[Snort-users] Problem with iptables

Stacker Hush stackerhush at ...11827...
Sat Nov 14 13:34:01 EST 2009


Hello to all,

I'm trying to use Snort with OSSEC to block Ultrasurf access from internal
users of my LAN.

My server has this configuration:
eth0: 192.168.1.254 (external)
eth1: 10.1.1.254 (internal)

I'm running Snort version 2.8.5.1 and iptables version 1.4.4. My default
policy is set to DROP. I'm using an external DNS.

With iptables disabled (all ACCEPT) and no rules activated, Snort detects
Ultrasurf fine and the client's internal IP is blocked by OSSEC.
The rule I'm using is this (from emergingthreats.net):

>>> alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET POLICY Possible 
>>> External Ultrasurf Anonymizer DNS Query"; content:"|00 00 00 00 00 
>>> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; 
>>> classtype:policy-violation; threshold:type limit, track by_src,count 
>>> 1, seconds 60; reference:url,doc.emergingthreats.net/2008533; 
>>> reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY
>>> /POLICY_Ultrasurf; sid:2008533; rev:3;)


For NAT I'm using this rule:

iptables -A POSTROUTING -t nat -j SNAT --to-source 192.168.91.131 -s 10.1.1.1/24 -o eth0

When I enable the firewall, Snort stops detecting the Ultrasurf connection
and the traffic passes with no problems.

In Snort I have:
var HOME_NET 10.1.1.0/24
var EXTERNAL_NET any

Any idea how to solve this problem?

Many thanks to all,

Stacker
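Added example (not part of the original post, and not Snort's or Emerging Threats' own code): a small Python model of what the quoted rule's header test (`$HOME_NET any -> $EXTERNAL_NET 53`), its 22-NUL-byte content match and its `threshold:type limit, track by_src, count 1, seconds 60` see on each side of the POSTROUTING SNAT rule from the post. The post does not say which interface Snort listens on; the example assumes Snort sniffs the post-NAT side (eth0), where the SNAT rule has already rewritten the source to 192.168.91.131, which is outside HOME_NET 10.1.1.0/24. The client address, resolver address, DNS payloads and timestamps are all constructed for the demonstration.

```python
"""
Model of ET sid 2008533's matching logic on pre-NAT (eth1) and post-NAT
(eth0) traffic. Added example; assumes Snort sees the post-SNAT packet.
All addresses and payloads are constructed.
"""
import ipaddress
from dataclasses import dataclass, field

HOME_NET = ipaddress.ip_network("10.1.1.0/24")   # var HOME_NET from the post
SNAT_SOURCE = "192.168.91.131"                   # --to-source from the post
CONTENT = b"\x00" * 22                           # the rule's 22 NUL bytes


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str
    payload: bytes


@dataclass
class Threshold:
    """Model of `threshold:type limit, track by_src, count 1, seconds 60`:
    at most `count` alerts per source address per `seconds` window."""
    count: int = 1
    seconds: int = 60
    seen: dict = field(default_factory=dict)  # src -> (window_start, hits)

    def allow(self, src: str, now: float) -> bool:
        start, hits = self.seen.get(src, (None, 0))
        if start is None or now - start >= self.seconds:
            start, hits = now, 0            # open a new window for this source
        hits += 1
        self.seen[src] = (start, hits)
        return hits <= self.count


def rule_matches(pkt: Packet) -> bool:
    """Header and content checks of the rule (EXTERNAL_NET is 'any')."""
    return (pkt.proto == "udp"
            and ipaddress.ip_address(pkt.src) in HOME_NET
            and pkt.dport == 53
            and CONTENT in pkt.payload)


def snat(pkt: Packet, new_src: str) -> Packet:
    """What `-t nat -A POSTROUTING -j SNAT` does to a packet leaving eth0."""
    return Packet(new_src, pkt.dst, pkt.sport, pkt.dport, pkt.proto, pkt.payload)


def run_sensor(packets, threshold: Threshold, now: float = 0.0):
    """Return (src, dst) of every packet that fires the rule after thresholding."""
    return [(p.src, p.dst) for p in packets
            if rule_matches(p) and threshold.allow(p.src, now)]


# Constructed payloads: a DNS header followed by 22 NUL bytes (matches the
# rule) and an ordinary A query for example.com (does not match).
ULTRASURF_LIKE = (b"\xab\xcd\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
                  + b"\x00" * 22 + b"\x00\x01\x00\x01")
NORMAL_QUERY = (b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
                + b"\x07example\x03com\x00" + b"\x00\x01\x00\x01")


def demo():
    """Same three packets as seen on eth1 (pre-NAT) and on eth0 (post-NAT)."""
    client = Packet("10.1.1.5", "198.51.100.53", 40000, 53, "udp", ULTRASURF_LIKE)
    benign = Packet("10.1.1.5", "198.51.100.53", 40001, 53, "udp", NORMAL_QUERY)
    on_eth1 = [client, benign, client]                  # before SNAT
    on_eth0 = [snat(p, SNAT_SOURCE) for p in on_eth1]   # after POSTROUTING SNAT
    return {
        "eth1_alerts": run_sensor(on_eth1, Threshold()),
        "eth0_alerts": run_sensor(on_eth0, Threshold()),
    }


if __name__ == "__main__":
    for side, alerts in demo().items():
        print(side, alerts)
```

On the eth1 side the first Ultrasurf-like query alerts and the repeat within the 60-second window is suppressed by the threshold; on the eth0 side nothing alerts, because the SNAT'd source is not in HOME_NET. If that assumption holds for the real setup, the rule's header test is the thing to look at: sniff the pre-NAT interface, or make HOME_NET cover the address the packets actually carry where Snort sees them.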
