[Snort-users] Configuration issue, Part II

John Sage jsage at ...2022...
Mon Sep 24 07:22:02 EDT 2001


Let's see...

*rummages around in logs*

Erek Adams wrote:

> On Mon, 24 Sep 2001, John Sage wrote:
> 
>>Although I think Erek has something going with the real issue, here,
>>questioning how *two* external interfaces are to work...
>>
> Well, you've really got two options running under Linux.  -i any and running
> two instances of snort, one for each interface.
> 
> [...snip...]
> 
>>...let me say that this is *not* what I see.
>>
> 
> Hrm....
> 
>>With snort 1.8.1-RELEASE build 74, and ipchains 1.3.9 (I know, I know..)
>>on RHL 6.2, ipchains quite busily DENY's or ACCEPT's as appropriate, and
>>snort happily logs everything, DENY'ed or not.
>>
>>Maybe if Marty or someone is lurking, they can comment on what the FAQ says:
>>
>><snip>
>>Q: Snort is behind a firewall (ipf/pf/ipchains/ipfilter) and awfully
>>quiet...
>>
>>A: Your firewall rules will also block traffic to the snort processes.
>><snip>
>>
>>and how that reconciles with what I'm seeing.
>>
>>I'm running snort thus:
>>
>>snortREL -b -i ppp0 -c /usr/local/snort-1.8.1-RELEASE/snortREL.conf &
>>
>>and my snortREL.conf points at my rules files that essentially log
>>everything.
>>
> 
> Do you actually see packets with snort that should have been denied by the
> firewall?  IOW, if you setup a firewall rule to deny all traffic from an
> external site, say route-server.cerf.net, and then tried to send traffic from
> the blocked site back into your net, does your snort box see it?  According to
> everything we've seen so far, it shouldn't.  If you can, we'd love more info
> on it!


Ah! Here we go!

snort:
[**] [1:0:0] TCP to 111 sunrpc [**]
09/23-08:38:33.200899 211.234.99.8:1180 -> 12.82.129.113:111
TCP TTL:50 TOS:0x0 ID:57715 IpLen:20 DgmLen:60 DF
******S* Seq: 0x5F3001C2  Ack: 0x0  Win: 0x7D78  TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK TS: 20829501 0 NOP WS: 0

syslog via logcheck, from snort and ipchains:
Security Violations
=-=-=-=-=-=-=-=-=-=
Sep 23 08:38:33 greatwall snort: [1:0:0] TCP to 111 sunrpc {TCP} 
211.234.99.8:1180 -> 12.82.129.113:111
Sep 23 08:38:33 greatwall kernel: Packet log: input DENY ppp0 PROTO=6 
211.234.99.8:1180 12.82.129.113:111 L=60 S=0x00 I=57715 F=0x4000 T=50 
SYN (#58)

Unusual System Events
=-=-=-=-=-=-=-=-=-=-=
Sep 23 08:38:33 greatwall snort: [1:0:0] TCP to 111 sunrpc {TCP} 
211.234.99.8:1180 -> 12.82.129.113:111
Sep 23 08:38:33 greatwall kernel: Packet log: input DENY ppp0 PROTO=6 
211.234.99.8:1180 12.82.129.113:111 L=60 S=0x00 I=57715 F=0x4000 T=50 
SYN (#58)

<time passes>

snort:
[**] [1:0:0] TCP to 80 http [**]
09/23-09:16:59.486532 12.82.128.150:3737 -> 12.82.129.113:80
TCP TTL:126 TOS:0x0 ID:23129 IpLen:20 DgmLen:48 DF
******S* Seq: 0xD7345D22  Ack: 0x0  Win: 0x2238  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

[**] [1:0:0] TCP to 80 http [**]
09/23-09:17:02.506834 12.82.128.150:3737 -> 12.82.129.113:80
TCP TTL:126 TOS:0x0 ID:23493 IpLen:20 DgmLen:48 DF
******S* Seq: 0xD7345D22  Ack: 0x0  Win: 0x2238  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

Security Violations
=-=-=-=-=-=-=-=-=-=
Sep 23 09:16:59 greatwall snort: [1:0:0] TCP to 80 http {TCP} 
12.82.128.150:3737 -> 12.82.129.113:80
Sep 23 09:17:02 greatwall snort: [1:0:0] TCP to 80 http {TCP} 
12.82.128.150:3737 -> 12.82.129.113:80
Sep 23 09:16:59 greatwall kernel: Packet log: input DENY ppp0 PROTO=6 
12.82.128.150:3737 12.82.129.113:80 L=48 S=0x00 I=23129 F=0x4000 T=126 
SYN (#58)
Sep 23 09:17:02 greatwall kernel: Packet log: input DENY ppp0 PROTO=6 
12.82.128.150:3737 12.82.129.113:80 L=48 S=0x00 I=23493 F=0x4000 T=126 
SYN (#58)

Unusual System Events
=-=-=-=-=-=-=-=-=-=-=
Sep 23 09:16:59 greatwall snort: [1:0:0] TCP to 80 http {TCP} 
12.82.128.150:3737 -> 12.82.129.113:80
Sep 23 09:17:02 greatwall snort: [1:0:0] TCP to 80 http {TCP} 
12.82.128.150:3737 -> 12.82.129.113:80
Sep 23 09:16:59 greatwall kernel: Packet log: input DENY ppp0 PROTO=6 
12.82.128.150:3737 12.82.129.113:80 L=48 S=0x00 I=23129 F=0x4000 T=126 
SYN (#58)
Sep 23 09:17:02 greatwall kernel: Packet log: input DENY ppp0 PROTO=6 
12.82.128.150:3737 12.82.129.113:80 L=48 S=0x00 I=23493 F=0x4000 T=126 
SYN (#58)

<same sorta crap goes on for hours...>


Realize, again, that this is snort and ipchains running on the same box.

Dialup, ppp...

Command line:

snortREL -b -i ppp0 -c /usr/local/snort-1.8.1-RELEASE/snortREL.conf &


- John

-- 
John Sage
FinchHaven, Vashon Island, WA, USA
http://www.finchhaven.com/
mailto:jsage at ...2022...
"The web is so, like, five minutes ago..."
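Added example (not part of the original post or of snort): a small correlator that reads the two syslog formats shown above, snort's syslog alert line and the ipchains "Packet log" kernel line, and pairs each alert with a DENY for the same flow within a few seconds. The point of the post is that snort on the same box logs a packet even though ipchains denies it (consistent with libpcap getting its copy of each frame before the input chain rules it on), so an alert by itself does not tell you whether the packet got through; matching it to the kernel log does. The sample lines are constructed from the post's log excerpts, rewrapped onto single lines, plus one made-up alert with no matching DENY (192.0.2.77) to stand in for a packet the firewall let through; the syslog year (2001) is an assumption, since syslog timestamps carry none.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the flows from the post, joined onto one line each,
# plus a final constructed alert (192.0.2.77) that has no DENY line at all.
SAMPLE_SYSLOG = """\
Sep 23 08:38:33 greatwall snort: [1:0:0] TCP to 111 sunrpc {TCP} 211.234.99.8:1180 -> 12.82.129.113:111
Sep 23 08:38:33 greatwall kernel: Packet log: input DENY ppp0 PROTO=6 211.234.99.8:1180 12.82.129.113:111 L=60 S=0x00 I=57715 F=0x4000 T=50 SYN (#58)
Sep 23 09:16:59 greatwall snort: [1:0:0] TCP to 80 http {TCP} 12.82.128.150:3737 -> 12.82.129.113:80
Sep 23 09:17:02 greatwall snort: [1:0:0] TCP to 80 http {TCP} 12.82.128.150:3737 -> 12.82.129.113:80
Sep 23 09:16:59 greatwall kernel: Packet log: input DENY ppp0 PROTO=6 12.82.128.150:3737 12.82.129.113:80 L=48 S=0x00 I=23129 F=0x4000 T=126 SYN (#58)
Sep 23 09:17:02 greatwall kernel: Packet log: input DENY ppp0 PROTO=6 12.82.128.150:3737 12.82.129.113:80 L=48 S=0x00 I=23493 F=0x4000 T=126 SYN (#58)
Sep 23 09:20:11 greatwall snort: [1:0:0] TCP to 80 http {TCP} 192.0.2.77:40001 -> 12.82.129.113:80
"""

# snort 1.8.x syslog alert: "snort: [gid:sid:rev] msg {PROTO} src:sport -> dst:dport"
SNORT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ snort: \[(?P<sid>[\d:]+)\] (?P<msg>.*?) "
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)
# ipchains 1.3.x kernel log: "Packet log: <chain> <verdict> <iface> PROTO=n src:sport dst:dport L= S= I= F= T= ..."
IPCHAINS_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: Packet log: (?P<chain>\w+) (?P<verdict>\w+) "
    r"(?P<iface>\S+) PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<len>\d+) S=0x[0-9a-fA-F]+ I=(?P<ipid>\d+) F=0x[0-9a-fA-F]+ T=(?P<ttl>\d+)(?P<rest>.*)$"
)

ASSUMED_YEAR = 2001  # assumption: syslog lines carry no year; the post is from Sep 2001


def _parse_ts(text):
    # strptime defaults the year to 1900; pin it so deltas across months stay sane
    return datetime.strptime(text, "%b %d %H:%M:%S").replace(year=ASSUMED_YEAR)


def _flow(e):
    return (e["src"], e["sport"], e["dst"], e["dport"])


def correlate(syslog_text, window_seconds=2):
    """Pair each snort alert with the nearest unused ipchains DENY for the same
    4-tuple within window_seconds. Returns one dict per alert, in log order."""
    alerts, denies = [], defaultdict(list)
    for line in syslog_text.splitlines():
        line = line.rstrip()
        m = SNORT_RE.match(line)
        if m:
            alerts.append(dict(m.groupdict(), ts=_parse_ts(m["ts"])))
            continue
        m = IPCHAINS_RE.match(line)
        if m and m["verdict"] == "DENY":
            d = dict(m.groupdict(), ts=_parse_ts(m["ts"]), used=False)
            denies[_flow(d)].append(d)

    results = []
    for a in alerts:
        best = None
        for d in denies.get(_flow(a), []):
            if d["used"]:
                continue  # each DENY explains at most one alert
            delta = abs((d["ts"] - a["ts"]).total_seconds())
            if delta <= window_seconds and (best is None or delta < best[0]):
                best = (delta, d)
        row = {"msg": a["msg"], "src": a["src"], "dst": a["dst"], "dport": int(a["dport"])}
        if best:
            best[1]["used"] = True
            row.update(blocked=True, ipid=int(best[1]["ipid"]), iface=best[1]["iface"])
        else:
            row.update(blocked=False, ipid=None, iface=None)
        results.append(row)
    return results


def summarize(results):
    """Split alerts into 'seen but denied by the firewall' and 'seen, no DENY logged'."""
    denied = sum(1 for r in results if r["blocked"])
    return {"seen_and_denied": denied, "seen_not_denied": len(results) - denied}


if __name__ == "__main__":
    rows = correlate(SAMPLE_SYSLOG)
    for r in rows:
        state = "DENIED by ipchains (IP ID %s)" % r["ipid"] if r["blocked"] else "no DENY logged"
        print("%-20s %s -> %s:%d  %s" % (r["msg"], r["src"], r["dst"], r["dport"], state))
    print(summarize(rows))
```

The alerts that pair with a DENY are exactly the situation John describes: snort logged the SYN and ipchains dropped the same packet (same ports, same second, and the IP ID in the kernel line matches the `ID:` field in snort's full alert). The one alert with no DENY is the kind worth looking at first, since nothing in the kernel log says the firewall stopped it.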
