[Snort-users] snort inline behavior

Stephan Scholz sscholz at ...9753...
Wed Nov 26 01:11:06 EST 2003


If you add a QUEUE rule to iptables, you have to make sure that a process
is actually listening to the ip_queue. Otherwise netfilter actually waits
until a process picks up the packets.

There is another issue. As soon as snort_inline has decided whether to drop
or accept a packet, the following iptables rules are not being used anymore.
The decision whether to accept or drop a packet is solely made in snort then.
This way you can have the problem that your packet filter ruleset becomes ineffective.

If you still have trouble with dropped connections, check the snort log file.
The current ruleset is designed for intrusion *detection*, and if you changed
all the rules to "drop", then you might drop harmless traffic, too.

Stephan

> First, thanks to all for the help on getting the right inline version
> running.
> 
> I went through my firewall script and every '-j ACCEPT' I had, I changed to
> '-j QUEUE' and re-built my iptables chains.  Did `insmod ip_queue`, loaded
> fine.  Started up snort_inline with '-DQ -l ... -c ...'.  Everything looked
> fine.  After a couple of minutes I decided instead of -D (daemon) I'd rather
> see a little output to make sure it was seeing packets as expected.  I was
> ssh'ed into the box so I figured my iptables "ESTABLISHED,RELATED -j QUEUE"
> entry should show a lot of ssh packets.  I do a `kill` on the snort_inline
> pid and suddenly my ssh connection goes dead - I'm waiting for it to timeout
> now.  In the meantime I've tried to re-ssh back into the box, but they just
> time out.
> 
> I'm wondering if this is some weird deal that if you don't have someone
> running on QUEUE that the packets never get ACCEPTed and by shutting snort
> down I just shot myself in the foot.
> 
> I'm going to go ahead and set up another box (that one is 1hr away, and the
> tech guy will arrive in the morning and I'll walk him through changing QUEUE
> back to ACCEPT and restarting the firewall...) and get it tested locally
> where if it breaks I can fix it easily.
> 
> In the meantime I was wondering if you guys could lend your experience
> here.  Does killing snort_inline while it's watching the QUEUE break any
> connections that are getting -j QUEUEed?  What happened here?
> 
> Thanks!


-- 
Stephan Scholz <sscholz at ...9753...> | Development
Astaro AG | www.astaro.com | Phone +49-721-490069-0 | Fax -55
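
An added example, not from this thread or from snort_inline itself, of the
safer way to bring up a QUEUE-based ruleset on a box you can only reach over
SSH. It applies Stephan's two points: only the traffic you actually want
snort_inline to judge is sent to QUEUE (here the FORWARD chain), so the
management SSH session never depends on a userspace listener being alive, and
QUEUE is placed last in its chain because it is a terminating target and
nothing after it runs. It also adds a dead-man switch: the live ruleset is
saved and a background restore is scheduled, so if you do lock yourself out
the old rules come back on their own. The admin network (192.0.2.0/24), the
snapshot path, the timeout and the script's subcommand names are assumptions
for the example and should be adjusted; the script needs root and a
reasonably current iptables-save/iptables-restore.

```shell
#!/bin/sh
# Added example (not the thread's or the project's code): load an iptables
# ruleset that hands FORWARD traffic to snort_inline via QUEUE without
# cutting off the admin's SSH session. Values below are assumptions.
ADMIN_NET="${ADMIN_NET:-192.0.2.0/24}"            # where admin SSH comes from
SNAPSHOT="${SNAPSHOT:-/tmp/iptables.before-queue}" # saved pre-change ruleset
ROLLBACK_SECS="${ROLLBACK_SECS:-300}"             # dead-man switch timeout

# Print the new ruleset in iptables-restore format. Management access is a
# plain ACCEPT in INPUT; the box's own INPUT/OUTPUT chains never use QUEUE,
# so killing (or never starting) snort_inline cannot drop the admin session.
emit_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# management access stays on ACCEPT and is matched before any QUEUE rule
-A INPUT -i lo -j ACCEPT
-A INPUT -s $ADMIN_NET -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# only forwarded traffic is inspected; QUEUE is a terminating target, so
# it goes last: any rule placed after it in this chain would never run
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -j QUEUE
COMMIT
EOF
}

# Line number of the first emitted rule matching pattern $1 (empty if none).
rule_pos() {
    emit_rules | grep -n -- "$1" | head -n 1 | cut -d: -f1
}

# Self-check before touching the kernel: the SSH ACCEPT must come before the
# first QUEUE target, and QUEUE must not appear in INPUT or OUTPUT at all.
check_rules() {
    ssh_pos=$(rule_pos '-A INPUT .*--dport 22 -j ACCEPT')
    queue_pos=$(rule_pos '-j QUEUE')
    [ -n "$ssh_pos" ] || return 1
    [ -n "$queue_pos" ] || return 1
    [ "$ssh_pos" -lt "$queue_pos" ] || return 1
    emit_rules | grep -Eq -- '^-A (INPUT|OUTPUT) .*-j QUEUE' && return 1
    return 0
}

# Apply with a dead-man switch: save the live ruleset, schedule its restore,
# load the new rules. Cancel the restore only after a fresh SSH login works.
apply_rules() {
    check_rules || { echo "refusing to apply: ruleset fails self-check" >&2; return 1; }
    iptables-save > "$SNAPSHOT" || return 1
    ( sleep "$ROLLBACK_SECS" && iptables-restore < "$SNAPSHOT" ) &
    echo $! > "$SNAPSHOT.rollback-pid"
    emit_rules | iptables-restore
}

# Run from the new session once you have confirmed access; kills the rollback.
confirm_rules() {
    kill "$(cat "$SNAPSHOT.rollback-pid")" 2>/dev/null
    rm -f "$SNAPSHOT.rollback-pid"
}

case "${1:-}" in
    show)    emit_rules ;;
    check)   check_rules && echo "ruleset ok" ;;
    apply)   apply_rules ;;
    confirm) confirm_rules ;;
esac
```

Typical sequence on the remote box: `./queue-rules.sh check`, then `apply`
from the existing session, start snort_inline, open a second SSH session, and
only then `confirm`. If the second login fails, do nothing: the scheduled
iptables-restore puts the previous ruleset back when the timeout expires.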