[Snort-users] Problem with iptables
stackerhush at ...11827...
Sat Nov 14 13:34:01 EST 2009
Hello to all,
I'm trying to use snort with ossec to block ultrasurf access from internal
users of my LAN.
My server has this configuration:
eth0: 192.168.1.254 (external)
eth1: 10.1.1.254 (internal)
I'm running snort version 126.96.36.199 and iptables version 1.4.4. My default
policy is set to DROP. I'm using an external DNS.
With iptables disabled (everything ACCEPT, no rules active) snort detects
ultrasurf fine and the internal IP of the client is blocked by ossec.
The rule I'm using is this (from emergingthreats.net):
>>> alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET POLICY Possible
>>> External Ultrasurf Anonymizer DNS Query"; content:"|00 00 00 00 00
>>> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|";
>>> classtype:policy-violation; threshold:type limit, track by_src,count
>>> 1, seconds 60; reference:url,doc.emergingthreats.net/2008533;
>>> /POLICY_Ultrasurf; sid:2008533; rev:3;)
For NAT I'm using this rule: iptables -A POSTROUTING -t nat -j SNAT --to-source
192.168.91.131 -s 10.1.1.1/24 -o eth0
When I enable the firewall, snort stops detecting the ultrasurf connection
and the traffic passes with no problems.
With snort i have:
var HOME_NET 10.1.1.0/24
var EXTERNAL_NET any
Any idea how to solve this problem?
Many thanks to all,
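Added example, not part of the post above: a small model of why a `$HOME_NET` rule stops firing once SNAT is in the path. The post does not say which interface snort captures on, so the hypothesis is an assumption: if snort sniffs eth0, the SNAT rule in the post has already rewritten the source of every outbound packet from 10.1.1.0/24 to 192.168.91.131 before snort sees it, and 192.168.91.131 is not in `var HOME_NET 10.1.1.0/24`, so the header of sid:2008533 (`udp $HOME_NET any -> $EXTERNAL_NET 53`) cannot match. Sniffing eth1 sees the pre-NAT packet. The packet, the DNS payload and the `observed_on`/`diagnose` helpers are constructed here for the demonstration; iptables masks the host bits, so `-s 10.1.1.1/24` in the post is the same match as 10.1.1.0/24.

```python
"""Model of sid:2008533 header/content matching seen from eth1 (pre-NAT)
versus eth0 (post-SNAT).  Example code, not from the mailing-list post;
the capture interface and the packet below are assumptions."""
import ipaddress
from dataclasses import dataclass, replace

HOME_NET = [ipaddress.ip_network("10.1.1.0/24")]        # var HOME_NET in the post
SNAT_SOURCE = ipaddress.ip_address("192.168.91.131")     # --to-source in the post
SNAT_MATCH = ipaddress.ip_network("10.1.1.0/24")         # -s 10.1.1.1/24 after iptables masks host bits
ULTRASURF_CONTENT = bytes(22)                            # the 22 x |00| content: match of the ET rule


@dataclass(frozen=True)
class Packet:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: str
    sport: int
    dport: int
    payload: bytes


def in_home_net(addr):
    return any(addr in net for net in HOME_NET)


def snat(pkt, out_iface):
    """Model of: iptables -A POSTROUTING -t nat -j SNAT --to-source 192.168.91.131
    -s 10.1.1.1/24 -o eth0.  Only packets leaving eth0 from the LAN are rewritten."""
    if out_iface == "eth0" and pkt.src in SNAT_MATCH:
        return replace(pkt, src=SNAT_SOURCE)
    return pkt


def sid_2008533_matches(pkt):
    """udp $HOME_NET any -> $EXTERNAL_NET 53 plus the content: match.
    $EXTERNAL_NET is 'any' in the post, so only the source side can fail."""
    return (
        pkt.proto == "udp"
        and pkt.dport == 53
        and in_home_net(pkt.src)
        and ULTRASURF_CONTENT in pkt.payload
    )


def observed_on(pkt, iface):
    """What a sniffer bound to iface sees: eth1 is before POSTROUTING, eth0 is after it."""
    return snat(pkt, "eth0") if iface == "eth0" else pkt


def diagnose(pkt):
    """Rule verdict per capture interface for the same client packet."""
    return {iface: sid_2008533_matches(observed_on(pkt, iface)) for iface in ("eth1", "eth0")}


# Constructed client DNS query from the LAN carrying the 22 NUL bytes (assumed payload).
query = Packet(
    src=ipaddress.ip_address("10.1.1.37"),
    dst=ipaddress.ip_address("8.8.8.8"),
    proto="udp",
    sport=51234,
    dport=53,
    payload=b"\x12\x34\x01\x00" + bytes(22) + b"\x03www",
)

if __name__ == "__main__":
    for iface, hit in diagnose(query).items():
        seen = observed_on(query, iface).src
        print(f"{iface}: {'ALERT' if hit else 'no alert'} (source seen as {seen})")
```

If this model matches the real setup, the fix is either to capture on eth1 (where the packet still carries its 10.1.1.x source, which is also the address ossec needs to block) or, when capturing on eth0 is required, to make sure HOME_NET covers the post-NAT source, at the cost of losing the per-client address in the alert.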