[Snort-users] snort inline mode is not working with iptables

netchild ccie netchildccie at ...125...
Fri Aug 6 15:27:27 EDT 2010


Hi William,
I have the traffic on that interface IN/OUT, and even with both chains IN/OUT jumping to QUEUE it didn't work.
The behavior I'm getting is that all the traffic for the -j QUEUE rule is being dropped, as if the packets are not being handled by snort (the default behavior for -j QUEUE if no application is handling the traffic).
Regards,
Wael
> Date: Fri, 6 Aug 2010 14:03:30 -0500
> Subject: Re: [Snort-users] snort inline mode is not working with iptables
> From: william.metcalf at ...11827...
> To: netchildccie at ...125...
> CC: snort-users at lists.sourceforge.net; hat_gh at ...131...
> 
> lose the -i eth1...  Also, for traffic in/out of the local IP stack, for
> TCP traffic you need to make sure that snort sees both sides of the
> conversation, i.e.
> 
> iptables -I INPUT -p tcp --sport 80 -j QUEUE
> iptables -I OUTPUT -p tcp --dport 80 -j QUEUE
> 
> Regards,
> 
> Will
> On Fri, Aug 6, 2010 at 1:41 PM, netchild ccie <netchildccie at ...125...> wrote:
> > Dear list,
> > I am a new user to Snort and this is my first experience with it.
> > My issue is that it seems snort does not communicate correctly with
> > iptables. I have a Linux machine running SNORT 2.8.6, connected to a LAN with
> > another Linux machine. I am using the other machine to ping the snort
> > server. Every time I run snort without iptables, the ping works,
> > and once I use iptables and then launch snort, the ping stops and
> > I receive alert messages!!!! I cannot understand why snort drops the
> > packets?!
> >
> > I'll try to summarize my issue in points
> > 1. I've built a Linux machine with CentOS 4.8
> > 2. I've downloaded snort 2.8.6 from snort website
> > 3. I've compiled the package after I installed successfully libipq and
> > libnet 1.0.2a. I used the following commands
> > ./configure --enable-inline
> > make
> > make install
> > 4. I've built a simple rule under /etc/snort/rules as below and named it
> > "local.rule"
> > alert icmp any any <> any any (msg: "ICMP DROPPED"; sid: 1000001;)
> > 5. I loaded the ip_queue module and verified it as below
> > [root at ...14955... rules]# modprobe ip_queue
> > [root at ...14955... rules]# lsmod | grep queue
> > ip_queue               44777  0
> > 5. I launched iptables before I started snort as below and verified it
> > iptables -A OUTPUT -p icmp -j QUEUE
> > [root at ...14955... rules]# iptables -L
> > Chain INPUT (policy ACCEPT)
> > target     prot opt source               destination
> > Chain FORWARD (policy ACCEPT)
> > target     prot opt source               destination
> > Chain OUTPUT (policy ACCEPT)
> > target     prot opt source               destination
> > QUEUE      icmp --  anywhere             anywhere
> > 6. I've run snort as below
> > [root at ...14955... rules]# snort -k none -c /etc/snort/snort.conf.wael -l
> > /var/log/snort/wael -Q -i eth1
> > Enabling inline operation
> > Running in IDS mode
> >         --== Initializing Snort ==--
> > Initializing Output Plugins!
> > Initializing Preprocessors!
> > Initializing Plug-ins!
> > Parsing Rules file "/etc/snort/snort.conf.wael"
> > PortVar 'HTTP_PORTS' defined :  [ 80 2301 3128 7777 7779 8000 8008 8028 8080
> > 8180 8888 9999 ]
> > PortVar 'SHELLCODE_PORTS' defined :  [ 0:79 81:65535 ]
> > PortVar 'ORACLE_PORTS' defined :  [ 1521 ]
> > .
> > .
> > .
> >         --== Initialization Complete ==--
> >    ,,_     -*> Snort! <*-
> >   o"  )~   Version 2.8.6.1 (Build 39)
> >    ''''    By Martin Roesch & The Snort Team:
> > http://www.snort.org/snort/snort-team
> >            Copyright (C) 1998-2010 Sourcefire, Inc., et al.
> >            Using PCRE version: 6.6 06-Feb-2006
> >            Rules Engine: SF_SNORT_DETECTION_ENGINE  Version 1.12  <Build 18>
> > 7. Verify through the log
> > Aug  6 21:38:45 xen1 snort: [1:1000001:0] ICMP DROPPED {ICMP} 10.6.211.155
> > -> 10.6.211.53
> > Aug  6 21:39:16 xen1 last message repeated 31 times
> > Aug  6 21:40:17 xen1 last message repeated 61 times
> >
> > 8. Verified the ping from the ping screen
> > [root at ...14956... ~]# ping 10.6.211.53
> > PING 10.6.211.53 (10.6.211.53) 56(84) bytes of data.
> > <nothing>
> >
> > What have I missed?!
> > Regards,
> > Wael
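A small diagnostic for the two failure modes discussed in this thread (QUEUE rules with no userspace process attached, so the kernel drops every queued packet, and TCP queued in only one chain, so snort sees one side of the conversation), added here as an example and not part of any message in the thread. It assumes the /proc/net/ip_queue format exported by the ip_queue module (a "Peer PID" line that reads 0 when nothing like `snort -Q` is attached) and the `iptables -L` layout shown above; both inputs are constructed samples.

```python
import re
# Constructed sample of `iptables -L` as posted in the thread: ICMP queued in OUTPUT only.
IPTABLES_LISTING = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
QUEUE      icmp --  anywhere             anywhere
"""
# Constructed sample of /proc/net/ip_queue (assumed layout of the ip_queue module's
# proc file); Peer PID 0 means no userspace process such as `snort -Q` is attached.
IP_QUEUE_NO_PEER = """\
Peer PID          : 0
Queue length      : 0
Queue max. length : 1024
Queue dropped     : 92
"""
def parse_ip_queue(text):
    """Turn the 'Key : value' lines of /proc/net/ip_queue into a dict of ints."""
    stats = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            stats[key.strip()] = int(value)
    return stats
def parse_queue_rules(listing):
    """Return (chain, proto) for every QUEUE target in `iptables -L` output."""
    rules, chain = [], None
    for line in listing.splitlines():
        m = re.match(r"Chain (\S+)", line)
        if m:
            chain = m.group(1)
        elif line.startswith("QUEUE"):
            rules.append((chain, line.split()[1]))
    return rules
def diagnose(ip_queue_text, listing):
    """List why queued packets would be dropped or only half-seen by snort."""
    stats = parse_ip_queue(ip_queue_text)
    rules = parse_queue_rules(listing)
    findings = []
    if rules and stats.get("Peer PID", 0) == 0:
        findings.append("no userspace peer on ip_queue: every -j QUEUE packet is dropped")
    if stats.get("Queue dropped", 0):
        findings.append("kernel has already dropped %d queued packets" % stats["Queue dropped"])
    # For TCP, snort must see both directions: INPUT and OUTPUT both need to queue.
    tcp_chains = {chain for chain, proto in rules if proto == "tcp"}
    if tcp_chains and not {"INPUT", "OUTPUT"} <= tcp_chains:
        findings.append("tcp queued only in %s: snort sees one side" % ",".join(sorted(tcp_chains)))
    return findings
```

Run it against the live files (`open("/proc/net/ip_queue").read()` and the output of `iptables -L`) on the snort host to get the same findings for a real setup.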