[Snort-users] snort-inline and iptables INPUT chain

Will Metcalf william.metcalf at ...11827...
Wed Mar 2 13:59:09 EST 2005


Nothing is showing up in your alert logs? Is it just ssh, or does this
happen with all connections? Try the following....

iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -j QUEUE
iptables -A FORWARD -j QUEUE
iptables -A OUTPUT -j QUEUE

In your snort.conf, set checksum mode to none:

config checksum_mode: none

Regards,

Will




On Wed, 02 Mar 2005 20:16:38 +0100, Laurent Haond <lhaond at ...13100...> wrote:
> 
> 
> Will Metcalf wrote:
> 
> >If you start snort with
> >
> >snort -Q -v -c /etc/snort/snort.conf
> >
> >do you see any traffic?
> >
> >Regards,
> >
> >Will
> >
> >
> >
> Sure I see some traffic:
> 
> Here are tethereal captures (done on 192.168.0.2, which is the ssh client
> with NO firewall):
> 
> => case 1
> ssh establishing WITHOUT snort-inline / queue :
> Capturing on eth0
> 0.000000  192.168.0.1 -> 192.168.0.2  TCP 32859 > 22 [SYN] Seq=0 Ack=0 Win=5840 Len=0 MSS=1460 TSV=567646 TSER=0 WS=0
> 0.000422  192.168.0.2 -> 192.168.0.1  TCP 22 > 32859 [SYN, ACK] Seq=0 Ack=1 Win=5792 Len=0 MSS=1460 TSV=583170 TSER=567646 WS=0
> 0.000456  192.168.0.1 -> 192.168.0.2  TCP 32859 > 22 [ACK] Seq=1 Ack=1 Win=5840 Len=0 TSV=567647 TSER=583170
> 0.091878  192.168.0.2 -> 192.168.0.1  SSH Server Protocol: SSH-2.0-OpenSSH
> 0.091892  192.168.0.1 -> 192.168.0.2  TCP 32859 > 22 [ACK] Seq=1 Ack=25 Win=5840 Len=0 TSV=567656 TSER=583180
> 0.091949  192.168.0.1 -> 192.168.0.2  SSH Client Protocol: SSH-2.0-OpenSSH
> 0.092158  192.168.0.2 -> 192.168.0.1  TCP 22 > 32859 [ACK] Seq=25 Ack=42 Win=5792 Len=0 TSV=583180 TSER=567656
> 0.092166  192.168.0.1 -> 192.168.0.2  SSHv2 Client: Key Exchange Init
> 0.092429  192.168.0.2 -> 192.168.0.1  TCP 22 > 32859 [ACK] Seq=25 Ack=650 Win=6688 Len=0 TSV=583180 TSER=567656
> 0.096161  192.168.0.2 -> 192.168.0.1  SSHv2 Server: Key Exchange Init
> 0.096229  192.168.0.1 -> 192.168.0.2  SSHv2 Client: Diffie-Hellman GEX Request
> 0.112155  192.168.0.2 -> 192.168.0.1  SSHv2 Server: Diffie-Hellman Key Exchange Reply
> 0.113776  192.168.0.1 -> 192.168.0.2  SSHv2 Client: Diffie-Hellman GEX Init
> 0.150941  192.168.0.2 -> 192.168.0.1  TCP 22 > 32859 [ACK] Seq=785 Ack=818 Win=7904 Len=0 TSV=583186 TSER=567658
> 0.253657  192.168.0.2 -> 192.168.0.1  SSHv2 Server: Diffie-Hellman GEX Reply
> 0.255864  192.168.0.1 -> 192.168.0.2  SSHv2 Client: New Keys
> 0.256059  192.168.0.2 -> 192.168.0.1  TCP 22 > 32859 [ACK] Seq=1249 Ack=834 Win=7904 Len=0 TSV=583196 TSER=567672
> 0.256068  192.168.0.1 -> 192.168.0.2  SSHv2 Encrypted request packet len=48
> 0.256240  192.168.0.2 -> 192.168.0.1  TCP 22 > 32859 [ACK] Seq=1249 Ack=882 Win=7904 Len=0 TSV=583196 TSER=567672
> 0.256615  192.168.0.2 -> 192.168.0.1  SSHv2 Encrypted response packet len=48
> 0.256922  192.168.0.1 -> 192.168.0.2  SSHv2 Encrypted request packet len=64
> 0.258581  192.168.0.2 -> 192.168.0.1  SSHv2 Encrypted response packet len=80
> 0.258646  192.168.0.1 -> 192.168.0.2  SSHv2 Encrypted request packet len=528
> 0.260759  192.168.0.2 -> 192.168.0.1  SSHv2 Encrypted response packet len=80
> 0.260799  192.168.0.1 -> 192.168.0.2  SSHv2 Encrypted request packet len=96
> 0.261335  192.168.0.2 -> 192.168.0.1  SSHv2 Encrypted response packet len=80
> 0.300461  192.168.0.1 -> 192.168.0.2  TCP 32859 > 22 [ACK] Seq=1570 Ack=1537 Win=7904 Len=0 TSV=567677 TSER=583197
> so ok it works normally...
> 
> => case 2:
> ssh establishing WITH snort-inline / queue :
> Capturing on eth0
> 0.000000  192.168.0.1 -> 192.168.0.2  TCP 32862 > 22 [SYN] Seq=0 Ack=0 Win=5840 Len=0 MSS=1460 TSV=599536 TSER=0 WS=0
> 0.000557  192.168.0.2 -> 192.168.0.1  TCP 22 > 32862 [SYN, ACK] Seq=0 Ack=1 Win=5792 Len=0 MSS=1460 TSV=615058 TSER=599536 WS=0
> 0.000577  192.168.0.1 -> 192.168.0.2  TCP 32862 > 22 [ACK] Seq=1 Ack=1 Win=5840 Len=0 TSV=599536 TSER=615058
> then nothing more is received...
> 
> But on 192.168.0.1 (snort box using snort -Q -v -c /etc/snort/snort.conf)
> I see traffic from 192.168.0.2:22 -> 192.168.0.1:32862 after that...
> But this traffic is never received by 192.168.0.1 !!
> 
> Regards
> Laurent
> 
>
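Added example (not part of the thread, and not snort-inline's or netfilter's own tooling): a small POSIX sh script that prints the QUEUE ruleset from Will's reply with the chain names validated first, so a misspelled built-in chain such as "OUPUT" is caught before iptables is touched, and a reader for the ip_queue counters that tells you whether a userspace process is actually draining the queue. The "Name : value" layout of /proc/net/ip_queue and the field names are assumed to be those of the 2.4/2.6 ip_queue module; the two sample files are constructed here, and the function names (valid_chain, queue_rules, ipq_field, ipqueue_status) are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original thread: print a checked QUEUE ruleset
# and summarise ip_queue counters (the /proc format below is assumed).

# Built-in filter-table chains. Anything else is a typo; a misspelled chain
# such as "OUPUT" makes iptables fail instead of queueing that direction.
valid_chain() {
    case "$1" in
        INPUT|OUTPUT|FORWARD) return 0 ;;
        *) return 1 ;;
    esac
}

# Print, but do not run, the commands that divert the given chains
# (default: INPUT FORWARD OUTPUT) to the QUEUE target. Review the output,
# then pipe it to sh as root on the snort box.
queue_rules() {
    [ $# -eq 0 ] && set -- INPUT FORWARD OUTPUT
    for chain in "$@"; do
        valid_chain "$chain" || { echo "unknown chain: $chain" >&2; return 1; }
    done
    for chain in "$@"; do
        echo "iptables -F $chain"
    done
    for chain in "$@"; do
        # Loopback stays out of the queue so local services keep working
        [ "$chain" = INPUT ] && echo "iptables -A INPUT -i lo -j ACCEPT"
        echo "iptables -A $chain -j QUEUE"
    done
}

# Pull one numeric field out of a copy of /proc/net/ip_queue.
# Assumed layout (2.4/2.6 ip_queue module): "Queue dropped     : 37"
ipq_field() {
    awk -F: -v key="$2" 'index($0, key) == 1 { gsub(/ /, "", $2); print $2 }' "$1"
}

# Classify the queue state. Exit status: 0 healthy, 1 no userspace peer
# attached (packets sent to QUEUE are dropped), 2 drops were recorded.
ipqueue_status() {
    peer=$(ipq_field "$1" "Peer PID")
    dropped=$(ipq_field "$1" "Queue dropped")
    nldropped=$(ipq_field "$1" "Netlink dropped")
    if [ "${peer:-0}" -eq 0 ]; then
        echo "no userspace reader attached: packets sent to QUEUE are dropped"
        return 1
    elif [ "${dropped:-0}" -gt 0 ] || [ "${nldropped:-0}" -gt 0 ]; then
        echo "peer $peer attached; queue dropped=$dropped netlink dropped=$nldropped"
        return 2
    fi
    echo "peer $peer attached, no drops"
    return 0
}

# Constructed sample of /proc/net/ip_queue: nothing attached, 37 drops so far
SAMPLE_NOPEER=$(mktemp)
SAMPLE_OK=$(mktemp)
trap 'rm -f "$SAMPLE_NOPEER" "$SAMPLE_OK"' EXIT
cat > "$SAMPLE_NOPEER" <<'EOF'
Peer PID          : 0
Copy mode         : 0
Copy range        : 0
Queue length      : 0
Queue max. length : 1024
Queue dropped     : 37
Netlink dropped   : 0
EOF
# Same file as it would look with a reader attached (pid 4242, constructed)
sed -e 's/^Peer PID .*/Peer PID          : 4242/' \
    -e 's/^Queue dropped .*/Queue dropped     : 0/' "$SAMPLE_NOPEER" > "$SAMPLE_OK"

queue_rules
ipqueue_status "$SAMPLE_NOPEER" || true
ipqueue_status "$SAMPLE_OK" || true
```

On the snort box itself, `ipqueue_status /proc/net/ip_queue` reads the live counters: a zero Peer PID while snort is supposedly running in -Q mode, or a climbing "Queue dropped" count, points at the queue rather than at the rules, which is the distinction the capture above (handshake passes, everything after it vanishes) cannot make on its own.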



