[Snort-users] snort inline mode is not working with iptables

netchild ccie netchildccie at ...125...
Fri Aug 6 15:55:39 EDT 2010


Can't blame you, it fooled me before you =(
The file is attached.
Regards,
Wael

> Date: Fri, 6 Aug 2010 15:48:05 -0400
> Subject: Re: [Snort-users] snort inline mode is not working with iptables
> From: ryan.jordan at ...1935...
> To: william.metcalf at ...11827...
> CC: netchildccie at ...125...; snort-users at lists.sourceforge.net; hat_gh at ...979...131...
> 
> Ah, sorry, I was thrown off by the "ICMP DROPPED" in big letters. My
> eyes are easily drawn.
> 
> netchild, would you mind posting a copy of snort.conf.wael?
> 
> -Ryan
> 
> On Fri, Aug 6, 2010 at 3:07 PM, Will Metcalf <william.metcalf at ...11827...> wrote:
> > it was an alert rule....
> >
> > alert icmp any any <> any any (msg: "ICMP DROPPED"; sid: 1000001;)
> >
> > Regards,
> >
> > Will
> > On Fri, Aug 6, 2010 at 1:58 PM, Ryan Jordan <ryan.jordan at ...1935...> wrote:
> >> Congratulations! Everything is working as expected. Pings are ICMP
> >> packets, and judging from your alert file you have successfully
> >> dropped them.
> >>
> >> -Ryan
> >>
> >> On Fri, Aug 6, 2010 at 2:41 PM, netchild ccie <netchildccie at ...125...> wrote:
> >>> Dear list,
> >>> I am a new user to Snort and this is my first experience with it.
> >>> My issue is that it seems Snort does not communicate correctly with
> >>> iptables. I have a Linux machine running SNORT 2.8.6, connected to a LAN with
> >>> another Linux machine. I am using the other machine to ping the Snort
> >>> server. Every time I run Snort without iptables, the ping works,
> >>> and once I use iptables and then launch Snort, the ping stops and
> >>> I receive alert messages!!!! I cannot understand why Snort drops the
> >>> packets?!
> >>>
> >>> I'll try to summarize my issue in points:
> >>> 1. I've built linux machine with CentOS 4.8
> >>> 2. I've downloaded snort 2.8.6 from snort website
> >>> 3. I've compiled the package after I installed successfully libipq and
> >>> libnet 1.0.2a. I used the following commands
> >>> ./configure --enable-inline
> >>> make
> >>> make install
> >>> 4. I've built a simple rule under /etc/snort/rules as below and named it
> >>> "local.rule"
> >>> alert icmp any any <> any any (msg: "ICMP DROPPED"; sid: 1000001;)
> >>> 5. I loaded the ip_queue module and verified it as below
> >>> [root at ...14955... rules]# modprobe ip_queue
> >>> [root at ...14955... rules]# lsmod | grep queue
> >>> ip_queue               44777  0
> >>> 5. I launched iptables before I started Snort as below and verified it
> >>> iptables -A OUTPUT -p icmp -j QUEUE
> >>> [root at ...14955... rules]# iptables -L
> >>> Chain INPUT (policy ACCEPT)
> >>> target     prot opt source               destination
> >>> Chain FORWARD (policy ACCEPT)
> >>> target     prot opt source               destination
> >>> Chain OUTPUT (policy ACCEPT)
> >>> target     prot opt source               destination
> >>> QUEUE      icmp --  anywhere             anywhere
> >>> 6. I've run Snort as below
> >>> [root at ...14955... rules]# snort -k none -c /etc/snort/snort.conf.wael -l
> >>> /var/log/snort/wael -Q -i eth1
> >>> Enabling inline operation
> >>> Running in IDS mode
> >>>         --== Initializing Snort ==--
> >>> Initializing Output Plugins!
> >>> Initializing Preprocessors!
> >>> Initializing Plug-ins!
> >>> Parsing Rules file "/etc/snort/snort.conf.wael"
> >>> PortVar 'HTTP_PORTS' defined :  [ 80 2301 3128 7777 7779 8000 8008 8028 8080
> >>> 8180 8888 9999 ]
> >>> PortVar 'SHELLCODE_PORTS' defined :  [ 0:79 81:65535 ]
> >>> PortVar 'ORACLE_PORTS' defined :  [ 1521 ]
> >>> .
> >>> .
> >>> .
> >>>         --== Initialization Complete ==--
> >>>    ,,_     -*> Snort! <*-
> >>>   o"  )~   Version 2.8.6.1 (Build 39)
> >>>    ''''    By Martin Roesch & The Snort Team:
> >>> http://www.snort.org/snort/snort-team
> >>>            Copyright (C) 1998-2010 Sourcefire, Inc., et al.
> >>>            Using PCRE version: 6.6 06-Feb-2006
> >>>            Rules Engine: SF_SNORT_DETECTION_ENGINE  Version 1.12  <Build 18>
> >>> 7. Verified through the log
> >>> Aug  6 21:38:45 xen1 snort: [1:1000001:0] ICMP DROPPED {ICMP} 10.6.211.155
> >>> -> 10.6.211.53
> >>> Aug  6 21:39:16 xen1 last message repeated 31 times
> >>> Aug  6 21:40:17 xen1 last message repeated 61 times
> >>>
> >>> 8. Verified the ping from the ping's screen
> >>> [root at ...14956... ~]# ping 10.6.211.53
> >>> PING 10.6.211.53 (10.6.211.53) 56(84) bytes of data.
> >>> <nothing>
> >>>
> >>> What have I missed?!
> >>> Regards,
> >>> Wael,
> >>> ------------------------------------------------------------------------------
> >>> This SF.net email is sponsored by
> >>>
> >>> Make an app they can't live without
> >>> Enter the BlackBerry Developer Challenge
> >>> http://p.sf.net/sfu/RIM-dev2dev
> >>> _______________________________________________
> >>> Snort-users mailing list
> >>> Snort-users at lists.sourceforge.net
> >>> Go to this URL to change user options or unsubscribe:
> >>> https://lists.sourceforge.net/lists/listinfo/snort-users
> >>> Snort-users list archive:
> >>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >>>
> >>
> >
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20100806/097b88b0/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: snort.conf.wael.rtf
Type: text/rtf
Size: 14893 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20100806/097b88b0/attachment.bin>
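The thread turns on one detail that Will Metcalf points out: the rule that fired is an `alert` rule whose message merely says "ICMP DROPPED". The following is an added example, not code from the thread or from the Snort project: a small parser for single-line Snort 2.x rules that extracts the header and options, reports whether a rule's action would actually discard a matching packet when Snort runs inline (`-Q`, packets delivered via ip_queue; only `drop`, `sdrop` and `reject` do, `alert` only logs), flags the message/action mismatch, and rewrites the action. The sample rule is the one posted above; the second sample rule and the function names are constructed for illustration. It does not explain why pings stopped in the original setup, which the thread leaves open.

```python
"""
Added example (not part of the mailing-list thread or of Snort itself):
parse single-line Snort 2.x rules and reason about their inline verdict.

Assumption stated in the lead-in: in Snort 2.8 inline mode only the
actions "drop", "sdrop" and "reject" cause the packet to be discarded;
"alert" writes an alert and lets the packet through.
"""
import re

# Rule header: action proto src_ip src_port direction dst_ip dst_port (options)
_RULE_RE = re.compile(
    r"""^\s*
        (?P<action>alert|log|pass|activate|dynamic|drop|sdrop|reject)\s+
        (?P<proto>\w+)\s+
        (?P<src>\S+)\s+(?P<sport>\S+)\s+
        (?P<dir>->|<>)\s+
        (?P<dst>\S+)\s+(?P<dport>\S+)\s*
        \((?P<opts>.*)\)\s*$""",
    re.VERBOSE,
)

# Actions that return a DROP verdict to ip_queue/NFQUEUE in inline mode.
INLINE_DROP_ACTIONS = {"drop", "sdrop", "reject"}

# The rule posted in the thread (copied verbatim from the message above).
WAEL_RULE = 'alert icmp any any <> any any (msg: "ICMP DROPPED"; sid: 1000001;)'


def _split_options(opts):
    """Split the option body on ';' while honouring double-quoted values.

    Snort allows ';' inside a quoted msg/content value, so a plain
    str.split(';') would corrupt those; backslash-escaped quotes are not
    handled here (kept simple on purpose)."""
    items, cur, in_quote = [], [], False
    for ch in opts:
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            items.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    if "".join(cur).strip():
        items.append("".join(cur))
    return items


def parse_rule(text):
    """Return a dict with the header fields and an 'options' dict for one rule."""
    m = _RULE_RE.match(text)
    if not m:
        raise ValueError("not a single-line Snort rule: %r" % text)
    rule = m.groupdict()
    options = {}
    for item in _split_options(rule.pop("opts")):
        item = item.strip()
        if not item:
            continue
        key, _, value = item.partition(":")  # options without a value (nocase;) give ''
        options[key.strip()] = value.strip().strip('"')
    rule["options"] = options
    return rule


def drops_in_inline_mode(rule):
    """True if a packet matching this rule is discarded by Snort running inline."""
    return rule["action"] in INLINE_DROP_ACTIONS


def misleading_msg(rule):
    """True when the msg text claims a drop but the action cannot produce one."""
    msg = rule["options"].get("msg", "").lower()
    return "drop" in msg and not drops_in_inline_mode(rule)


def with_action(text, action):
    """Return the same rule text with only the action keyword replaced."""
    m = _RULE_RE.match(text)
    if not m:
        raise ValueError("not a single-line Snort rule: %r" % text)
    return text[: m.start("action")] + action + text[m.end("action"):]


if __name__ == "__main__":
    for rule_text in (WAEL_RULE, with_action(WAEL_RULE, "drop")):
        r = parse_rule(rule_text)
        print("%-6s sid=%s msg=%r inline_drop=%s misleading=%s" % (
            r["action"], r["options"].get("sid"), r["options"].get("msg"),
            drops_in_inline_mode(r), misleading_msg(r)))
```

Running the block prints the posted rule as `alert ... inline_drop=False misleading=True` and its `drop` counterpart as `inline_drop=True misleading=False`; the message text alone says nothing about what Snort does with the packet, which is exactly the confusion the reply above admits to.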

