[Snort-users] Problem with Snort-inline

ravivsn at ...9637...
Mon Feb 9 06:07:06 EST 2004


Aravind,
Check these:
 Did you run iptables to queue all (forward) packets to snort_inline?
 Did you enable ip_forward?
 From your snort_inline command, I feel you are logging to "./tmp" and
checking for logs in "/tmp".
 Check your /var/log/messages for any errors.
 For questions on snort_inline please post in the snort_inline mailing list :)
Cheers,
-Ravi
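As an added example (not code from this thread), a small POSIX sh pre-flight script that checks the three points in Ravi's list: a FORWARD rule jumping to QUEUE, ip_forward enabled, and where a relative "-l ./tmp" actually ends up. It assumes snort_inline 2.0.x fed by the iptables QUEUE target; the iptables-save samples are constructed.

```shell
#!/bin/sh
# Pre-flight checks for a snort_inline host, modelled on Ravi's checklist.
# Added example, not code from the thread. Assumes snort_inline 2.0.x fed by
# the iptables QUEUE target; the sample inputs below are constructed.

# Constructed iptables-save output: one host that queues forwarded packets
# to userspace, and one where the iptables command was never run.
SAMPLE_RULES_OK='*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -j QUEUE
COMMIT'
SAMPLE_RULES_MISSING='*filter
:FORWARD ACCEPT [0:0]
COMMIT'

# Returns 0 if the iptables-save text contains a FORWARD rule jumping to QUEUE.
has_forward_queue_rule() {
    printf '%s\n' "$1" | grep -Eq '^-A FORWARD( .*)? -j QUEUE( .*)?$'
}

# Returns 0 if the content of /proc/sys/net/ipv4/ip_forward (passed as text) is 1.
ip_forward_enabled() {
    [ "$(printf '%s' "$1" | tr -d '[:space:]')" = "1" ]
}

# snort_inline -l resolves a relative directory against the shell's cwd,
# so "-l ./tmp" started from /root writes to /root/tmp, not /tmp.
resolve_logdir() {
    case "$1" in
        /*) printf '%s\n' "$1" ;;
        *)  printf '%s/%s\n' "${2:-$(pwd)}" "${1#./}" ;;
    esac
}

# Runs all three checks on the supplied inputs; returns the number of failures.
preflight() {
    fails=0
    has_forward_queue_rule "$1" || { echo "FAIL: no FORWARD -j QUEUE rule"; fails=$((fails+1)); }
    ip_forward_enabled "$2" || { echo "FAIL: ip_forward is not 1"; fails=$((fails+1)); }
    echo "INFO: snort_inline will write logs under $(resolve_logdir "$3" "$4")"
    return $fails
}

# Live mode reads the real host state; run as: sh preflight.sh --live ./tmp
if [ "${1:-}" = "--live" ]; then
    preflight "$(iptables-save 2>/dev/null)" \
              "$(cat /proc/sys/net/ipv4/ip_forward)" "${2:-./tmp}" "$(pwd)"
fi
```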



> Hi all,
>
>      I am using Snort-inline version 2.0.2 (Build 92). My
> snort_inline.conf is below. I started snort-inline with the options
> below.
>
> ./snort_inline -Qvc ./snort_inline.conf -l ./tmp
>
>
> #
> # Honeynet snort_inline configuration file
> # Version 0.4
> # Last modified 29 March, 2003
> #
> # Standard Snort configuration file modified for inline
> # use.  Most preprocessors currently do not work in inline
> # mode, as such they are not included.
> #
> ### Network variables
> var HONEYNET 172.30.180.0/24
> var EXTERNAL_NET any
> ### Ports variables
> var SHELLCODE_PORTS !80
> var HTTP_PORTS 80
> var ORACLE_PORTS 1521
> ### Let's make sure we don't let bad packets out simply cause
> ### they have bad checksums.  If this is not here, packets with
> ### bad checksums could get out.
> config checksum_mode: none
>
> ### Preprocessors
> # usage guidelines:  if the plugin normalizes the packet so that the
> # detection engine can better interpret the data, the plugin can be
> # used with the snort_inline safely.  If the plugin itself makes
> # the alert decisions, then we have to modify it to drop packets.
> # Many false positives
> # preprocessor fnord
> # Done by IPTables
> # preprocessor frag2
> # preprocessor portscan
> # Not yet modified for snort_inline
> # preprocessor stream4: detect_scans
> # preprocessor stream4_reassemble
> # preprocessor asn1_decode
> # Enabled
> preprocessor http_decode: 80 unicode iis_alt_unicode double_encode iis_flip_slash full_whitespace
> preprocessor rpc_decode: 111 32771
> preprocessor telnet_decode
> preprocessor bo: -nobrute
> preprocessor conversation: allowed_ip_protocols all, timeout 60, max_conversations 32000
> ### Logging alerts of outbound attacks
> output alert_full: snort_inline-full
> output alert_fast: snort_inline-fast
> ### If you want to log the contents of the dropped packets, remove comment
> #output log_tcpdump: tcpdump.log
> ### Rules found in local directory
> var RULE_PATH /tmp
> ### Include classification & reference
> include $RULE_PATH/classification.config
> include $RULE_PATH/reference.config
> ### The Drop Rules
> # Enabled
> include $RULE_PATH/exploit.rules
> include $RULE_PATH/finger.rules
> include $RULE_PATH/ftp.rules
> include $RULE_PATH/telnet.rules
> include $RULE_PATH/rpc.rules
> include $RULE_PATH/rservices.rules
> include $RULE_PATH/dos.rules
> include $RULE_PATH/ddos.rules
> include $RULE_PATH/dns.rules
> include $RULE_PATH/tftp.rules
> include $RULE_PATH/web-cgi.rules
> include $RULE_PATH/web-coldfusion.rules
> include $RULE_PATH/web-iis.rules
> include $RULE_PATH/web-frontpage.rules
> include $RULE_PATH/web-misc.rules
> include $RULE_PATH/web-client.rules
> include $RULE_PATH/web-php.rules
> include $RULE_PATH/sql.rules
> include $RULE_PATH/x11.rules
> include $RULE_PATH/icmp.rules
> include $RULE_PATH/netbios.rules
> include $RULE_PATH/oracle.rules
> include $RULE_PATH/mysql.rules
> include $RULE_PATH/snmp.rules
> include $RULE_PATH/smtp.rules
> include $RULE_PATH/imap.rules
> include $RULE_PATH/pop3.rules
> include $RULE_PATH/pop2.rules
> include $RULE_PATH/web-attacks.rules
> include $RULE_PATH/virus.rules
> include $RULE_PATH/nntp.rules
> ### Disabled
> # include $RULE_PATH/other-ids.rules
> # include $RULE_PATH/backdoor.rules
> # include $RULE_PATH/shellcode.rules
> # include $RULE_PATH/policy.rules
> # include $RULE_PATH/porn.rules
> # include $RULE_PATH/info.rules
> # include $RULE_PATH/icmp-info.rules
> # include $RULE_PATH/chat.rules
> # include $RULE_PATH/multimedia.rules
> # include $RULE_PATH/p2p.rules
> # include $RULE_PATH/experimental.rules
> # include $RULE_PATH/local.rules
> # include $RULE_PATH/bad-traffic.rules
> # include $RULE_PATH/attack-responses.rules
> # include $RULE_PATH/scan.rules
> # include $RULE_PATH/misc.rules
>
>
> My setup is like this :
>
>
>   NESSUS                 SNORT-INLINE                   TARGET MACHINE
> <10.1.10.1>------<10.1.10.2    172.30.180.212>------<172.30.180.99>
>
> I am running Nessus on 10.1.10.1 with all checks enabled. After starting
> Nessus, snort-inline is not detecting any packet after getting the
> following packet.
>
> 02/09-17:05:00.360000 10.1.10.1:33771 -> 172.30.180.99:69
> PROTO017 TTL:63 TOS:0x0 ID:4896 IpLen:20 DgmLen:50 DF
> Len: 22
>
>
> I tried 4 times but the same situation happens. Why is it not detecting
> anything after getting the above packet? Also, why are packets not being
> logged in the /tmp directory?
>
> Thanks in advance,
> Aravind.
>