[Snort-users] Unable to run Snort in IPS mode

Russ Combs rcombs at ...1935...
Wed Feb 24 12:14:48 EST 2010


Hmmm ... if Snort isn't starting with "reject" or "sdrop" rules then maybe
it wasn't actually built with --enable-inline.

Can you post the configure statement at the top of your config.log and the
output from snort -V?

On Wed, Feb 24, 2010 at 10:16 AM, Sharma, Ashish <ashish.sharma3 at ...6440...> wrote:

> Seth,
>
> Since I am testing on a single machine on the LAN, I replicated my Snort setup
> on a non-virtual Fedora 10 machine; there too the problem persists.
>
> Packets are not getting dropped just 'console' outputs are generated.
>
> Also, snort doesn't start with local rules of the 'reject' or 'sdrop' kind.
>
> I have followed this for reference:
>
> 'http://openmaniak.com/inline_final.php'
>
> Please help!!!!
>
> Ashish Sharma
>
> -----Original Message-----
> From: Seth Art [mailto:sethsec at ...11827...]
> Sent: Tuesday, February 23, 2010 8:45 PM
> To: Sharma, Ashish
> Cc: Nigel Houghton; Snort Users List
> Subject: Re: [Snort-users] Unable to run Snort in IPS mode
>
> Is the virtual snort actually inline, or is it dropping a COPY of the
> traffic?  You can test this with some iptables rules.  Block the
> traffic with some FW rules on the snort box and see if the traffic
> STILL gets to the destination.
>
> -Seth
>
> On Tue, Feb 23, 2010 at 9:29 AM, Sharma, Ashish <ashish.sharma3 at ...6440...>
> wrote:
> > Nigel,
> >
> > No success :(
> >
> > My machine is a Fedora Core 10 virtual machine, running on Sun VirtualBox.
> >
> > My rules in 'local.rules' are as:
> >
> > 'drop tcp any any -> 16.150.17.4 80 (msg: "Test web activity";sid:1000001;)
> > drop icmp any any -> 16.150.17.4 any (msg: "Test ping activity";sid:1000002;)'
> >
> > I am running 'snort' by this command:
> >
> > 'snort -k none -A console -Q -c /etc/snortIDSMode/snort.conf -i eth1 -l /var/log/snort'
> >
> > Console output is as:
> >
> > ' 02/23-19:57:13.288720  [Drop] [**] [1:1000001:0] Test web activity [**] [Priority: 0] {TCP} 16.213.0.37:13530 -> 16.150.17.4:80
> > 02/23-19:57:13.288812  [Drop] [**] [1:1000001:0] Test web activity [**] [Priority: 0] {TCP} 16.213.0.37:13402 -> 16.150.17.4:80
> > 02/23-19:57:47.034571  [Drop] [**] [1:1000002:0] Test ping activity [**] [Priority: 0] {ICMP} 16.150.18.130 -> 16.150.17.4'
> >
> > But packets are not getting dropped and replies to the above requests are
> > being received successfully. This should not happen :( right?
> >
> > With regards
> > Ashish Sharma
> >
> >
> > -----Original Message-----
> > From: Nigel Houghton [mailto:nhoughton at ...1935...]
> > Sent: Tuesday, February 23, 2010 7:00 PM
> > To: Sharma, Ashish
> > Cc: Snort Users List
> > Subject: Re: [Snort-users] Unable to run Snort in IPS mode
> >
> > On Tue, Feb 23, 2010 at 2:15 AM, Sharma, Ashish <ashish.sharma3 at ...6440...>
> wrote:
> >> Nigel,
> >>
> >> No success with your suggested idea.
> >>
> >> Attached is my 'local.rules' file.
> >>
> >> My uncommented rule is as:
> >> 'drop tcp any any -> 16.150.17.4 80 (msg: "Test web activity";sid:1000001;)'
> >>
> >> I launch my 'snort' with the following command:
> >>
> >> 'snort -A console -Q -c /etc/snortIDSMode/snort.conf -i eth1 -l /var/log/snort'
> >>
> >> Now whenever I try to access a web page hosted on a web server on the
> >> same machine (on which snort is hosted), I get the following kind of console
> >> output:
> >>
> >> ' 02/23-12:28:04.537751  [Drop] [**] [1:1000001:0] Test web activity [**] [Priority: 0] {TCP} 16.213.0.37:5763 -> 16.150.17.4:80
> >> 02/23-12:28:04.538713  [Drop] [**] [1:1000001:0] Test web activity [**] [Priority: 0] {TCP} 16.213.0.37:5763 -> 16.150.17.4:80
> >> 02/23-12:28:04.935699  [Drop] [**] [1:1000001:0] Test web activity [**] [Priority: 0] {TCP} 16.213.0.37:5763 -> 16.150.17.4:80
> >> 02/23-12:28:05.263633  [Drop] [**] [1:1000001:0] Test web activity [**] [Priority: 0] {TCP} 16.213.0.37:5763 -> 16.150.17.4:80'
> >>
> >> Here I am able to access my web page from any other foreign machine, but
> >> this should not happen with a 'Drop' rule of this kind; I should not be able
> >> to access my web page in the first place when snort is running in 'inline' mode.
> >>
> >> Moreover, I had to comment out the other 'reject' and 'sdrop' rules since 'snort'
> >> fails to identify them (please look at my first message for the console output
> >> for this error).
> >>
> >> Thanks
> >> Ashish Sharma
> >>
> >>
> >> -----Original Message-----
> >> From: Nigel Houghton [mailto:nhoughton at ...1935...]
> >> Sent: Monday, February 22, 2010 9:16 PM
> >> To: Sharma, Ashish
> >> Cc: Snort Users List
> >> Subject: Re: [Snort-users] Unable to run Snort in IPS mode
> >>
> >> On Mon, Feb 22, 2010 at 9:22 AM, Sharma, Ashish <ashish.sharma3 at ...6440...>
> wrote:
> >>> Nigel,
> >>>
> >>> One of my drop rules in 'local.rules' is of following type:
> >>> 'drop icmp any any -> xxx.xxx.xxx.xxx any (msg: "Test ping activity";sid:1000002;)'
> >>>
> >>> Here my intention is to drop any packet that is received for ICMP ping
> >>> activity, but actually when I run my 'snort' and 'Ping' the destination
> >>> machine, only alerts are logged and I receive the response of my 'Ping'
> >>> command too.
> >>>
> >>> But I expect this should not happen with 'drop' rule, no response
> should be received for this case.
> >>>
> >>> Thanks
> >>> Ashish Sharma
> >>>
> >>> -----Original Message-----
> >>> From: Nigel Houghton [mailto:nhoughton at ...1935...]
> >>> Sent: Monday, February 22, 2010 7:42 PM
> >>> To: Sharma, Ashish
> >>> Cc: Snort Users List
> >>> Subject: Re: [Snort-users] Unable to run Snort in IPS mode
> >>>
> >>> On Mon, Feb 22, 2010 at 8:37 AM, Sharma, Ashish <ashish.sharma3 at ...6440...>
> wrote:
> >>>> Rmkml,
> >>>>
> >>>> Please find attached my 'local.rules' file.
> >>>>
> >>>> Thanks
> >>>> Ashish Sharma
> >>>>
> >>>> -----Original Message-----
> >>>> From: rmkml [mailto:rmkml at ...953...]
> >>>> Sent: Monday, February 22, 2010 6:49 PM
> >>>> To: Sharma, Ashish
> >>>> Cc: rmkml at ...953...
> >>>> Subject: RE: [Snort-users] Unable to run Snort in IPS mode
> >>>>
> >>>> ok thx you Sharma,
> >>>> could you send local.rules please?
> >>>> Regards
> >>>> Rmkml
> >>>>
> >>>>
> >>>> On Mon, 22 Feb 2010, Sharma, Ashish wrote:
> >>>>
> >>>>> Rmkml,
> >>>>>
> >>>>> First of all thanks for helping.
> >>>>>
> >>>>> I don't think there is any problem with command formatting or
> 'RULE_PATH' variable error.
> >>>>>
> >>>>> Reason being that when I comment out the 'reject' and 'sdrop' rules
> from 'local.rules' file and only 'drop' rules are there, then 'Snort' is
> able to run fine and alerts are generated and logged.
> >>>>>
> >>>>> For your reference my 'Snort.conf' is attached.
> >>>>>
> >>>>> Thanks for helping again.
> >>>>>
> >>>>> Ashish Sharma
> >>>>>
> >>>>> -----Original Message-----
> >>>>> From: rmkml [mailto:rmkml at ...953...]
> >>>>> Sent: Monday, February 22, 2010 5:15 PM
> >>>>> To: Sharma, Ashish
> >>>>> Cc: rmkml at ...953...
> >>>>> Subject: Re: [Snort-users] Unable to run Snort in IPS mode
> >>>>>
> >>>>> Hi Sharma,
> >>>>> you start snort with cmd line:
> >>>>>  'snort -A console -Q -c /etc/snort /snort.conf -i eth1 -l /var/log/snort'
> >>>>> please remove the space, like ... -c /etc/snort/snort.conf ...
> >>>>> in your snort.conf, what does the RULE_PATH variable contain, please? or send
> >>>>> snort.conf...
> >>>>> Regards
> >>>>> Rmkml
> >>>>>
> >>>>>
> >>>>> On Mon, 22 Feb 2010, Sharma, Ashish wrote:
> >>>>>
> >>>>>> Hi,
> >>>>>>
> >>>>>> I have a Fedora Core 10 virtual machine running on Sun VirtualBox.
> >>>>>>
> >>>>>> I am trying to run Snort on this machine in IPS mode.
> >>>>>>
> >>>>>> I followed the following steps (I had already installed the
> prerequisites for Snort IPS):
> >>>>>>
> >>>>>> 1. Downloaded 'snort-2.8.5.2.tar.gz'
> >>>>>> 2. Extracted the binaries.
> >>>>>> 3. did './configure --enable-inline'
> >>>>>> 4. did 'make'
> >>>>>> 5. did 'make install'
> >>>>>> 6. copied snort rules and snort conf at appropriate location.
> >>>>>> 7. executed the following command :
> >>>>>> 'snort -A console -Q -c /etc/snort /snort.conf -i eth1 -l /var/log/snort'
> >>>>>> 8. Snort launches with the traces :
> >>>>>>
> >>>>>> Enabling inline operation
> >>>>>> Running in IDS mode
> >>>>>>
> >>>>>> --== Initializing Snort ==--
> >>>>>> Initializing Output Plugins!
> >>>>>> Initializing Preprocessors!
> >>>>>> ..................................
> >>>>>>
> >>>>>> Initializing rule chains...
> >>>>>> ERROR: /etc/snortIDSMode/rules /local.rules(10 ) Unknown rule type: reject.
> >>>>>> Fatal Error, Quitting..
> >>>>>>
> >>>>>> 8. As you can see, I have a test rule in local.rules that has a
> >>>>>> 'reject' action in it but snort is not accepting it; the same is the case for
> >>>>>> the 'sdrop' rule also.
> >>>>>>
> >>>>>> 9. What is the problem, please help!!!!!
> >>>>>>
> >>>>>> What should I do in all to let my Snort run in IPS mode?
> >>>>>>
> >>>>>> Thanks in advance
> >>>>>>
> >>>>>> Ashish Sharma
> >>>>>>
> >>>>>
> >>>>
> >>>>
> ------------------------------------------------------------------------------
> >>>> Download Intel® Parallel Studio Eval
> >>>> Try the new software tools for yourself. Speed compiling, find bugs
> >>>> proactively, and fine-tune applications for parallel performance.
> >>>> See why Intel Parallel Studio got high marks during beta.
> >>>> http://p.sf.net/sfu/intel-sw-dev
> >>>> _______________________________________________
> >>>> Snort-users mailing list
> >>>> Snort-users at lists.sourceforge.net
> >>>> Go to this URL to change user options or unsubscribe:
> >>>> https://lists.sourceforge.net/lists/listinfo/snort-users
> >>>> Snort-users list archive:
> >>>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >>>>
> >>>
> >>>
> >>> You have compiled Snort with --enable-inline. Your snort.conf looks
> >>> fine. The rules you have need to use the "drop" keyword instead of
> >>> "alert" so that they will drop the traffic in inline mode.
> >>>
> >>> So your two rules would become:
> >>>
> >>> drop tcp any any -> 16.150.17.4 25 (msg: "Test activity"; sid:1000003;)
> >>> drop tcp any any -> 16.150.17.4 3310 (msg: "Test activity"; sid:1000004;)
> >>>
> >>> --
> >>> Nigel Houghton
> >>> Head Mentalist
> >>> SF VRT
> >>> http://vrt-sourcefire.blogspot.com && http://labs.snort.org/
> >>>
> >>
> >>
> >> Your drop rule is commented out, so it is not active. Please try what
> >> I told you to try and report back. Thanks.
> >>
> >> --
> >> Nigel Houghton
> >> Head Mentalist
> >> SF VRT
> >> http://vrt-sourcefire.blogspot.com && http://labs.snort.org/
> >>
> >
> >
> > Now we are getting somewhere. Since your snort installation is on the
> > same machine you are sending packets to, try adding the "-k none"
> > option to the command line. See if that fixes your problem and report
> > back.
> >
> > --
> > Nigel Houghton
> > Head Mentalist
> > SF VRT
> > http://vrt-sourcefire.blogspot.com && http://labs.snort.org/
> >
> >
>
>
>
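Added example, not code from any poster in this thread: a small shell preflight for the two failure modes the thread walks through (reject/sdrop rules in a Snort 2.8.x build that was not configured with --enable-inline, and drop rules that are commented out in local.rules and so never fire). The paths to config.log and local.rules are assumed arguments, and the sample files at the bottom are constructed to mirror the poster's situation.

```shell
#!/bin/sh
# Added example, not code from this thread: preflight checks to run before
# starting snort -Q.
#   1. reject/sdrop are only valid rule actions when Snort was configured
#      with --enable-inline; "Unknown rule type: reject" points at the build.
#   2. a drop rule that is commented out in local.rules never fires.
# Paths to config.log and local.rules are assumed arguments.

# Succeeds when config.log records a ./configure run with --enable-inline.
built_inline() {
    grep -q -- '--enable-inline' "$1"
}

# Prints each active (uncommented) rule whose action needs an inline build.
inline_rules() {
    grep -E '^[[:space:]]*(drop|reject|sdrop)[[:space:]]' "$1"
}

# Counts drop/reject/sdrop rules that are commented out and therefore inactive.
commented_inline_rules() {
    grep -Ec '^[[:space:]]*#[[:space:]]*(drop|reject|sdrop)[[:space:]]' "$1"
}

# Returns 1 when reject/sdrop rules exist but the build is not inline (so a
# wrapper can refuse to start Snort); otherwise only warns about inactive rules.
preflight() {
    log=$1; rules=$2
    if ! built_inline "$log"; then
        if inline_rules "$rules" | grep -qE '^[[:space:]]*(reject|sdrop)'; then
            echo "error: reject/sdrop rules need a build with --enable-inline" >&2
            return 1
        fi
    fi
    n=$(commented_inline_rules "$rules" || true)
    if [ "$n" -gt 0 ]; then
        echo "warning: $n drop/reject/sdrop rule(s) are commented out" >&2
    fi
    return 0
}

# Constructed sample inputs reproducing the thread's situation (not the
# poster's real files): a build without --enable-inline, one commented rule.
TMP=$(mktemp -d)
printf '  $ ./configure --prefix=/usr/local\n' > "$TMP/config.log"
cat > "$TMP/local.rules" <<'EOF'
# drop icmp any any -> 16.150.17.4 any (msg:"Test ping activity"; sid:1000002;)
drop tcp any any -> 16.150.17.4 80 (msg:"Test web activity"; sid:1000001;)
reject tcp any any -> 16.150.17.4 25 (msg:"Test activity"; sid:1000003;)
EOF
preflight "$TMP/config.log" "$TMP/local.rules" || echo "fix the build before running snort -Q"
```

On a real box, point the functions at the config.log in the Snort source tree and the rules file named by RULE_PATH in snort.conf; the configure line is the same one Russ asks for above.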