[Snort-users] Snort Inline

Xavier Cabrera xavierc at ...12882...
Mon Jun 6 15:17:12 EDT 2005


Hi all, look at this:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
QUEUE      tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:10000
QUEUE      tcp  --  0.0.0.0/0            0.0.0.0/0           tcp spts:1:65535 dpt:80
QUEUE      icmp --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
QUEUE      tcp  --  0.0.0.0/0            0.0.0.0/0           tcp spt:10000
QUEUE      tcp  --  0.0.0.0/0            0.0.0.0/0           tcp spt:80 dpts:1:65535
QUEUE      icmp --  0.0.0.0/0            0.0.0.0/0


From another server, ping is picked up by snort_inline and stopped by the
LARGE ICMP rule:

xavierc@ [~]# ping x.x.x.x
PING 207.58.187.4 (207.58.187.4) 56(84) bytes of data.
64 bytes from x.x.x.x: icmp_seq=1 ttl=62 time=0.481 ms

xavierc@ [~]# ping x.x.x.x -s 1000
PING x.x.x.x (x.x.x.x) 1000(1028) bytes of data.
^C
--- x.x.x.x ping statistics ---
5 packets transmitted, 0 received, 100% packet loss, time 4018ms


But for HTTP it doesn't work:

 xavierc at ...13351... [~]# telnet x.x.x.x 80
Trying x.x.x.x...

With other ports it WORKS!!!

xavierc at ...13351... [~]# telnet x.x.x.x 10000
Trying x.x.x.x...
Connected to x.x.x.x.
Escape character is '^]'.

The rule again is:

drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"XavierC  Try to stop http DOS Attack"; threshold: type both, track by_src, count 20, seconds 1; classtype:misc-activity; sid:3000000; rev:1;)

And with the rule commented out, I can't connect to the port :(



Will, thanks for your tip; it doesn't work either.

"config checksum_mode: none"


I have this in the alert log:

06/06-18:09:46.385165  [**] [1:3000000:1] XavierC  Try to stop http DOS Attack [**] [Classification: Misc activity] [Priority: 3] {TCP} 10.80.98.7:2095 -> x.x.x.x:80
06/06-18:10:09.834341  [**] [116:47:1] (snort_decoder) WARNING: TCP Header length exceeds packet length! [**] {TCP} 192.168.0.30:0 -> x.x.x.x:0

I think this log shows there is some kind of communication between snort
and iptables, but good connections are dropped too and don't appear in the
log.... For example, the machine I made the telnet from doesn't appear;
even when the rule is uncommented I can't connect to port 80....
Some preprocessor, maybe?

Thanks for any help... I'm going crazy...
Regards

Xavier C.


Will Metcalf wrote:

>Xavier,
>
>Darn checksums, try setting this in your snort.conf
>
>config checksum_mode: none
>
>Regards,
>
>Will
>On 6/6/05, Xavier Cabrera <xavierc at ...12882...> wrote:
>  
>
>>I put your line in my iptables.. and it doesn't work...  ICMP works fine for
>>me. Are there some other reasons you can think of?
>>
>>Thanks...
>>
>>Xavier C.
>>
>>Victor Julien wrote:
>>
>>    
>>
>>>On Monday 06 June 2005 21:14, Xavier Cabrera wrote:
>>>
>>>
>>>      
>>>
>>>>Hello:
>>>>
>>>>Does anyone have a rule to stop a DoS attack on Apache with snort_inline?
>>>>
>>>>I have this rule:
>>>>
>>>>drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"XavierC  Try
>>>>to stop http DOS Attack";  flags:S; threshold: type both, track by_src,
>>>>count 5, seconds 1; classtype:misc-activity; sid:3000000; rev:1;)
>>>>
>>>>and this on iptables table INPUT:
>>>>
>>>>QUEUE      tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80
>>>>
>>>>
>>>>
>>>>        
>>>>
>>>Snort_inline needs to see the outgoing traffic as well, so add the following
>>>iptables rule:
>>>'iptables -A OUTPUT -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 --sport 80 -j QUEUE'
>>>
>>>Now it should work!
>>>
>>>Regards,
>>>Victor
>>>
>>>
>>>
>>>
>>>      
>>>
>>>>It seems to stop some connections:
>>>>
>>>>
>>>>
>>>>But when I want to make a real connection from a good IP I can't see the
>>>>website....... and no log appears for the good IP!!!
>>>>
>>>>What can be happening?
>>>>
>>>>Thanks everyone.
>>>>
>>>>Xavier C.
>>>>
>>>>
>>>>
>>>>-------------------------------------------------------
>>>>This SF.Net email is sponsored by: NEC IT Guy Games.  How far can you
>>>>shotput a projector? How fast can you ride your desk chair down the office
>>>>luge track? If you want to score the big prize, get to know the little guy.
>>>>Play to win an NEC 61" plasma display: http://www.necitguy.com/?r=20
>>>>_______________________________________________
>>>>Snort-users mailing list
>>>>Snort-users at lists.sourceforge.net
>>>>Go to this URL to change user options or unsubscribe:
>>>>https://lists.sourceforge.net/lists/listinfo/snort-users
>>>>Snort-users list archive:
>>>>http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>>>
>>>>
>>>>        
>>>>
>>>
>>>
>>>      
>>>
>>
>>
>>    
>>
>
>
>  
>

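The threshold behaviour the thread revolves around, as an added example that is not part of the original posts or of Snort's own code: a small Python model of a `drop ... threshold: type both, track by_src` rule evaluated packet by packet. It assumes the documented meaning of the three threshold types (limit: the first `count` events per window; threshold: every `count`-th event; both: once per window, on the `count`-th event) and that in snort_inline the drop action is taken only on the packet that makes the event fire. The two rule variants are the ones posted above (flags:S with count 5, and no flags with count 20); the traffic is constructed, with the hosts modelled on the alert log and the third host, all timings and flag sequences invented.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Packet:
    ts: int        # milliseconds since start of capture (constructed values)
    src: str       # source IP, the key for "track by_src"
    dport: int
    flags: str     # TCP flags as Snort prints them: "S", "A", "PA", "FA", ...


@dataclass
class ThresholdRule:
    """Model of: drop tcp $EXTERNAL_NET any -> $HOME_NET <dport> (... threshold: ...)"""
    count: int                      # threshold: count
    seconds: int                    # threshold: seconds (kept in ms here to avoid float drift)
    thr_type: str = "both"          # threshold: type limit | threshold | both
    dport: int = 80
    flags: Optional[str] = None     # flags:S in the first posted rule, absent in the second
    state: Dict[str, Tuple[int, int]] = field(default_factory=dict, repr=False)

    def matches(self, pkt: Packet) -> bool:
        """Rule header plus the optional flags: test (exact match, as flags:S means)."""
        if pkt.dport != self.dport:
            return False
        return self.flags is None or pkt.flags == self.flags

    def fires(self, pkt: Packet) -> bool:
        """True when the rule's action (drop) is taken on this packet."""
        if not self.matches(pkt):
            return False
        start, n = self.state.get(pkt.src, (pkt.ts, 0))
        if pkt.ts - start >= self.seconds:   # this source's window has expired
            start, n = pkt.ts, 0
        n += 1
        self.state[pkt.src] = (start, n)
        if self.thr_type == "limit":         # first `count` events per window
            return n <= self.count
        if self.thr_type == "threshold":     # every `count`-th event
            return n % self.count == 0
        if self.thr_type == "both":          # once per window, on the `count`-th event
            return n == self.count
        raise ValueError("unknown threshold type: " + self.thr_type)


def evaluate(rule: ThresholdRule, packets: List[Packet]) -> List[Tuple[int, str, str, str]]:
    """(ts, src, flags, verdict) per packet in time order; the rule's state is mutated."""
    out = []
    for p in sorted(packets, key=lambda p: p.ts):
        out.append((p.ts, p.src, p.flags, "drop" if rule.fires(p) else "pass"))
    return out


def drops_per_source(rule: ThresholdRule, packets: List[Packet]) -> Dict[str, int]:
    counts: Dict[str, int] = defaultdict(int)
    for _, src, _, verdict in evaluate(rule, packets):
        if verdict == "drop":
            counts[src] += 1
    return dict(counts)


# The two rule variants from the thread; a fresh (stateless) instance each call.
def rule_original() -> ThresholdRule:   # flags:S; threshold: count 5, seconds 1
    return ThresholdRule(count=5, seconds=1000, flags="S")


def rule_revised() -> ThresholdRule:    # no flags:; threshold: count 20, seconds 1
    return ThresholdRule(count=20, seconds=1000)


# Constructed traffic (hosts modelled on the alert log; timings are invented).
ATTACKER, CLIENT, BUSY_CLIENT = "10.80.98.7", "192.168.0.30", "192.168.0.31"
FLOOD = [Packet(i * 20, ATTACKER, 80, "S") for i in range(25)]          # 25 SYNs in 0.5 s
LEGIT = [Packet(100, CLIENT, 80, "S"), Packet(110, CLIENT, 80, "A"),    # one handshake,
         Packet(120, CLIENT, 80, "PA"), Packet(300, CLIENT, 80, "A"),   # one request,
         Packet(310, CLIENT, 80, "FA")]                                 # then close
BUSY = [Packet(500 + i * 10, BUSY_CLIENT, 80, "S" if i == 0 else "PA")  # one connection,
        for i in range(22)]                                             # 22 segments in 0.22 s
TRAFFIC = FLOOD + LEGIT + BUSY

if __name__ == "__main__":
    for name, rule in (("flags:S count 5", rule_original()), ("count 20", rule_revised())):
        print(name, drops_per_source(rule, TRAFFIC))
```

Two things the model makes visible. A source that sends fewer than `count` matching packets inside `seconds` never fires the rule, so a single telnet to port 80 cannot be dropped by this rule on its own; with `type both` even the flooding source loses exactly one packet per window, which is also why the posted rule is not much of a DoS stopper. And dropping the `flags:S` option changes what is counted: the revised rule counts every segment from a source, so an ordinary busy connection (the 22-segment host above) crosses `count 20` and is hit, while the original SYN-only rule leaves it alone.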