[Snort-devel] Is it a bug?

Ellad G. Yatsko eyatsko at ...3452...
Mon Nov 25 02:09:05 EST 2013


Hello!

Sorry if this is "to the wrong quarter", but I did not get any
substantial help
in "Snort Users". My question is described in detail below.

Kind regards,
Ellad
> Hello!
>
> I compiled again.. :-( To reconstruct the step-by-step procedure... :-( As usual,
> afpacket hangs the interfaces... :-(
> Ubuntu 12.04.1 amd64 (under VMware ESXi 5.2) is installed from scratch.
>
> apt-get -y install build-essential libpcap0.8-dev libmysqlclient15-dev
> mysql-server libc6-dev g++ gcc pcregrep libpcre3-dev iptables-dev bison
> flex tshark
>
> cd /usr/src/libdnet-1.12/
> ./configure "CFLAGS=-fPIC -g -O2"
> make
> make install
>
> cd /usr/src/daq-2.0.1/
> ./configure
> make
> make install
>
> cd /usr/src/snort-2.9.5.6/
> ./configure --enable-gre --enable-reload --enable-linux-smp-stats --enable-zlib --enable-active-response --enable-react --enable-flexresp3
> make
> make install
>
> ln -s /usr/local/lib/libdnet.1.0.1 /usr/lib/libdnet.1
> ln -s /usr/local/lib/snort_dynamicpreprocessor /usr/lib/snort_dynamicpreprocessor
> ln -s /usr/local/lib/snort_dynamicengine /usr/lib/snort_dynamicengine
>
> Then I got the init.d script and the /etc/snort folder with all its content
> from a neighbouring virtual machine where I had done apt-get install snort a
> minute ago.
>
> scp eyatsko at ...3453...:/etc/init.d/snort /etc/init.d/snort
> scp -r eyatsko at ...3453...:/etc/snort /etc/
> chown root:root /etc/init.d/snort
> chown -R root:root /etc/snort
>
> Then I updated /etc/snort/snort.conf:
> . . .
> # Setup the network addresses you are protecting
> ipvar HOME_NET 192.168.0.0/24
>
> # Set up the external network addresses. Leave as "any" in most situations
> #ipvar EXTERNAL_NET any
> ipvar EXTERNAL_NET !$HOME_NET
> . . .
>
> ...and started snort:
> snort -Q -v -i eth0:eth1 --daq afpacket -c /etc/snort/snort.conf
>
> It got three bootp packets and hangs interfaces.
>
> As far as I can observe, such behaviour of Snort does not depend on
> - Snort version;
> - operating system/OS version;
> - the way Snort is installed;
> - rule set (I commented out all include $RULE_PATH/* lines except
> local.rules, which was empty).
>
> What could explain this situation?
>
> Kind regards,
> Ellad Yatsko
>
>> I have checked something. I re-installed the OS, changing it to Debian 7.2.0
>> x86 (Ubuntu 12.04.1 was amd64), and Snort. Snort, again, is version
>> 2.9.2 (to be more accurate: 2.9.2.2).
>> All is much the same! It "hangs" the interfaces after several tens of
>> packets, and for several minutes after the Snort process is terminated.
>>
>> What could it be? I have already mentioned that I compiled Snort from
>> source. afpacket behaves similarly.
>>
>> Anybody help me!... :-)
>>
>>
>>> We have Ubuntu Server 12.04.1 LTS with Snort 2.9.2, both installed from
>>> scratch. The Snort 2.9.2 package is the one native to this Ubuntu release.
>>>
>>> ~# snort --daq-list
>>> Available DAQ modules:
>>> pcap(v3): readback live multi unpriv
>>> ipfw(v2): live inline multi unpriv
>>> dump(v1): readback live inline multi unpriv
>>> afpacket(v4): live inline multi unpriv
>>> ~#
>>>
>>> The Snort config and rule set are both the defaults that come with the
>>> distribution package (apt-get install ...).
>>>
>>> IPTables has its default configuration:
>>> ~# iptables -nL
>>> Chain INPUT (policy ACCEPT)
>>> target     prot opt source               destination
>>>
>>> Chain FORWARD (policy ACCEPT)
>>> target     prot opt source               destination
>>>
>>> Chain OUTPUT (policy ACCEPT)
>>> target     prot opt source               destination
>>> ~# iptables -t nat -nL
>>> Chain PREROUTING (policy ACCEPT)
>>> target     prot opt source               destination
>>>
>>> Chain INPUT (policy ACCEPT)
>>> target     prot opt source               destination
>>>
>>> Chain OUTPUT (policy ACCEPT)
>>> target     prot opt source               destination
>>>
>>> Chain POSTROUTING (policy ACCEPT)
>>> target     prot opt source               destination
>>> ~#
>>> I tried to put some traffic into QUEUE with a command like: iptables -A
>>> INPUT -p udp -j QUEUE, but it has no effect on my main problem.
>>> I found just a few cases on the Internet where Snort was started in
>>> inline mode, and they do not abound in examples of how to set up iptables
>>> in conjunction with Snort... :-( Moreover, all of them differ
>>> depending on the Snort version.
>>>
>>>
>>> After starting Snort via command-line:
>>> ~# snort -Q -vv -i eth0:eth1 --daq afpacket -c /etc/snort/snort.conf
>>>
>>>
>>> After Snort received some tens of packets (mainly my SSH session to the
>>> server running Snort), both interfaces eth0 and eth1 became unavailable from
>>> outside (i.e. from ipvar EXTERNAL_NET !$HOME_NET), but I can still
>>> ping them from the server's console. Going further: when I tried to ping
>>> something outside through the server's interfaces, this also had no result.
>>> Nothing is accessible via the monitored interfaces.
>>>
>>> When I break the program's execution, the interfaces from outside and
>>> external destinations from inside continue to be inaccessible for some time
>>> (several minutes).
>>>
>>> Now I have two more or less clear questions:
>>> - how to start Snort in inline mode and avoid it hanging (main problem);
>>> - how to set up iptables, if the DAQ needs it.
>>>
>>> My future plan for Snort is to analyze and drop ONLY excessive SIP
>>> traffic (methods: REGISTER and INVITE) from certain IPs. For
>>> example, if there are many registrations per second (or per ten seconds;
>>> it does not matter). Such a traffic pattern must be "isolated" from the SIP
>>> registrar. The same story applies to INVITEs. Ideally, it would be perfect if
>>> Snort could add rules to iptables to block "rogue traffic" permanently!
>>> :-) As a rule (by my own observation), the "bad guys" always sit at the same
>>> IP addresses.
>>>
>>> Please, help... :-)
>>>
>
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort news!
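The SIP plan in the last quoted message (drop REGISTER and INVITE floods from a source while Snort runs inline over afpacket) can be written as Snort 2.9 rules with detection_filter. The fragment below is an added example, not code from the original post or from the Snort project. The registrar address 192.168.0.10, the SIDs 1000001 and 1000002, the thresholds, and the assumption that eth0 and eth1 are a bridged pair carrying no IP address of their own (with SSH on a separate management interface) are all assumptions made here, not anything stated on the page.

```snort
# --- snort.conf additions (Snort 2.9.x, inline over afpacket) ---
# Same effect as "-Q --daq afpacket" on the command line; the bridged pair
# is still given with "-i eth0:eth1". eth0/eth1 are assumed to have no IP
# address; management (SSH) is assumed to use a third interface.
config daq: afpacket
config daq_mode: inline
config policy_mode: inline

# The SIP registrar being protected (assumed address) and its port.
ipvar SIP_REGISTRAR 192.168.0.10
portvar SIP_PORTS 5060

# --- local.rules ---
# detection_filter suppresses the rule until a source exceeds "count"
# matches within "seconds", so ordinary re-registrations pass and only the
# excess packets are dropped. RFC 3261 methods are case-sensitive, so no
# nocase. "drop" only drops under -Q / daq_mode inline; otherwise it alerts.
drop udp $EXTERNAL_NET any -> $SIP_REGISTRAR $SIP_PORTS ( \
    msg:"SIP REGISTER flood from source, dropping"; \
    content:"REGISTER"; depth:8; \
    detection_filter: track by_src, count 20, seconds 10; \
    classtype:attempted-dos; sid:1000001; rev:1; )

drop udp $EXTERNAL_NET any -> $SIP_REGISTRAR $SIP_PORTS ( \
    msg:"SIP INVITE flood from source, dropping"; \
    content:"INVITE"; depth:6; \
    detection_filter: track by_src, count 10, seconds 10; \
    classtype:attempted-dos; sid:1000002; rev:1; )
```

Load the rules with include $RULE_PATH/local.rules, then validate the whole configuration with `snort -T -Q --daq afpacket -i eth0:eth1 -c /etc/snort/snort.conf` before going live. If the sip preprocessor is enabled in snort.conf, `sip_method:register;` can replace the content match. Snort 2.9 itself does not add iptables rules: an inline drop stops packets only while they pass through Snort's bridge, so blocking a source permanently needs something outside Snort that reads the alert log and calls iptables.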