root:root /etc/init.d/snort
> > chown -R root:root /etc/snort
> >
> > Then I updated /etc/snort/snort.conf:
> > . . .
> > # Setup the network addresses you are protecting
> > ipvar HOME_NET 192.168.0.0/24
> >
> > # Set up the external network addresses. Leave as "any" in most situations
> > #ipvar EXTERNAL_NET any
> > ipvar EXTERNAL_NET !$HOME_NET
> > . . .
> >
> > ...and started snort:
> > snort -Q -v -i eth0:eth1 --daq afpacket -c /etc/snort/snort.conf
> >
> > It got three bootp packets and hung the interfaces.
> >
> > As far as I can observe, such behaviour of Snort does not depend on
> > - Snort version;
> > - Operating system/OS version;
> > - The way Snort is installed;
> > - Rule set (I commented out all include $RULE_PATH/* lines except
> > local.rules, which was empty).
> >
> > What could explain this situation?
> >
> > Kind regards,
> > Ellad Yatsko
> >
> >> I have checked something. I re-installed the OS - changed it to Debian 7.2.0
> >> x86 (Ubuntu 12.04.1 was amd64) and Snort. Snort, again, is of version
> >> 2.9.2 (to be more accurate: 2.9.2.2).
> >> All is much the same! It "hangs" the interfaces after several tens of
> >> packets, and they stay that way until several minutes after Snort's
> >> execution is broken off.
> >>
> >> What could it be? I have already mentioned that I compiled Snort from
> >> sources. Afpacket behaves similarly.
> >>
> >> Can anybody help me?... :-)
> >>
> >>
> >>> We have Ubuntu Server 12.04.1 LTS with snort 2.9.2 - both installed from
> >>> scratch. The Snort 2.9.2 distribution is native to this Ubuntu release.
> >>>
> >>> ~# snort --daq-list
> >>> Available DAQ modules:
> >>> pcap(v3): readback live multi unpriv
> >>> ipfw(v2): live inline multi unpriv
> >>> dump(v1): readback live inline multi unpriv
> >>> afpacket(v4): live inline multi unpriv
> >>> ~#
> >>>
> >>> Snort config and rule set are both the defaults that come with the distribution
> >>> (apt-get install ...)
> >>>
> >>> IPTables has its default configuration:
> >>> ~# iptables -nL
> >>> Chain INPUT (policy ACCEPT)
> >>> target     prot opt source               destination
> >>>
> >>> Chain FORWARD (policy ACCEPT)
> >>> target     prot opt source               destination
> >>>
> >>> Chain OUTPUT (policy ACCEPT)
> >>> target     prot opt source               destination
> >>> ~# iptables -t nat -nL
> >>> Chain PREROUTING (policy ACCEPT)
> >>> target     prot opt source               destination
> >>>
> >>> Chain INPUT (policy ACCEPT)
> >>> target     prot opt source               destination
> >>>
> >>> Chain OUTPUT (policy ACCEPT)
> >>> target     prot opt source               destination
> >>>
> >>> Chain POSTROUTING (policy ACCEPT)
> >>> target     prot opt source               destination
> >>> ~#
> >>> I tried to put some traffic into QUEUE by a command like: iptables -A
> >>> INPUT -p udp -j QUQUE, but it has no effect relative to my main
> >>> problem.
> >>> I found just a few cases on the Internet where Snort has been started in
> >>> inline mode, and they do not abound in examples of how to set up IPTables
> >>> in conjunction with Snort... :-( And, moreover, all of them differ
> >>> depending on Snort version.
> >>>
> >>>
> >>> After starting Snort via command-line:
> >>> ~# snort -Q -vv -i eth0:eth1 --daq afpacket -c /etc/snort/snort.conf
> >>>
> >>>
> >>> Snort received some tens of packets (mainly my SSH session to the server
> >>> with Snort), then both interfaces eth0 and eth1 became unavailable from
> >>> outside (i. e. from ipvar EXTERNAL_NET !$HOME_NET), but I could still
> >>> ping them from the server's console. Going further: when I tried to ping
> >>> something outside from the server's interfaces, this also had no result.
> >>> Nothing is accessible via the monitored interfaces.
> >>>
> >>> When I break the program's execution, the interfaces from outside and
> >>> external destinations from inside continue to be inaccessible for some
> >>> time (several minutes).
> >>>
> >>> Now I have two more or less clear dilemmas:
> >>> - how to start Snort in inline mode and avoid it hanging up (main
> >>> problem);
> >>> - how to set up IPTables if it is needed by the DAQ.
> >>>
> >>> Future plans for Snort suppose analyzing and dropping excessive
> >>> SIP traffic ONLY (methods: REGISTER and INVITE) from certain IPs. For
> >>> example, if there are many registrations per second (or per ten seconds -
> >>> no matter). Such a traffic pattern must be "isolated" from the SIP registrar.
> >>> And the same story applies to INVITEs. Ideally, it would be perfect if
> >>> Snort could add rules to IPTables to block "rogue traffic" permanently!
> >>> :-) As a rule (by my own observations), "bad guys" always sit at the
> >>> same IP addresses.
> >>>
> >>> Please, help... :-)
> >>>
> >
> >
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> >
> > Please visit http://blog.snort.org to stay current on all the latest
> Snort news!
> >
>
>
>
> _______________________________________________
> Snort-devel mailing list
> Snort-devel at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-devel
> Archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
>
> Please visit http://blog.snort.org for the latest news about Snort!
>
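Russ's second suggestion (check the shutdown stats: did Snort see every packet, and what verdicts did they get) is the quickest way to tell a capture problem from a blocking problem. The following is an added example, not code from this thread or from the Snort project: a small parser for the counter block Snort 2.9.x prints at exit, plus a check that compares the counters with the number of packets the test host actually sent. The sample output is constructed to match that layout with invented counts; the section and counter names assumed are the ones in that block ("Packet I/O Totals", "Verdicts" and so on), and `packets_sent` is whatever the tester knows was injected from the endpoints.

```python
"""Read Snort 2.9.x shutdown statistics and report whether the packets were
received and what verdicts they got.  Added example for the thread above,
not Snort project code; the layout below is assumed to match Snort's exit
summary, and the counts are invented."""
import re

# Constructed sample of Snort's shutdown output (not captured from any host).
SAMPLE_STATS = """\
===============================================================================
Run time for packet processing was 30.120 seconds
Snort processed 42 packets.
===============================================================================
Packet I/O Totals:
   Received:           42
   Analyzed:           42 (100.000%)
    Dropped:            0 (  0.000%)
   Filtered:            0 (  0.000%)
Outstanding:            0 (  0.000%)
   Injected:            0
===============================================================================
Action Stats:
     Alerts:            0 (  0.000%)
     Logged:            0 (  0.000%)
     Passed:            0 (  0.000%)
Limits:
      Match:            0
      Queue:            0
        Log:            0
      Event:            0
      Alert:            0
Verdicts:
      Allow:            3 (  7.143%)
      Block:           39 ( 92.857%)
    Replace:            0 (  0.000%)
  Whitelist:            0 (  0.000%)
  Blacklist:            0 (  0.000%)
     Ignore:            0 (  0.000%)
===============================================================================
"""

# Section headers we care about, as printed by Snort (trailing colon dropped).
SECTIONS = ("Packet I/O Totals", "Action Stats", "Limits", "Verdicts")
# "   Received:           42 (100.000%)" -> name "Received", count 42
COUNTER = re.compile(r"\s*([A-Za-z ]+):\s+(\d+)\b")


def parse_shutdown_stats(text):
    """Map each known section to {counter name: integer count}."""
    stats = {}
    section = None
    for line in text.splitlines():
        name = line.strip().rstrip(":")
        if name in SECTIONS:          # a section header such as "Verdicts:"
            section = name
            stats[section] = {}
            continue
        if section is None:           # preamble before the first section
            continue
        m = COUNTER.match(line)
        if m:
            stats[section][m.group(1).strip()] = int(m.group(2))
    return stats


def assess(stats, packets_sent):
    """Return plain-text findings comparing Snort's counters with the number
    of packets the test host actually sent (packets_sent is the tester's own
    count, an assumption this example makes)."""
    io = stats.get("Packet I/O Totals", {})
    verdicts = stats.get("Verdicts", {})
    findings = []
    received = io.get("Received", 0)
    if received < packets_sent:
        findings.append("Snort saw %d of %d packets: a capture problem, not a "
                        "verdict problem" % (received, packets_sent))
    if io.get("Dropped", 0):
        findings.append("%d packets dropped before analysis: the DAQ is losing "
                        "traffic" % io["Dropped"])
    blocked = verdicts.get("Block", 0) + verdicts.get("Blacklist", 0)
    if blocked:
        findings.append("%d packets got a Block/Blacklist verdict: look at drop "
                        "rules, or rerun with config policy_mode:tap to confirm"
                        % blocked)
    if not findings:
        findings.append("every packet was received and allowed: the cause is "
                        "outside Snort")
    return findings


if __name__ == "__main__":
    parsed = parse_shutdown_stats(SAMPLE_STATS)
    for finding in assess(parsed, packets_sent=42):
        print(finding)
```

Paste the real exit summary in place of the constructed sample (or read it from the file Snort's output was redirected to) and set `packets_sent` from the endpoint that generated the traffic. A Block count with no drop rules loaded, or a Received count far below what was sent, points at very different things, which is the distinction Russ is asking the poster to make before calling it a bug.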