[Snort-users] Unable to run Snort in IPS mode

Sharma, Ashish ashish.sharma3 at ...6440...
Tue Feb 23 02:15:06 EST 2010


Nigel,

No success with your suggested idea.

Attached is my 'local.rules' file.

My uncommented rule is as:
'drop tcp any any -> 16.150.17.4 80 (msg: "Test web activity";sid:1000001;)'

I launch my 'snort' with the following command:

'snort -A console -Q -c /etc/snortIDSMode/snort.conf -i eth1 -l /var/log/snort'

Now whenever I try to access a web page hosted on a web server on the same machine (on which snort is hosted), I get the following kind of console output:

' 02/23-12:28:04.537751  [Drop] [**] [1:1000001:0] Test web activity [**] [Priority: 0] {TCP} 16.213.0.37:5763 -> 16.150.17.4:80
02/23-12:28:04.538713  [Drop] [**] [1:1000001:0] Test web activity [**] [Priority: 0] {TCP} 16.213.0.37:5763 -> 16.150.17.4:80
02/23-12:28:04.935699  [Drop] [**] [1:1000001:0] Test web activity [**] [Priority: 0] {TCP} 16.213.0.37:5763 -> 16.150.17.4:80
02/23-12:28:05.263633  [Drop] [**] [1:1000001:0] Test web activity [**] [Priority: 0] {TCP} 16.213.0.37:5763 -> 16.150.17.4:80'

Here I am able to access my web page from any other foreign machine, but this should not happen with a 'Drop' rule of this kind; I should not be able to access my web page in the first place when snort is running in 'inline' mode.

Moreover, I had to comment out the other 'reject' and 'sdrop' rules since 'snort' fails to identify them (please look at my first message for the console output of this error).

Thanks
Ashish Sharma


-----Original Message-----
From: Nigel Houghton [mailto:nhoughton at ...1935...] 
Sent: Monday, February 22, 2010 9:16 PM
To: Sharma, Ashish
Cc: Snort Users List
Subject: Re: [Snort-users] Unable to run Snort in IPS mode

On Mon, Feb 22, 2010 at 9:22 AM, Sharma, Ashish <ashish.sharma3 at ...6440...> wrote:
> Nigel,
>
> One of my drop rules in 'local.rules' is of following type:
> 'drop icmp any any -> xxx.xxx.xxx.xxx any (msg: "Test ping activity";sid:1000002;)'
>
> Here my intention is to drop any packet that is received for ICMP ping activity, but actually when I run my 'snort'
> and 'Ping' the destination machine, only alerts are logged and I receive the response to my 'Ping' command too.
>
> But I expect this should not happen with a 'drop' rule; no response should be received in this case.
>
> Thanks
> Ashish Sharma
>
> -----Original Message-----
> From: Nigel Houghton [mailto:nhoughton at ...1935...]
> Sent: Monday, February 22, 2010 7:42 PM
> To: Sharma, Ashish
> Cc: Snort Users List
> Subject: Re: [Snort-users] Unable to run Snort in IPS mode
>
> On Mon, Feb 22, 2010 at 8:37 AM, Sharma, Ashish <ashish.sharma3 at ...14781....> wrote:
>> Rmkml,
>>
>> Please find attached my 'local.rules' file.
>>
>> Thanks
>> Ashish Sharma
>>
>> -----Original Message-----
>> From: rmkml [mailto:rmkml at ...953...]
>> Sent: Monday, February 22, 2010 6:49 PM
>> To: Sharma, Ashish
>> Cc: rmkml at ...953...
>> Subject: RE: [Snort-users] Unable to run Snort in IPS mode
>>
>> ok thx you Sharma,
>> could you send local.rules please?
>> Regards
>> Rmkml
>>
>>
>> On Mon, 22 Feb 2010, Sharma, Ashish wrote:
>>
>>> Rmkml,
>>>
>>> First of all thanks for helping.
>>>
>>> I don't think there is any problem with the command formatting or a 'RULE_PATH' variable error.
>>>
>>> The reason being that when I comment out the 'reject' and 'sdrop' rules from the 'local.rules' file and only 'drop' rules are there, 'Snort' is able to run fine and alerts are generated and logged.
>>>
>>> For your reference my 'Snort.conf' is attached.
>>>
>>> Thanks for helping again.
>>>
>>> Ashish Sharma
>>>
>>> -----Original Message-----
>>> From: rmkml [mailto:rmkml at ...953...]
>>> Sent: Monday, February 22, 2010 5:15 PM
>>> To: Sharma, Ashish
>>> Cc: rmkml at ...953...
>>> Subject: Re: [Snort-users] Unable to run Snort in IPS mode
>>>
>>> Hi Sharma,
>>> You start snort with the command line:
>>>  'snort -A console -Q -c /etc/snort /snort.conf -i eth1 -l /var/log/snort'
>>> Please remove the space, like ... -c /etc/snort/snort.conf ...
>>> In your snort.conf, what does the RULE_PATH variable contain, please? Or send
>>> snort.conf...
>>> Regards
>>> Rmkml
>>>
>>>
>>> On Mon, 22 Feb 2010, Sharma, Ashish wrote:
>>>
>>>> Hi,
>>>>
>>>> I have a Fedora Core 10 virtual machine running on Sun VirtualBox.
>>>>
>>>> I am trying to run Snort on this machine in IPS mode.
>>>>
>>>> I followed the following steps (I had already installed the prerequisites for Snort IPS):
>>>>
>>>> 1. Downloaded 'snort-2.8.5.2.tar.gz'
>>>> 2. Extracted the binaries.
>>>> 3. did './configure --enable-inline'
>>>> 4. did 'make'
>>>> 5. did 'make install'
>>>> 6. copied snort rules and snort conf at appropriate location.
>>>> 7. executed the following command :
>>>> 'snort -A console -Q -c /etc/snort /snort.conf -i eth1 -l /var/log/snort'
>>>> 8. Snort launches with the traces :
>>>>
>>>> Enabling inline operation
>>>> Running in IDS mode
>>>>
>>>> --== Initializing Snort ==--
>>>> Initializing Output Plugins!
>>>> Initializing Preprocessors!
>>>> ..................................
>>>>
>>>> Initializing rule chains...
>>>> ERROR: /etc/snortIDSMode/rules /local.rules(10 ) Unknown rule type: reject.
>>>> Fatal Error, Quitting..
>>>>
>>>> 9. As you can see, I have a test rule in local.rules that has 'reject' in it, but snort is not accepting it; the same is the case for the 'sdrop' rule.
>>>>
>>>> 10. What is the problem? Please help!
>>>>
>>>> What should I do in all to let my Snort run in IPS mode?
>>>>
>>>> Thanks in advance
>>>>
>>>> Ashish Sharma
>>>>
>>>
>>
>>
>
>
> You have compiled Snort with --enable-inline. Your snort.conf looks
> fine. The rules you have need to use the "drop" keyword instead of
> "alert" so that they will drop the traffic in inline mode.
>
> So your two rules would become:
>
> drop tcp any any -> 16.150.17.4 25 (msg: "Test activity"; sid:1000003;)
> drop tcp any any -> 16.150.17.4 3310 (msg: "Test activity"; sid:1000004;)
>
> --
> Nigel Houghton
> Head Mentalist
> SF VRT
> http://vrt-sourcefire.blogspot.com && http://labs.snort.org/
>


Your drop rule is commented out, so it is not active. Please try what
I told you to try and report back. Thanks.

-- 
Nigel Houghton
Head Mentalist
SF VRT
http://vrt-sourcefire.blogspot.com && http://labs.snort.org/
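Worked example, added here and not code from Snort or from anyone in the thread: a small Python script that parses a local.rules file and the '-A console' lines pasted above, and cross-checks the two. It lists the rules a build would refuse with the 'Unknown rule type' error from the first message (for whatever set of actions the caller says the build accepts), the lines that are commented out and therefore inactive (Nigel's point), the number of hits per flow in the console output, and, for each alert, whether the console verdict matches the action the rule declares. The sample rule file and console lines are constructed from the thread; the ICMP rule's destination address and which of the two commented rules carried 'reject' versus 'sdrop' are assumptions.

```python
"""Cross-check a Snort 2.x local.rules file against '-A console' output.

Added example for this thread; not code from Snort or from the posters.
RULE_FILE and CONSOLE are constructed from the rules and console lines in
the thread. Which actions a given build accepts is passed in by the caller.
"""
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed: the two active rules from the thread plus the two lines the
# poster says he commented out (assumed: sid 1000003 was 'reject', 1000004 'sdrop').
RULE_FILE = """\
drop tcp any any -> 16.150.17.4 80 (msg: "Test web activity";sid:1000001;)
drop icmp any any -> 16.150.17.4 any (msg: "Test ping activity";sid:1000002;)
# reject tcp any any -> 16.150.17.4 25 (msg: "Test activity"; sid:1000003;)
# sdrop tcp any any -> 16.150.17.4 3310 (msg: "Test activity"; sid:1000004;)
"""

# Constructed: the four console lines pasted in the thread.
CONSOLE = """\
02/23-12:28:04.537751  [Drop] [**] [1:1000001:0] Test web activity [**] [Priority: 0] {TCP} 16.213.0.37:5763 -> 16.150.17.4:80
02/23-12:28:04.538713  [Drop] [**] [1:1000001:0] Test web activity [**] [Priority: 0] {TCP} 16.213.0.37:5763 -> 16.150.17.4:80
02/23-12:28:04.935699  [Drop] [**] [1:1000001:0] Test web activity [**] [Priority: 0] {TCP} 16.213.0.37:5763 -> 16.150.17.4:80
02/23-12:28:05.263633  [Drop] [**] [1:1000001:0] Test web activity [**] [Priority: 0] {TCP} 16.213.0.37:5763 -> 16.150.17.4:80
"""

@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    direction: str
    dst: str
    dport: str
    options: dict = field(default_factory=dict)
    line_no: int = 0

RULE_HEADER = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)

def _store(out, token):
    token = token.strip()
    if token:
        key, _, val = token.partition(":")
        out[key.strip()] = val.strip().strip('"')

def _split_options(opts):
    """Split the option body on ';' outside double quotes (a msg may contain ';')."""
    out, buf, quoted = {}, [], False
    for ch in opts:
        if ch == '"':
            quoted = not quoted
        if ch == ";" and not quoted:
            _store(out, "".join(buf))
            buf = []
        else:
            buf.append(ch)
    _store(out, "".join(buf))
    return out

def parse_rules(text):
    """Return (active rules, commented-out lines). A '#' line is not a rule:
    a commented-out drop rule never fires, which is what Nigel points out."""
    rules, commented = [], []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip().strip("'")   # the thread pastes rules inside quotes
        if not line:
            continue
        if line.startswith("#"):
            commented.append(f"line {n}: {line}")
            continue
        m = RULE_HEADER.match(line)
        if not m:
            raise ValueError(f"line {n}: not a rule header: {line}")
        rules.append(Rule(m["action"].lower(), m["proto"].lower(), m["src"], m["sport"],
                          m["dir"], m["dst"], m["dport"], _split_options(m["opts"]), n))
    return rules, commented

def unsupported_actions(rules, accepted, name="local.rules"):
    """Rules whose action the build does not accept, in the wording of the
    'Unknown rule type' error. Snort aborts at the first; this lists all."""
    return [f"{name}({r.line_no}) Unknown rule type: {r.action}."
            for r in rules if r.action not in accepted]

ALERT_LINE = re.compile(r"""
    ^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+
    (?:\[(?P<verdict>[A-Za-z]+)\]\s+)?            # [Drop] is printed only in inline mode
    \[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+
    (?P<msg>.*?)\s+\[\*\*\]\s+
    (?:\[Classification:\s[^\]]*\]\s+)?
    \[Priority:\s(?P<prio>\d+)\]\s+
    \{(?P<proto>\w+)\}\s+
    (?P<src>[^\s:]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[^\s:]+)(?::(?P<dport>\d+))?\s*$
""", re.VERBOSE)

def parse_alerts(text):
    """Parse '-A console' lines; ICMP lines carry no ports, so those stay None."""
    alerts = []
    for raw in text.splitlines():
        line = raw.strip().strip("'")
        if not line:
            continue
        m = ALERT_LINE.match(line)
        if not m:
            raise ValueError(f"unrecognised console line: {line}")
        alerts.append(m.groupdict())
    return alerts

def hits_per_flow(alerts):
    """Count hits per (src, sport, dst, dport): repeated hits on one flow are the
    same connection attempt seen again, not new connections."""
    return dict(Counter((a["src"], a["sport"], a["dst"], a["dport"]) for a in alerts))

def cross_check(rules, alerts):
    """Mismatches between a rule's declared action and the console verdict for
    its sid; an absent verdict means plain alerting."""
    by_sid = {r.options.get("sid"): r for r in rules}
    problems = []
    for a in alerts:
        rule = by_sid.get(a["sid"])
        if rule is None:
            problems.append(f"sid {a['sid']}: fired but is not an active rule")
            continue
        verdict = (a["verdict"] or "alert").lower()
        if verdict != rule.action:
            problems.append(f"sid {a['sid']}: rule says '{rule.action}', console shows '{verdict}'")
    return problems

if __name__ == "__main__":
    rules, commented = parse_rules(RULE_FILE)
    print("inactive (commented) lines:", *commented, sep="\n  ")
    print("errors if build accepts only alert/log/pass/drop:",
          unsupported_actions(parse_rules(RULE_FILE.replace("# ", ""))[0],
                              {"alert", "log", "pass", "drop"}))
    alerts = parse_alerts(CONSOLE)
    print("hits per flow:", hits_per_flow(alerts))
    print("rule/verdict mismatches:", cross_check(rules, alerts))
```

Run it as-is to see the checks over the thread's own data; point `RULE_FILE`/`CONSOLE` at a real file and a saved console log to use it on a live setup. The accepted-action set is deliberately an argument, since which actions a particular Snort build recognises is exactly what the thread is trying to establish.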
-------------- next part --------------
A non-text attachment was scrubbed...
Name: local.rules
Type: application/octet-stream
Size: 531 bytes
Desc: local.rules
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20100223/b423d581/attachment.obj>

