[Snort-users] snort inline mode is not working with iptables

Ryan Jordan ryan.jordan at ...1935...
Fri Aug 6 15:48:05 EDT 2010


Ah, sorry, I was thrown off by the "ICMP DROPPED" in big letters. My
eyes are easily drawn.

netchild, would you mind posting a copy of snort.conf.wael?

-Ryan

On Fri, Aug 6, 2010 at 3:07 PM, Will Metcalf <william.metcalf at ...11827...> wrote:
> it was an alert rule....
>
> alert icmp any any <> any any (msg: "ICMP DROPPED"; sid: 1000001;)
>
> Regards,
>
> Will
> On Fri, Aug 6, 2010 at 1:58 PM, Ryan Jordan <ryan.jordan at ...1935...> wrote:
>> Congratulations! Everything is working as expected. Pings are ICMP
>> packets, and judging from your alert file you have successfully
>> dropped them.
>>
>> -Ryan
>>
>> On Fri, Aug 6, 2010 at 2:41 PM, netchild ccie <netchildccie at ...125...> wrote:
>>> Dear list,
>>> I am a new user to Snort and this is my first experience with it.
>>> My issue is that it seems Snort does not communicate correctly with
>>> iptables. I have a Linux machine running Snort 2.8.6, connected over the LAN to
>>> another Linux machine. I am using the other machine to ping the Snort
>>> server. Every time I run Snort without iptables, the ping works,
>>> and once I use iptables and then launch Snort, the ping stops and
>>> I receive alert messages!!!! I cannot understand why Snort drops the
>>> packets?!
>>>
>>> I'll try to summarize my issue in points
>>> 1. I've built a Linux machine with CentOS 4.8
>>> 2. I've downloaded Snort 2.8.6 from the Snort website
>>> 3. I've compiled the package after I successfully installed libipq and
>>> libnet 1.0.2a. I used the following commands
>>> ./configure --enable-inline
>>> make
>>> make install
>>> 4. I've built a simple rule under /etc/snort/rules as below and named it
>>> "local.rule"
>>> alert icmp any any <> any any (msg: "ICMP DROPPED"; sid: 1000001;)
>>> 5. I loaded the ip_queue module and verified it as below
>>> [root at ...14955... rules]# modprobe ip_queue
>>> [root at ...14955... rules]# lsmod | grep queue
>>> ip_queue               44777  0
>>> 5. I launched iptables before I started Snort as below and verified it
>>> iptables -A OUTPUT -p icmp -j QUEUE
>>> [root at ...14955... rules]# iptables -L
>>> Chain INPUT (policy ACCEPT)
>>> target     prot opt source               destination
>>> Chain FORWARD (policy ACCEPT)
>>> target     prot opt source               destination
>>> Chain OUTPUT (policy ACCEPT)
>>> target     prot opt source               destination
>>> QUEUE      icmp --  anywhere             anywhere
>>> 6. I've run Snort as below
>>> [root at ...14955... rules]# snort -k none -c /etc/snort/snort.conf.wael -l /var/log/snort/wael -Q -i eth1
>>> Enabling inline operation
>>> Running in IDS mode
>>>         --== Initializing Snort ==--
>>> Initializing Output Plugins!
>>> Initializing Preprocessors!
>>> Initializing Plug-ins!
>>> Parsing Rules file "/etc/snort/snort.conf.wael"
>>> PortVar 'HTTP_PORTS' defined :  [ 80 2301 3128 7777 7779 8000 8008 8028 8080
>>> 8180 8888 9999 ]
>>> PortVar 'SHELLCODE_PORTS' defined :  [ 0:79 81:65535 ]
>>> PortVar 'ORACLE_PORTS' defined :  [ 1521 ]
>>> .
>>> .
>>> .
>>>         --== Initialization Complete ==--
>>>    ,,_     -*> Snort! <*-
>>>   o"  )~   Version 2.8.6.1 (Build 39)
>>>    ''''    By Martin Roesch & The Snort Team:
>>> http://www.snort.org/snort/snort-team
>>>            Copyright (C) 1998-2010 Sourcefire, Inc., et al.
>>>            Using PCRE version: 6.6 06-Feb-2006
>>>            Rules Engine: SF_SNORT_DETECTION_ENGINE  Version 1.12  <Build 18>
>>> 7. Verified through the log
>>> Aug  6 21:38:45 xen1 snort: [1:1000001:0] ICMP DROPPED {ICMP} 10.6.211.155
>>> -> 10.6.211.53
>>> Aug  6 21:39:16 xen1 last message repeated 31 times
>>> Aug  6 21:40:17 xen1 last message repeated 61 times
>>>
>>> 8. Verified the ping from the ping screen
>>> [root at ...14956... ~]# ping 10.6.211.53
>>> PING 10.6.211.53 (10.6.211.53) 56(84) bytes of data.
>>> <nothing>
>>>
>>> What have I missed?!
>>> Regards,
>>> Wael,
>>> ------------------------------------------------------------------------------
>>> This SF.net email is sponsored by
>>>
>>> Make an app they can't live without
>>> Enter the BlackBerry Developer Challenge
>>> http://p.sf.net/sfu/RIM-dev2dev
>>> _______________________________________________
>>> Snort-users mailing list
>>> Snort-users at lists.sourceforge.net
>>> Go to this URL to change user options or unsubscribe:
>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>> Snort-users list archive:
>>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>>
>>
>
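Added example for the thread above; this is not code from Snort, iptables or any of the posters. Two things in Wael's setup are worth separating before blaming Snort: the rule in local.rule is an alert rule, which in inline mode logs the packet and still lets it through, and the iptables rule queues only the OUTPUT chain, so only packets the Snort host itself sends (the echo replies) reach ip_queue while the incoming echo requests on INPUT are ACCEPTed untouched. Independently of any rule, the QUEUE target discards queued packets when no userspace process has attached to ip_queue, and /proc/net/ip_queue shows that state: a "Peer PID" of 0 means nothing is reading the queue, and a non-zero "Queue dropped" counter means the kernel, not a Snort rule, is discarding packets. The script below parses that file (the two snapshots are constructed for this example; the field names follow the ip_queue proc layout, the counter values are made up) and prints a minimal alert-versus-drop rule pair plus the iptables commands that queue ICMP in both directions. The sids, rule messages and function names are the example's own choices.

```bash
#!/bin/bash
# Added example for the Snort-users thread; not code from Snort, iptables or
# any poster. (1) tell a kernel-side ip_queue drop from a Snort drop, and
# (2) print a minimal alert-vs-drop rule pair for an inline test.

# Two /proc/net/ip_queue snapshots, constructed for this example. Field names
# follow the ip_queue proc layout; the numbers are made up.
SAMPLE_IPQ_NO_PEER='Peer PID          : 0
Copy mode         : 0
Copy range        : 0
Queue length      : 0
Queue max. length : 1024
Queue dropped     : 93
Netlink dropped   : 0'

SAMPLE_IPQ_ATTACHED='Peer PID          : 4321
Copy mode         : 2
Copy range        : 65535
Queue length      : 0
Queue max. length : 1024
Queue dropped     : 0
Netlink dropped   : 0'

# ipq_field FIELD TEXT -> numeric value of FIELD in an ip_queue snapshot.
ipq_field() {
    printf '%s\n' "$2" |
        awk -F': *' -v key="$1" 'index($1, key) == 1 { gsub(/ /, "", $2); print $2; exit }'
}

# ipq_diagnose TEXT -> NO_LISTENER | QUEUE_DROPS | OK | UNPARSEABLE
#   NO_LISTENER: Peer PID is 0, so no process (e.g. Snort) has attached to
#                ip_queue and the kernel discards everything sent to QUEUE.
#   QUEUE_DROPS: a listener is attached but the queue has dropped packets
#                (queue full, or verdicts not coming back).
ipq_diagnose() {
    local pid dropped
    pid=$(ipq_field "Peer PID" "$1")
    dropped=$(ipq_field "Queue dropped" "$1")
    if [ -z "$pid" ] || [ -z "$dropped" ]; then
        echo UNPARSEABLE
        return 1
    fi
    if [ "$pid" -eq 0 ]; then
        echo NO_LISTENER
    elif [ "$dropped" -gt 0 ]; then
        echo QUEUE_DROPS
    else
        echo OK
    fi
}

# snort_rule ACTION -> one ICMP rule with the given action (alert or drop).
# "alert" logs and, in inline mode, still passes the packet; "drop" logs and
# discards it. SIDs 1000001/1000002 are this example's own choices.
snort_rule() {
    case "$1" in
        alert) printf 'alert icmp any any -> any any (msg:"ICMP SEEN"; sid:1000001; rev:1;)\n' ;;
        drop)  printf 'drop icmp any any -> any any (msg:"ICMP DROPPED"; sid:1000002; rev:1;)\n' ;;
        *)     echo "usage: snort_rule alert|drop" >&2; return 1 ;;
    esac
}

# queue_cmds -> iptables commands that hand ICMP in both directions to
# ip_queue. Queueing only OUTPUT (as in the thread) gives Snort the echo
# replies the host sends but never the incoming requests on INPUT.
queue_cmds() {
    printf 'iptables -A INPUT  -p icmp -j QUEUE\n'
    printf 'iptables -A OUTPUT -p icmp -j QUEUE\n'
}

# Stand-alone run: diagnose the live queue if this host has one, otherwise
# the constructed sample, then print the test rule pair and iptables lines.
if [ -r /proc/net/ip_queue ]; then
    echo "live ip_queue: $(ipq_diagnose "$(cat /proc/net/ip_queue)")"
else
    echo "no ip_queue here; sample with no listener: $(ipq_diagnose "$SAMPLE_IPQ_NO_PEER")"
fi
snort_rule alert
snort_rule drop
queue_cmds
```

To use it on the Snort host, start the pings, then run the script once with Snort stopped and once with Snort running with -Q: NO_LISTENER with Snort running means Snort is not the process reading the queue, and a ping that fails while ipq_diagnose reports OK with only the alert rule loaded points at the Snort side.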