[Snort-users] snort inline mode is not working with iptables

Wael netchildccie at ...125...
Sat Aug 7 17:21:21 EDT 2010


Hello Jason, 

If I do not use iptables -j QUEUE, the ping works.

How can I run snort with _NO_ rules?!

Regards,
Wael,

On 8/7/10 9:32 PM, "Jason Brvenik" <jasonb at ...1935...> wrote:

>I would suggest a ground up approach.
>
>Ping without the iptables -j QUEUE targets, if that works
>
>Add -j QUEUE for one target (INPUT), running snort with _NO_ rules, if
>that works
>
>Add the alert rule to snort, if that works
>
>change the rule to drop, if that works (The packet does not pass)
>
>call it fixed.
>
>
>
>On Sat, Aug 7, 2010 at 12:39 PM, Wael <netchildccie at ...125...> wrote:
>> Hello everyone,
>>
>> Any clues or hints to help me? I rebuilt the same setup on another linux
>> server without much luck. I've got the exact same result.
>>
>> Please note that I am using two machines to test snort functionality
>> before putting it in production. One linux server has snort on it, and the
>> second is just there to run the ping command against the snort server.
>>
>> Regards,
>> Wael,
>>
>> On 8/6/10 10:55 PM, "Will Metcalf" <william.metcalf at ...11827...> wrote:
>>
>>>Ahh ok... Thanks for the clarification Russ.
>>>
>>>Regards,
>>>
>>>Will
>>>
>>>On Fri, Aug 6, 2010 at 2:51 PM, Russ Combs <rcombs at ...1935...>
>>>wrote:
>>>>
>>>>
>>>> On Fri, Aug 6, 2010 at 3:36 PM, Will Metcalf
>>>><william.metcalf at ...11827...>
>>>> wrote:
>>>>>
>>>>> Yes I understand... Not sure if it matters but did you remove the "-i
>>>>> eth1" from the command line?  Not sure how this is handled now in
>>>>> snort, if this is valid for use with -Q or if it is just using one
>>>>> runmode over the other.
>>>>
>>>> The -i is parsed but not used to control the mode in this case.  So it
>>>> is running inline.
>>>>>
>>>>> Regards,
>>>>>
>>>>> Will
>>>>>
>>>>> On Fri, Aug 6, 2010 at 2:27 PM, netchild ccie
>>>>><netchildccie at ...125...>
>>>>> wrote:
>>>>> > Hi William,
>>>>> > I have the traffic on that interface IN/OUT, and even with both chains
>>>>> > IN/OUT jumping to QUEUE it didn't work.
>>>>> > The behavior I'm getting is that all the traffic for the rule -j QUEUE
>>>>> > is being dropped, as if the packets are not being handled by snort
>>>>> > (default behavior for -j QUEUE if no application is handling the traffic).
>>>>> > Regards,
>>>>> > Wael
>>>>> >> Date: Fri, 6 Aug 2010 14:03:30 -0500
>>>>> >> Subject: Re: [Snort-users] snort inline mode is not working with
>>>>> >> iptables
>>>>> >> From: william.metcalf at ...11827...
>>>>> >> To: netchildccie at ...125...
>>>>> >> CC: snort-users at lists.sourceforge.net; hat_gh at ...131...
>>>>> >>
>>>>> >> lose the -i eth1... Also for traffic in/out of the local ip stack for
>>>>> >> tcp traffic you need to make sure that snort sees both sides of the
>>>>> >> conversation. i.e.
>>>>> >>
>>>>> >> iptables -I INPUT -p tcp --sport 80 -j QUEUE
>>>>> >> iptables -I OUTPUT -p tcp --dport 80 -j QUEUE
>>>>> >>
>>>>> >> Regards,
>>>>> >>
>>>>> >> Will
>>>>> >> On Fri, Aug 6, 2010 at 1:41 PM, netchild ccie
>>>>> >> <netchildccie at ...125...>
>>>>> >> wrote:
>>>>> >> > Dear list,
>>>>> >> > I am a new user of Snort and this is my first experience with it.
>>>>> >> > My issue is that it seems snort does not communicate correctly with
>>>>> >> > iptables. I have a linux machine running SNORT 2.8.6 and connected to a
>>>>> >> > LAN with another linux machine. I am using the other machine to ping the
>>>>> >> > snort server. Every time I run snort without iptables, the ping is
>>>>> >> > working, and once I use iptables and then launch snort, the ping stops
>>>>> >> > and I receive alert messages!!!! I can not understand why snort drops the
>>>>> >> > packets?!
>>>>> >> >
>>>>> >> > I'll try to summarize my issue in points
>>>>> >> > 1. I've built a linux machine with CentOS 4.8
>>>>> >> > 2. I've downloaded snort 2.8.6 from the snort website
>>>>> >> > 3. I've compiled the package after I successfully installed libipq and
>>>>> >> > libnet 1.0.2a. I used the following commands
>>>>> >> > ./configure --enable-inline
>>>>> >> > make
>>>>> >> > make install
>>>>> >> > 4. I've built a simple rule under /etc/snort/rules as below and named it
>>>>> >> > "local.rule"
>>>>> >> > alert icmp any any <> any any (msg: "ICMP DROPPED"; sid: 1000001;)
>>>>> >> > 5. I loaded the ip_queue module and verified it as below
>>>>> >> > [root at ...14955... rules]# modprobe ip_queue
>>>>> >> > [root at ...14955... rules]# lsmod | grep queue
>>>>> >> > ip_queue               44777  0
>>>>> >> > 5. I launched iptables before I started snort as below and verified it
>>>>> >> > iptables -A OUTPUT -p icmp -j QUEUE
>>>>> >> > [root at ...14955... rules]# iptables -L
>>>>> >> > Chain INPUT (policy ACCEPT)
>>>>> >> > target     prot opt source               destination
>>>>> >> > Chain FORWARD (policy ACCEPT)
>>>>> >> > target     prot opt source               destination
>>>>> >> > Chain OUTPUT (policy ACCEPT)
>>>>> >> > target     prot opt source               destination
>>>>> >> > QUEUE      icmp --  anywhere             anywhere
>>>>> >> > 6. I've run snort as below
>>>>> >> > [root at ...14955... rules]# snort -k none -c /etc/snort/snort.conf.wael -l /var/log/snort/wael -Q -i eth1
>>>>> >> > Enabling inline operation
>>>>> >> > Running in IDS mode
>>>>> >> >         --== Initializing Snort ==--
>>>>> >> > Initializing Output Plugins!
>>>>> >> > Initializing Preprocessors!
>>>>> >> > Initializing Plug-ins!
>>>>> >> > Parsing Rules file "/etc/snort/snort.conf.wael"
>>>>> >> > PortVar 'HTTP_PORTS' defined :  [ 80 2301 3128 7777 7779 8000 8008 8028 8080 8180 8888 9999 ]
>>>>> >> > PortVar 'SHELLCODE_PORTS' defined :  [ 0:79 81:65535 ]
>>>>> >> > PortVar 'ORACLE_PORTS' defined :  [ 1521 ]
>>>>> >> > .
>>>>> >> > .
>>>>> >> > .
>>>>> >> >         --== Initialization Complete ==--
>>>>> >> >    ,,_     -*> Snort! <*-
>>>>> >> >   o"  )~   Version 2.8.6.1 (Build 39)
>>>>> >> >    ''''    By Martin Roesch & The Snort Team:
>>>>> >> > http://www.snort.org/snort/snort-team
>>>>> >> >            Copyright (C) 1998-2010 Sourcefire, Inc., et al.
>>>>> >> >            Using PCRE version: 6.6 06-Feb-2006
>>>>> >> >            Rules Engine: SF_SNORT_DETECTION_ENGINE  Version 1.12  <Build 18>
>>>>> >> > 7. Verify through the log
>>>>> >> > Aug  6 21:38:45 xen1 snort: [1:1000001:0] ICMP DROPPED {ICMP} 10.6.211.155 -> 10.6.211.53
>>>>> >> > Aug  6 21:39:16 xen1 last message repeated 31 times
>>>>> >> > Aug  6 21:40:17 xen1 last message repeated 61 times
>>>>> >> >
>>>>> >> > 8. Verify the ping from the ping's screen
>>>>> >> > [root at ...14956... ~]# ping 10.6.211.53
>>>>> >> > PING 10.6.211.53 (10.6.211.53) 56(84) bytes of data.
>>>>> >> > <nothing>
>>>>> >> >
>>>>> >> > What have I missed?!
>>>>> >> > Regards,
>>>>> >> > Wael,
>>>>> >> >
>>>>> >> >
>>>>> >> >
>>>>> >> > ------------------------------------------------------------------------------
>>>>> >> > This SF.net email is sponsored by
>>>>> >> >
>>>>> >> > Make an app they can't live without
>>>>> >> > Enter the BlackBerry Developer Challenge
>>>>> >> > http://p.sf.net/sfu/RIM-dev2dev
>>>>> >> > _______________________________________________
>>>>> >> > Snort-users mailing list
>>>>> >> > Snort-users at lists.sourceforge.net
>>>>> >> > Go to this URL to change user options or unsubscribe:
>>>>> >> > https://lists.sourceforge.net/lists/listinfo/snort-users
>>>>> >> > Snort-users list archive:
>>>>> >> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>>>> >> >
>>>>> >
>>>>
>>>>
>>>
>>
>>
>>
>
>
>
>-- 
>Regards,
>
>Jason.
>
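As an added example, not code from this thread or from the Snort project: the script below parses the syslog alert lines Wael quoted in step 7 (including syslog's "last message repeated N times" compression) together with the local.rule line from step 4, then reports how many times each sid fired and whether the rule that fired is an alert or a drop rule. That is the check Jason's ground-up plan needs at the "add the alert rule" and "change the rule to drop" stages. The sample input is constructed from the quoted lines; the regexes are assumptions that cover the syslog output format shown here, not every Snort output plugin.

```python
"""Added example: parse Snort syslog alerts (format quoted in step 7) and the
local.rule line (step 4), then report each alerting sid with its rule action."""
import re
from collections import Counter

# Constructed sample input, copied from the thread's step 7 and step 4.
SYSLOG = """\
Aug  6 21:38:45 xen1 snort: [1:1000001:0] ICMP DROPPED {ICMP} 10.6.211.155 -> 10.6.211.53
Aug  6 21:39:16 xen1 last message repeated 31 times
Aug  6 21:40:17 xen1 last message repeated 61 times
"""
RULES = 'alert icmp any any <> any any (msg: "ICMP DROPPED"; sid: 1000001;)\n'

ALERT_RE = re.compile(r'snort: \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] '
                      r'(?P<msg>.+?) \{(?P<proto>\w+)\} (?P<src>\S+) -> (?P<dst>\S+)$')
REPEAT_RE = re.compile(r'last message repeated (?P<n>\d+) times$')
RULE_RE = re.compile(r'^(?P<action>alert|drop|sdrop|reject|pass|log)\s+'
                     r'(?P<proto>\w+)\s.*?\bsid:\s*(?P<sid>\d+)\s*;')

def parse_alerts(text):
    """Count alerts per (sid, src, dst); syslog's 'last message repeated N
    times' lines are credited to the alert that precedes them."""
    counts, last = Counter(), None
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            last = (int(m['sid']), m['src'], m['dst'])
            counts[last] += 1
            continue
        r = REPEAT_RE.search(line)
        if r and last is not None:
            counts[last] += int(r['n'])
    return counts

def rule_actions(text):
    """Map sid -> action for every rule line (non-rule lines are ignored)."""
    actions = {}
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            actions[int(m['sid'])] = m['action']
    return actions

def summarize(syslog, rules):
    """One (sid, src, dst, hits, action) tuple per alerting flow. An 'alert'
    action is not meant to block, so a stalled ping points at the QUEUE path."""
    actions = rule_actions(rules)
    return [(sid, src, dst, n, actions.get(sid, 'unknown'))
            for (sid, src, dst), n in sorted(parse_alerts(syslog).items())]
```

On the quoted log this credits all 93 ICMP hits (1 + 31 + 61) to sid 1000001 and reports its action as alert, confirming the rule itself is not what stops the ping.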