[Snort-users] question policy default snort

Alex Kirk akirk at ...1935...
Mon Apr 5 07:09:31 EDT 2010


> After setup I tried to access via terminal service but the connection
> does not work. I did the command "tail-f" in file alert and nothing and
> there is some political pattern generated snort to block traffic that
> does not match?

Generally speaking, if Snort's not generating any alerts, it's not going to
be the source of the problem - especially since a default, out-of-the-box
installation of Snort is typically very quick to generate alerts. Though,
just to be sure - I see in your command above that you have no spaces
between "tail" and "-f" (it should be "tail -f"), which would cause "tail"
to fail. That's just a typo here on the list, right?

As far as Snort blocking traffic that *does not* match, no, it doesn't do
anything with a packet if it doesn't match - it just lets it pass through.

Have you successfully sent traffic through this setup without Snort? It's
possible some other part of your bridge setup is improperly configured.

On Mon, Apr 5, 2010 at 12:47 AM, Ricardo Barbosa <ricardobarbosams at ...6873...> wrote:

> Hi,
>
> I set up a firewall with snort inline bridge mode and am using the
> following configuration and firewall rule for level
> test.
>
> ---- snort.conf -----
> var HOME_NET [192.168.1.0/24]
> var EXTERNAL_NET any
> var DNS_SERVERS $HOME_NET
> var SMTP_SERVERS $HOME_NET
> var HTTP_SERVERS $HOME_NET
> var SQL_SERVERS $HOME_NET
> var TELNET_SERVERS $HOME_NET
> var SNMP_SERVERS $HOME_NET
> portvar HTTP_PORTS 80
> portvar SHELLCODE_PORTS !80
> portvar ORACLE_PORTS 1521
> var AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
> var RULE_PATH /etc/snort/rules
> var PREPROC_RULE_PATH /etc/snort/preproc_rules
> config disable_ipopt_alerts
> config enable_decode_oversized_alerts
> config enable_decode_oversized_drops
> dynamicpreprocessor directory /usr/lib/snort_dynamicpreprocessor/
> dynamicengine /usr/lib/snort_dynamicengine/libsf_engine.so
> preprocessor frag3_global: max_frags 65536
> preprocessor frag3_engine: policy first detect_anomalies
> preprocessor stream5_global: max_tcp 8192, track_tcp yes, \
>                              track_udp no
> preprocessor stream5_tcp: policy first, use_static_footprint_sizes
> preprocessor http_inspect: global \
>    iis_unicode_map unicode.map 1252
> preprocessor http_inspect_server: server default \
>    profile all ports { 80 8080 8180 } oversize_dir_length 500
> preprocessor rpc_decode: 111 32771
> preprocessor bo
> preprocessor ftp_telnet: global \
>   encrypted_traffic yes \
>   inspection_type stateful
> preprocessor ftp_telnet_protocol: telnet \
>   normalize \
>   ayt_attack_thresh 200
> preprocessor ftp_telnet_protocol: ftp server default \
>   def_max_param_len 100 \
>   alt_max_param_len 200 { CWD } \
>   cmd_validity MODE < char ASBCZ > \
>   cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \
>   chk_str_fmt { USER PASS RNFR RNTO SITE MKD } \
>   telnet_cmds yes \
>   data_chan
> preprocessor ftp_telnet_protocol: ftp client default \
>   max_resp_len 256 \
>   bounce yes \
>   telnet_cmds yes
> preprocessor smtp: \
>  ports { 25 587 691 } \
>  inspection_type stateful \
>  normalize cmds \
>  normalize_cmds { EXPN VRFY RCPT } \
>  alt_max_command_line_len 260 { MAIL } \
>  alt_max_command_line_len 300 { RCPT } \
>  alt_max_command_line_len 500 { HELP HELO ETRN } \
>  alt_max_command_line_len 255 { EXPN VRFY }
> preprocessor sfportscan: proto  { all } \
>                         memcap { 10000000 } \
>                         sense_level { low }
> preprocessor dcerpc2
> preprocessor dcerpc2_server: default
> preprocessor dns: \
>    ports { 53 } \
>    enable_rdata_overflow
> preprocessor ssl: noinspect_encrypted, trustservers
> output alert_syslog: log_local7 log_debug
> output log_tcpdump: tcpdump.log
> include classification.config
> include reference.config
> include $RULE_PATH/local.rules
> include $RULE_PATH/bad-traffic.rules
> include $RULE_PATH/exploit.rules
> include $RULE_PATH/community-exploit.rules
> include $RULE_PATH/scan.rules
> include $RULE_PATH/ftp.rules
> include $RULE_PATH/rpc.rules
> include $RULE_PATH/dos.rules
> include $RULE_PATH/community-dos.rules
> include $RULE_PATH/ddos.rules
> include $RULE_PATH/dns.rules
> include $RULE_PATH/web-cgi.rules
> include $RULE_PATH/web-iis.rules
> include $RULE_PATH/web-misc.rules
> include $RULE_PATH/web-client.rules
> include $RULE_PATH/web-php.rules
> include $RULE_PATH/community-sql-injection.rules
> include $RULE_PATH/community-web-client.rules
> include $RULE_PATH/community-web-dos.rules
> include $RULE_PATH/community-web-iis.rules
> include $RULE_PATH/community-web-misc.rules
> include $RULE_PATH/community-web-php.rules
> include $RULE_PATH/sql.rules
> include $RULE_PATH/icmp.rules
> include $RULE_PATH/misc.rules
> include $RULE_PATH/attack-responses.rules
> include $RULE_PATH/mysql.rules
> include $RULE_PATH/community-ftp.rules
> include $RULE_PATH/smtp.rules
> include $RULE_PATH/community-smtp.rules
> include $RULE_PATH/imap.rules
> include $RULE_PATH/community-imap.rules
> include $RULE_PATH/pop2.rules
> include $RULE_PATH/pop3.rules
> include $RULE_PATH/community-sip.rules
> include $RULE_PATH/web-attacks.rules
> include $RULE_PATH/backdoor.rules
> include $RULE_PATH/community-virus.rules
> include $RULE_PATH/experimental.rules
> include $RULE_PATH/users.rules
> include threshold.conf
>
> --- iptables rules ----
> iptables -t filter -I FORWARD -j QUEUE
>
> The firewall is in bridge mode. I mounted the bridge using the following
> commands.
>
> ifconfig eth0 0.0.0.0
> ifconfig eth1 0.0.0.0
> ifconfig eth0 arp
> ifconfig eth1 arp
> brctl addbr br0
> brctl addif br0 eth0
> brctl addif br0 eth1
>
> Regards.



-- 
Alex Kirk
AEGIS Program Lead
Sourcefire Vulnerability Research Team
+1-410-423-1937
alex.kirk at ...1935...
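Alex's question about sending traffic through the setup without Snort points at the two things to rule out first. As an added example (not code from the thread or the Snort project), this Python script replays the bridge commands and the iptables rule quoted above and reports what a practitioner would check before looking at Snort's rules; the bridge and queue behaviour it describes is standard Linux netfilter/bridge semantics, not something stated in the thread.

```python
"""Sanity checks for a Snort inline bridge + iptables QUEUE setup.

Constructed example, not code from the thread: it replays the bridge
commands and the iptables rule quoted in the message and reports the gaps
to rule out before blaming Snort for a dead connection with no alerts."""
import re
import shlex

# Commands copied from the quoted message into this constructed sample.
BRIDGE_CMDS = [
    "ifconfig eth0 0.0.0.0", "ifconfig eth1 0.0.0.0",
    "ifconfig eth0 arp", "ifconfig eth1 arp",
    "brctl addbr br0", "brctl addif br0 eth0", "brctl addif br0 eth1",
]
IPTABLES_RULES = ["iptables -t filter -I FORWARD -j QUEUE"]


def check_bridge(cmds):
    """A Linux bridge forwards only once it has its ports and the bridge
    device itself is administratively up; brctl addbr leaves it down."""
    bridges, ports, up = set(), {}, set()
    for argv in map(shlex.split, cmds):
        if argv[:2] == ["brctl", "addbr"]:
            bridges.add(argv[2])
        elif argv[:2] == ["brctl", "addif"]:
            ports.setdefault(argv[2], set()).add(argv[3])
        elif argv[0] == "ifconfig" and "up" in argv[2:]:
            up.add(argv[1])
        elif argv[:3] == ["ip", "link", "set"] and argv[-1] == "up":
            up.add(argv[4] if argv[3] == "dev" else argv[3])
    findings = []
    for br in sorted(bridges):
        if len(ports.get(br, ())) < 2:
            findings.append(f"{br}: fewer than two ports, not a transparent bridge")
        if br not in up:
            findings.append(f"{br}: never brought up ('ifconfig {br} up'); "
                            "its ports stay disabled and nothing is forwarded")
    return findings


def check_queue(rules):
    """QUEUE/NFQUEUE hands packets to userspace; with no consumer attached
    (Snort not running in inline mode, or the queue module not loaded) the
    kernel drops them silently: dead connection and no alert, the symptom
    described in the thread."""
    findings = []
    for rule in rules:
        m = re.search(r"-j\s+(QUEUE|NFQUEUE)\b", rule)
        if m:
            findings.append(f"'{rule}': {m.group(1)} target needs a live consumer; "
                            "confirm Snort is running inline before sending test traffic")
    return findings


def diagnose(cmds=BRIDGE_CMDS, rules=IPTABLES_RULES):
    """Combined report for the quoted setup (empty list means nothing found)."""
    return check_bridge(cmds) + check_queue(rules)


if __name__ == "__main__":
    print("\n".join(diagnose()) or "no findings")
```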