[Snort-users] snort 2.8.4 and inline mode

justin joseph justinjoseph007 at ...11827...
Tue Aug 25 09:43:06 EDT 2009


On Tue, Aug 25, 2009 at 6:47 PM, Will Metcalf<william.metcalf at ...11827...> wrote:
> What do your iptables rules look like?  What traffic are you sending
> to the QUEUE target?

I am queuing all incoming traffic to my wan interface.  Relevant section of iptables --list:

Chain wan2fw (11 references)
target     prot opt source               destination
QUEUE      all  --  anywhere             anywhere            state ESTABLISHED
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
QUEUE      all  --  anywhere             anywhere

I use shorewall to do this, by specifying rules to QUEUE all wan to fw traffic in ESTABLISHED and NEW states.


>
> Setting modifysid * "^alert" | "drop" is a bad idea, and will lead to
> drops without notifications for things like flowbits with no alert
> that are not intended to identify malicious traffic, only for protocol
> identification etc.  I would run your IDS in passive mode for a while
> to weed out false positives before even considering implementing a
> drop rule set.

Does "without notifications" mean that there will be no alerts in the log file, or does it mean (at the source code level) that there's no verdict required (ipq verdict) for dropping or accepting the mentioned types of packets?

Is the process you have mentioned of running first in IDS (passive) mode to weed out false positives a manual process? I.e. manually figure out the false alerts (by looking at alert.log) and then keep the rules associated with these alerts with "alert" action only and not drop? Or is it an automatic one which involves running scripts or something like that?

Also, is there any method to configure/run snort in inline mode without much manual intervention (example: rule set support for inline mode)?

Thank you
Justin

>
> Regards,
>
> Will
>
> On Tue, Aug 25, 2009 at 7:52 AM, justin joseph<justinjoseph007 at ...14542....> wrote:
>> Hi
>>
>> I have compiled from source snort 2.8.4 with --enable-inline support.
>>
>> to get rules for inline mode I have downloaded ruleset using oinkmaster
>> with the below config file:
>>
>> url = http://www.snort.org/pub-bin/oinkmaster.cgi/006d6ba065a1c0fe55e6e4a25d74518236a3da19/snortrules-snapshot-2.8.tar.gz
>> path = /bin:/usr/bin:/usr/local/bin
>> update_files = \.rules$|\.config$|\.conf$|\.txt$|\.map$
>> skipfile local.rules
>> skipfile deleted.rules
>> skipfile snort.conf
>> modifysid * "^alert" | "drop"
>>
>>
>> As I understand the modifysid converts all the alert rules to drop rules.
>>
>> I am running this with the default config file in the etc/snort.conf file, changing
>> only the paths to rules and library directories.
>>
>> When I test this setup with IDSwakeup-1.0, I don't see any drop of packets
>> happening.  I know this because I have commented code in inline.c with debug prints
>> against drop and accept verdicts.  Also there are no alerts in the logs.
>>
>> But if I run the same setup with the same config (snort.conf) file
>> without the -Q option in IDS mode, with the only difference being the use of
>> alert rules (downloaded with oinkmaster without modifysid),
>> I see that there are a lot of alerts when tested with IDSwakeup-1.0.
>>
>> What am I doing wrong? Why isn't the inline mode dropping packets that
>> are being alerted in the IDS mode?  Is there any configuration change required in
>> snort.conf between inline and IDS modes?
>>
>> thank you
>> Justin
>>
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>
>
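One way to automate the safer version of what this thread is circling around, as an added example that is not part of the thread and not oinkmaster's own code: rather than `modifysid * "^alert" | "drop"` on the whole ruleset, a small script that rewrites `alert` to `drop` only for rules that are not `flowbits:noalert` protocol-identification rules (the case Will describes, where a blanket conversion drops traffic with nothing in alert.log) and, optionally, only for SIDs that were vetted during a passive run. The sample rules, SIDs, and file names below are constructed for the example.

```python
import argparse
import re

# Constructed sample rules (not from the thread): a commented-out rule, an
# ordinary alert rule, a flowbits:noalert protocol-identification rule, a rule
# that depends on that flowbit, and a non-alert action. SIDs are made up.
SAMPLE_RULES = """\
# alert tcp any any -> any 23 (msg:"CONSTRUCTED disabled rule"; sid:9000000; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"CONSTRUCTED web probe"; flow:to_server,established; content:"/probe"; sid:9000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"CONSTRUCTED smtp helo seen"; flow:to_server; content:"HELO"; flowbits:set,proto.smtp; flowbits:noalert; sid:9000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"CONSTRUCTED smtp expn"; flowbits:isset,proto.smtp; content:"EXPN"; sid:9000003; rev:1;)
pass ip any any -> any any (msg:"CONSTRUCTED pass rule"; sid:9000004; rev:1;)
"""

ALERT_RE = re.compile(r"^alert\s+(?P<rest>.*)$")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
NOALERT_RE = re.compile(r"\bflowbits\s*:\s*noalert\s*;")


def convert_rules(text, vetted_sids=None):
    """Rewrite 'alert' rules to 'drop', one rule per line (backslash
    continuation lines are not handled here).

    Skips comments, non-alert actions, and any rule carrying flowbits:noalert:
    those only set state for later rules and never produce an alert, so
    dropping on them would block traffic silently. If vetted_sids is given,
    only those SIDs are converted and every other rule stays as 'alert'.
    Returns (new_text, report); report lists converted SIDs and the reason
    each other rule with a SID was left alone.
    """
    out_lines = []
    report = {"converted": [], "skipped": {}}
    for line in text.splitlines():
        stripped = line.strip()
        sid_match = SID_RE.search(stripped)
        sid = int(sid_match.group(1)) if sid_match else None
        m = ALERT_RE.match(stripped)
        if not stripped or stripped.startswith("#") or not m:
            if sid is not None:
                report["skipped"][sid] = "not an active alert rule"
            out_lines.append(line)
            continue
        if NOALERT_RE.search(stripped):
            report["skipped"][sid] = "flowbits:noalert"
            out_lines.append(line)
            continue
        if vetted_sids is not None and sid not in vetted_sids:
            report["skipped"][sid] = "not in vetted list"
            out_lines.append(line)
            continue
        out_lines.append("drop " + m.group("rest"))
        report["converted"].append(sid)
    return "\n".join(out_lines) + "\n", report


def load_sid_list(path):
    """Read one SID per line (blank lines and '#' comments ignored)."""
    sids = set()
    with open(path) as fh:
        for raw in fh:
            raw = raw.strip()
            if raw and not raw.startswith("#"):
                sids.add(int(raw))
    return sids


def main():
    # Hypothetical CLI: rules file in, converted rules out, optional vetted
    # SID list built from a passive-mode review of alert.log.
    parser = argparse.ArgumentParser(description="alert -> drop, minus noalert rules")
    parser.add_argument("rules_in")
    parser.add_argument("rules_out")
    parser.add_argument("--vetted", help="file with one vetted SID per line")
    args = parser.parse_args()
    vetted = load_sid_list(args.vetted) if args.vetted else None
    with open(args.rules_in) as fh:
        new_text, report = convert_rules(fh.read(), vetted)
    with open(args.rules_out, "w") as fh:
        fh.write(new_text)
    print("converted:", report["converted"])
    for sid, reason in sorted(report["skipped"].items()):
        print("kept %d: %s" % (sid, reason))


if __name__ == "__main__":
    main()
```

Run it on the ruleset oinkmaster fetched (without the `modifysid` line) and feed the output to the inline snort.conf; with `--vetted` pointing at the SIDs you kept after reviewing alert.log from the passive run, the rules that fired as false positives stay as `alert` and keep logging instead of blocking.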