[Snort-users] snort inline mode is not working with iptables

Will Metcalf william.metcalf at ...11827...
Fri Aug 6 15:55:28 EDT 2010


Ahh ok... Thanks for the clarification Russ.

Regards,

Will

On Fri, Aug 6, 2010 at 2:51 PM, Russ Combs <rcombs at ...1935...> wrote:
>
>
> On Fri, Aug 6, 2010 at 3:36 PM, Will Metcalf <william.metcalf at ...11827...>
> wrote:
>>
>> Yes I understand... Not sure if it matters but did you remove the "-i
>> eth1" from the command line?  Not sure how this is handled now in
>> snort, if this is valid for use with -Q or if it is just using one
>> runmode over the other.
>
> The -i is parsed but not used to control the mode in this case.  So it is
> running inline.
>>
>> Regards,
>>
>> Will
>>
>> On Fri, Aug 6, 2010 at 2:27 PM, netchild ccie <netchildccie at ...125...>
>> wrote:
>> > Hi William,
>> > I have the traffic on that interface IN/OUT, and even with both chains
>> > IN/OUT jumping to QUEUE it didn't work.
>> > The behavior I'm getting is that all the traffic for the rule -j QUEUE
>> > is being dropped, as if the packets are not being handled by snort
>> > (default behavior for -j QUEUE if no application is handling the traffic).
>> > Regards,
>> > Wael
>> >> Date: Fri, 6 Aug 2010 14:03:30 -0500
>> >> Subject: Re: [Snort-users] snort inline mode is not working with
>> >> iptables
>> >> From: william.metcalf at ...11827...
>> >> To: netchildccie at ...125...
>> >> CC: snort-users at lists.sourceforge.net; hat_gh at ...131...
>> >>
>> >> Lose the -i eth1... Also, for TCP traffic in/out of the local IP stack,
>> >> you need to make sure that snort sees both sides of the conversation,
>> >> i.e.
>> >>
>> >> iptables -I INPUT -p tcp --sport 80 -j QUEUE
>> >> iptables -I OUTPUT -p tcp --dport 80 -j QUEUE
>> >>
>> >> Regards,
>> >>
>> >> Will
>> >> On Fri, Aug 6, 2010 at 1:41 PM, netchild ccie
>> >> <netchildccie at ...125...>
>> >> wrote:
>> >> > Dear list,
>> >> > I am a new user to Snort and this is my first experience with it.
>> >> > My issue is that it seems snort does not communicate correctly with
>> >> > iptables. I have a Linux machine running SNORT 2.8.6, connected to a LAN
>> >> > with another Linux machine. I am using the other machine to ping the
>> >> > snort server. Every time I run snort without iptables, the ping is
>> >> > working, and once I use iptables and then launch snort, the ping stops
>> >> > and I receive alert messages!!!! I cannot understand why snort drops the
>> >> > packets?!
>> >> >
>> >> > I'll try to summarize my issue in points
>> >> > 1. I've built a Linux machine with CentOS 4.8
>> >> > 2. I've downloaded snort 2.8.6 from the snort website
>> >> > 3. I've compiled the package after I successfully installed libipq and
>> >> > libnet 1.0.2a. I used the following commands
>> >> > ./configure --enable-inline
>> >> > make
>> >> > make install
>> >> > 4. I've built a simple rule under /etc/snort/rules as below and named it
>> >> > "local.rule"
>> >> > alert icmp any any <> any any (msg: "ICMP DROPPED"; sid: 1000001;)
>> >> > 5. I loaded the ip_queue module and verified it as below
>> >> > [root at ...14955... rules]# modprobe ip_queue
>> >> > [root at ...14955... rules]# lsmod | grep queue
>> >> > ip_queue               44777  0
>> >> > 5. I launched iptables before I started snort as below and verified it
>> >> > iptables -A OUTPUT -p icmp -j QUEUE
>> >> > [root at ...14955... rules]# iptables -L
>> >> > Chain INPUT (policy ACCEPT)
>> >> > target     prot opt source               destination
>> >> > Chain FORWARD (policy ACCEPT)
>> >> > target     prot opt source               destination
>> >> > Chain OUTPUT (policy ACCEPT)
>> >> > target     prot opt source               destination
>> >> > QUEUE      icmp --  anywhere             anywhere
>> >> > 6. I've run snort as below
>> >> > [root at ...14955... rules]# snort -k none -c /etc/snort/snort.conf.wael -l /var/log/snort/wael -Q -i eth1
>> >> > Enabling inline operation
>> >> > Running in IDS mode
>> >> >         --== Initializing Snort ==--
>> >> > Initializing Output Plugins!
>> >> > Initializing Preprocessors!
>> >> > Initializing Plug-ins!
>> >> > Parsing Rules file "/etc/snort/snort.conf.wael"
>> >> > PortVar 'HTTP_PORTS' defined :  [ 80 2301 3128 7777 7779 8000 8008 8028 8080 8180 8888 9999 ]
>> >> > PortVar 'SHELLCODE_PORTS' defined :  [ 0:79 81:65535 ]
>> >> > PortVar 'ORACLE_PORTS' defined :  [ 1521 ]
>> >> > .
>> >> > .
>> >> > .
>> >> >         --== Initialization Complete ==--
>> >> >    ,,_     -*> Snort! <*-
>> >> >   o"  )~   Version 2.8.6.1 (Build 39)
>> >> >    ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
>> >> >            Copyright (C) 1998-2010 Sourcefire, Inc., et al.
>> >> >            Using PCRE version: 6.6 06-Feb-2006
>> >> >            Rules Engine: SF_SNORT_DETECTION_ENGINE  Version 1.12  <Build 18>
>> >> > 7. Verify through the log
>> >> > Aug  6 21:38:45 xen1 snort: [1:1000001:0] ICMP DROPPED {ICMP} 10.6.211.155 -> 10.6.211.53
>> >> > Aug  6 21:39:16 xen1 last message repeated 31 times
>> >> > Aug  6 21:40:17 xen1 last message repeated 61 times
>> >> >
>> >> > 8. Verify the ping from the ping screen
>> >> > [root at ...14956... ~]# ping 10.6.211.53
>> >> > PING 10.6.211.53 (10.6.211.53) 56(84) bytes of data.
>> >> > <nothing>
>> >> >
>> >> > What have I missed?!
>> >> > Regards,
>> >> > Wael
>> >> >
>> >> >
>> >> > ------------------------------------------------------------------------------
>> >> > This SF.net email is sponsored by
>> >> >
>> >> > Make an app they can't live without
>> >> > Enter the BlackBerry Developer Challenge
>> >> > http://p.sf.net/sfu/RIM-dev2dev
>> >> > _______________________________________________
>> >> > Snort-users mailing list
>> >> > Snort-users at lists.sourceforge.net
>> >> > Go to this URL to change user options or unsubscribe:
>> >> > https://lists.sourceforge.net/lists/listinfo/snort-users
>> >> > Snort-users list archive:
>> >> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
>> >> >
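As an added example (not code from the thread or from the Snort project), a small POSIX shell script that reads an `iptables -L` listing like the one Wael posted and reports whether QUEUE rules exist in only one of INPUT/OUTPUT, plus a helper that prints the symmetric rule pair Will suggested; both listings are constructed samples.

```shell
#!/bin/sh
# Added example, not code from the thread. Inspects an `iptables -L` listing
# for QUEUE rules per chain: the symptom above (packets dropped while alerts
# still log) points at QUEUE rules that cover only one direction of the
# conversation, or that have no userspace handler such as `snort -Q` attached.

# Constructed sample, mirroring the OUTPUT-only listing in the report.
SAMPLE_ONE_SIDED='Chain INPUT (policy ACCEPT)
target     prot opt source               destination
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
QUEUE      icmp --  anywhere             anywhere'

# Constructed sample after adding the matching INPUT rule.
SAMPLE_BOTH='Chain INPUT (policy ACCEPT)
target     prot opt source               destination
QUEUE      icmp --  anywhere             anywhere
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
QUEUE      icmp --  anywhere             anywhere'

# Print, one per line, the chains that contain at least one QUEUE rule.
queue_chains() {
    printf '%s\n' "$1" | awk '
        /^Chain / { chain = $2; next }
        $1 == "QUEUE" && !seen[chain]++ { print chain }'
}

# Return 0 only when both INPUT and OUTPUT queue to userspace.
queue_symmetric() {
    _in=0; _out=0
    for c in $(queue_chains "$1"); do
        [ "$c" = INPUT ] && _in=1
        [ "$c" = OUTPUT ] && _out=1
    done
    [ "$_in" = 1 ] && [ "$_out" = 1 ]
}

# Emit the rule pair from Will's reply for a TCP service port, so both
# halves of each local TCP conversation reach the queue.
queue_pair_rules() {
    printf 'iptables -I INPUT -p tcp --sport %s -j QUEUE\n' "$1"
    printf 'iptables -I OUTPUT -p tcp --dport %s -j QUEUE\n' "$1"
}
```

Run `queue_symmetric "$(iptables -L)"` on the box to check a live rule set; a one-sided result reproduces the thread's failure mode.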