[Snort-users] snort inline mode is not working with iptables

Jason Brvenik jasonb at ...1935...
Sat Aug 7 14:32:08 EDT 2010


I would suggest a ground up approach.

Ping without the iptables -j QUEUE targets; if that works,

add -j QUEUE for one target (INPUT), running snort with _NO_ rules; if
that works,

add the alert rule to snort; if that works,

change the rule to drop; if that works (the packet does not pass),

call it fixed.



On Sat, Aug 7, 2010 at 12:39 PM, Wael <netchildccie at ...125...> wrote:
> Hello everyone,
>
> Any clues or hints to help me? I rebuilt the same setup on another linux
> server without much luck. I've got the same exact result.
>
> Please note that I am using two machines to test snort functionality
> before putting it in production. One linux server has snort on it, and the
> second is just there to run the ping command against the snort server.
>
> Regards,
> Wael,
>
> On 8/6/10 10:55 PM, "Will Metcalf" <william.metcalf at ...11827...> wrote:
>
>>Ahh ok... Thanks for the clarification Russ.
>>
>>Regards,
>>
>>Will
>>
>>On Fri, Aug 6, 2010 at 2:51 PM, Russ Combs <rcombs at ...1935...> wrote:
>>>
>>>
>>> On Fri, Aug 6, 2010 at 3:36 PM, Will Metcalf <william.metcalf at ...14459.....>
>>> wrote:
>>>>
>>>> Yes I understand... Not sure if it matters but did you remove the "-i
>>>> eth1" from the command line?  Not sure how this is handled now in
>>>> snort, if this is valid for use with -Q or if it is just using one
>>>> runmode over the other.
>>>
>>> The -i is parsed but not used to control the mode in this case.  So it
>>> is running inline.
>>>>
>>>> Regards,
>>>>
>>>> Will
>>>>
>>>> On Fri, Aug 6, 2010 at 2:27 PM, netchild ccie
>>>><netchildccie at ...125...>
>>>> wrote:
>>>> > Hi William,
>>>> > I have the traffic on that interface IN/OUT, and even with both chains
>>>> > IN/OUT jumping to QUEUE it didn't work.
>>>> > The behavior I'm getting is that all the traffic for the rule -j QUEUE
>>>> > is being dropped as if the packets are not being handled by snort
>>>> > (default behavior for -j QUEUE if no application is handling the traffic).
>>>> > Regards,
>>>> > Wael
>>>> >> Date: Fri, 6 Aug 2010 14:03:30 -0500
>>>> >> Subject: Re: [Snort-users] snort inline mode is not working with
>>>> >> iptables
>>>> >> From: william.metcalf at ...11827...
>>>> >> To: netchildccie at ...125...
>>>> >> CC: snort-users at lists.sourceforge.net; hat_gh at ...131...
>>>> >>
>>>> >> lose the -i eth1... Also for traffic in/out of the local ip stack, for
>>>> >> tcp traffic you need to make sure that snort sees both sides of the
>>>> >> conversation. i.e.
>>>> >>
>>>> >> iptables -I INPUT -p tcp --sport 80 -j QUEUE
>>>> >> iptables -I OUTPUT -p tcp --dport 80 -j QUEUE
>>>> >>
>>>> >> Regards,
>>>> >>
>>>> >> Will
>>>> >> On Fri, Aug 6, 2010 at 1:41 PM, netchild ccie
>>>> >> <netchildccie at ...125...>
>>>> >> wrote:
>>>> >> > Dear list,
>>>> >> > I am a new user to Snort and this is my first experience with it.
>>>> >> > My issue is that it seems snort does not communicate correctly with
>>>> >> > iptables. I have a linux machine running SNORT 2.8.6 and connected to
>>>> >> > a LAN with another linux machine. I am using the other machine to ping
>>>> >> > the snort server. Every time I run snort without iptables, the ping
>>>> >> > works, and once I use iptables and then launch snort, the ping stops
>>>> >> > and I receive alert messages!!!! I can not understand why snort drops
>>>> >> > the packets?!
>>>> >> >
>>>> >> > I'll try to summarize my issue in points:
>>>> >> > 1. I've built a linux machine with CentOS 4.8
>>>> >> > 2. I've downloaded snort 2.8.6 from the snort website
>>>> >> > 3. I've compiled the package after I successfully installed libipq
>>>> >> > and libnet 1.0.2a. I used the following commands:
>>>> >> > ./configure --enable-inline
>>>> >> > make
>>>> >> > make install
>>>> >> > 4. I've built a simple rule under /etc/snort/rules as below and
>>>> >> > named it "local.rule"
>>>> >> > alert icmp any any <> any any (msg: "ICMP DROPPED"; sid: 1000001;)
>>>> >> > 5. I loaded the ip_queue module and verified it as below
>>>> >> > [root at ...14955... rules]# modprobe ip_queue
>>>> >> > [root at ...14955... rules]# lsmod | grep queue
>>>> >> > ip_queue               44777  0
>>>> >> > 5. I launched iptables before I started snort as below and verified it
>>>> >> > iptables -A OUTPUT -p icmp -j QUEUE
>>>> >> > [root at ...14955... rules]# iptables -L
>>>> >> > Chain INPUT (policy ACCEPT)
>>>> >> > target     prot opt source               destination
>>>> >> > Chain FORWARD (policy ACCEPT)
>>>> >> > target     prot opt source               destination
>>>> >> > Chain OUTPUT (policy ACCEPT)
>>>> >> > target     prot opt source               destination
>>>> >> > QUEUE      icmp --  anywhere             anywhere
>>>> >> > 6. I've run snort as below
>>>> >> > [root at ...14955... rules]# snort -k none -c /etc/snort/snort.conf.wael -l
>>>> >> > /var/log/snort/wael -Q -i eth1
>>>> >> > Enabling inline operation
>>>> >> > Running in IDS mode
>>>> >> >         --== Initializing Snort ==--
>>>> >> > Initializing Output Plugins!
>>>> >> > Initializing Preprocessors!
>>>> >> > Initializing Plug-ins!
>>>> >> > Parsing Rules file "/etc/snort/snort.conf.wael"
>>>> >> > PortVar 'HTTP_PORTS' defined :  [ 80 2301 3128 7777 7779 8000 8008
>>>> >> > 8028
>>>> >> > 8080
>>>> >> > 8180 8888 9999 ]
>>>> >> > PortVar 'SHELLCODE_PORTS' defined :  [ 0:79 81:65535 ]
>>>> >> > PortVar 'ORACLE_PORTS' defined :  [ 1521 ]
>>>> >> > .
>>>> >> > .
>>>> >> > .
>>>> >> >         --== Initialization Complete ==--
>>>> >> >    ,,_     -*> Snort! <*-
>>>> >> >   o"  )~   Version 2.8.6.1 (Build 39)
>>>> >> >    ''''    By Martin Roesch & The Snort Team:
>>>> >> > http://www.snort.org/snort/snort-team
>>>> >> >            Copyright (C) 1998-2010 Sourcefire, Inc., et al.
>>>> >> >            Using PCRE version: 6.6 06-Feb-2006
>>>> >> >            Rules Engine: SF_SNORT_DETECTION_ENGINE  Version 1.12
>>>> >> >  <Build
>>>> >> > 18>
>>>> >> > 7. Verify through the log
>>>> >> > Aug  6 21:38:45 xen1 snort: [1:1000001:0] ICMP DROPPED {ICMP}
>>>> >> > 10.6.211.155
>>>> >> > -> 10.6.211.53
>>>> >> > Aug  6 21:39:16 xen1 last message repeated 31 times
>>>> >> > Aug  6 21:40:17 xen1 last message repeated 61 times
>>>> >> >
>>>> >> > 8. verify the ping from the ping's screen
>>>> >> > [root at ...14956... ~]# ping 10.6.211.53
>>>> >> > PING 10.6.211.53 (10.6.211.53) 56(84) bytes of data.
>>>> >> > <nothing>
>>>> >> >
>>>> >> > What have I missed?!
>>>> >> > Regards,
>>>> >> > Wael,
>>>> >> >
>>>> >> >
>>>> >> >
>>>>------------------------------------------------------------------------
>>>>------
>>>> >> > This SF.net email is sponsored by
>>>> >> >
>>>> >> > Make an app they can't live without
>>>> >> > Enter the BlackBerry Developer Challenge
>>>> >> > http://p.sf.net/sfu/RIM-dev2dev
>>>> >> > _______________________________________________
>>>> >> > Snort-users mailing list
>>>> >> > Snort-users at lists.sourceforge.net
>>>> >> > Go to this URL to change user options or unsubscribe:
>>>> >> > https://lists.sourceforge.net/lists/listinfo/snort-users
>>>> >> > Snort-users list archive:
>>>> >> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>>> >> >
>>>> >
>>>>
>>>>
>>>>
>>>
>>>
>>
>
>
>
>



-- 
Regards,

Jason.
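Jason's ground-up ladder as a small checker, added here as an example that is not part of the thread: it parses constructed copies of the `iptables -L` listing, the local.rule line and the syslog alerts Wael posted, and reports the first step whose outcome contradicts the rule action (no rule or an alert rule must let the pings through; a drop rule must stop them). The reply count is assumed to be read off the ping screen by hand.

```python
import re
# Constructed inputs modelled on the outputs quoted in the thread.
IPTABLES = """Chain INPUT (policy ACCEPT)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
QUEUE      icmp --  anywhere             anywhere
"""
RULE = 'alert icmp any any <> any any (msg: "ICMP DROPPED"; sid: 1000001;)'
SYSLOG = [
    "Aug  6 21:38:45 xen1 snort: [1:1000001:0] ICMP DROPPED {ICMP} 10.6.211.155 -> 10.6.211.53",
    "Aug  6 21:39:16 xen1 last message repeated 31 times",
    "Aug  6 21:40:17 xen1 last message repeated 61 times",
]
ALERT_RE = re.compile(r"snort: \[\d+:\d+:\d+\] .+? \{\w+\} \S+ -> \S+")
REPEAT_RE = re.compile(r"last message repeated (\d+) times")

def queue_chains(iptables_listing):
    """Map chain -> [(proto, src, dst)] for rules whose target is QUEUE."""
    chains, current = {}, None
    for line in iptables_listing.splitlines():
        m = re.match(r"Chain (\S+) \(policy \w+\)", line)
        if m:
            current, chains[m.group(1)] = m.group(1), []
            continue
        p = line.split()  # e.g. QUEUE icmp -- anywhere anywhere
        if current and len(p) >= 5 and p[0] == "QUEUE":
            chains[current].append((p[1], p[3], p[4]))
    return chains

def count_alerts(syslog_lines):
    """Total Snort alerts, folding syslog's 'last message repeated N times'."""
    total = 0
    for line in syslog_lines:
        if ALERT_RE.search(line):
            total += 1
        elif total and (r := REPEAT_RE.search(line)):
            total += int(r.group(1))
    return total

def diagnose(iptables_listing, rule_text, syslog_lines, replies):
    """Walk the ladder; return 'ok' or the first step whose outcome is wrong."""
    queued = sorted(c for c, r in queue_chains(iptables_listing).items() if r)
    if not queued:  # step 1: nothing queued, so ping must work
        return "ok" if replies else "step 1: no QUEUE target yet ping fails"
    action = rule_text.split()[0] if rule_text.strip() else "none"
    fired = count_alerts(syslog_lines)
    if action != "drop" and replies == 0:  # steps 2/3: packets must still pass
        return f"step {3 if action == 'alert' else 2}: {fired} alerts, 0 replies, QUEUE on {queued}: queued packets are not released"
    return "step 4: drop rule loaded but replies still arrive" if action == "drop" and replies else "ok"
```

Run against Wael's posted outputs it stops at step 3: the alert-only rule fired 93 times while the ping screen stayed empty, which is exactly the symptom Jason's ladder is meant to isolate one change at a time.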



