[Snort-users] Unable to run Snort in IPS mode

Russ Combs rcombs at ...1935...
Thu Feb 25 10:05:38 EST 2010


OK, taking another look at your SnortMake.logs, another possibility is that
you didn't `make clean` before rerunning configure & make.  Try doing that
and see if you get "inline" with `snort -V`.

Russ
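
As an added example, not part of Russ's message or of the Snort project, the following POSIX shell helper applies the two checks this thread settles on to a build tree: whether the `snort -V` banner carries the "inline" tag, and whether the invocation line at the top of config.log contains --enable-inline. The sample banner and config.log excerpts are constructed from the text quoted in the thread; `live_check`, its argument and the assumed layout (config.log at the top of the source directory, the built binary at src/snort) are assumptions for running it against a real tree.

```sh
#!/bin/sh
# Added example: decide whether a Snort 2.8.x build is really an inline
# (IPS-capable) build, using the two signals discussed in this thread.

# Exit 0 when the `snort -V` banner text names an inline build.
banner_is_inline() {
    printf '%s\n' "$1" | grep -q 'Version .*inline'
}

# Exit 0 when the config.log excerpt shows configure was run with --enable-inline.
configlog_has_inline() {
    printf '%s\n' "$1" | grep -q '^ *\$ \./configure .*--enable-inline'
}

# Combine both signals into one verdict:
#   inline-build           banner already says "inline": nothing to fix
#   stale-binary           configured with --enable-inline, but the binary
#                          being run is not inline: run `make clean`, rebuild,
#                          and compare `which snort` with the src/ binary
#   not-configured-inline  config.log shows no --enable-inline: re-run configure
diagnose() {
    if banner_is_inline "$1"; then
        echo "inline-build"
    elif configlog_has_inline "$2"; then
        echo "stale-binary"
    else
        echo "not-configured-inline"
    fi
}

# Constructed sample inputs, modelled on the banners quoted in the thread.
SAMPLE_BANNER_IDS='   ,,_     -*> Snort! <*-
  o"  )~   Version 2.8.5.2 (Build 121)'
SAMPLE_BANNER_INLINE='   ,,_     -*> Snort! <*-
  o"  )~   Version 2.8.5 GRE (Build 124) inline'
SAMPLE_CFG_INLINE='## Invocation command line was
  $ ./configure --enable-dynamicplugin --enable-gre --enable-inline'
SAMPLE_CFG_PLAIN='## Invocation command line was
  $ ./configure --enable-dynamicplugin'

# Run the same checks against a real build tree (assumed layout: the
# configured source directory with config.log at its top and the freshly
# built binary at src/snort).
# Usage: live_check /root/snortinstall/snort-2.8.5.2
live_check() {
    srcdir="$1"
    bin="$srcdir/src/snort"
    [ -x "$bin" ] || { echo "no binary at $bin (run make first)" >&2; return 2; }
    diagnose "$("$bin" -V 2>&1)" "$(head -n 20 "$srcdir/config.log")"
    # A mismatch between this path and src/snort is the "different snort"
    # case Russ describes.
    echo "snort on PATH: $(command -v snort || echo none)"
}
```

`diagnose` deliberately trusts the banner over config.log: a banner without "inline" is proof that the binary being executed was not built inline, whatever configure was told, which is exactly the stale-binary or wrong-PATH situation the thread is chasing.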

On Thu, Feb 25, 2010 at 9:07 AM, Sharma, Ashish <ashish.sharma3 at ...6440...> wrote:

> Russ,
>
> Sorry for the earlier goof-up.
>
> Attached is my ‘config.log’.
>
> I ran the following:
>
> [root at ...14789... src]# /root/snortinstall/snort-2.8.5.2/src/snort -V
>
>    ,,_     -*> Snort! <*-
>   o"  )~   Version 2.8.5.2 (Build 121)
>    ''''    By Martin Roesch & The Snort Team:
> http://www.snort.org/snort/snort-team
>            Copyright (C) 1998-2009 Sourcefire, Inc., et al.
>            Using PCRE version: 7.8 2008-09-05
>
> As you can see, I am checking the compiled binary prepared by ‘make’,
> right in the ‘src’ folder.
>
> Or is there any other location where the compiled binary is after
> executing ‘make’?
>
> So installing and running the wrong binary should not come into the picture.
>
> Please reply.
>
> Thanks in advance
>
> Ashish Sharma
>
> *From:* Russ Combs [mailto:rcombs at ...1935...]
> *Sent:* Thursday, February 25, 2010 7:16 PM
> *To:* Sharma, Ashish
> *Cc:* Snort Users List
> *Subject:* Re: [Snort-users] Unable to run Snort in IPS mode
>
> Ashish,
>
> Your `snort -V` doesn't indicate an inline build.  Where you have:
>
>   Version 2.8.5.2 (Build 121)
>
> you should see "inline", like this:
>
>     Version 2.8.5 GRE (Build 124) inline
>
> That is why I'd like to see the configure statement from the top of the
> file "config.log" in the directory where you build.  Here is what it might
> look like:
>
>     ... Invocation command line was
>
>     $ ./configure --enable-dynamicplugin --enable-gre --enable-inline ...
>
> If you see --enable-inline there, you must be executing a different snort.
> Try running `which snort` to see if the full path is what you expect.
>
> Regards
>
> Russ
>
> On Thu, Feb 25, 2010 at 2:10 AM, Sharma, Ashish <ashish.sharma3 at ...14781....> wrote:
>
> Russ,
>
> I ran the following configure statement:
>
> # ./configure --enable-inline
>
> The output of this command is attached in the file ‘config.logs’.
>
> Then I ran the command:
>
> # libtool --finish /usr/local/lib/snort_dynamicpreprocessor
>
> The output of the above command is attached in the file ‘libtool.logs’.
>
> Then I ran the command:
>
> # make
>
> The output of the above command is attached in the file ‘SnortMake.logs’.
>
> Then I ran the command:
>
> # make install
>
> The output of the above command is attached in the file ‘SnortInstall.logs’.
>
> On running the command:
>
> # snort -V
>
> I get:
>
>    ,,_     -*> Snort! <*-
>   o"  )~   Version 2.8.5.2 (Build 121)
>    ''''    By Martin Roesch & The Snort Team:
> http://www.snort.org/snort/snort-team
>            Copyright (C) 1998-2009 Sourcefire, Inc., et al.
>            Using PCRE version: 7.8 2008-09-05
>
> On running the command:
>
> # snort -V -k None -K None -A console -Q -c /etc/snortIDSMode/snort.conf
> -i eth1 -l /var/log/snort
>
> I get:
>
> Enabling inline operation
>
>    ,,_     -*> Snort! <*-
>   o"  )~   Version 2.8.5.2 (Build 121)
>    ''''    By Martin Roesch & The Snort Team:
> http://www.snort.org/snort/snort-team
>            Copyright (C) 1998-2009 Sourcefire, Inc., et al.
>            Using PCRE version: 7.8 2008-09-05
>
>            Rules Engine: SF_SNORT_DETECTION_ENGINE  Version 1.11  <Build 17>
>            Rules Object: web-misc  Version 1.0  <Build 1>
>            Rules Object: web-client  Version 1.0  <Build 1>
>            Rules Object: sql  Version 1.0  <Build 1>
>            Rules Object: smtp  Version 1.0  <Build 1>
>            Rules Object: p2p  Version 1.0  <Build 1>
>            Rules Object: nntp  Version 1.0  <Build 1>
>            Rules Object: netbios  Version 1.0  <Build 1>
>            Rules Object: multimedia  Version 1.0  <Build 1>
>            Rules Object: misc  Version 1.0  <Build 1>
>            Rules Object: imap  Version 1.0  <Build 1>
>            Rules Object: exploit  Version 1.0  <Build 1>
>            Rules Object: dos  Version 1.0  <Build 1>
>            Rules Object: chat  Version 1.0  <Build 1>
>            Rules Object: bad-traffic  Version 1.0  <Build 1>
>            Preprocessor Object: SF_SSLPP  Version 1.1  <Build 3>
>            Preprocessor Object: SF_SSH  Version 1.1  <Build 2>
>            Preprocessor Object: SF_SMTP  Version 1.1  <Build 8>
>            Preprocessor Object: SF_FTPTELNET  Version 1.2  <Build 12>
>            Preprocessor Object: SF_DNS  Version 1.1  <Build 3>
>            Preprocessor Object: SF_DCERPC2  Version 1.0  <Build 2>
>
> My latest ‘snort.conf’ is also attached.
>
> Please reply if you need any more information.
>
> Thanks in advance
>
> Ashish Sharma
>
> *From:* Russ Combs [mailto:rcombs at ...1935...]
> *Sent:* Wednesday, February 24, 2010 10:45 PM
> *To:* Sharma, Ashish
> *Cc:* Seth Art; Snort Users List
> *Subject:* Re: [Snort-users] Unable to run Snort in IPS mode
>
> Hmmm ... if Snort isn't starting with "reject" or "sdrop" rules then maybe
> it wasn't actually built with --enable-inline.
>
> Can you post the configure statement at the top of your config.log and the
> output from snort -V?
>
> On Wed, Feb 24, 2010 at 10:16 AM, Sharma, Ashish <ashish.sharma3 at ...14783.....> wrote:
>
> Seth,
>
> Since I am testing on a single machine on the LAN, I replicated my Snort setup
> on a non-virtual Fedora 10 machine; there too the problem persists.
>
> Packets are not getting dropped; just 'console' outputs are generated.
>
> Also, snort doesn't start with local rules of the 'reject' or 'sdrop' kind.
>
> I have followed this for reference:
>
> 'http://openmaniak.com/inline_final.php'
>
> Please help!!!!
>
> Ashish Sharma
>
> -----Original Message-----
> From: Seth Art [mailto:sethsec at ...11827...]
> Sent: Tuesday, February 23, 2010 8:45 PM
> To: Sharma, Ashish
>
> Cc: Nigel Houghton; Snort Users List
> Subject: Re: [Snort-users] Unable to run Snort in IPS mode
>
> Is the virtual snort actually inline, or is it dropping a COPY of the
> traffic?  You can test this with some iptables rules.  Block the
> traffic with some FW rules on the snort box and see if the traffic
> STILL gets to the destination.
>
> -Seth
>
> On Tue, Feb 23, 2010 at 9:29 AM, Sharma, Ashish <ashish.sharma3 at ...14781....> wrote:
> > Nigel,
> >
> > No success :(
> >
> > My machine is a Fedora Core 10 virtual machine, running on Sun VirtualBox.
> >
> > My rules in 'local.rules' are as:
> >
> > 'drop tcp any any -> 16.150.17.4 80 (msg: "Test web activity";sid:1000001;)
> > drop icmp any any -> 16.150.17.4 any (msg: "Test ping activity";sid:1000002;)'
> >
> > I am running 'snort' by this command:
> >
> > 'snort -k none -A console -Q -c /etc/snortIDSMode/snort.conf -i eth1 -l /var/log/snort'
> >
> > Console output is as:
> >
> > ' 02/23-19:57:13.288720  [Drop] [**] [1:1000001:0] Test web activity [**] [Priority: 0] {TCP} 16.213.0.37:13530 -> 16.150.17.4:80
> > 02/23-19:57:13.288812  [Drop] [**] [1:1000001:0] Test web activity [**] [Priority: 0] {TCP} 16.213.0.37:13402 -> 16.150.17.4:80
> > 02/23-19:57:47.034571  [Drop] [**] [1:1000002:0] Test ping activity [**] [Priority: 0] {ICMP} 16.150.18.130 -> 16.150.17.4'
> >
> > But packets are not getting dropped and replies to the above requests are
> > being received successfully. This should not happen :( right?
> >
> > With regards
> > Ashish Sharma
> >
> > -----Original Message-----
> > From: Nigel Houghton [mailto:nhoughton at ...1935...]
> > Sent: Tuesday, February 23, 2010 7:00 PM
> > To: Sharma, Ashish
> > Cc: Snort Users List
> > Subject: Re: [Snort-users] Unable to run Snort in IPS mode
> >
> > On Tue, Feb 23, 2010 at 2:15 AM, Sharma, Ashish <ashish.sharma3 at ...14784......> wrote:
> >> Nigel,
> >>
> >> No success with your suggested idea.
> >>
> >> Attached is my 'local.rules' file.
> >>
> >> My uncommented rule is as:
> >> 'drop tcp any any -> 16.150.17.4 80 (msg: "Test web activity";sid:1000001;)'
> >>
> >> I launch my 'snort' with the following command:
> >>
> >> 'snort -A console -Q -c /etc/snortIDSMode/snort.conf -i eth1 -l /var/log/snort'
> >>
> >> Now whenever I try to access a web page hosted on a web server on the
> >> same machine (on which snort is hosted), I get the following kind of console
> >> output:
> >>
> >> ' 02/23-12:28:04.537751  [Drop] [**] [1:1000001:0] Test web activity [**] [Priority: 0] {TCP} 16.213.0.37:5763 -> 16.150.17.4:80
> >> 02/23-12:28:04.538713  [Drop] [**] [1:1000001:0] Test web activity [**] [Priority: 0] {TCP} 16.213.0.37:5763 -> 16.150.17.4:80
> >> 02/23-12:28:04.935699  [Drop] [**] [1:1000001:0] Test web activity [**] [Priority: 0] {TCP} 16.213.0.37:5763 -> 16.150.17.4:80
> >> 02/23-12:28:05.263633  [Drop] [**] [1:1000001:0] Test web activity [**] [Priority: 0] {TCP} 16.213.0.37:5763 -> 16.150.17.4:80'
> >>
> >> Here I am able to access my web page from any other foreign machine, but
> >> this should not happen with a 'Drop' rule of this kind; I should not be able
> >> to access my web page in the first place when snort is running in 'inline' mode.
> >>
> >> Moreover, I had to comment out the other 'reject' and 'sdrop' rules since 'snort'
> >> fails to identify them (please look into my first message for the console output
> >> for this error).
> >>
> >> Thanks
> >> Ashish Sharma
> >>
> >> -----Original Message-----
> >> From: Nigel Houghton [mailto:nhoughton at ...1935...]
> >> Sent: Monday, February 22, 2010 9:16 PM
> >> To: Sharma, Ashish
> >> Cc: Snort Users List
> >> Subject: Re: [Snort-users] Unable to run Snort in IPS mode
> >>
> >> On Mon, Feb 22, 2010 at 9:22 AM, Sharma, Ashish <ashish.sharma3 at ...14790...0...> wrote:
> >>> Nigel,
> >>>
> >>> One of my drop rules in 'local.rules' is of the following type:
> >>> 'drop icmp any any -> xxx.xxx.xxx.xxx any (msg: "Test ping activity";sid:1000002;)'
> >>>
> >>> Here my intention is to drop any packet that is received for ICMP ping
> >>> activity, but actually when I run my 'snort' and 'Ping' the destination
> >>> machine, only alerts are logged and I receive the response of my 'Ping'
> >>> command too.
> >>>
> >>> But I expect this should not happen with a 'drop' rule; no response
> >>> should be received in this case.
> >>>
> >>> Thanks
> >>> Ashish Sharma
> >>>
> >>> -----Original Message-----
> >>> From: Nigel Houghton [mailto:nhoughton at ...1935...]
> >>> Sent: Monday, February 22, 2010 7:42 PM
> >>> To: Sharma, Ashish
> >>> Cc: Snort Users List
> >>> Subject: Re: [Snort-users] Unable to run Snort in IPS mode
> >>>
> >>> On Mon, Feb 22, 2010 at 8:37 AM, Sharma, Ashish <ashish.sharma3 at ...14785...40...> wrote:
> >>>> Rmkml,
> >>>>
> >>>> Please find attached my 'local.rules' file.
> >>>>
> >>>> Thanks
> >>>> Ashish Sharma
> >>>>
> >>>> -----Original Message-----
> >>>> From: rmkml [mailto:rmkml at ...953...]
> >>>> Sent: Monday, February 22, 2010 6:49 PM
> >>>> To: Sharma, Ashish
> >>>> Cc: rmkml at ...953...
> >>>> Subject: RE: [Snort-users] Unable to run Snort in IPS mode
> >>>>
> >>>> ok thx you Sharma,
> >>>> could you send local.rules please?
> >>>> Regards
> >>>> Rmkml
> >>>>
> >>>>
> >>>> On Mon, 22 Feb 2010, Sharma, Ashish wrote:
> >>>>
> >>>>> Rmkml,
> >>>>>
> >>>>> First of all thanks for helping.
> >>>>>
> >>>>> I don't think there is any problem with the command formatting or a
> >>>>> 'RULE_PATH' variable error.
> >>>>>
> >>>>> The reason being that when I comment out the 'reject' and 'sdrop' rules
> >>>>> from the 'local.rules' file and only 'drop' rules are there, 'Snort' is
> >>>>> able to run fine and alerts are generated and logged.
> >>>>>
> >>>>> For your reference my 'Snort.conf' is attached.
> >>>>>
> >>>>> Thanks for helping again.
> >>>>>
> >>>>> Ashish Sharma
> >>>>>
> >>>>> -----Original Message-----
> >>>>> From: rmkml [mailto:rmkml at ...953...]
> >>>>> Sent: Monday, February 22, 2010 5:15 PM
> >>>>> To: Sharma, Ashish
> >>>>> Cc: rmkml at ...953...
> >>>>> Subject: Re: [Snort-users] Unable to run Snort in IPS mode
> >>>>>
> >>>>> Hi Sharma,
> >>>>> You start snort with the cmd line:
> >>>>>  'snort -A console -Q -c /etc/snort /snort.conf -i eth1 -l /var/log/snort'
> >>>>> Please remove the space, like ... -c /etc/snort/snort.conf ...
> >>>>> In your snort.conf, what does the RULE_PATH variable contain, please? Or
> >>>>> send snort.conf...
> >>>>> Regards
> >>>>> Rmkml
> >>>>>
> >>>>>
> >>>>> On Mon, 22 Feb 2010, Sharma, Ashish wrote:
> >>>>>
> >>>>>> Hi,
> >>>>>>
> >>>>>> I have a Fedora Core 10 virtual machine running on Sun VirtualBox.
> >>>>>>
> >>>>>> I am trying to run Snort on this machine in IPS mode.
> >>>>>>
> >>>>>> I followed the following steps (I had already installed the
> >>>>>> prerequisites for Snort IPS):
> >>>>>>
> >>>>>> 1. Downloaded 'snort-2.8.5.2.tar.gz'
> >>>>>> 2. Extracted the binaries.
> >>>>>> 3. did './configure --enable-inline'
> >>>>>> 4. did 'make'
> >>>>>> 5. did 'make install'
> >>>>>> 6. copied snort rules and snort conf to the appropriate location.
> >>>>>> 7. executed the following command:
> >>>>>> 'snort -A console -Q -c /etc/snort /snort.conf -i eth1 -l /var/log/snort'
> >>>>>> 8. Snort launches with the traces:
> >>>>>>
> >>>>>> Enabling inline operation
> >>>>>> Running in IDS mode
> >>>>>>
> >>>>>> --== Initializing Snort ==--
> >>>>>> Initializing Output Plugins!
> >>>>>> Initializing Preprocessors!
> >>>>>> ..................................
> >>>>>>
> >>>>>> Initializing rule chains...
> >>>>>> ERROR: /etc/snortIDSMode/rules /local.rules(10 ) Unknown rule type: reject.
> >>>>>> Fatal Error, Quitting..
> >>>>>>
> >>>>>> 9. As you can see I have a test rule in local.rules that has a
> >>>>>> 'reject' rule in it but snort is not accepting it; the same is the case
> >>>>>> for the 'sdrop' rule also.
> >>>>>>
> >>>>>> 10. What is the problem? Please help!!!!!
> >>>>>>
> >>>>>> What should I do in all to let my Snort run in IPS mode?
> >>>>>>
> >>>>>> Thanks in advance
> >>>>>>
> >>>>>> Ashish Sharma
> >>>>>>
> >>>>>
> >>>>
> >>>>
> ------------------------------------------------------------------------------
> >>>> Download Intel® Parallel Studio Eval
> >>>> Try the new software tools for yourself. Speed compiling, find bugs
> >>>> proactively, and fine-tune applications for parallel performance.
> >>>> See why Intel Parallel Studio got high marks during beta.
> >>>> http://p.sf.net/sfu/intel-sw-dev
> >>>> _______________________________________________
> >>>> Snort-users mailing list
> >>>> Snort-users at lists.sourceforge.net
> >>>> Go to this URL to change user options or unsubscribe:
> >>>> https://lists.sourceforge.net/lists/listinfo/snort-users
> >>>> Snort-users list archive:
> >>>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >>>>
> >>>
> >>>
> >>> You have compiled Snort with --enable-inline. Your snort.conf looks
> >>> fine. The rules you have need to use the "drop" keyword instead of
> >>> "alert" so that they will drop the traffic in inline mode.
> >>>
> >>> So your two rules would become:
> >>>
> >>> drop tcp any any -> 16.150.17.4 25 (msg: "Test activity"; sid:1000003;)
> >>> drop tcp any any -> 16.150.17.4 3310 (msg: "Test activity";
> sid:1000004;)
> >>>
> >>> --
> >>> Nigel Houghton
> >>> Head Mentalist
> >>> SF VRT
> >>> http://vrt-sourcefire.blogspot.com && http://labs.snort.org/
> >>>
> >>
> >>
> >> Your drop rule is commented out, so it is not active. Please try what
> >> I told you to try and report back. Thanks.
> >>
> >> --
> >> Nigel Houghton
> >> Head Mentalist
> >> SF VRT
> >> http://vrt-sourcefire.blogspot.com && http://labs.snort.org/
> >>
> >
> >
> > Now we are getting somewhere. Since your snort installation is on the
> > same machine you are sending packets to, try adding the "-k none"
> > option to the command line. See if that fixes your problem and report
> > back.
> >
> > --
> > Nigel Houghton
> > Head Mentalist
> > SF VRT
> > http://vrt-sourcefire.blogspot.com && http://labs.snort.org/
> >
> >
> >
>
>
>
>
>
>
>