[Snort-sigs] ftp rules

Al Lewis (allewi) allewi at ...3865...
Mon Oct 26 09:35:49 EDT 2015


Try running your test and dump the inline contents into a pcap file.

Use “--daq dump --daq-var load-mode=read-file -Q” which will create an “inline-out.pcap” file.

Check in that file to see if you are getting reset packets. The file is viewable with tcpdump.

The reset functionality works for me. See below.


[root at ...4076... snort-2.9.7.6-released]# ./bin/snort -c etc/TEST.conf --daq dump --daq-var load-mode=read-file -Q -r etc/10300.pcap -Acmg -U -H -k none -q

02/25-18:31:39.123456  [Drop] [**] [1:1000000:0] Reset TEST! [**] [Priority: 0] {TCP} 10.5.40.95:36884 -> 10.4.31.42:80
02/25-18:31:39.123456 00:1E:67:00:55:2E -> 00:15:C7:A1:11:40 type:0x800 len:0x4A
10.5.40.95:36884 -> 10.4.31.42:80 TCP TTL:64 TOS:0x0 ID:32233 IpLen:20 DgmLen:60 DF
******S* Seq: 0x95E0216F  Ack: 0x0  Win: 0x16D0  TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK TS: 347823238 0 NOP WS: 7

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+


[root at ...4076... snort-2.9.7.6-released]# tcpdump -n -r inline-out.pcap
reading from file inline-out.pcap, link-type EN10MB (Ethernet)
14:31:39.123456 IP 10.4.31.42.http > 10.5.40.95.36884: Flags [R.], seq 0, ack 2514493808, win 0, length 0
14:31:39.123456 IP 10.5.40.95.36884 > 10.4.31.42.http: Flags [R.], seq 0, ack 0, win 0, length 0


[root at ...4076... snort-2.9.7.6-released]# cat etc/TEST.conf | grep reject
reject tcp any any -> any any (msg:"Reset TEST!"; resp:reset_both; sid:1000000;)



Also note that if I change the rule to drop there are no packets in the inline-out.pcap since every packet is dropped and none allowed through the inline set.


Hope this helps.

Albert Lewis
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi at ...3865...
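As an added example (not part of Al's message or of Snort itself), the check above can also be done without tcpdump: a minimal pure-Python reader for a little-endian, Ethernet-linktype pcap such as inline-out.pcap that lists the TCP frames carrying RST. The file image it runs on is constructed here to mirror the two resets in the tcpdump output, plus one SYN that the check must ignore.

```python
"""Check a pcap image (such as Snort's inline-out.pcap) for TCP reset packets."""
import socket
import struct

TCP_SYN, TCP_RST, TCP_ACK = 0x02, 0x04, 0x10

def tcp_packets(pcap_bytes):
    """Yield (src, sport, dst, dport, flags) for each IPv4/TCP frame in a
    little-endian, Ethernet-linktype pcap file image (no scapy needed)."""
    magic, _, _, _, _, _, linktype = struct.unpack_from("<IHHiIII", pcap_bytes, 0)
    if magic != 0xA1B2C3D4 or linktype != 1:
        raise ValueError("expected a little-endian pcap with Ethernet frames")
    off = 24
    while off + 16 <= len(pcap_bytes):
        incl_len, = struct.unpack_from("<I", pcap_bytes, off + 8)
        frame = pcap_bytes[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                      # not IPv4/TCP over Ethernet
        ihl = (frame[14] & 0x0F) * 4
        tcp = frame[14 + ihl:]
        if len(tcp) < 20:
            continue                      # truncated TCP header
        sport, dport = struct.unpack_from("!HH", tcp, 0)
        yield (socket.inet_ntoa(frame[26:30]), sport,
               socket.inet_ntoa(frame[30:34]), dport, tcp[13])

def reset_packets(pcap_bytes):
    """Only the frames with RST set, like 'tcp[tcpflags] & tcp-rst != 0' in tcpdump."""
    return [p for p in tcp_packets(pcap_bytes) if p[4] & TCP_RST]

def _frame(src, sport, dst, dport, flags):
    """Build a minimal Ethernet/IPv4/TCP frame (checksums left zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 0, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp

def sample_pcap():
    """Constructed file image: the two resets from the thread's tcpdump output
    plus one SYN that a reset check must ignore."""
    frames = [_frame("10.5.40.95", 36884, "10.4.31.42", 80, TCP_SYN),
              _frame("10.4.31.42", 80, "10.5.40.95", 36884, TCP_RST | TCP_ACK),
              _frame("10.5.40.95", 36884, "10.4.31.42", 80, TCP_RST | TCP_ACK)]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out
```

To inspect a real capture, pass the bytes of inline-out.pcap to reset_packets(); an empty result with a reject rule means no reset was injected, and an empty file altogether is what a plain drop rule produces.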

From: santhoj san [mailto:santhojirulappan at ...2420...]
Sent: Monday, October 26, 2015 9:10 AM
To: Al Lewis (allewi)
Cc: Adonis Okpidi; snort-sigs at lists.sourceforge.net
Subject: Re: [Snort-sigs] ftp rules

I have included resp in the rule. But still it is not dropping the packet.

command used: sudo /usr/local/bin/snort -A console -d -Q -c /etc/snort/snort.conf -i eth0:wlan0
Network information:
eth0: 192.168.101.158/23
wlan0: 192.168.101.159/23

ipvar HOME_NET 192.168.101.158/23

Rules used:
drop icmp any any -> $HOME_NET any (msg:"ICMP test"; resp: icmp_port; sid:10000001; rev:001;)
drop tcp any any -> any any (msg:"FB drop"; appid:firefox mozilla; resp: rst_all; sid:10000003; rev:002;)
drop tcp any any -> any any (msg:"No skype 80"; appid:skype; resp: rst_all; sid:10000004; rev:003;)
drop tcp any any -> any any (msg:"No youtube"; appid:youtube; resp: rst_all; sid:10000006; rev:004;)
drop tcp any any -> any any (msg:"No Google"; appid:google; resp: rst_all; sid:10000007; rev:005;)

Can you please check whether these application packets are dropping for you?

I have configured snort in inline mode (IPS). DAQ as AFpacket mode.

Thanks & Regards
Santhoj Irulappan

On Fri, Oct 23, 2015 at 7:58 PM, Al Lewis (allewi) <allewi at ...3865...> wrote:
Take a look at the README.active file.

I think you are missing the “resp:<resp_t>;” in your rule.


Albert Lewis
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi at ...3865...

From: santhoj san [mailto:santhojirulappan at ...2420...]
Sent: Friday, October 23, 2015 9:32 AM
To: Adonis Okpidi

Cc: snort-sigs at lists.sourceforge.net
Subject: Re: [Snort-sigs] ftp rules

I am running snort in IPS mode only. Now changed the rule using reject instead of drop with different revision number for rules. I'm getting Drop alert in console but the packets are not dropped. I am able to access the application.

Rules:
reject tcp any any -> any any (msg:"No skype 80"; appid:skype; sid:10000004; rev:003;)
reject tcp any any -> any any (msg:"No youtube"; appid:youtube; sid:10000006; rev:004;)
reject tcp any any -> any any (msg:"No Google"; appid:google; sid:10000007; rev:005;)

Changes in snort.conf
config policy_mode:inline
config daq: afpacket
config daq_dir: /usr/local/lib/daq
config daq_mode: inline
config daq_var: buffer_size_mb=512

command line: sudo /usr/local/bin/snort -d -A console -u snort -g snort -c /etc/snort/snort.conf -i eth0:wlan0 -Q
Console Log:
Enabling inline operation
Running in IDS mode

        --== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file "/etc/snort/snort.conf"
...


Thanks & Regards
Santhoj Irulappan

On Fri, Oct 23, 2015 at 6:37 PM, Adonis Okpidi <adonisokpidi at ...2420...> wrote:
http://stackoverflow.com/questions/22126452/snort-ips-rule-reject-work-but-drop-and-sdrop-dont-work

Have a read through the answer as I'm sure it will help you with why it doesn't drop the packet because snort has to be run in inline mode which makes it act as an IPS. Because by default snort runs passively which makes it unable to drop the packets so change the settings in the snort.conf file. Let me know how you get on. And also you can use 'rev:1;' and 'rev:2;'

http://manual.snort.org/node31.html



Best Regards,
Adonis Okpidi


On 23 Oct 2015, at 05:35, santhoj san <santhojirulappan at ...2420...> wrote:
Ya I tried with drop. Still it is not dropping the packets. I used the below rule

drop tcp any any -> any any (msg:"No chrome"; appid:chrome; sid:10000004; rev:001;)
drop tcp any any -> any any (msg:"No skype"; appid:skype; sid:10000005; rev:001;)

Still I am able to access chrome, skype.

Thanks & Regards
Santhoj Irulappan

On Fri, Oct 23, 2015 at 12:50 AM, Adonis Okpidi <adonisokpidi at ...2420...> wrote:
You can use 'drop' instead of 'alert'

Best Regards,
Adonis Okpidi


On 22 Oct 2015, at 18:28, santhoj san <santhojirulappan at ...2420...> wrote:
Hi, Can anyone help me in how to make a rule to drop the packets.

Thanks & Regards
Santhoj Irulappan

On Thu, Oct 22, 2015 at 9:12 PM, Adam Ring <adam.ring at ...4072...> wrote:
Yea I just found out about the protocol-ftp rules.  Thanks.

From: Joel Esler (jesler) [mailto:jesler at ...3865...]
Sent: Thursday, October 22, 2015 11:42 AM
To: Adam Ring
Cc: snort-sigs at lists.sourceforge.net
Subject: Re: [Snort-sigs] ftp rules

Take a look at protocol-ftp.rules


--
Joel Esler
Manager, Talos Group



On Oct 22, 2015, at 8:55 AM, Adam Ring <adam.ring at ...4074...> wrote:

Hi I am new to snort and was trying to create an ftp rule.  I have downloaded the rules from the website, but in the ftp file there aren’t any rules in there.  I was wondering if that was supposed to be empty and if it is, is there a place where I can go to find some examples of ftp rules?

Adam Ring
IT Help Desk Technician
Office 703.677.9540

AOC Solutions | Solutions That Pay®




This e-mail and any attachments may contain confidential and privileged information. If you are not the intended recipient, please notify the sender immediately by return e-mail, delete this e-mail and attachments (if applicable) and destroy any copies. Any dissemination or use of this information by a person other than the intended recipient is unauthorized and strictly prohibited. You may be subject to confidentiality restrictions in an existing contract with AOC Solutions, Inc. As a result, you must protect the contents of this communication according to such terms and conditions.
------------------------------------------------------------------------------
_______________________________________________
Snort-sigs mailing list
Snort-sigs at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!




