[Snort-users] new user - snort is not droping pacekts

lokesh.khanna at ...13040... lokesh.khanna at ...13040...
Tue Feb 15 07:55:35 EST 2005


But can I use Flexresp or flexresp2 with snort to drop packets?
Will that do the same job that snort-inline does and drop packets?

Cordially,
LK

-----Original Message-----
From: Chris Vaughan [mailto:chrisv at ...12963...] 
Sent: 15 February 2005 16:51
To: Lokesh Khanna; Alex.Butcher at ...11254...;
snort-users at lists.sourceforge.net
Subject: RE: [Snort-users] new user - snort is not droping pacekts

If you aren't running snort-inline, you aren't dropping packets. You are
simply monitoring and logging data for later analysis.  When not running
inline, snort is an Intrusion *Detection* System, not an Intrusion
*Prevention* system.

 -----Original Message-----
From: 	lokesh.khanna at ...13040...
[mailto:lokesh.khanna at ...13040...] 
Sent:	Tuesday, February 15, 2005 10:18 AM
To:	Chris Vaughan; Alex.Butcher at ...11254...;
snort-users at lists.sourceforge.net
Subject:	RE: [Snort-users] new user - snort is not droping pacekts

But if you use snort and connect your IDS server to a span port, it is
going to drop genuine packets also, along with hacking-attempt packets.

For example, if you have an attack on port 25 from one IP address, Snort
will see that IP address and, using some other program, it will call an
access-list or iptables to drop any packet from that IP address to that
particular destination on port 25. However, there may be another packet
using the same source and destination IP at the same time (or after a few
seconds) which is not a hacking attempt on port 25. Will snort not drop
that genuine packet also? If yes, then is it a good solution?

Cordially,
LK

-----Original Message-----
From: Chris Vaughan [mailto:chrisv at ...12963...] 
Sent: 15 February 2005 16:10
To: Lokesh Khanna; Alex.Butcher at ...11254...;
snort-users at lists.sourceforge.net
Subject: RE: [Snort-users] new user - snort is not droping pacekts

Snort-inline is exactly that, it must be inline between the host you
want to monitor, and the network. If you want to monitor traffic from a
span port on a switch, or from a passive Ethernet tap, or you just don't
want to introduce another point of failure in your network, you use
snort.

 -----Original Message-----
From: 	snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net]  On Behalf Of
lokesh.khanna at ...13040...
Sent:	Tuesday, February 15, 2005 10:07 AM
To:	Alex.Butcher at ...11254...; snort-users at lists.sourceforge.net
Subject:	RE: [Snort-users] new user - snort is not droping pacekts

Hi

Thanks again.

If I understand correctly, snort-inline is capable of sending a TCP RST to
drop the session. So it will only drop hacking-attempt packets (depending
on signature). It will not drop genuine packets from the same host. This is
how manhunt works.

Secondly I don't understand why people use Snort instead of
snort-inline.
What are advantages and disadvantages of using snort and snort-inline?

Cordially,
LK

-----Original Message-----
From: Alex Butcher, ISC/ISYS [mailto:Alex.Butcher at ...11254...] 
Sent: 15 February 2005 14:39
To: Lokesh Khanna; snort-users at lists.sourceforge.net
Subject: RE: [Snort-users] new user - snort is not droping pacekts



--On 15 February 2005 10:47 +0100 lokesh.khanna at ...13040... wrote:

> Thanks again for reply.
> But it is confusing me more. As per my knowledge I can not set a rule
> using IPCHAIN which will drop packets based on content in the packet.
>
> What I am able to understand is if I use IDS in INLINE mode, IDS will
> act as a router and based on alerts, IDS will insert rules in IPTABLE.

See <http://www.snort.org/docs/snort_manual/node7.html>

Essentially, when running in inline mode, Snort can either cause the
*packet* matching a rule to be dropped (with or without logging), or it can
reject the packet (using TCP RST or ICMP dest unreachable packets) so as to
terminate the session.

Snort running in inline mode won't blacklist all traffic from
alert-generating hosts, unless you use flexresp or snortsam to tie it in
with a firewall (be that iptables/netfilter, Cisco, or FW-1).

> I can have a genuine traffic from an IP address and virus traffic from
> same IP address. So content of that packet will define if packet should
> drop or it should not. How IPCHAIN will handle this?

To be honest, this perhaps isn't the best place to ask about snort
inline - I haven't used it, so everything I've told you has come from
reading the snort manual, <http://snort-inline.sourceforge.net/index.html>
and <http://sourceforge.net/projects/snort-inline/>.

> Cordially,
>
> LK

HTH,
Alex.

>
> -----Original Message-----
> From: Alex Butcher, ISC/ISYS [mailto:Alex.Butcher at ...11254...]
> Sent: 15 February 2005 10:34
> To: Lokesh Khanna; snort-users at lists.sourceforge.net
> Subject: RE: [Snort-users] new user - snort is not droping pacekts
>
>
>
> --On 15 February 2005 10:23 +0100 lokesh.khanna at ...13040... wrote:
>
>> I remember in RealSecure or manhunt, I used to configure a port in
>> mirroring mode on switch and I put IDS on that port. All our traffic was
>> going through that mirrored port. Based on rules defined in IDS, it was
>> dropping / logging packets.
>
> Logging, yes, but those products would only have been dropping (i.e.
> blocking, rejecting) packets if they were interacting with a firewall or
> router in some way (or they were running in some kind of IPS mode, which
> you seem to indicate was not the case).
>
>> If I understand correctly, do I need to pass all traffic through IDS
>> box.
>
> If you're using inline mode, yes, the snort machine will be acting as a
> router (actually an Intrusion _Prevention_ System or IPS). See
> <http://snort-inline.sourceforge.net/> and README.INLINE for more info on
> inline mode. Note that 2.3.0 integrates the inline stuff IIRC.
>
>> IDS will act as a router also. And based on alerts, IDS will make
>> modification in IPCHAIN and will drop or allow packets.
>
> See the above site for the details.
>
>> Or is there any other way out? How can I find out documents on this?
>
> <http://www.snortsam.net/> and README.FLEXRESP and README.FLEXRESP2 in the
> snort docs.
>
>> Cordially,
>> LK
>
> Best Regards,
> Alex.



-- 
Alex Butcher: Security & Integrity, Personal Computer Systems Group
Information Systems and Computing             GPG Key ID: F9B27DC9
GPG Fingerprint: D62A DD83 A0B8 D174 49C4 2849 832D 6C72 F9B2 7DC9
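The trade-off argued back and forth in this thread (a per-packet verdict from an inline sensor versus a passive sensor on a span port that reacts by asking a firewall to block the offending source) can be made concrete with a small simulation. The script below is an added illustration and is not code from Snort, snort-inline, flexresp or snortsam; a Snort rule's content match is stood in for by a plain substring test, and the addresses, ports, signature string and packets are all constructed for the example.

```python
"""Toy comparison of inline per-packet dropping vs. reactive IP blocking.

Added illustration for the snort vs. snort-inline discussion; not Snort code.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes
    malicious: bool  # ground truth, used only to score the outcome


# Hypothetical signature standing in for a Snort rule with a "content" option.
SIGNATURE_PORT = 25
SIGNATURE_CONTENT = b"EXPLOIT"


def matches_signature(pkt: Packet) -> bool:
    return pkt.dport == SIGNATURE_PORT and SIGNATURE_CONTENT in pkt.payload


def inline_drop(packets):
    """snort-inline style: every packet passes through the sensor and is judged
    on its own content, so only the matching packet is dropped."""
    forwarded, dropped = [], []
    for p in packets:
        (dropped if matches_signature(p) else forwarded).append(p)
    return forwarded, dropped


def reactive_blacklist(packets):
    """Passive sensor on a span port plus a firewall tie-in (snortsam style):
    the sensor only sees a copy, so the triggering packet has already gone by
    when the alert fires; the firewall then blocks the (src, dst, dport) tuple
    for every later packet, genuine or not."""
    blocked = set()
    forwarded, dropped = [], []
    for p in packets:
        key = (p.src, p.dst, p.dport)
        if key in blocked:
            dropped.append(p)
            continue
        forwarded.append(p)        # passive sensor cannot stop this one
        if matches_signature(p):
            blocked.add(key)       # reaction only affects subsequent packets
    return forwarded, dropped


def score(forwarded, dropped):
    """Return (genuine packets wrongly dropped, malicious packets that got through)."""
    collateral = sum(1 for p in dropped if not p.malicious)
    leaked = sum(1 for p in forwarded if p.malicious)
    return collateral, leaked


# Constructed sample traffic: one host interleaves legitimate SMTP with an attack.
SAMPLE = [
    Packet("10.0.0.5", "192.0.2.10", 25, b"EHLO mail.example\r\n", False),
    Packet("10.0.0.5", "192.0.2.10", 25, b"MAIL FROM:<a@example>\r\n", False),
    Packet("10.0.0.5", "192.0.2.10", 25, b"EXPLOIT ...", True),
    Packet("10.0.0.5", "192.0.2.10", 25, b"RCPT TO:<b@example>\r\n", False),
    Packet("10.0.0.5", "192.0.2.10", 25, b"DATA\r\n", False),
    Packet("10.0.0.5", "192.0.2.10", 80, b"GET / HTTP/1.0\r\n", False),
]


def compare(packets=SAMPLE):
    """Score both response styles on the same packet stream."""
    return {
        "inline": score(*inline_drop(packets)),
        "reactive": score(*reactive_blacklist(packets)),
    }


if __name__ == "__main__":
    for mode, (collateral, leaked) in compare().items():
        print(f"{mode:9s} genuine dropped={collateral}  malicious passed={leaked}")
```

On the constructed stream the inline sensor drops exactly the one matching packet and nothing else, while the reactive firewall block lets the attack packet itself through and then discards the two genuine SMTP packets that follow on the same source/destination/port tuple (the port 80 request survives only because the block key includes the destination port). That is the collateral damage LK asks about, and it is why Alex distinguishes inline drop/reject of the matching packet from a flexresp or snortsam tie-in that blacklists the host.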