[Snort-users] snort inline mode is not working with iptables

Will Metcalf william.metcalf at ...11827...
Fri Aug 6 15:07:42 EDT 2010


It was an alert rule....

alert icmp any any <> any any (msg: "ICMP DROPPED"; sid: 1000001;)

Regards,

Will
On Fri, Aug 6, 2010 at 1:58 PM, Ryan Jordan <ryan.jordan at ...1935...> wrote:
> Congratulations! Everything is working as expected. Pings are ICMP
> packets, and judging from your alert file you have successfully
> dropped them.
>
> -Ryan
>
> On Fri, Aug 6, 2010 at 2:41 PM, netchild ccie <netchildccie at ...125...> wrote:
>> Dear list,
>> I am a new user to Snort and this is my first experience with it.
>> My issue is that it seems Snort does not communicate correctly with
>> iptables. I have a Linux machine running Snort 2.8.6, connected to a LAN with
>> another Linux machine. I am using the other machine to ping the Snort
>> server. Every time I run Snort without iptables, the ping works,
>> and once I use iptables and then launch Snort, the ping stops and
>> I receive alert messages!!!! I cannot understand why Snort drops the
>> packets?!
>>
>> I'll try to summarize my issue in points
>> 1. I've built a Linux machine with CentOS 4.8
>> 2. I've downloaded Snort 2.8.6 from the Snort website
>> 3. I've compiled the package after I successfully installed libipq and
>> libnet 1.0.2a. I used the following commands
>> ./configure --enable-inline
>> make
>> make install
>> 4. I've built a simple rule under /etc/snort/rules as below and named it
>> "local.rule"
>> alert icmp any any <> any any (msg: "ICMP DROPPED"; sid: 1000001;)
>> 5. I loaded the ip_queue module and verified it as below
>> [root at ...14955... rules]# modprobe ip_queue
>> [root at ...14955... rules]# lsmod | grep queue
>> ip_queue               44777  0
>> 5. I launched iptables before I started Snort as below and verified it
>> iptables -A OUTPUT -p icmp -j QUEUE
>> [root at ...14955... rules]# iptables -L
>> Chain INPUT (policy ACCEPT)
>> target     prot opt source               destination
>> Chain FORWARD (policy ACCEPT)
>> target     prot opt source               destination
>> Chain OUTPUT (policy ACCEPT)
>> target     prot opt source               destination
>> QUEUE      icmp --  anywhere             anywhere
>> 6. I've run snort as below
>> [root at ...14955... rules]# snort -k none -c /etc/snort/snort.conf.wael -l
>> /var/log/snort/wael -Q -i eth1
>> Enabling inline operation
>> Running in IDS mode
>>         --== Initializing Snort ==--
>> Initializing Output Plugins!
>> Initializing Preprocessors!
>> Initializing Plug-ins!
>> Parsing Rules file "/etc/snort/snort.conf.wael"
>> PortVar 'HTTP_PORTS' defined :  [ 80 2301 3128 7777 7779 8000 8008 8028 8080
>> 8180 8888 9999 ]
>> PortVar 'SHELLCODE_PORTS' defined :  [ 0:79 81:65535 ]
>> PortVar 'ORACLE_PORTS' defined :  [ 1521 ]
>> .
>> .
>> .
>>         --== Initialization Complete ==--
>>    ,,_     -*> Snort! <*-
>>   o"  )~   Version 2.8.6.1 (Build 39)
>>    ''''    By Martin Roesch & The Snort Team:
>> http://www.snort.org/snort/snort-team
>>            Copyright (C) 1998-2010 Sourcefire, Inc., et al.
>>            Using PCRE version: 6.6 06-Feb-2006
>>            Rules Engine: SF_SNORT_DETECTION_ENGINE  Version 1.12  <Build 18>
>> 7. Verified through the log
>> Aug  6 21:38:45 xen1 snort: [1:1000001:0] ICMP DROPPED {ICMP} 10.6.211.155
>> -> 10.6.211.53
>> Aug  6 21:39:16 xen1 last message repeated 31 times
>> Aug  6 21:40:17 xen1 last message repeated 61 times
>>
>> 8. Verified the ping from the ping screen
>> [root at ...14956... ~]# ping 10.6.211.53
>> PING 10.6.211.53 (10.6.211.53) 56(84) bytes of data.
>> <nothing>
>>
>> What have I missed?!
>> Regards,
>> Wael,
>> ------------------------------------------------------------------------------
>> This SF.net email is sponsored by
>>
>> Make an app they can't live without
>> Enter the BlackBerry Developer Challenge
>> http://p.sf.net/sfu/RIM-dev2dev
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>
>
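Added example, not part of the thread and not Snort's own code: a small Python lint for the distinction the thread turns on, the rule action keyword. In Snort 2.8.x inline mode (built with --enable-inline, run with -Q, packets handed over by the ip_queue module) only the drop, sdrop and reject actions ask the kernel to discard the packet; alert, log and pass rules write their alert or log entry and let the packet continue. The script parses a constructed rule file (sid 1000001 is the local.rule line from the thread; sids 1000002 to 1000004 and their addresses are invented), reports which rules would block, flags rules whose msg claims a drop while the action is alert, and rewrites an alert rule to its drop form. It looks only at the rule text, so it is a sanity check on the rule file, not a substitute for watching the sensor and the ping side by side.

```python
"""Lint a Snort 2.8-style rule file for inline (ip_queue / -Q) behaviour.

Added example, not code from the snort-users thread or the Snort project.
Only drop, sdrop and reject ask the kernel to discard the packet; alert, log
and pass rules let it through. SAMPLE_RULES is constructed: sid 1000001 is
the thread's local.rule line, the other sids and addresses are invented.
"""
import re
from typing import Dict, List, Optional

BLOCKING_ACTIONS = {"drop", "sdrop", "reject"}                      # packet discarded
PASSING_ACTIONS = {"alert", "log", "pass", "activate", "dynamic"}   # packet continues
KNOWN_ACTIONS = BLOCKING_ACTIONS | PASSING_ACTIONS

# action proto src sport dir dst dport (options)
RULE_RE = re.compile(
    r"^(?P<action>[a-z]+)\s+(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)$"
)

SAMPLE_RULES = """\
# constructed sample: local.rule from the thread plus invented variants
alert icmp any any <> any any (msg: "ICMP DROPPED"; sid: 1000001;)
drop icmp any any <> any any (msg:"ICMP really dropped"; sid:1000002; rev:1;)
sdrop tcp any any -> any 23 (msg:"telnet silently dropped"; sid:1000003; rev:1;)
pass icmp 10.6.211.0/24 any -> any any (msg:"trusted LAN; quoted; semicolons"; sid:1000004;)
"""


def split_options(opts: str) -> Dict[str, str]:
    """Split 'msg: "a; b"; sid: 1;' into {'msg': 'a; b', 'sid': '1'}.

    Semicolons inside double quotes belong to the value, as in Snort itself.
    """
    result: Dict[str, str] = {}
    buf: List[str] = []
    in_quotes = False
    escaped = False

    def store(item: str) -> None:
        item = item.strip()
        if not item:
            return
        key, _, value = item.partition(":")        # bare options (nocase) get ""
        result[key.strip()] = value.strip().strip('"')

    for ch in opts:
        if escaped:                                 # char after a backslash is literal
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == '"':
            in_quotes = not in_quotes
            buf.append(ch)
        elif ch == ";" and not in_quotes:           # end of one option
            store("".join(buf))
            buf = []
        else:
            buf.append(ch)
    store("".join(buf))                             # last option without trailing ';'
    return result


def parse_rule(line: str) -> Optional[dict]:
    """Summarise one rule line; None for blank lines and comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    m = RULE_RE.match(line)
    if not m or m.group("action") not in KNOWN_ACTIONS:
        raise ValueError(f"unparseable rule: {line!r}")
    opts = split_options(m.group("opts"))
    return {
        "action": m.group("action"),
        "proto": m.group("proto"),
        "sid": int(opts.get("sid", "0")),
        "msg": opts.get("msg", ""),
        "blocks": m.group("action") in BLOCKING_ACTIONS,
    }


def classify_rules(text: str) -> List[dict]:
    """Parse every rule in the text of a rule file."""
    return [r for r in (parse_rule(l) for l in text.splitlines()) if r]


def misleading_rules(text: str) -> List[int]:
    """sids whose msg claims a drop while the action lets the packet through."""
    return [r["sid"] for r in classify_rules(text)
            if "drop" in r["msg"].lower() and not r["blocks"]]


def to_drop_rule(line: str) -> str:
    """Turn an alert rule into the equivalent drop rule; the rest is unchanged."""
    action, rest = line.strip().split(None, 1)
    if action != "alert":
        raise ValueError(f"expected an alert rule, got action {action!r}")
    return "drop " + rest


if __name__ == "__main__":
    for r in classify_rules(SAMPLE_RULES):
        verdict = "DROPS packet" if r["blocks"] else "packet passes"
        print(f'sid {r["sid"]}: {r["action"]:<6} {r["proto"]:<5} {verdict:<14} {r["msg"]}')
    print("msg says drop but action does not block:", misleading_rules(SAMPLE_RULES))
    print(to_drop_rule('alert icmp any any <> any any (msg: "ICMP DROPPED"; sid: 1000001;)'))
```

The verdict column is derived from the action keyword alone, which is the only thing Snort's inline code looks at when deciding between accepting and dropping a queued packet; run the script as-is to see the constructed file classified, or point classify_rules at the text of your own local.rules.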



